10.2 Termination. Either Party may terminate this Agreement for the other Party’s material breach that remains uncured for ten (10) business days following written notice thereof from the non-breaching Party. In the event Media Company materially changes the content offerings made available to end-users via its OTT distribution to attract a different target audience than the target audience as of the Effective Date, and for which VMT is requested to supply Creatives to as part of the Monthly Impressions (e.g., a material shift in content offerings to target a specific demographic or genre, such as limiting content only to offerings that are principally targeted to children, gaming enthusiasts, mature-audiences, etc.) VMT may terminate this Agreement upon thirty (30) days prior written notice to Media Company. Additionally, Media Company may terminate this Agreement for convenience upon at least thirty (30) days’ written notice to VMT. In the event that VMT has booked Creatives to run on the Animax Properties prior to receiving notice of termination from Media Company, VMT may serve and bill for such ads, and VMT will pay Media Company the fees due to Media Company on such ads. Once VMT receives notice of termination from Media Company, VMT will not sell Creatives for periods beyond the effective termination date without Media Company’s prior written consent.
10.3 Termination for Insolvency. Either Party may terminate this Agreement immediately by written notice to the other Party if (a) the other Party files a petition for bankruptcy or is adjudicated a bankrupt under any applicable bankruptcy law; (b) the other Party makes an assignment for the benefit of its creditors or an arrangement for its creditors pursuant to any applicable bankruptcy law; (c) the other Party discontinues its business; or (d) a receiver is appointed for the other Party or its business.
10.4 Effect of Termination. Upon any termination or expiration of this Agreement, each Party, upon receipt of a written request from the other Party hereto, will either deliver to the requesting Party, or destroy, within thirty (30) days of receipt of such written request, all copies of any Confidential Information (whether in tangible or electronic form) of the Party provided hereunder in its possession or under its control, and will furnish to the requesting Party an affidavit signed by an officer of its company certifying that such delivery or destruction has been fully effected. Sections 4 through 13 will survive the expiration or termination of this Agreement for any reason.
11. User Data; Privacy.
11.1 User Data
11.1.1 Ownership of User Data. As between Media Company and VMT, Media Company owns all User Data. Except for the Permitted Uses described below, VMT has no right, title or interest in such User Data.
11.1.2 Data Collection. In connection with Creatives, Media Company will permit and enable the placement of VMT’s ad beacons and cookies in connection with inventory on the Animax Properties made available to VMTs, subject to the user opt-out provisions listed below and a user's ability to prevent the use of cookies through browser settings. The collection and sharing of User Data by the Parties will comply with all applicable laws and regulations and with the Parties’ respective privacy policies and terms of service. VMT will not collect, and Media Company will not disclose to VMT, personally identifiable information of users of the Animax Properties. VMT will collect, store, maintain and use User Data in accordance with security procedures and practices appropriate to the nature of the information.
11.1.3 Permitted Uses. VMT may use User Data solely (i) to improve, enhance and implement the sale, display and targeting of Creatives on the Animax Properties; and (ii) for purposes of providing reporting to Media Company on the number of Impressions delivered, aggregate anonymous reporting to advertising clients on the number of Impressions served for their campaign(s), general reporting on the number of Impressions served by VMT over a given timeframe, calculating payments due, geo-targeting, and fraud detection and auditing (collectively, the “Permitted Uses”) and for no other purposes; provided, however, that any third party receiving such User Data shall agree to maintain in confidence all such User Data for the foregoing purposes. VMT may also use aggregated User Data that does not identify Media Company or Media Company users solely for its internal business purposes. Without limiting the foregoing, VMT will not use any User Data to sell, display or target advertising on any properties served by VMT other than the Animax Properties.
11.1.4 User Opt Out. In the event any OTT Property contains a clickable platform, Media Company will include links within such Animax Properties to pages that, among other things, (a) inform users of the collection of User Data as contemplated by this Agreement, (b) explain the Permitted Uses, and (c) enable users to opt out of the collection of such User Data in compliance with Network Advertising Initiative. The placement of such links and the text of such pages will be within Media Company’s sole discretion. VMT will not collect, and Media Company may take measures to prevent the collection by VMT of, User Data (or any other data) from users of the Animax Properties who opt out of the collection of User Data.
11.2 Privacy
11.2.1 Privacy Policy. Each Party represents and warrants that any Digital Media that delivers Impressions under this Agreement shall, at all times during the term of this Agreement (a) maintain a privacy statement conspicuously on such Digital Media that complies with applicable law and, at a minimum, includes disclosures on the type(s) of data collected from users by such Digital Media, the Digital Media owner’s use of any such data and the types of technologies used by the Digital Media to collect such data (e.g., cookies, pixels or other similar technologies); (b) provide a brief explanation within its privacy statement explaining that it works with third party advertising service providers and allows such third parties to target and serve Creatives,, and use cookies, pixels or other similar technologies on its Digital Media to collect non-personally identifiable data for use in connection with the delivery of such Creatives; and (c) to the extent the Digital Media is a Web Site, include a conspicuous link within its privacy policy to permit consumers to opt out of online behavioral advertising.
11.2.2 Changes in Privacy Laws. The parties hereby acknowledge that: (a) the state of the law with respect to behavioral advertising, contextual advertising, cookies, PII, and informational privacy is unsettled; and (b) subsequent to the date of this Agreement, new or changes in existing applicable federal, state, and local laws, rules, and regulations (a “ Change in Law”) may hold that the services provided under this Agreement, the collection and use of data and cookies, or other activities as contemplated under this Agreement, is not permissible. Neither Party makes any representations or warranties with respect to such Changes in Law and each Party hereby expressly disclaims any representations, warranties, guarantees, covenants, or obligations relating thereto. In the event any such Change in Law frustrates the purpose of this Agreement the parties shall use commercially reasonable efforts to effectuate the purpose of this Agreement within the confines of the new Laws, and if the parties cannot develop or agree upon certain solutions to effectuate the purpose of this Agreement within thirty (30) days, either Party may terminate this Agreement on thirty (30) days written notice in accordance with Section 13.5.
11.2.3 Data Privacy and Information Security. Unless otherwise requested by VMT (in which case the provisions of Exhibit 4 shall apply), Media Company agrees that it will not send, transmit, or in any way provide to VMT any Personal Data as defined in this section. Such Personal Data is not required by VMT to provide the Services herein and VMT assumes no responsibility for the transmission of such data by Media Company to VMT. In the event that Media Company send such Personal Data to VMT, VMT, upon discovery of the receipt of such Personal Data shall use commercially reasonable efforts to contact Media Company regarding the receipt of such Personal Data. For purposes of this section, “Personal Data” means individually identifiable information from or about an individual including, but not limited to, (i) social security number; (ii) credit or debit card information, including card number, expiration date and data stored on the magnetic strip of a credit or debit card; (iii) financial account information, including the ABA routing number, bank account number and retirement account number; (iv) driver’s license, passport, or taxpayer, military or state identification number; (v) medical, health or disability information, including insurance policy numbers, (vi) passwords, fingerprints or biometric data, or (vii) other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone number.
12. Choice of Law; Arbitration. This Agreement is governed, controlled, interpreted and defined exclusively by and under the laws of the State of New York and the United States, without regard to the conflicts of laws provisions thereof. All actions or proceedings arising in connection with, touching upon or relating to this Agreement, the breach thereof and/or the scope of the provisions of this Section (a “Proceeding”) shall be submitted to JAMS (“JAMS”) for binding arbitration under its Comprehensive Arbitration Rules and Procedures if the matter in dispute is over $250,000 or under its Streamlined Arbitration Rules and Procedures if the matter in dispute is $250,000 or less (as applicable, the “Rules”) to be held solely in New York, New York, U.S.A., in the English language in accordance with the provisions below.
12.1 Each arbitration shall be conducted by an arbitral tribunal (the “Arbitral Board”) consisting of a single arbitrator who shall be mutually agreed upon by the Parties. If the Parties are unable to agree on an arbitrator, the arbitrator shall be appointed by JAMS. The arbitrator shall be a retired judge with at least ten (10) years’ experience in commercial matters. The Arbitral Board shall assess the cost, fees and expenses of the arbitration against the losing party, and the prevailing party in any arbitration or legal proceeding relating to this Agreement shall be entitled to all reasonable expenses (including, without limitation, reasonable attorney’s fees). Notwithstanding the foregoing, the Arbitral Board may require that such fees be borne in such other manner as the Arbitral Board determines is required in order for this arbitration clause to be enforceable under applicable law. The Parties shall be entitled to conduct discovery, provided that (a) the Arbitral Board must authorize all such discovery in advance based on findings that the material sought is relevant to the issues in dispute and that the nature and scope of such discovery is reasonable under the circumstances, and (b) discovery shall be limited to depositions and production of documents unless the Arbitral Board finds that another method of discovery (e.g., interrogatories) is the most reasonable and cost efficient method of obtaining the information sought.
12.2 There shall be a record of the proceedings at the arbitration hearing and the Arbitral Board shall issue a Statement of Decision setting forth the factual and legal basis for the Arbitral Board’s decision. If neither Party gives written notice requesting an appeal within ten (10) business days after the issuance of the Statement of Decision, the Arbitral Board’s decision shall be final and binding as to all matters of substance and procedure, and may be enforced by a petition to the Los Angeles County Superior Court or, in the case of VMT, such other court having jurisdiction over VMT, which may be made ex parte, for confirmation and enforcement of the award. If either Party gives written notice requesting an appeal within ten (10) business days after the issuance of the Statement of Decision, the award of the Arbitral Board shall be appealed to three (3) neutral arbitrators (the “Appellate Arbitrators”), each of whom shall have the same qualifications and be selected through the same procedure as the Arbitral Board. The appealing party shall file its appellate brief within thirty (30) days after its written notice requesting the appeal and the other party shall file its brief within thirty (30) days thereafter. The Appellate Arbitrators shall thereupon review the decision of the Arbitral Board applying the same standards of review (and all of the same presumptions) as if the Appellate Arbitrators were a California Court of Appeal reviewing a judgment of the Los Angeles County Superior Court, except that the Appellate Arbitrators shall in all cases issue a final award and shall not remand the matter to the Arbitral Board. The decision of the Appellate Arbitrators shall be final and binding as to all matters of substance and procedure, and may be enforced by a petition to the Los Angeles County Superior Court or, in the case of VMT, such other court having jurisdiction over VMT, which may be made ex parte, for confirmation and enforcement of the award. The party appealing the decision of the Arbitral Board shall pay all costs and expenses of the appeal, including the fees of the Appellate Arbitrators and including the reasonable outside attorneys’ fees of the opposing party, unless the decision of the Arbitral Board is reversed, in which event the costs, fees and expenses of the appeal shall be borne as determined by the Appellate Arbitrators.
12.3 Subject to a Party’s right to appeal pursuant to the above, neither Party shall challenge or resist any enforcement action taken by the Party in whose favor the Arbitral Board, or if appealed, the Appellate Arbitrators, decided. Each Party acknowledges that it is giving up the right to a trial by jury or court. The Arbitral Board shall have the power to enter temporary restraining orders and preliminary and permanent injunctions. Neither Party shall be entitled or permitted to commence or maintain any action in a court of law with respect to any matter in dispute until such matter shall have been submitted to arbitration as herein provided and then only for the enforcement of the Arbitral Board’s award; provided, however, that prior to the appointment of the Arbitral Board or for remedies beyond the jurisdiction of an arbitrator, at any time, either party may seek pendente lite relief in a court of competent jurisdiction in County, or, such other court that may have jurisdiction over a Party, without thereby waiving its right to arbitration of the dispute or controversy under this Section. All arbitration proceedings (including proceedings before the Appellate Arbitrators) shall be closed to the public and confidential and all records relating thereto shall be permanently sealed, except as necessary to obtain court confirmation of the arbitration award. Notwithstanding anything to the contrary herein, VMT hereby irrevocably waives any right or remedy to seek and/or obtain injunctive or other equitable relief or any order with respect to, and/or to enjoin or restrain or otherwise impair in any manner, the production, distribution, exhibition or other exploitation of any motion picture, production or project related to Media Company, its parents, subsidiaries and affiliates, or the use, publication or dissemination of any advertising in connection with such motion picture, production or project. The provisions of this Section shall supersede any inconsistent provisions of any prior agreement between the parties.
12.4 THE PARTIES HEREBY WAIVE THEIR RIGHT TO JURY TRIAL WITH RESPECT TO ALL CLAIMS AND ISSUES ARISING UNDER, IN CONNECTION WITH, TOUCHING UPON OR RELATING TO THIS AGREEMENT, THE BREACH THEREOF AND/OR THE SCOPE OF THE PROVISIONS OF THIS SECTION 12.3, WHETHER SOUNDING IN CONTRACT OR TORT, AND INCLUDING ANY CLAIM FOR FRAUDULENT INDUCEMENT THEREOF.
13. General Provisions.
13.1 Press Release. Neither Party will make any public announcement or press release regarding this Agreement or the other Party’s performance under this Agreement without the prior written approval of the other Party.
13.2 Waiver and Modification; Remedies. Failure by any Party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision. Any waiver, amendment or other modification of any provision of this Agreement will be effective only if in writing and signed by both Media Company and VMT. Unless expressly set forth herein, no remedy conferred on either Party by any of the specific provisions of this Agreement is intended to be exclusive of any other remedy, and each and every remedy will be cumulative and will be in addition to every other remedy given hereunder or now or hereafter existing at law or in equity or by statute or otherwise. The election of one or more remedies by a Party will not constitute a waiver of the right to pursue other available remedies.
13.3 Severability. If for any reason a court of competent jurisdiction or Arbitral Board finds any provision or portion of this Agreement to be unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible so as to affect the intent of the Parties, and the remainder of this Agreement will continue in full force and effect.
13.4 Force Majeure. Notwithstanding any provision to the contrary in this Agreement, neither Party will be held liable or responsible to the other Party nor be deemed to have breached this Agreement for failure or delay in fulfilling or performing any term of this Agreement when such failure or delay is caused by or results from causes beyond the reasonable control of the affected Party, including, but not limited to, fire, floods, failure of communications systems or networks, Internet black out or brown outs, embargoes, war, acts of war, insurrections, riots, civil commotion, strikes, lockouts or other labor disturbances, acts of God, acts of terrorism or acts, omissions or delays in acting by any governmental authority or the other Party; provided, however, that the Party so affected will use reasonable efforts to avoid or remove such causes of nonperformance, and will continue performance hereunder with reasonable promptness whenever such causes are removed. Either Party will provide the other Party with prompt written notice of any delay or failure to perform that occurs by reason of force majeure.
13.5 Notice. Except as otherwise stated herein, all notices required or permitted under this Agreement will be in writing, will reference this Agreement and will be deemed given: (a) when sent by facsimile and confirmed by registered or certified mail; (b) five (5) business days after having been sent by registered or certified mail, return receipt requested, postage prepaid; or (c) one (1) business day after deposit with a commercial overnight carrier, with written verification of receipt. All communications will be sent to the addresses set forth below or to such other address as may be designated by a Party by giving written notice to the other Party pursuant to this Section.
If to VMT: Videology Media Technologies, LLC
1500 Whetstone Way, Ste. 500
Baltimore, MD 21230
Facsimile No.: (443) 378-7567
Email: legal@videologygroup.com
Attn: Legal Department
If to Media Company: Animax Broadcast Japan Inc.:
1-11-1 Kaigan, Minato-ku.
Tokyo 105-0022
Facsimile No: +81 3 5402 1711
Attn: Director, Legal Department
With a copy to: Sony Pictures Entertainment Inc.
10202 W. Washington Blvd.
Culver City, CA 90232
Facsimile No: (310) 244-0510
Attn: General Counsel
13.6 Assignment. Except as otherwise set forth below, neither Party may assign this Agreement, in whole or in part, nor delegate any of its rights or obligations hereunder, without the other Party’s prior written consent. Notwithstanding the foregoing, either Party may, with prior written notice to the other Party, and without such other Party’s consent, assign, delegate, or otherwise transfer this Agreement, or the rights or obligations hereunder, in whole or in part, including the right to receive any payments under this Agreement, (a) to an affiliate controlling, controlled by or under common control with such Party or (b) to any third party in connection with a merger or acquisition of such Party or a sale of all or substantially all of its assets Upon receipt of any such notice, the Party receiving notice may, in its sole discretion, terminate this Agreement immediately upon written notice to the other Party. Subject to the foregoing, this Agreement will benefit and bind the permitted successors and assigns of the Parties.
13.7 Relationship of Parties. The Parties to this Agreement are independent contractors and nothing in this Agreement contained will be deemed to create a joint venture, or partnership between the Parties in this Agreement. Nothing in this Agreement may be construed to give either Party the power to direct or control the daytoday activities of the other Party and no Party will have any power to create or assume any obligation on behalf of the other Party for any purpose whatsoever.
13.8 Interpretation. Any headings contained in this Agreement are for convenience only and will not be employed in interpreting this Agreement. The Parties and their respective counsel have negotiated this Agreement. This Agreement will be interpreted fairly in accordance with its terms and conditions and without any strict construction in favor of or against either Party. This contract is written in English and, if it is translated into any other language, the English-language version controls.
13.9 Counterparts; Fax Signature. This Agreement may be executed in counterparts, each of which will be deemed an original hereof and all of which together will constitute one and the same instrument. This Agreement may be executed by facsimile signature by either Party and such signature shall be deemed binding for all purposes hereof, without delivery of an original signature being thereafter required.
13.10 Entire Agreement. This Agreement, including the exhibits, constitutes the entire agreement between the Parties with respect to the subject matter to this Agreement, and supersedes and replaces all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter.
IN WITNESS WHEREOF, the Parties hereto have caused this Agreement to be executed by their duly authorized representatives as of the Effective Date.
AGREED TO AND ACCEPTED BY:
|
AGREED TO AND ACCEPTED BY:
|
Animax Broadcast Japan Inc.:
By:_________________________________________
Authorized Signature
_____________________________________________
Printed Name
______________________________________________
Title
______________________________________________
Date
|
Videology Media Technologies PTE LTD:
By:___________________________________________
Authorized Signature
______________________________________________
Printed Name
_______________________________________________
Title
_______________________________________________
Date
|
|
|
|
|
EXHIBIT 1
LIST OF ANIMAX PROPERTIES
Animax
Animax Official site
http://www.animax.co.jp/
Animax PLUS
http://plus.animax.co.jp/
This Exhibit 1 may be amended or modified from time to time in writing by Media Company as approved by VMT.
EXHIBIT 2
RESTRICTED AD CATEGORIES AND GUIDELINES
1. Restricted Ad Categories and Guidelines.
A . Alcoholic Beverages: Media Company will accept advertising for alcoholic beverages as long as it meets country-specific guidelines.
B. Gambling: Any advertisement promoting any form of gambling or casino play (a) may not depict actual money; and (b) may promote a Web Site only if and to the extent such Web Site does not permit actual gambling and/or link to a site at which actual gambling may be conducted. Scheduling restrictions may occur.
C. Contests or Sweepstakes: Any advertisement promoting any contest or sweepstakes must be submitted to Media Company together with all applicable contest and/or sweepstakes rules.
D. Motion Pictures: Any advertisement promoting a motion picture must adhere to local rules – for example, US advertising must include a visual graphic indicating the MPAA rating for the film. Advertisements promoting motion pictures rated something equivalent to the MPAA NC-17 rating will be considered on a case-by-case basis, and, if accepted, will likely be subject to scheduling restrictions at Media Company’s discretion. Motion pictures rated something equivalent to R and those Not Yet Rated will be restricted to content where Media Company reasonably believe the majority of viewers are expected to be at least 17 years old or older.
E. Video Games: Any advertisement promoting a video game must adhere to local rules – for example, US advertising must include a visual graphic of and audio reference to the ESRB rating for the game. Advertisements promoting video games rated AO and/or Not Yet Rated are subject to review prior to air, and if accepted, will likely be subject to scheduling restrictions at Media Company’s discretion.
F. Competitive Advertising: Media Company will accept competitive advertising on a case-by-case basis; provided that VMT shall at all times have the right to include advertisements for any product or service of Media Company, without exception. For purposes of this Agreement and Exhibit B, Competitive Advertising shall include the VOD servicess provided by the following operators: CS/BS animation channels and animation productions. . Notwithstanding the foregoing, other VOD service operators may be added to the Agreement with VMT’s prior written approval, which written approval shall not be unreasonably withheld.
G. Strictly Prohibited Categories: Media Company will not accept any advertisements promoting pornography, tobacco products, illegal drugs, premium rate phone numbers and/or firearms.
H. Additional Policies: Without limitation of any of the foregoing, VMT will not sell Creatives in violation of any of Media Company’s additional advertising standards and policies as communicated in writing thirty (30) days in advance to VMT from time to time, provided that such standards and policies are generally applicable to all advertisers and VMT.
EXHIBIT 3
INSURANCE REQUIRMENTS
1. VMT shall, at its own expense, procure and maintain the following insurance coverage, which insurance coverage shall be maintained in full force and effect until all obligations under this Agreement are completed:
1.1 A Commercial General Liability Insurance Policy with a limit of not less than $2 million per occurrence and $2 million in the aggregate, including Contractual Liability.
1.2 Professional Liability to include MultiMedia Errors & Omissions Insurance including personal and advertising injury with limits of not less than $1 million for each occurrence and $2 million in the aggregate.
(An Umbrella or Following Form Excess Liability Insurance Policy will be acceptable to achieve the liability limits required in clauses 1.1 and 1.2 above)
The policies referenced in the foregoing clauses 1.1 and 1.2 shall name Animax Broadcast Japan, Inc., its parent(s), subsidiaries, licensees, successors, related and affiliated companies, and its officers, directors, employees, agents, representatives and assigns as an additional insured by endorsement. The above referenced policy in clause 1.1 shall be primary insurance in place and stead of any insurance maintained by Media Company, but only to the extent that VMT is negligent in causing the claim or loss, and shall contain a Severability of Interest Clause. VMT’s insurance companies shall be licensed to do business in the state(s) or country(ies) where services are to be performed for Media Company and will have an A.M. Best Guide Rating of at least A:VII or better. VMT is solely responsible for all deductibles and/or self-insured retentions under their policies.
3. VMT agrees to deliver to Media Company upon execution of this Agreement Certificates of Insurance and endorsements evidencing the insurance coverage herein required. Each such Certificate of Insurance and endorsement shall be signed by an authorized agent or insurance underwriter of the applicable insurance company, shall provide that not less than thirty (30) days prior written notice of cancellation is to be given to Media Company prior to cancellation or non-renewal, and shall state that such insurance policies are primary and non-contributing to any insurance maintained by Media Company.
EXHIBIT 4
Information Security Program Safeguards
In the event that VMT requests, in writing, for Media Company to send to VMT PII, VMT shall be responsible for implementing and maintaining the following (directly by VMT and/or through its subcontractors, as applicable):
PERSONAL DATA PRIVACY
Definition – For purposes of this Agreement, “Personal Data” means individually identifiable information from or about an individual including, but not limited to, (i) social security number; (ii) credit or debit card information, including card number, expiration date and data stored on the magnetic strip of a credit or debit card; (iii) financial account information, including the ABA routing number, bank account number and retirement account number; (iv) driver’s license, passport, or taxpayer, military or state identification number; (v) medical, health or disability information, including insurance policy numbers, (vi) passwords, fingerprints or biometric data, or (vii) other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone number.
Personal Data Usage – To the extent that Media Company provides to VMT, or VMT otherwise accesses, Personal Data about Media Company’s employees, customers or other individuals in connection with this Agreement, (i) VMT shall only use Personal Data for the purposes of fulfilling its obligations under this Agreement, and VMT will not disclose or otherwise process such Personal Data except upon Media Company’s instructions in writing; (ii) VMT will notify Media Company in writing and obtain Media Company’s consent before sharing any Personal Data with any government authorities or other third parties; (iii) comply with relevant local data privacy laws, and (iv) VMT agrees to adhere to additional contractual terms and conditions related to Personal Data as Media Company may instruct in writing that Media Company deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements.
Unauthorized Disclosure – In the event that (i) any Personal Data is disclosed by VMT (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) VMT (including its agents or subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data has occurred (“Privacy Incident”), VMT shall notify Media Company immediately in writing of any such Privacy Incident. VMT shall cooperate fully in the investigation of the Privacy Incident, indemnify Media Company for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such incident, and remedy any harm or potential harm caused by such incident.
Remediation – To the extent that a Privacy Incident gives rise to a need, in Media Company’s sole judgment, to (i) provide notification to public authorities, individuals or other persons, or (ii) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a “Remedial Action”)), at Media Company’s request, VMT shall, at VMT’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Media Company in its sole discretion.
INFORMATION SECURITY
(a) Physical Security
(1) Physical Security and Access Control – Safeguards to (i) maintain all systems hosting Media Company Personal Data and/or providing services on behalf of Media Company in a physically secure environment that provides an unbroken barrier to unauthorized access, (ii) restrict access to physical locations containing Personal Data, such as buildings, computer facilities, and records storage facilities, only to authorized individuals, and (iii) detect and respond to any unauthorized access that may occur.
(2) Physical Security for Media – Appropriate procedures and measures to prevent the unauthorized viewing, copying, alteration or removal of, all media containing Personal Data, wherever located.
(3) Media Destruction – Appropriate procedures and measures to destroy (subject to applicable record retention requirements) removable media containing Personal Data when no longer used or, alternatively, to render Personal Data on such removable media unintelligible and not capable of reconstruction by any technical means before re-use of such removable media is allowed.
(4) Environmental Hazards – Measures to protect against destruction, loss, or damage of Personal Data or information relating thereto due to potential environmental hazards, such as fire or water damage or technological failures, as well as uninterruptible power supply (UPS) to ensure constant and steady supply of electricity.
(b) Technical Security
(1) Access Controls on Information Systems – Appropriate procedures and measures to control access to all systems hosting Personal Data and/or providing services on behalf of Media Company (“Systems”) through the use of physical and logical access control systems, grant access only to authorized individuals and, based on the principle of least privileges, prevent unauthorized persons from gaining access to Personal Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events, including:
(i) Access Rights Policies – Policies and procedures regarding the granting of access rights to Personal Data to permit only the appropriate personnel to create, modify or cancel the rights of access of VMT’s employees, agents and subcontractors. Such policies and procedures must ensure that only designated information asset owners and their delegates may authorize and grant access to Personal Data. Systems or applications that can be used to access Personal Data must have strong passwords. On a monthly basis, VMT shall conduct reviews to ensure compliance with this Section (b)(1)(i).
(ii) Authorization Procedures for Persons Entitled Access – Appropriate procedures to establish and configure authorization profiles in order to enable personnel to have access to Personal Data to the extent that they need to know the data to perform their duties, and to enable access to more sensitive classifications of Personal Data only within the scope and to the extent covered by their respective access permission.
(iii) Authentication Credentials and Procedures – Appropriate procedures for authentication of authorized personnel, including use of Media Company approved authentication to access any Personal Data on Media Company’s networks or other systems.
(iv) Remote Access – Appropriate procedures and measures to prevent personnel performing remote system support from accessing Personal Data without end-user permission and presence and/or accountability during remote access sessions and subject to all applicable confidentiality obligations.
(v) Access Control via Internet – Appropriate procedures and measures to prevent the Systems or Personal Data from being used by unauthorized persons by means of data transmission equipment via the Internet or otherwise. No "administration" consoles for web server, application and database software will be accessible from the Internet. Any servers that can be used to transmit Personal Data to the Internet shall be configured with firewalls to only expose port 80 and 443 to the Internet.
(vi) Internet-Based Communications/Transmissions – Appropriate procedures and measures to ensure security and integrity of Internet-based email and other communications, including use of encryption, time stamp and other techniques for transmission of sensitive Personal Data or other communications over the Internet. Only secure protocols such as SSL or SFTP may be used to transfer Personal Data on to the web servers and active monitoring of this shall be done to ensure only legitimate uploads and downloads.
(vii) Access Monitoring – Appropriate procedures and measures to monitor all access to Systems and Personal Data, including protocol analyzers for applications, network and servers, only by authorized VMT personnel, and to track additions, alterations, and deletions of Personal Data.
(viii) Intrusion Detection/Prevention and Malware – Appropriate and up-to-date procedures and safeguards to protect Personal Data against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, where appropriate. VMT must make all reasonable attempts to ensure that basic DOS and DDOS measures are in place. VMT must implement active intrusion monitoring systems and monitor logs on a 24*7*365 basis alerting Media Company within 4 hours of any breach detected.
(ix) Program Patching and Vulnerability Remediation – Appropriate procedures and measures to regularly update and patch operating systems, applications and databases to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches. Security patches for high-level vulnerabilities (e.g. vulnerabilities that can result in compromise of server, loss of personal information, brand defacement) must be applied within 24 hours; security patches for non high-level vulnerabilities (e.g. invalid server SSL certificate, server or application misconfigurations) must be applied within 48 hours; and all operating system, web server, and application software security patches must be installed within 10 business days of patch release. VMT must appropriately remediate any known vulnerabilities within a timely manner. If VMT is unable to remediate vulnerabilities in a timely manner, VMT must isolate any systems, applications, and databases from the Internet. Websites or systems that have direct or indirect access to the Internet shall not be opened to the Internet until such vulnerabilities have been fixed.
(2) Additional Application and Website Coding, Security, and Testing Requirements – If any application coding will be performed by VMT in connection with any application that processes or stores (or might allow access to) any Personal Data:
(i) VMT must write code that appropriately addresses known security risks. At a minimum, VMT must comply with any applicable published Open Web Application Security project ("OWASP") security guidelines and must address the current OWASP top ten web application security risks.
(ii) When new code is deployed or existing code modified, VMT must take all reasonable steps to ensure that the code is secure, including appropriate testing from a security vulnerability perspective, prior to going live on the Internet. Full regression testing must also be conducted to ensure that security remains strong across the entire site.
(iii) Captcha technology must be used when designing any website registration page to prevent ‘robot scripts’ from registering false users.
(iv) Any website with a login and password must be designed using strong passwords. All website "reset" password and "forgotten" password features must be designed to use an industry standard secure mechanism to reset user passwords.
(v) Any servers that host Personal Data or websites that provide an interface to access Personal Data must be security hardened using industry best practices, and all operating systems and software configurations (including applications and databases must conform to best industry security practices for such applications and databases).
(3) Data Management Controls
(i) Data Input Control – Appropriate procedures to enable VMT to check and establish whether, when, and by whom Personal Data may have been input into the Systems, or otherwise modified, or removed.
(ii) Data Processing Control – Appropriate procedures and measures intended to limit the processing of Personal Data to the uses permitted under the Agreement.
(iii) Access to Production Data – Appropriate procedures and measures to limit access to production Personal Data to authorized persons requiring such access to perform contracted services and to prevent other access to such Personal Data, except temporary access to production Personal Data to support specific business need.
(iv) Logs – All web server, application and database logs for systems or applications that process or store Personal Data must log sufficient data and information to recreate unauthorized activity. In the event of a breach, such logs must enable the tracing of unauthorized activity from the intrusion point through to table level access in a database. All such logs must be kept for a minimum of 1 year.
(v) Data Encryption – Appropriate procedures and measures to protect Personal Data so that it cannot be read, copied, changed or deleted by unauthorized persons while in storage and while it is being transferred electronically or transferred or saved on data media, including data encryption in storage on portable devices where appropriate in light of the sensitivity of the Personal Data. Any encryption schemes used shall be consistent with the strongest available industry best practices.
(vi) Backup, Retention, and Recovery – Appropriate backup and recovery procedures and measures to safeguard Personal Data from events resulting in the loss of data or in system unavailability from any cause, including but not limited to implementing and testing at least annually an appropriate business continuity and disaster recovery plan (including a data backup plan).
(vii) Secure Disposal – policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read and reconstructed.
Share with your friends: |