
Privacy and Security Terms

These Privacy and Security Terms establish Kyndryl’s and Supplier’s rights and obligations on privacy, security and related matters (the “Terms”). The Terms are incorporated into and made a part of the Statement of Work, Work Authorization, or like document between our companies that refers to them (the “Transaction Document”). The Terms apply to the specific engagement reflected within the Transaction Document.

As a matter of convenience, this webpage allows Supplier to check the boxes below that characterize the facts of the engagement, and by doing so display selected Terms. Depending on those facts, more than one box could be relevant. For clarity, the facts reflected within the Transaction Document solely establish the applicable Terms for the engagement, not those that display from the boxes checked by Supplier below.

NOTE: Suppliers processing data of Kyndryl employees should click box 1 (access to Kyndryl Business Contact Information) and box 2 (access to Personal Data).

In the event of any conflict between the Terms and the Transaction Document or any associated base or other agreement between the parties, including any data processing agreement, the Terms will prevail. Notices required by these Terms will be made in accordance with the notice provisions of the Transaction Document.

Capitalized words used in these Terms have the meanings given in accordance with the Definitions section below.

  Check the boxes that reflect the facts of the Services for this specific engagement:

  1. If so, then Articles I (Business Contact Information) and X (Cooperation, Verification and Remediation) apply to that access.

    Examples:

    • Supplier uses names, email addresses and telephone numbers of Kyndryl or Customer employees for support or maintenance.
    • Kyndryl uses names and email addresses of Supplier employees for authentication to access a Corporate System.

    Note:

    - If Supplier is providing maintenance or support, then Supplier may have access to information beyond BCI (e.g., log files with or without Personal Data), in which case Supplier would also check the box under item 2 (if it will have access to Personal Data) and item 3 (if it will have access to non-Personal Data).

    - If Supplier is processing data of Kyndryl employees, then Supplier would also check the box under item 2 (if it will have access to Personal Data).

    Article I, Business Contact Information

    This Article applies if Supplier or Kyndryl Processes the other's BCI.

    1.1 Kyndryl and Supplier may Process the other’s BCI wherever they do business in connection with Supplier’s delivery of Services and Deliverables.

    1.2 A party:

    (a) will not use or disclose the other party’s BCI for any other purpose (for clarity, neither party will Sell the other’s BCI or use or disclose the other’s BCI for any marketing purpose without the other party’s prior written consent, and where required, the prior written consent of affected Data Subjects), and

    (b) will delete, modify, correct, return, provide information about the Processing of, restrict the Processing of, or take any other reasonably requested action in respect of the other’s BCI, promptly on written request from the other party, whenever any unauthorized use of the personal information occurs, and the party wants to stop processing and remediate.

    1.3 The parties are not entering a joint Controller relationship regarding each other’s BCI and no provision of the Transaction Document will be interpreted or construed as indicating any intent to establish a joint Controller relationship.

    1.4 The Kyndryl Privacy Statement at https://www.kyndryl.com/us/en/privacy contains additional details on Kyndryl’s Processing of BCI.

    1.5 The parties have implemented and will maintain technical and organizational security measures to protect the other’s BCI against loss, destruction, alteration, accidental or unauthorized disclosure, accidental or unauthorized access, and unlawful Processing.

    1.6 Supplier will promptly (and in no event any later than 48 hours) notify Kyndryl after becoming aware of any Security Breach involving Kyndryl’s BCI. Supplier will provide such notification to cyber.incidents@kyndryl.com. Supplier will provide Kyndryl with reasonably requested information about such breach and the status of any Supplier remediation and restoration activities. By way of example, reasonably requested information may include logs demonstrating privileged, administrative, and other access to Devices, systems or applications, forensic images of Devices, systems or applications, and other similar items, to the extent relevant to the breach or Supplier’s remediation and restoration activities.

    1.7 Where Supplier is only Processing Kyndryl’s BCI, and has no access to any other data or materials of any kind or to any Kyndryl Corporate System, this Article and Article X (Cooperation, Verification and Remediation) are the only Articles that apply to such Processing.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12 month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12 month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law. 

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third-parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.

  2. If so, then Articles II (Technical and Organizational Measures, Data Security), III (Privacy), VIII (Technical and Organizational Measures, General Security) and X (Cooperation, Verification and Remediation) apply to that access.

    Examples:

    1. Supplier accesses Personal Data in its delivery of any Hosted Service for Kyndryl’s internal use or use by Customers, or both.
    2. Supplier provides medical or healthcare-related Services, marketing Services or human resources or benefits-related Services, and accesses Personal Data in doing so.
    3. Supplier accesses log files containing Personal Data to provide support Services.

    Article II, Technical and Organizational Measures, Data Security

    This Article applies if Supplier Processes Kyndryl Data, other than Kyndryl’s BCI. Supplier will comply with the requirements of this Article in providing all Services and Deliverables, and by doing so protect Kyndryl Data against loss, destruction, alteration, accidental or unauthorized disclosure, accidental or unauthorized access, and unlawful forms of Processing. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services, including all development, testing, hosting, support, operations, and data center environments.

    1. Data Use

    1.1 Supplier may not add to the Kyndryl Data or include with the Kyndryl Data any other information or data, including any Personal Data, without Kyndryl’s prior written consent, and Supplier may not use Kyndryl Data in any form, aggregated or otherwise, for any purpose other than providing Services and Deliverables (by way of example, Supplier is not permitted to use or reuse Kyndryl Data to evaluate the effectiveness of or means of improving Supplier’s offerings, for research and development to create new offerings, or to generate reports regarding Supplier’s offerings). Unless expressly permitted in the Transaction Document, Supplier is prohibited from Selling Kyndryl Data.

    1.2 Supplier will not embed any web tracking technologies in the Deliverables or as part of the Services (such technologies include HTML5, local storage, third party tags or tokens, and web beacons) unless expressly permitted in the Transaction Document.

    2. Third Party Requests and Confidentiality

    2.1 Supplier will not disclose Kyndryl Data to any third party, unless authorized in advance by Kyndryl in writing. If a government, including any regulator, demands access to Kyndryl Data (e.g., if the U.S. government serves a national security order on Supplier to obtain Kyndryl Data), or if a disclosure of Kyndryl Data is otherwise required by law, Supplier will notify Kyndryl in writing of such demand or requirement and afford Kyndryl a reasonable opportunity to challenge any disclosure (where law prohibits notification, Supplier will take the steps that it reasonably believes are appropriate to challenge the prohibition and disclosure of Kyndryl Data through judicial action or other means).

    2.2 Supplier assures Kyndryl that: (a) only those of its employees who need access to Kyndryl Data to provide Services or Deliverables will have that access, and then only to the extent necessary to provide those Services and Deliverables; and (b) it has bound its employees to confidentiality obligations that require those employees to only use and disclose Kyndryl Data as these Terms permit.

    3. Return or Deletion of Kyndryl Data

    3.1 Supplier will, at Kyndryl’s choice, either delete or return Kyndryl Data to Kyndryl upon termination or expiration of the Transaction Document, or earlier upon request from Kyndryl. If Kyndryl requires deletion, then Supplier will, consistent with Industry Best Practices, render the data unreadable and unable to be reassembled or reconstructed, and will certify the deletion to Kyndryl. If Kyndryl requires the return of Kyndryl Data, then Supplier will do so on Kyndryl’s reasonable schedule and per Kyndryl’s reasonable written instructions.

    Article III, Privacy

    This Article applies if Supplier Processes Kyndryl Personal Data.

    1. Processing

    1.1 Kyndryl appoints Supplier as a Processor to Process Kyndryl Personal Data for the sole purpose of providing the Deliverables and Services in accordance with Kyndryl’s instructions, including those contained in these Terms, the Transaction Document and the associated base agreement between the parties. If Supplier does not accommodate an instruction, Kyndryl may terminate the affected part of the Services on written notice. If Supplier believes an instruction violates a data protection law, Supplier will so inform Kyndryl promptly and within any time frame required by the law. If Supplier fails to comply with any of its obligations under these Terms and that failure causes an unauthorized use of Personal Information, or, in general, in any case of unauthorized use of Personal Information, Kyndryl will have the right to stop the processing and correct the failure and remediate the harmful effects of the unauthorized use, with such performance and remediation at Kyndryl’s reasonable direction and schedule.  

    1.2 Supplier will comply with all data protection laws applicable to the Services and Deliverables.

    1.3 An Exhibit to the Transaction Document, or the Transaction Document itself, sets out the following in respect of Kyndryl Data:

    (a) categories of Data Subjects;

    (b) types of Kyndryl Personal Data;

    (c) data actions and Processing activities;

    (d) duration and frequency of Processing; and

    (e) a list of Subprocessors.

    2. Technical and Organizational Measures

    2.1 Supplier will implement and maintain the technical and organizational measures set forth in Article II (Technical and Organizational Measures, Data Security) and Article VIII (Technical and Organizational Measures, General Security), and by doing so ensure a level of security appropriate to the risk its Services and Deliverables present. Supplier certifies and understands the restrictions in Article II, this Article III, and Article VIII and will comply with them.

    3. Data Subject Rights and Requests

    3.1 Supplier will inform Kyndryl promptly (on a schedule that allows Kyndryl and any Other Controllers to fulfill their legal obligations) of any request from a Data Subject to exercise any Data Subject rights (e.g., rectification, deletion or blocking of data) regarding Kyndryl Personal Data. Supplier may also promptly direct a Data Subject making such a request to Kyndryl. Supplier will not answer any requests from Data Subjects unless it is legally required or instructed by Kyndryl in writing to do so.

    3.2 If Kyndryl is obliged to provide information regarding Kyndryl Personal Data to Other Controllers or other third-parties (e.g., Data Subjects or regulators), Supplier will assist Kyndryl by providing information and taking other reasonable actions that Kyndryl requests, on a schedule that allows Kyndryl to timely respond to such Other Controllers or third-parties.

    4. Subprocessors

    4.1 Supplier will provide Kyndryl with advance written notice before adding a new Subprocessor or expanding the scope of Processing by an existing Subprocessor, with such written notice identifying the name of the Subprocessor and describing the new or expanded scope of Processing. Kyndryl may object to any such new Subprocessor or expanded scope on reasonable grounds at any time, and if it does so, the parties will work together in good faith to address Kyndryl’s objection. Subject to Kyndryl’s right to so object at any time, Supplier may commission the new Subprocessor or expand the scope of Processing of the existing Subprocessor if Kyndryl has not raised an objection within 30 Days of the date of Supplier’s written notice.

    4.2 Supplier will impose the data protection, security and certification obligations set out in these Terms on each approved Subprocessor prior to a Subprocessor Processing any Kyndryl Data. Supplier is fully liable to Kyndryl for performance of each Subprocessor’s obligations.

    5. Transborder Data Processing

    As used below:

    Adequate Country means a country providing an adequate level of data protection with respect to the relevant transfer pursuant to the applicable data protection laws or decisions of regulators.

    Data Importer means either a Processor or a Subprocessor that is not established in an Adequate Country.

    EU Standard Contractual Clauses (“EU SCCs”) means the EU Standard Contractual Clauses (Commission Decision 2021/914) with optional clauses applied except for option 1 of Clause 9(a) and option 2 of Clause 17, as officially published at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

    Serbian Standard Contractual Clauses (“Serbian SCCs”) means the Serbian Standard Contractual Clauses as adopted by the "Serbian Commissioner for Information of Public Importance and Personal Data Protection", published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx.

    Standard Contractual Clauses (“SCCs”) means the contractual clauses required by applicable data protection laws for the transfer of Personal Data to Processors that are not established in Adequate Countries.

    United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as officially published at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

    5.1 Supplier will not transfer or disclose (including by remote access) any Kyndryl Personal Data across borders without Kyndryl’s prior written consent. If Kyndryl provides such consent, the parties will cooperate to ensure compliance with applicable data protection laws. If SCCs are required by those laws, Supplier will promptly enter into the SCCs upon Kyndryl’s request.

    5.2 Regarding EU SCCs:

    (a) If Supplier is not established in an Adequate Country: Supplier is hereby entering into EU SCCs as a Data Importer with Kyndryl, and Supplier will enter into written agreements with each approved Subprocessor, in accordance with Clause 9 of the EU SCCs, and will provide Kyndryl with copies of those agreements upon request.

    (i) Module 1 of the EU SCCs does not apply unless otherwise agreed by the parties in writing.

    (ii) Module 2 of the EU SCCs applies where Kyndryl is a Controller and Module 3 applies where Kyndryl is a Processor. In accordance with Clause 13 of the EU SCCs, when Modules 2 or 3 apply, the parties agree that (1) the EU SCCs will be governed by the law of the EU member state where the competent supervisory authority is located and (2) any disputes arising from the EU SCCs will be resolved in the courts of the EU member state where the competent supervisory authority is located. If such law in (1) does not allow for third-party beneficiary rights, then the EU SCCs shall be governed by the law of the Netherlands and any disputes arising from the EU SCCs under (2) shall be resolved by the court of Amsterdam in the Netherlands.

    (b) If both parties, Supplier and Kyndryl, are established in an Adequate Country, Supplier will act as the Data Exporter and enter into EU SCCs with each approved Subprocessor in a non-Adequate Country. Supplier will perform the Transfer Impact Assessment (TIA) required and notify Kyndryl without undue delay about (1) any need to apply supplementary measures and (2) the measures applied. On request, Supplier will provide the results of the TIA and any information necessary to understand and evaluate the results to Kyndryl. In case Kyndryl disagrees with the results of Supplier’s TIA or the supplementary measures applied, Kyndryl and Supplier will work together to find a feasible solution. Kyndryl retains the right to suspend or terminate Supplier’s services concerned without compensation. For the avoidance of doubt, this does not relieve Supplier’s Subprocessors from the obligation to become party to the EU SCCs with Kyndryl or its Customers as outlined in section 5.2 (d) below.

    (c) If Supplier is established in the European Economic Area and Kyndryl is a Controller not subject to the General Data Protection Regulation 2016/679, then Module 4 of the EU SCCs applies, and Supplier is hereby entering into EU SCCs as a data exporter with Kyndryl. If Module 4 of the EU SCCs applies, the parties agree that the EU SCCs shall be governed by the law of the Netherlands and any disputes arising from the EU SCCs shall be resolved by the court of Amsterdam in the Netherlands.

    (d) If Other Controllers, such as Customers or affiliates, request to become a party to EU SCCs pursuant to the ‘docking clause’ in Clause 7, Supplier hereby agrees to any such request.

    (e) Technical and Organizational Measures required to complete Annex II of the EU SCCs can be found in these Terms, the Transaction Document itself, and the associated base agreement between the parties.

    (f) In the event of any conflict between the EU SCCs and these Terms, the EU SCCs will prevail.

    5.3 Regarding UK Addendum(s):

    (a) If Supplier is not established in an Adequate Country: (i) Supplier is hereby entering into UK Addendum(s) with Kyndryl as an Importer to append to the EU SCCs set out above (as applicable, depending on the circumstances of the processing activities); and (ii) Supplier will enter into written agreements with each approved Subprocessor, and will provide Kyndryl with copies of those agreements upon request.

    (b) If Supplier is established in an Adequate Country, and Kyndryl is a Controller not subject to the UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), then Supplier is hereby entering into UK Addendum(s) as an Exporter with Kyndryl to append to the EU SCCs set out in Section 5.2(b) above.

    (c) If Other Controllers, such as Customers or affiliates, request to become a party to UK Addendum(s), Supplier hereby agrees to any such request.

    (d) Appendix Information (as set out in Table 3) in the UK Addendum(s) can be found in the applicable EU SCCs, these Terms, the Transaction Document itself, and the associated base agreement between the parties. Neither Kyndryl nor Supplier can end the UK Addendum(s) when the UK Addendum changes.

    (e) In the event of any conflict between the UK Addendum(s) and these Terms, the UK Addendum(s) will prevail.

    5.4 Regarding Serbian SCCs:

    (a) If Supplier is not established in an Adequate Country: (i) Supplier is hereby entering into Serbian SCCs with Kyndryl on Supplier’s own behalf as a Processor; and (ii) Supplier will enter into written agreements with each approved Subprocessor, in accordance with Article 8 of the Serbian SCCs, and will provide Kyndryl with copies of those agreements upon request.

    (b) If Supplier is established in an Adequate Country, then Supplier is hereby entering into Serbian SCCs with Kyndryl on behalf of each Subprocessor located in a non-Adequate Country. If Supplier is unable to do so for any such Subprocessor, then Supplier will provide Kyndryl with the Serbian SCCs signed by that Subprocessor for Kyndryl’s countersignature prior to allowing the Subprocessor to Process any Kyndryl Personal Data.

    (c) The Serbian SCCs between Kyndryl and Supplier will serve either as Serbian SCCs between a Controller and Processor or as a back-to-back written agreement between ‘processor’ and ‘sub-processor’, as the facts require. In the event of any conflict between the Serbian SCCs and these Terms, the Serbian SCCs will prevail.

    (d) Information required to complete Appendices 1 to 8 of the Serbian SCCs for the purpose of governing the transfer of Personal Data to a non-Adequate Country can be found in these Terms and in the Exhibit to the Transaction Document, or the Transaction Document itself.

    6. Assistance and Records

    6.1 Taking into account the nature of Processing, Supplier will assist Kyndryl by having appropriate technical and organizational measures to fulfil obligations associated with Data Subject requests and rights. Supplier will also assist Kyndryl in ensuring compliance with obligations relating to the security of Processing, the notification and communication of a Security Breach and the creation of data protection impact assessments, including prior consultation with the responsible regulator, if required, taking into account the information available to Supplier.

    6.2 Supplier will maintain an up-to-date record of the name and contact details of each Subprocessor, including each Subprocessor’s representative and data protection officer. Upon request, Supplier will provide this record to Kyndryl on a schedule that allows Kyndryl to timely respond to any demand from a Customer or other third-party.

    Article VIII, Technical and Organizational Measures, General Security

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl, unless Supplier will only have access to Kyndryl BCI in providing those Services and Deliverables (i.e., Supplier will not Process any other Kyndryl Data or have access to any other Kyndryl Materials or to any Corporate System), Supplier’s only Services and Deliverables are to provide On-Premise Software to Kyndryl, or Supplier provides all of its Services and Deliverables in a staff augmentation model pursuant to Article VII, including Section 1.7 thereof.

    Supplier will comply with the requirements of this Article and by doing so protect: (a) Kyndryl Materials against loss, destruction, alteration, accidental or unauthorized disclosure, and accidental or unauthorized access, (b) Kyndryl Data from unlawful forms of Processing and (c) Kyndryl Technology from unlawful forms of Handling. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services and in Handling Kyndryl Technology, including all development, testing, hosting, support, operations, and data center environments.

    1. Security Policies

    1.1 Supplier will maintain and follow IT security policies and practices that are integral to Supplier’s business, mandatory for all Supplier Personnel, and consistent with Industry Best Practices.

    1.2 Supplier will review its IT security policies and practices at least annually and amend them as Supplier deems necessary to protect the Kyndryl Materials.

    1.3 Supplier will maintain and follow standard, mandatory employment verification requirements for all new employee hires, and extend such requirements to all Supplier Personnel and wholly-owned Supplier subsidiaries. Those requirements will include criminal background checks to the extent permitted by local laws, proof of identity validation, and additional checks that Supplier deems necessary. Supplier will periodically repeat and revalidate these requirements, as it deems necessary.

    1.4 Supplier will provide security and privacy education to its employees annually and require all such employees to certify each year that they will comply with Supplier’s ethical business conduct, confidentiality, and security policies, as set out in Supplier’s code of conduct or similar documents. Supplier will provide additional policy and process training to persons with administrative access to any components of the Services, Deliverables or Kyndryl Materials, with such training specific to their role and support of the Services, Deliverables and Kyndryl Materials, and as necessary to maintain required compliance and certifications.

    1.5 Supplier will design security and privacy measures to protect and maintain the availability of Kyndryl Materials, including through its implementation, maintenance, and compliance with policies and procedures which require security and privacy by design, secure engineering, and secure operations, for all Services and Deliverables and for all Handling of Kyndryl Technology.

    2. Security Incidents

    2.1 Supplier will maintain and follow documented incident response policies consistent with Industry Best Practices for computer security incident handling.

    2.2 Supplier will investigate unauthorized access or unauthorized use of Kyndryl Materials and will define and execute an appropriate response plan.

    2.3 Supplier will promptly (and in no event any later than 48 hours) notify Kyndryl after becoming aware of any Security Breach. Supplier will provide such notification to cyber.incidents@kyndryl.com. Supplier will provide Kyndryl with reasonably requested information about such breach and the status of any Supplier remediation and restoration activities. By way of example, reasonably requested information may include logs demonstrating privileged, administrative, and other access to Devices, systems or applications, forensic images of Devices, systems or applications, and other similar items, to the extent relevant to the breach or Supplier’s remediation and restoration activities.

    2.4 Supplier will provide Kyndryl with reasonable assistance to satisfy any legal obligations (including obligations to notify regulators or Data Subjects) of Kyndryl, Kyndryl affiliates and Customers (and their customers and affiliates) in relation to a Security Breach.

    2.5 Supplier will not inform or notify any third party that a Security Breach directly or indirectly relates to Kyndryl or Kyndryl Materials unless Kyndryl approves doing so in writing or where required by law. Supplier will notify Kyndryl in writing prior to distributing any legally required notification to any third party, where the notification would directly or indirectly reveal Kyndryl’s identity.

    2.6 In case of a Security Breach which arises from Supplier’s breach of any obligation under these Terms:

    (a) Supplier will be responsible for any costs it incurs, as well as actual costs that Kyndryl incurs, in providing notification of the Security Breach to applicable regulators, other government and relevant industry self-regulatory agencies, the media (if required by applicable law), Data Subjects, Customers, and others,

    (b) if Kyndryl requests, Supplier will establish and maintain at Supplier’s own expense a call-center to respond to questions from Data Subjects about the Security Breach and its consequences, for 1 year after the date on which such Data Subjects were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection. Kyndryl and Supplier will work together to create the scripts and other materials to be used by call-center staff when responding to inquiries. Alternatively, on written notice to Supplier, Kyndryl may establish and maintain its own call-center, in lieu of having Supplier establish a call-center, and Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in establishing and maintaining such call-center, and

    (c) Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in providing credit monitoring and credit restoration services for 1 year after the date on which individuals affected by the breach who choose to register for such services were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection.

    3. Physical Security and Entry Control (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials).

    3.1 Supplier will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Facilities.

    3.2 Supplier will require authorized approval for access to Facilities and controlled areas within Facilities, including any temporary access, and will limit access by job role and business need. If Supplier grants temporary access, its authorized employee will escort any visitor while in the Facility and any controlled areas.

    3.3 Supplier will implement physical access controls, including multi-factor access controls that are consistent with Industry Best Practices, to appropriately restrict entrance to controlled areas within Facilities, will log all entry attempts, and retain such logs for at least one year.

    3.4 Supplier will revoke access to Facilities and controlled areas within Facilities upon (a) separation of an authorized Supplier employee or (b) the authorized Supplier employee no longer having a valid business need for access. Supplier will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.

    3.5 Supplier will take precautions to protect all physical infrastructure used to support the Services and Deliverables and the Handling of Kyndryl Technology against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

    4. Access, Intervention, Transfer, and Separation Control

    4.1 Supplier will maintain documented security architecture of networks that it manages in its operation of the Services, its provision of Deliverables and its Handling of Kyndryl Technology. Supplier will separately review such network architecture, and employ measures to prevent unauthorized network connections to systems, applications, and network devices, for compliance with secure segmentation, isolation, and defense in-depth standards. Supplier may not use wireless technology in its hosting and operations of any Hosted Services; otherwise, Supplier may use wireless networking technology in its delivery of Services and Deliverables and in its Handling of Kyndryl Technology, but Supplier will encrypt and require secure authentication for any such wireless networks.

    4.2 Supplier will maintain measures that are designed to logically separate and prevent Kyndryl Materials from being exposed to or accessed by unauthorized persons. Further, Supplier will maintain appropriate isolation of its production, non-production, and other environments, and, if Kyndryl Materials are already present within or are transferred to a non-production environment (for example to reproduce an error), then Supplier will ensure that the security and privacy protections in the non-production environment are equal to those in the production environment.

    4.3 Supplier will encrypt Kyndryl Materials in transit and at rest (unless Supplier demonstrates to Kyndryl’s reasonable satisfaction that encrypting Kyndryl Materials at rest is technically infeasible). Supplier will also encrypt all physical media, if any, such as media containing backup files. Supplier will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use associated with data encryption. Supplier will ensure that the specific cryptographic methods used for such encryption align with Industry Best Practices (such as NIST SP 800-131a).

    4.4 If Supplier requires access to Kyndryl Materials, Supplier will restrict and limit such access to the least level required to provide and support the Services and Deliverables. Supplier will require that such access, including administrative access to any underlying components (i.e., privileged access), will be individual, role based, and subject to approval and regular validation by authorized Supplier employees following segregation of duty principles. Supplier will maintain measures to identify and remove redundant and dormant accounts. Supplier will also revoke accounts with privileged access within twenty-four (24) hours after the account owner’s separation or the request by Kyndryl or any authorized Supplier employee, such as the account owner’s manager.

    4.5 Consistent with Industry Best Practices, Supplier will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases. Additionally, Supplier will utilize multi-factor authentication for all non-console based privileged access to any Kyndryl Materials.

    4.6 Supplier will monitor use of privileged access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity, (b) facilitate a timely and appropriate response to such access and activity, and (c) enable audits by Supplier, Kyndryl (pursuant to its verification rights in these Terms and audit rights in the Transaction Document or associated base or other related agreement between the parties) and others of compliance with documented Supplier policy.

    4.7 Supplier will retain logs in which it records, in compliance with Industry Best Practices, all administrative, user, or other access or activity to or with respect to systems used in providing Services or Deliverables and in Handling Kyndryl Technology (and will provide those logs to Kyndryl upon request). Supplier will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

    4.8 Supplier will maintain computing protections for systems that it owns or manages, including end-user systems, and that it uses in providing Services or Deliverables or in Handling Kyndryl Technology, with such protections including: endpoint firewalls, full disk encryption, signature and non-signature based endpoint detection and response technologies to address malware and advanced persistent threats, time based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In addition, Supplier will implement technical and operational controls that ensure only known and trusted end-user systems are allowed to use Supplier networks.

    4.9 Consistent with Industry Best Practices, Supplier will maintain protections for data center environments where Kyndryl Materials are present or processed, with such protections including intrusion detection and prevention and denial of service attack countermeasures and mitigation.

    5. Service and Systems Integrity and Availability Control

    5.1 Supplier will: (a) perform security and privacy risk assessments at least annually, (b) perform security testing and assess vulnerabilities, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter as it concerns Services and Deliverables and annually with respect to its Handling of Kyndryl Technology, (c) enlist a qualified independent third-party to perform penetration testing consistent with Industry Best Practices at least annually, with such testing including both automated and manual testing, (d) perform automated management and routine verification of compliance with security configuration requirements for each component of the Services and Deliverables and with respect to its Handling of Kyndryl Technology, and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Supplier will take reasonable steps to avoid disruption of Services when performing its tests, assessments, scans, and execution of remediation activities. Upon Kyndryl’s request, Supplier will provide Kyndryl with a written summary of Supplier’s then-most recent penetration testing activities, which report will at a minimum include the name of the offerings covered by the testing, the number of systems or applications in-scope for the testing, the dates of the testing, the methodology used in the testing, and a high-level summary of findings.

    5.2 Supplier will maintain policies and procedures designed to manage risks associated with the application of changes to the Services or Deliverables or to the Handling of Kyndryl Technology. Prior to implementing such a change, including to affected systems, networks, and underlying components, Supplier will document in a registered change request: (a) a description of and reason for the change, (b) implementation details and schedule, (c) a risk statement addressing impact to the Services and Deliverables, customers of the Services, or Kyndryl Materials, (d) expected outcome, (e) rollback plan, and (f) approval by authorized Supplier employees.

    5.3 Supplier will maintain an inventory of all IT assets it uses in operating the Services, providing Deliverables and in Handling Kyndryl Technology. Supplier will continuously monitor and manage the health (including capacity) and availability of such IT assets, Services, Deliverables and Kyndryl Technology, including the underlying components of such assets, Services, Deliverables and Kyndryl Technology.

    5.4 Supplier will build all systems that it uses in the development or operation of Services and Deliverables and in its Handling of Kyndryl Technology from predefined system security images or security baselines, which satisfy Industry Best Practices, such as the Center for Internet Security (CIS) benchmarks.

    5.5 Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to business continuity, Supplier will separately assess each Service and Deliverable and each IT system used in Handling Kyndryl Technology for business and IT continuity and disaster recovery requirements pursuant to documented risk management guidelines. Supplier will ensure that each such Service, Deliverable and IT system has, to the extent warranted by such risk assessment, separately defined, documented, maintained, and annually validated business and IT continuity and disaster recovery plans consistent with Industry Best Practices. Supplier will ensure that such plans are designed to deliver the specific recovery times that are set forth in Section 5.6 below.

    5.6 The specific recovery point objectives (“RPO”) and recovery time objectives (“RTO”) with respect to any Hosted Service are: 24 hours RPO and 24 hours RTO; nevertheless, Supplier will comply with any shorter duration RPO or RTO that Kyndryl has committed to a Customer, promptly after Kyndryl notifies Supplier in writing of such shorter duration RPO or RTO (an email constitutes a writing). As it concerns all other Services provided by Supplier to Kyndryl, Supplier will ensure that its business continuity and disaster recovery plans are designed to deliver RPO and RTO that enable Supplier to remain in compliance with all of its obligations to Kyndryl under the Transaction Document and associated base agreement between the parties, and these Terms, including its obligations to timely provide testing, support, and maintenance.

    5.7 Supplier will maintain measures designed to assess, test, and apply security advisory patches to the Services and Deliverables and associated systems, networks, applications, and underlying components within the scope of those Services and Deliverables, as well as the systems, networks, applications, and underlying components used to Handle Kyndryl Technology. Upon determining that a security advisory patch is applicable and appropriate, Supplier will implement the patch pursuant to documented severity and risk assessment guidelines. Supplier’s implementation of security advisory patches will be subject to its change management policy.

    5.8 If Kyndryl has a reasonable basis for believing that hardware or software that Supplier provides to Kyndryl may contain intrusive elements, such as spyware, malware, or malicious code, then Supplier will timely cooperate with Kyndryl in investigating and remediating Kyndryl’s concerns.

    6. Service Provisioning

    6.1 Supplier will support industry common methods of federated authentication for any Kyndryl user or Customer accounts, with Supplier following Industry Best Practices in authenticating such Kyndryl user or Customer accounts (such as by Kyndryl centrally managed multi-factor Single Sign-On, using OpenID Connect or Security Assertion Markup Language).

    7. Subcontractors. Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to the retention of subcontractors, Supplier will ensure that any subcontractor performing work for Supplier has instituted governance controls to comply with the requirements and obligations that these Terms place on Supplier.

    8. Physical Media. Supplier will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with Industry Best Practices for media sanitization.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12 month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12 month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law.

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.

  3. If so, then Articles II (Technical and Organizational Measures, Data Security), VIII (Technical and Organizational Measures, General Security) and X (Cooperation, Verification and Remediation) apply to that access.

    Examples:

    1. Supplier stores, transmits, has access to or otherwise Processes non-Personal Data that Kyndryl or Customers provide to Supplier.

    Article II, Technical and Organizational Measures, Data Security

    This Article applies if Supplier Processes Kyndryl Data, other than Kyndryl’s BCI. Supplier will comply with the requirements of this Article in providing all Services and Deliverables, and by doing so protect Kyndryl Data against loss, destruction, alteration, accidental or unauthorized disclosure, accidental or unauthorized access, and unlawful forms of Processing. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services, including all development, testing, hosting, support, operations, and data center environments.

    1. Data Use

    1.1 Supplier may not add to the Kyndryl Data or include with the Kyndryl Data any other information or data, including any Personal Data, without Kyndryl’s prior written consent, and Supplier may not use Kyndryl Data in any form, aggregated or otherwise, for any purpose other than providing Services and Deliverables (by way of example, Supplier is not permitted to use or reuse Kyndryl Data to evaluate the effectiveness of or means of improving Supplier’s offerings, for research and development to create new offerings, or to generate reports regarding Supplier’s offerings). Unless expressly permitted in the Transaction Document, Supplier is prohibited from Selling Kyndryl Data.

    1.2 Supplier will not embed any web tracking technologies in the Deliverables or as part of the Services (such technologies include HTML5, local storage, third party tags or tokens, and web beacons) unless expressly permitted in the Transaction Document.

    2. Third Party Requests and Confidentiality

    2.1 Supplier will not disclose Kyndryl Data to any third party, unless authorized in advance by Kyndryl in writing. If a government, including any regulator, demands access to Kyndryl Data (e.g., if the U.S. government serves a national security order on Supplier to obtain Kyndryl Data), or if a disclosure of Kyndryl Data is otherwise required by law, Supplier will notify Kyndryl in writing of such demand or requirement and afford Kyndryl a reasonable opportunity to challenge any disclosure (where law prohibits notification, Supplier will take the steps that it reasonably believes are appropriate to challenge the prohibition and disclosure of Kyndryl Data through judicial action or other means).

    2.2 Supplier assures Kyndryl that: (a) only those of its employees who need access to Kyndryl Data to provide Services or Deliverables will have that access, and then only to the extent necessary to provide those Services and Deliverables; and (b) it has bound its employees to confidentiality obligations that require those employees to only use and disclose Kyndryl Data as these Terms permit.

    3. Return or Deletion of Kyndryl Data

    3.1 Supplier will, at Kyndryl’s choice, either delete or return Kyndryl Data to Kyndryl upon termination or expiration of the Transaction Document, or earlier upon request from Kyndryl. If Kyndryl requires deletion, then Supplier will, consistent with Industry Best Practices, render the data unreadable and unable to be reassembled or reconstructed, and will certify the deletion to Kyndryl. If Kyndryl requires the return of Kyndryl Data, then Supplier will do so on Kyndryl’s reasonable schedule and per Kyndryl’s reasonable written instructions.

    Article VIII, Technical and Organizational Measures, General Security

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl, unless Supplier will only have access to Kyndryl BCI in providing those Services and Deliverables (i.e., Supplier will not Process any other Kyndryl Data or have access to any other Kyndryl Materials or to any Corporate System), Supplier’s only Services and Deliverables are to provide On-Premise Software to Kyndryl, or Supplier provides all of its Services and Deliverables in a staff augmentation model pursuant to Article VII, including Section 1.7 thereof.

    Supplier will comply with the requirements of this Article and by doing so protect: (a) Kyndryl Materials against loss, destruction, alteration, accidental or unauthorized disclosure, and accidental or unauthorized access, (b) Kyndryl Data from unlawful forms of Processing and (c) Kyndryl Technology from unlawful forms of Handling. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services and in Handling Kyndryl Technology, including all development, testing, hosting, support, operations, and data center environments.

    1. Security Policies

    1.1 Supplier will maintain and follow IT security policies and practices that are integral to Supplier’s business, mandatory for all Supplier Personnel, and consistent with Industry Best Practices.

    1.2 Supplier will review its IT security policies and practices at least annually and amend them as Supplier deems necessary to protect the Kyndryl Materials.

    1.3 Supplier will maintain and follow standard, mandatory employment verification requirements for all new employee hires, and extend such requirements to all Supplier Personnel and wholly-owned Supplier subsidiaries. Those requirements will include criminal background checks to the extent permitted by local laws, proof of identity validation, and additional checks that Supplier deems necessary. Supplier will periodically repeat and revalidate these requirements, as it deems necessary.

    1.4 Supplier will provide security and privacy education to its employees annually and require all such employees to certify each year that they will comply with Supplier’s ethical business conduct, confidentiality, and security policies, as set out in Supplier’s code of conduct or similar documents. Supplier will provide additional policy and process training to persons with administrative access to any components of the Services, Deliverables or Kyndryl Materials, with such training specific to their role and support of the Services, Deliverables and Kyndryl Materials, and as necessary to maintain required compliance and certifications.

    1.5 Supplier will design security and privacy measures to protect and maintain the availability of Kyndryl Materials, including through its implementation, maintenance, and compliance with policies and procedures which require security and privacy by design, secure engineering, and secure operations, for all Services and Deliverables and for all Handling of Kyndryl Technology.

    2. Security Incidents

    2.1 Supplier will maintain and follow documented incident response policies consistent with Industry Best Practices for computer security incident handling.

    2.2 Supplier will investigate unauthorized access or unauthorized use of Kyndryl Materials and will define and execute an appropriate response plan.

    2.3 Supplier will promptly (and in no event any later than 48 hours) notify Kyndryl after becoming aware of any Security Breach. Supplier will provide such notification to cyber.incidents@kyndryl.com. Supplier will provide Kyndryl with reasonably requested information about such breach and the status of any Supplier remediation and restoration activities. By way of example, reasonably requested information may include logs demonstrating privileged, administrative, and other access to Devices, systems or applications, forensic images of Devices, systems or applications, and other similar items, to the extent relevant to the breach or Supplier’s remediation and restoration activities.

    2.4 Supplier will provide Kyndryl with reasonable assistance to satisfy any legal obligations (including obligations to notify regulators or Data Subjects) of Kyndryl, Kyndryl affiliates and Customers (and their customers and affiliates) in relation to a Security Breach.

    2.5 Supplier will not inform or notify any third party that a Security Breach directly or indirectly relates to Kyndryl or Kyndryl Materials unless Kyndryl approves doing so in writing or where required by law. Supplier will notify Kyndryl in writing prior to distributing any legally required notification to any third party, where the notification would directly or indirectly reveal Kyndryl’s identity.

    2.6 In case of a Security Breach which arises from Supplier’s breach of any obligation under these Terms:

    (a) Supplier will be responsible for any costs it incurs, as well as actual costs that Kyndryl incurs, in providing notification of the Security Breach to applicable regulators, other government and relevant industry self-regulatory agencies, the media (if required by applicable law), Data Subjects, Customers, and others,

    (b) if Kyndryl requests, Supplier will establish and maintain at Supplier’s own expense a call-center to respond to questions from Data Subjects about the Security Breach and its consequences, for 1 year after the date on which such Data Subjects were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection. Kyndryl and Supplier will work together to create the scripts and other materials to be used by call-center staff when responding to inquiries. Alternatively, on written notice to Supplier, Kyndryl may establish and maintain its own call-center, in lieu of having Supplier establish a call-center, and Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in establishing and maintaining such call-center, and

    (c) Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in providing credit monitoring and credit restoration services for 1 year after the date on which individuals affected by the breach who choose to register for such services were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection.

    3. Physical Security and Entry Control (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials).

    3.1 Supplier will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Facilities.

    3.2 Supplier will require authorized approval for access to Facilities and controlled areas within Facilities, including any temporary access, and will limit access by job role and business need. If Supplier grants temporary access, its authorized employee will escort any visitor while in the Facility and any controlled areas.

    3.3 Supplier will implement physical access controls, including multi-factor access controls that are consistent with Industry Best Practices, to appropriately restrict entrance to controlled areas within Facilities, will log all entry attempts, and retain such logs for at least one year.

    3.4 Supplier will revoke access to Facilities and controlled areas within Facilities upon (a) separation of an authorized Supplier employee or (b) the authorized Supplier employee no longer having a valid business need for access. Supplier will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.

    3.5 Supplier will take precautions to protect all physical infrastructure used to support the Services and Deliverables and the Handling of Kyndryl Technology against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

    4. Access, Intervention, Transfer, and Separation Control

    4.1 Supplier will maintain documented security architecture of networks that it manages in its operation of the Services, its provision of Deliverables and its Handling of Kyndryl Technology. Supplier will separately review such network architecture, and employ measures to prevent unauthorized network connections to systems, applications, and network devices, for compliance with secure segmentation, isolation, and defense-in-depth standards. Supplier may not use wireless technology in its hosting and operations of any Hosted Services; otherwise, Supplier may use wireless networking technology in its delivery of Services and Deliverables and in its Handling of Kyndryl Technology, but Supplier will encrypt and require secure authentication for any such wireless networks.

    4.2 Supplier will maintain measures that are designed to logically separate and prevent Kyndryl Materials from being exposed to or accessed by unauthorized persons. Further, Supplier will maintain appropriate isolation of its production, non-production, and other environments, and, if Kyndryl Materials are already present within or are transferred to a non-production environment (for example to reproduce an error), then Supplier will ensure that the security and privacy protections in the non-production environment are equal to those in the production environment.

    4.3 Supplier will encrypt Kyndryl Materials in transit and at rest (unless Supplier demonstrates to Kyndryl’s reasonable satisfaction that encrypting Kyndryl Materials at rest is technically infeasible). Supplier will also encrypt all physical media, if any, such as media containing backup files. Supplier will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use associated with data encryption. Supplier will ensure that the specific cryptographic methods used for such encryption align with Industry Best Practices (such as NIST SP 800-131a).

    4.4 If Supplier requires access to Kyndryl Materials, Supplier will restrict and limit such access to the least level required to provide and support the Services and Deliverables. Supplier will require that such access, including administrative access to any underlying components (i.e., privileged access), will be individual, role-based, and subject to approval and regular validation by authorized Supplier employees following segregation of duty principles. Supplier will maintain measures to identify and remove redundant and dormant accounts. Supplier will also revoke accounts with privileged access within twenty-four (24) hours after the account owner’s separation or the request by Kyndryl or any authorized Supplier employee, such as the account owner’s manager.

    4.5 Consistent with Industry Best Practices, Supplier will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases. Additionally, Supplier will utilize multi-factor authentication for all non-console-based privileged access to any Kyndryl Materials.

    4.6 Supplier will monitor use of privileged access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity, (b) facilitate a timely and appropriate response to such access and activity, and (c) enable audits by Supplier, Kyndryl (pursuant to its verification rights in these Terms and audit rights in the Transaction Document or associated base or other related agreement between the parties) and others of compliance with documented Supplier policy.

    4.7 Supplier will retain logs in which it records, in compliance with Industry Best Practices, all administrative, user, or other access or activity to or with respect to systems used in providing Services or Deliverables and in Handling Kyndryl Technology (and will provide those logs to Kyndryl upon request). Supplier will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

    4.8 Supplier will maintain computing protections for systems that it owns or manages, including end-user systems, and that it uses in providing Services or Deliverables or in Handling Kyndryl Technology, with such protections including: endpoint firewalls, full disk encryption, signature- and non-signature-based endpoint detection and response technologies to address malware and advanced persistent threats, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In addition, Supplier will implement technical and operational controls that ensure only known and trusted end-user systems are allowed to use Supplier networks.

    4.9 Consistent with Industry Best Practices, Supplier will maintain protections for data center environments where Kyndryl Materials are present or processed, with such protections including intrusion detection and prevention and denial of service attack countermeasures and mitigation.

    5. Service and Systems Integrity and Availability Control

    5.1 Supplier will: (a) perform security and privacy risk assessments at least annually, (b) perform security testing and assess vulnerabilities, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter as it concerns Services and Deliverables and annually with respect to its Handling of Kyndryl Technology, (c) enlist a qualified independent third-party to perform penetration testing consistent with Industry Best Practices at least annually, with such testing including both automated and manual testing, (d) perform automated management and routine verification of compliance with security configuration requirements for each component of the Services and Deliverables and with respect to its Handling of Kyndryl Technology, and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Supplier will take reasonable steps to avoid disruption of Services when performing its tests, assessments, scans, and execution of remediation activities. Upon Kyndryl’s request, Supplier will provide Kyndryl with a written summary of Supplier’s then-most recent penetration testing activities, which report will at a minimum include the name of the offerings covered by the testing, the number of systems or applications in-scope for the testing, the dates of the testing, the methodology used in the testing, and a high-level summary of findings.

    5.2 Supplier will maintain policies and procedures designed to manage risks associated with the application of changes to the Services or Deliverables or to the Handling of Kyndryl Technology. Prior to implementing such a change, including to affected systems, networks, and underlying components, Supplier will document in a registered change request: (a) a description of and reason for the change, (b) implementation details and schedule, (c) a risk statement addressing impact to the Services and Deliverables, customers of the Services, or Kyndryl Materials, (d) expected outcome, (e) rollback plan, and (f) approval by authorized Supplier employees.

    5.3 Supplier will maintain an inventory of all IT assets it uses in operating the Services, providing Deliverables and in Handling Kyndryl Technology. Supplier will continuously monitor and manage the health (including capacity) and availability of such IT assets, Services, Deliverables and Kyndryl Technology, including the underlying components of such assets, Services, Deliverables and Kyndryl Technology.

    5.4 Supplier will build all systems that it uses in the development or operation of Services and Deliverables and in its Handling of Kyndryl Technology from predefined system security images or security baselines, which satisfy Industry Best Practices, such as the Center for Internet Security (CIS) benchmarks.

    5.5 Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to business continuity, Supplier will separately assess each Service and Deliverable and each IT system used in Handling Kyndryl Technology for business and IT continuity and disaster recovery requirements pursuant to documented risk management guidelines. Supplier will ensure that each such Service, Deliverable and IT system has, to the extent warranted by such risk assessment, separately defined, documented, maintained, and annually validated business and IT continuity and disaster recovery plans consistent with Industry Best Practices. Supplier will ensure that such plans are designed to deliver the specific recovery times that are set forth in Section 5.6 below.

    5.6 The specific recovery point objectives (“RPO”) and recovery time objectives (“RTO”) with respect to any Hosted Service are: 24 hours RPO and 24 hours RTO; nevertheless, Supplier will comply with any shorter duration RPO or RTO that Kyndryl has committed to a Customer, promptly after Kyndryl notifies Supplier in writing of such shorter duration RPO or RTO (an email constitutes a writing). As it concerns all other Services provided by Supplier to Kyndryl, Supplier will ensure that its business continuity and disaster recovery plans are designed to deliver RPO and RTO that enable Supplier to remain in compliance with all of its obligations to Kyndryl under the Transaction Document and associated base agreement between the parties, and these Terms, including its obligations to timely provide testing, support, and maintenance.

    5.7 Supplier will maintain measures designed to assess, test, and apply security advisory patches to the Services and Deliverables and associated systems, networks, applications, and underlying components within the scope of those Services and Deliverables, as well as the systems, networks, applications, and underlying components used to Handle Kyndryl Technology. Upon determining that a security advisory patch is applicable and appropriate, Supplier will implement the patch pursuant to documented severity and risk assessment guidelines. Supplier’s implementation of security advisory patches will be subject to its change management policy.

    5.8 If Kyndryl has a reasonable basis for believing that hardware or software that Supplier provides to Kyndryl may contain intrusive elements, such as spyware, malware, or malicious code, then Supplier will timely cooperate with Kyndryl in investigating and remediating Kyndryl’s concerns.

    6. Service Provisioning

    6.1 Supplier will support industry common methods of federated authentication for any Kyndryl user or Customer accounts, with Supplier following Industry Best Practices in authenticating such Kyndryl user or Customer accounts (such as by Kyndryl centrally managed multi-factor Single Sign-On, using OpenID Connect or Security Assertion Markup Language).

    7. Subcontractors. Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to the retention of subcontractors, Supplier will ensure that any subcontractor performing work for Supplier has instituted governance controls to comply with the requirements and obligations that these Terms place on Supplier.

    8. Physical Media. Supplier will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with Industry Best Practices for media sanitization.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12-month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12-month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law.

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.

  4. If so, then Articles IV (Technical and Organizational Measures, Code Security), V (Secure Development), VIII (Technical and Organizational Measures, General Security) and X (Cooperation, Verification and Remediation) apply to that access.

    Examples:

    1. Supplier assumes development responsibilities for a Kyndryl product, and Kyndryl makes its Source Code accessible to Supplier for that development.
    2. Supplier is developing Source Code that Kyndryl will own.

    Article IV, Technical and Organizational Measures, Code Security

    This Article applies if Supplier has access to Kyndryl Source Code. Supplier will comply with the requirements of this Article and by doing so protect Kyndryl Source Code against loss, destruction, alteration, accidental or unauthorized disclosure, accidental or unauthorized access, and unlawful forms of Handling. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services and in Handling Kyndryl Technology, including all development, testing, hosting, support, operations, and data center environments.

    1. Security Requirements

    As used below,

    Prohibited Country means any country: (a) that the US Government has designated as a foreign adversary under the May 15, 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain, (b) listed in accordance with Section 1654 of the U.S. National Defense Authorization Act of 2019, or (c) identified as a “Prohibited Country” in the Transaction Document.

    1.1 Supplier will not distribute or place any Kyndryl Source Code in escrow for the benefit of any third party.

    1.2 Supplier will not permit any Kyndryl Source Code to reside on servers located in a Prohibited Country. Supplier will not permit anyone, including its Personnel, located in a Prohibited Country or visiting a Prohibited Country (for the extent of any such visit), for any reason whatsoever, to access or use any Kyndryl Source Code, regardless of where that Kyndryl Source Code is located globally, and Supplier will not permit any development, testing, or other work to occur in a Prohibited Country that would require such access or use.

    1.3 Supplier will not place or distribute Kyndryl Source Code in any jurisdiction where law or interpretation of law requires disclosure of Source Code to any third party. If there is a change of law or interpretation of law in a jurisdiction where Kyndryl Source Code is located that may cause Supplier to be required to disclose such Source Code to a third party, Supplier will immediately destroy or immediately remove such Kyndryl Source Code from such jurisdiction, and will not place any additional Kyndryl Source Code in such jurisdiction if such law or interpretation of law remains operative.

    1.4 Supplier will not, directly or indirectly, take any action, including entering into any agreement, that would cause Supplier, Kyndryl or any third party to incur a disclosure obligation under Sections 1654 or 1655 of the U.S. National Defense Authorization Act of 2019. For clarity, except as may be expressly permitted in the Transaction Document or associated base agreement between the parties, Supplier is not permitted to disclose Kyndryl Source Code to any third party, under any circumstance, without Kyndryl’s prior written consent.

    1.5 If Kyndryl notifies Supplier, or a third party notifies either party that: (a) Supplier has allowed Kyndryl Source Code to be brought into a Prohibited Country or any jurisdiction subject to Section 1.3 above, (b) Supplier has otherwise released, accessed, or used Kyndryl Source Code in a manner not permitted by the Transaction Document or associated base or other agreement between the parties or (c) Supplier has violated Section 1.4 above, then without limiting Kyndryl’s rights to address such non-compliance at law or in equity or under the Transaction Document or associated base or other agreement between the parties: (i) if such notification is to Supplier, then Supplier will promptly share the notification with Kyndryl; and (ii) Supplier, at Kyndryl’s reasonable direction, will investigate and remediate the matter on the schedule that Kyndryl reasonably determines (after consultation with Supplier).

    1.6 If Kyndryl reasonably believes that changes in Supplier’s policies, procedures, controls, or practices with respect to Source Code access may be necessary to address cyber security, intellectual property theft or similar or related risks (including the risk that without such changes Kyndryl might be restricted from selling to certain Customers or into certain markets or otherwise be unable to satisfy Customer security or supply chain requirements), then Kyndryl may contact Supplier to discuss the actions necessary to address such risks, including changes to such policies, procedures, controls or practices. Upon Kyndryl’s request, Supplier will cooperate with Kyndryl in evaluating whether such changes are necessary and in implementing appropriate, mutually agreed changes.

    Article V, Secure Development

    This Article applies if Supplier will provide its or third-party Source Code or On-Premise Software to Kyndryl, or if any of Supplier’s Deliverables or Services will be provided to a Kyndryl Customer as part of a Kyndryl product or service.

    1. Security Readiness

    1.1 Supplier will cooperate with Kyndryl’s internal processes that assess the security readiness of Kyndryl products and services that are dependent upon any of Supplier’s Deliverables, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    2. Secure Development

    2.1 This Section 2 only applies where Supplier is providing On-Premise Software to Kyndryl.

    2.2 Supplier has implemented and will maintain throughout the term of the Transaction Document, in accordance with Industry Best Practices, the network, platform, system, application, device, physical infrastructure, incident response, and Personnel focused security policies, procedures, and controls that are necessary to protect: (a) the development, build, test and operations systems and environments that Supplier or any third-party engaged by Supplier operates, manages, uses or otherwise relies upon for or with respect to the Deliverables and (b) all Deliverable source code against loss, unlawful forms of handling, and unauthorized access, disclosure, or alteration.

    3. ISO 20243 Certification

    3.1 This Section 3 only applies if any of Supplier’s Deliverables or Services will be provided to a Kyndryl Customer as part of a Kyndryl product or service.

    3.2 Supplier will obtain a certification of compliance with ISO 20243, Information technology, Open Trusted Technology Provider™ Standard (O-TTPS), Mitigating maliciously tainted and counterfeit products (either a self-assessed certification or one based on the assessment of a reputable independent auditor). In the alternative, if Supplier requests in writing and Kyndryl approves in writing, Supplier will obtain a certification of compliance with a substantially equivalent industry standard addressing secure development and supply chain practices (either a self-assessed certification or one based on the assessment of a reputable independent auditor, if and as Kyndryl approves).

    3.3 Supplier will obtain the certification of compliance with ISO 20243 or a substantially equivalent industry standard (if Kyndryl approves in writing) by 180 Days after the effective date of the Transaction Document and then renew the certification every 12 months thereafter (with each renewal against the then most current version of the applicable standard, i.e., ISO 20243 or, where Kyndryl has approved in writing, a substantially equivalent industry standard addressing secure development and supply chain practices).

    3.4 Supplier will, upon request, promptly provide to Kyndryl a copy of the certifications Supplier is obligated to obtain, per Sections 2.1 and 2.2 above.

    4. Security Vulnerabilities

    As used below,

    Error Correction means bug fixes and revisions that correct errors or deficiencies, including Security Vulnerabilities, in Deliverables.

    Mitigation means any known means of lessening or avoiding the risks of a Security Vulnerability.

    Security Vulnerability means a state in the design, coding, development, implementation, testing, operation, support, maintenance, or management of a Deliverable that allows an attack by anyone that could result in unauthorized access or exploitation, including: (a) access to, controlling or disrupting operation of a system, (b) access to, deleting, altering or extracting data or (c) changes of identity, authorizations or permissions of users or administrators. A Security Vulnerability may exist regardless of whether a Common Vulnerabilities and Exposures (CVE) ID or any scoring or official classification is assigned to it.

    4.1 Supplier represents and warrants that it will: (a) use Industry Best Practices to identify Security Vulnerabilities, including through continuous static and dynamic source code application security scanning, open source security scanning and system vulnerability scanning, and (b) comply with the requirements of these Terms to help prevent, detect and correct Security Vulnerabilities in Deliverables and in all IT applications, platforms, and infrastructure in and through which Supplier creates and provides Services and Deliverables.

    4.2 If Supplier becomes aware of a Security Vulnerability in a Deliverable or any such IT application, platform, or infrastructure, Supplier will provide Kyndryl with an Error Correction and Mitigations for all versions and releases of the Deliverables in accordance with the Severity Levels and time frames defined in the tables below:

    Severity Level*

    Emergency Security Vulnerability - is a Security Vulnerability that constitutes a severe and potentially global threat. Kyndryl designates Emergency Security Vulnerabilities in its sole discretion, regardless of CVSS Base Score.

    Critical - is a Security Vulnerability that has a CVSS Base Score from 9 to 10.0

    High - is a Security Vulnerability that has a CVSS Base Score from 7.0 to 8.9

    Medium - is a Security Vulnerability that has a CVSS Base Score from 4.0 to 6.9

    Low - is a Security Vulnerability that has a CVSS Base Score from 0.0 to 3.9

    Time Frames

    Emergency: 4 Days or less, as determined by Kyndryl’s Chief Information Security Office
    Critical:  30 Days
    High:      30 Days
    Medium:    90 Days
    Low:       Per Industry Best Practices

    In any case where a Security Vulnerability does not have a readily assigned CVSS Base Score, Supplier will apply a Severity Level that is appropriate for the nature and circumstances of such vulnerability.

    4.3 For a Security Vulnerability that has been publicly disclosed and for which Supplier has not yet provided any Error Correction or Mitigation to Kyndryl, Supplier will implement any technically feasible additional security controls that may mitigate the risks of the vulnerability.

    4.4 If Kyndryl is dissatisfied with Supplier’s response to any Security Vulnerability in a Deliverable or any application, platform, or infrastructure referenced above, then without prejudice to any other rights of Kyndryl, Supplier will promptly arrange for Kyndryl to discuss its concerns directly with a Supplier Vice President or equivalent executive that is responsible for delivery of the Error Correction.

    4.5 Examples of Security Vulnerabilities include third-party code or end-of-service (EOS) open source code, where these types of code no longer receive security fixes.

    Article VIII, Technical and Organizational Measures, General Security

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl, unless Supplier will only have access to Kyndryl BCI in providing those Services and Deliverables (i.e., Supplier will not Process any other Kyndryl Data or have access to any other Kyndryl Materials or to any Corporate System), Supplier’s only Services and Deliverables are to provide On-Premise Software to Kyndryl, or Supplier provides all of its Services and Deliverables in a staff augmentation model pursuant to Article VII, including Section 1.7 thereof.

    Supplier will comply with the requirements of this Article and by doing so protect: (a) Kyndryl Materials against loss, destruction, alteration, accidental or unauthorized disclosure, and accidental or unauthorized access, (b) Kyndryl Data from unlawful forms of Processing and (c) Kyndryl Technology from unlawful forms of Handling. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services and in Handling Kyndryl Technology, including all development, testing, hosting, support, operations, and data center environments.

    1. Security Policies

    1.1 Supplier will maintain and follow IT security policies and practices that are integral to Supplier’s business, mandatory for all Supplier Personnel, and consistent with Industry Best Practices.

    1.2 Supplier will review its IT security policies and practices at least annually and amend them as Supplier deems necessary to protect the Kyndryl Materials.

    1.3 Supplier will maintain and follow standard, mandatory employment verification requirements for all new employee hires, and extend such requirements to all Supplier Personnel and wholly-owned Supplier subsidiaries. Those requirements will include criminal background checks to the extent permitted by local laws, proof of identity validation, and additional checks that Supplier deems necessary. Supplier will periodically repeat and revalidate these requirements, as it deems necessary.

    1.4 Supplier will provide security and privacy education to its employees annually and require all such employees to certify each year that they will comply with Supplier’s ethical business conduct, confidentiality, and security policies, as set out in Supplier’s code of conduct or similar documents. Supplier will provide additional policy and process training to persons with administrative access to any components of the Services, Deliverables or Kyndryl Materials, with such training specific to their role and support of the Services, Deliverables and Kyndryl Materials, and as necessary to maintain required compliance and certifications.

    1.5 Supplier will design security and privacy measures to protect and maintain the availability of Kyndryl Materials, including through its implementation, maintenance, and compliance with policies and procedures which require security and privacy by design, secure engineering, and secure operations, for all Services and Deliverables and for all Handling of Kyndryl Technology.

    2. Security Incidents

    2.1 Supplier will maintain and follow documented incident response policies consistent with Industry Best Practices for computer security incident handling.

    2.2 Supplier will investigate unauthorized access or unauthorized use of Kyndryl Materials and will define and execute an appropriate response plan.

    2.3 Supplier will promptly (and in no event any later than 48 hours) notify Kyndryl after becoming aware of any Security Breach. Supplier will provide such notification to cyber.incidents@kyndryl.com. Supplier will provide Kyndryl with reasonably requested information about such breach and the status of any Supplier remediation and restoration activities. By way of example, reasonably requested information may include logs demonstrating privileged, administrative, and other access to Devices, systems or applications, forensic images of Devices, systems or applications, and other similar items, to the extent relevant to the breach or Supplier’s remediation and restoration activities.

    2.4 Supplier will provide Kyndryl with reasonable assistance to satisfy any legal obligations (including obligations to notify regulators or Data Subjects) of Kyndryl, Kyndryl affiliates and Customers (and their customers and affiliates) in relation to a Security Breach.

    2.5 Supplier will not inform or notify any third party that a Security Breach directly or indirectly relates to Kyndryl or Kyndryl Materials unless Kyndryl approves doing so in writing or where required by law. Supplier will notify Kyndryl in writing prior to distributing any legally required notification to any third party, where the notification would directly or indirectly reveal Kyndryl’s identity.

    2.6 In case of a Security Breach which arises from Supplier’s breach of any obligation under these Terms:

    (a) Supplier will be responsible for any costs it incurs, as well as actual costs that Kyndryl incurs, in providing notification of the Security Breach to applicable regulators, other government and relevant industry self-regulatory agencies, the media (if required by applicable law), Data Subjects, Customers, and others,

    (b) if Kyndryl requests, Supplier will establish and maintain at Supplier’s own expense a call-center to respond to questions from Data Subjects about the Security Breach and its consequences, for 1 year after the date on which such Data Subjects were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection. Kyndryl and Supplier will work together to create the scripts and other materials to be used by call-center staff when responding to inquiries. Alternatively, on written notice to Supplier, Kyndryl may establish and maintain its own call-center, in lieu of having Supplier establish a call-center, and Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in establishing and maintaining such call-center, and

    (c) Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in providing credit monitoring and credit restoration services for 1 year after the date on which individuals affected by the breach who choose to register for such services were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection.

    3. Physical Security and Entry Control (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials).

    3.1 Supplier will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Facilities.

    3.2 Supplier will require authorized approval for access to Facilities and controlled areas within Facilities, including any temporary access, and will limit access by job role and business need. If Supplier grants temporary access, its authorized employee will escort any visitor while in the Facility and any controlled areas.

    3.3 Supplier will implement physical access controls, including multi-factor access controls that are consistent with Industry Best Practices, to appropriately restrict entrance to controlled areas within Facilities, will log all entry attempts, and retain such logs for at least one year.

    3.4 Supplier will revoke access to Facilities and controlled areas within Facilities upon (a) separation of an authorized Supplier employee or (b) the authorized Supplier employee no longer having a valid business need for access. Supplier will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.

    3.5 Supplier will take precautions to protect all physical infrastructure used to support the Services and Deliverables and the Handling of Kyndryl Technology against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

    4. Access, Intervention, Transfer, and Separation Control

    4.1 Supplier will maintain documented security architecture of networks that it manages in its operation of the Services, its provision of Deliverables and its Handling of Kyndryl Technology. Supplier will separately review such network architecture, and employ measures to prevent unauthorized network connections to systems, applications, and network devices, for compliance with secure segmentation, isolation, and defense-in-depth standards. Supplier may not use wireless technology in its hosting and operations of any Hosted Services; otherwise, Supplier may use wireless networking technology in its delivery of Services and Deliverables and in its Handling of Kyndryl Technology, but Supplier will encrypt and require secure authentication for any such wireless networks.

    4.2 Supplier will maintain measures that are designed to logically separate and prevent Kyndryl Materials from being exposed to or accessed by unauthorized persons. Further, Supplier will maintain appropriate isolation of its production, non-production, and other environments, and, if Kyndryl Materials are already present within or are transferred to a non-production environment (for example to reproduce an error), then Supplier will ensure that the security and privacy protections in the non-production environment are equal to those in the production environment.

    4.3 Supplier will encrypt Kyndryl Materials in transit and at rest (unless Supplier demonstrates to Kyndryl’s reasonable satisfaction that encrypting Kyndryl Materials at rest is technically infeasible). Supplier will also encrypt all physical media, if any, such as media containing backup files. Supplier will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use associated with data encryption. Supplier will ensure that the specific cryptographic methods used for such encryption align with Industry Best Practices (such as NIST SP 800-131A).

    4.4 If Supplier requires access to Kyndryl Materials, Supplier will restrict and limit such access to the least level required to provide and support the Services and Deliverables. Supplier will require that such access, including administrative access to any underlying components (i.e., privileged access), will be individual, role based, and subject to approval and regular validation by authorized Supplier employees following segregation of duty principles. Supplier will maintain measures to identify and remove redundant and dormant accounts. Supplier will also revoke accounts with privileged access within twenty-four (24) hours after the account owner’s separation or the request by Kyndryl or any authorized Supplier employee, such as the account owner’s manager.

    4.5 Consistent with Industry Best Practices, Supplier will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases. Additionally, Supplier will utilize multi-factor authentication for all non-console based privileged access to any Kyndryl Materials.

    4.6 Supplier will monitor use of privileged access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity, (b) facilitate a timely and appropriate response to such access and activity, and (c) enable audits by Supplier, Kyndryl (pursuant to its verification rights in these Terms and audit rights in the Transaction Document or associated base or other related agreement between the parties) and others of compliance with documented Supplier policy.

    4.7 Supplier will retain logs in which it records, in compliance with Industry Best Practices, all administrative, user, or other access or activity to or with respect to systems used in providing Services or Deliverables and in Handling Kyndryl Technology (and will provide those logs to Kyndryl upon request). Supplier will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

    4.8 Supplier will maintain computing protections for systems that it owns or manages, including end-user systems, and that it uses in providing Services or Deliverables or in Handling Kyndryl Technology, with such protections including: endpoint firewalls, full disk encryption, signature and non-signature based endpoint detection and response technologies to address malware and advanced persistent threats, time based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In addition, Supplier will implement technical and operational controls that ensure only known and trusted end-user systems are allowed to use Supplier networks.

    4.9 Consistent with Industry Best Practices, Supplier will maintain protections for data center environments where Kyndryl Materials are present or processed, with such protections including intrusion detection and prevention and denial of service attack countermeasures and mitigation.

    5. Service and Systems Integrity and Availability Control

    5.1 Supplier will: (a) perform security and privacy risk assessments at least annually, (b) perform security testing and assess vulnerabilities, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter as it concerns Services and Deliverables and annually with respect to its Handling of Kyndryl Technology, (c) enlist a qualified independent third-party to perform penetration testing consistent with Industry Best Practices at least annually, with such testing including both automated and manual testing, (d) perform automated management and routine verification of compliance with security configuration requirements for each component of the Services and Deliverables and with respect to its Handling of Kyndryl Technology, and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Supplier will take reasonable steps to avoid disruption of Services when performing its tests, assessments, scans, and execution of remediation activities. Upon Kyndryl’s request, Supplier will provide Kyndryl with a written summary of Supplier’s then-most recent penetration testing activities, which report will at a minimum include the name of the offerings covered by the testing, the number of systems or applications in-scope for the testing, the dates of the testing, the methodology used in the testing, and a high-level summary of findings.

    5.2 Supplier will maintain policies and procedures designed to manage risks associated with the application of changes to the Services or Deliverables or to the Handling of Kyndryl Technology. Prior to implementing such a change, including to affected systems, networks, and underlying components, Supplier will document in a registered change request: (a) a description of and reason for the change, (b) implementation details and schedule, (c) a risk statement addressing impact to the Services and Deliverables, customers of the Services, or Kyndryl Materials, (d) expected outcome, (e) rollback plan, and (f) approval by authorized Supplier employees.

    5.3 Supplier will maintain an inventory of all IT assets it uses in operating the Services, providing Deliverables and in Handling Kyndryl Technology. Supplier will continuously monitor and manage the health (including capacity) and availability of such IT assets, Services, Deliverables and Kyndryl Technology, including the underlying components of such assets, Services, Deliverables and Kyndryl Technology.

    5.4 Supplier will build all systems that it uses in the development or operation of Services and Deliverables and in its Handling of Kyndryl Technology from predefined system security images or security baselines, which satisfy Industry Best Practices, such as the Center for Internet Security (CIS) benchmarks.

    5.5 Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to business continuity, Supplier will separately assess each Service and Deliverable and each IT system used in Handling Kyndryl Technology for business and IT continuity and disaster recovery requirements pursuant to documented risk management guidelines. Supplier will ensure that each such Service, Deliverable and IT system has, to the extent warranted by such risk assessment, separately defined, documented, maintained, and annually validated business and IT continuity and disaster recovery plans consistent with Industry Best Practices. Supplier will ensure that such plans are designed to deliver the specific recovery times that are set forth in Section 5.6 below.

    5.6 The specific recovery point objectives (“RPO”) and recovery time objectives (“RTO”) with respect to any Hosted Service are: 24 hours RPO and 24 hours RTO; nevertheless, Supplier will comply with any shorter duration RPO or RTO that Kyndryl has committed to a Customer, promptly after Kyndryl notifies Supplier in writing of such shorter duration RPO or RTO (an email constitutes a writing). As it concerns all other Services provided by Supplier to Kyndryl, Supplier will ensure that its business continuity and disaster recovery plans are designed to deliver RPO and RTO that enable Supplier to remain in compliance with all of its obligations to Kyndryl under the Transaction Document and associated base agreement between the parties, and these Terms, including its obligations to timely provide testing, support, and maintenance.

    5.7 Supplier will maintain measures designed to assess, test, and apply security advisory patches to the Services and Deliverables and associated systems, networks, applications, and underlying components within the scope of those Services and Deliverables, as well as the systems, networks, applications, and underlying components used to Handle Kyndryl Technology. Upon determining that a security advisory patch is applicable and appropriate, Supplier will implement the patch pursuant to documented severity and risk assessment guidelines. Supplier’s implementation of security advisory patches will be subject to its change management policy.

    5.8 If Kyndryl has a reasonable basis for believing that hardware or software that Supplier provides to Kyndryl may contain intrusive elements, such as spyware, malware, or malicious code, then Supplier will timely cooperate with Kyndryl in investigating and remediating Kyndryl’s concerns.

    6. Service Provisioning

    6.1 Supplier will support industry common methods of federated authentication for any Kyndryl user or Customer accounts, with Supplier following Industry Best Practices in authenticating such Kyndryl user or Customer accounts (such as by Kyndryl centrally managed multi-factor Single Sign-On, using OpenID Connect or Security Assertion Markup Language).

    7. Subcontractors. Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to the retention of subcontractors, Supplier will ensure that any subcontractor performing work for Supplier has instituted governance controls to comply with the requirements and obligations that these Terms place on Supplier.

    8. Physical Media. Supplier will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with Industry Best Practices for media sanitization.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12-month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12-month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law.

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third-parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.

  5. If so, where Supplier is providing its or third-party Source Code to Kyndryl, or any of Supplier’s Deliverables or Services will be provided to a Kyndryl Customer as part of a Kyndryl product or service, then Articles V (Secure Development), VIII (Technical and Organizational Measures, General Security), and X (Cooperation, Verification and Remediation) apply.


    Where Supplier is only providing On-Premise Software to Kyndryl, then Articles V (Secure Development) and X (Cooperation, Verification and Remediation) apply.

    Examples:

    1. Supplier is developing Source Code that Supplier will own, for a product that Kyndryl will market and sell.
    2. Supplier is licensing a software program to Kyndryl for Kyndryl’s on-premise use.
    3. Kyndryl rebrands a Supplier Hosted Service, that Supplier will host and manage, as a Kyndryl product or service.

    Note:

    Article VIII (Technical and Organizational Measures, General Security) will also apply to a Supplier providing On-Premise Software to Kyndryl, if the other facts of an engagement cause Article VIII to apply (e.g., where Supplier has access to information beyond BCI, such as Kyndryl Personal Data or non-Personal Data).


    Article V, Secure Development

    This Article applies if Supplier will provide its or third-party Source Code or On-Premise Software to Kyndryl, or if any of Supplier’s Deliverables or Services will be provided to a Kyndryl Customer as part of a Kyndryl product or service.

    1. Security Readiness

    1.1 Supplier will cooperate with Kyndryl’s internal processes that assess the security readiness of Kyndryl products and services that are dependent upon any of Supplier’s Deliverables, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    2. Secure Development

    2.1 This Section 2 only applies where Supplier is providing On-Premise Software to Kyndryl.

    2.2 Supplier has implemented and will maintain throughout the term of the Transaction Document, in accordance with Industry Best Practices, the network, platform, system, application, device, physical infrastructure, incident response, and Personnel focused security policies, procedures, and controls that are necessary to protect: (a) the development, build, test and operations systems and environments that Supplier or any third-party engaged by Supplier operates, manages, uses or otherwise relies upon for or with respect to the Deliverables and (b) all Deliverable source code against loss, unlawful forms of handling, and unauthorized access, disclosure, or alteration.

    3. ISO 20243 Certification

    3.1 This Section 3 only applies if any of Supplier’s Deliverables or Services will be provided to a Kyndryl Customer as part of a Kyndryl product or service.

    3.2 Supplier will obtain a certification of compliance with ISO 20243, Information technology, Open Trusted Technology Provider™ Standard (O-TTPS), Mitigating maliciously tainted and counterfeit products (either a self-assessed certification or one based on the assessment of a reputable independent auditor). In the alternative, if Supplier requests in writing and Kyndryl approves in writing, Supplier will obtain a certification of compliance with a substantially equivalent industry standard addressing secure development and supply chain practices (either a self-assessed certification or one based on the assessment of a reputable independent auditor, if and as Kyndryl approves).

    3.3 Supplier will obtain the certification of compliance with ISO 20243 or a substantially equivalent industry standard (if Kyndryl approves in writing) by 180 Days after the effective date of the Transaction Document and then renew the certification every 12 months thereafter (with each renewal against the then most current version of the applicable standard, i.e., ISO 20243 or, where Kyndryl has approved in writing, a substantially equivalent industry standard addressing secure development and supply chain practices).

    3.4 Supplier will, upon request, promptly provide to Kyndryl a copy of the certifications Supplier is obligated to obtain, per Sections 2.1 and 2.2 above.

    4. Security Vulnerabilities

    As used below,

    Error Correction means bug fixes and revisions that correct errors or deficiencies, including Security Vulnerabilities, in Deliverables.

    Mitigation means any known means of lessening or avoiding the risks of a Security Vulnerability.

    Security Vulnerability means a state in the design, coding, development, implementation, testing, operation, support, maintenance, or management of a Deliverable that allows an attack by anyone that could result in unauthorized access or exploitation, including: (a) access to, controlling or disrupting operation of a system, (b) access to, deleting, altering or extracting data or (c) changes of identity, authorizations or permissions of users or administrators. A Security Vulnerability may exist regardless of whether a Common Vulnerabilities and Exposures (CVE) ID or any scoring or official classification is assigned to it.

    4.1 Supplier represents and warrants that it will: (a) use Industry Best Practices to identify Security Vulnerabilities, including through continuous static and dynamic source code application security scanning, open source security scanning and system vulnerability scanning, and (b) comply with the requirements of these Terms to help prevent, detect and correct Security Vulnerabilities in Deliverables and in all IT applications, platforms, and infrastructure in and through which Supplier creates and provides Services and Deliverables.

    4.2 If Supplier becomes aware of a Security Vulnerability in a Deliverable or any such IT application, platform, or infrastructure, Supplier will provide Kyndryl with an Error Correction and Mitigations for all versions and releases of the Deliverables in accordance with the Severity Levels and time frames defined in the tables below:

    Severity Level*

    Emergency Security Vulnerability - is a Security Vulnerability that constitutes a severe and potentially global threat. Kyndryl designates Emergency Security Vulnerabilities in its sole discretion, regardless of CVSS Base Score.

    Critical - is a Security Vulnerability that has a CVSS Base Score from 9.0 to 10.0

    High - is a Security Vulnerability that has a CVSS Base Score from 7.0 to 8.9

    Medium - is a Security Vulnerability that has a CVSS Base Score from 4.0 to 6.9

    Low - is a Security Vulnerability that has a CVSS Base Score from 0.0 to 3.9

    Time Frames

    Severity Level*    Time Frame
    Emergency          4 Days or less, as determined by Kyndryl’s Chief Information Security Office
    Critical           30 Days
    High               30 Days
    Medium             90 Days
    Low                Per Industry Best Practices

    * In any case where a Security Vulnerability does not have a readily assigned CVSS Base Score, Supplier will apply a Severity Level that is appropriate for the nature and circumstances of such vulnerability.
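    The following is an added illustration, not part of the Terms, of how a supplier's security team might track the Section 4.2 time frames in its own vulnerability tracker: it maps a CVSS Base Score to the Severity Level ranges above, lets a Kyndryl Emergency designation override the score, falls back to the supplier's own assessed Severity Level where no score is assigned (the footnote case), and flags findings whose window has closed without an Error Correction. It assumes that a Day is a calendar day counted from the date Supplier became aware of the vulnerability, treats the Emergency window as an outer bound of 4 Days, and records no fixed deadline for Low (which the table leaves to Industry Best Practices); all names and the sample findings are constructed for the example.

```python
"""Remediation-window tracker for the Section 4.2 Severity Level table (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Time frames from the Section 4.2 table, in calendar Days (an assumption of this example).
# Low is "Per Industry Best Practices", so it carries no fixed deadline here (None).
TIME_FRAME_DAYS = {
    "Emergency": 4,    # "4 Days or less": 4 is treated as the outer bound
    "Critical": 30,
    "High": 30,
    "Medium": 90,
    "Low": None,
}


def severity_from_cvss(base_score: float) -> str:
    """Map a CVSS Base Score to the Severity Level ranges in the table.

    CVSS base scores are published to one decimal place, so the ranges
    0.0-3.9 / 4.0-6.9 / 7.0-8.9 / 9.0-10.0 are contiguous and the boundaries
    below are exact: 8.9 is High, 9.0 is Critical.
    """
    score = float(base_score)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS Base Score out of range: {base_score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    """One Security Vulnerability as recorded in the supplier's tracker (constructed shape)."""
    identifier: str
    aware_on: date                          # date Supplier became aware; starts the clock
    cvss_base_score: Optional[float] = None
    kyndryl_emergency: bool = False         # Kyndryl's Emergency designation, if any
    assessed_severity: Optional[str] = None # footnote *: Supplier's own level when no score exists
    fixed_on: Optional[date] = None         # date an Error Correction/Mitigation was delivered


def classify(f: Finding) -> str:
    """Severity Level for a finding: Emergency designation wins, then CVSS, then footnote."""
    if f.kyndryl_emergency:
        return "Emergency"
    if f.cvss_base_score is not None:
        return severity_from_cvss(f.cvss_base_score)
    if f.assessed_severity in TIME_FRAME_DAYS:
        return f.assessed_severity
    raise ValueError(f"{f.identifier}: no CVSS Base Score and no assessed Severity Level")


def deadline(f: Finding) -> Optional[date]:
    """Last day of the contractual window, or None where the table sets no fixed number of Days."""
    days = TIME_FRAME_DAYS[classify(f)]
    return None if days is None else f.aware_on + timedelta(days=days)


def overdue(findings: List[Finding], today: date) -> List[str]:
    """Identifiers of findings still unfixed after their window closed."""
    late = []
    for f in findings:
        due = deadline(f)
        if f.fixed_on is None and due is not None and today > due:
            late.append(f.identifier)
    return late


# Constructed sample findings (not real vulnerabilities) exercising each branch.
CONSTRUCTED_FINDINGS = [
    Finding("VULN-1", date(2024, 1, 1), cvss_base_score=9.8),                       # Critical, 30 Days
    Finding("VULN-2", date(2024, 1, 1), cvss_base_score=6.9),                       # Medium, 90 Days
    Finding("VULN-3", date(2024, 1, 1), cvss_base_score=2.0, kyndryl_emergency=True,
            fixed_on=date(2024, 1, 3)),                                             # Emergency override
    Finding("VULN-4", date(2024, 1, 1), assessed_severity="High"),                  # no score, footnote
    Finding("VULN-5", date(2024, 1, 1), cvss_base_score=1.0),                       # Low, no fixed deadline
]

if __name__ == "__main__":
    for f in CONSTRUCTED_FINDINGS:
        print(f.identifier, classify(f), deadline(f))
    print("overdue on 2024-02-15:", overdue(CONSTRUCTED_FINDINGS, date(2024, 2, 15)))
```

    Running the module as written prints each constructed finding with its level and deadline, then lists VULN-1 and VULN-4 as overdue on 15 February 2024; VULN-3 is excluded because it was fixed inside its 4 Day window, and VULN-5 never acquires a hard date.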

    4.3 For a Security Vulnerability that has been publicly disclosed and for which Supplier has not yet provided any Error Correction or Mitigation to Kyndryl, Supplier will implement any technically feasible additional security controls that may mitigate the risks of the vulnerability.

    4.4 If Kyndryl is dissatisfied with Supplier’s response to any Security Vulnerability in a Deliverable or any application, platform, or infrastructure referenced above, then without prejudice to any other rights of Kyndryl, Supplier will promptly arrange for Kyndryl to discuss its concerns directly with a Supplier Vice President or equivalent executive that is responsible for delivery of the Error Correction.

    4.5 Examples of Security Vulnerabilities include third-party code or end-of-service (EOS) open source code, where these types of code no longer receive security fixes.

    Article VIII, Technical and Organizational Measures, General Security

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl, unless Supplier will only have access to Kyndryl BCI in providing those Services and Deliverables (i.e., Supplier will not Process any other Kyndryl Data or have access to any other Kyndryl Materials or to any Corporate System), Supplier’s only Services and Deliverables are to provide On-Premise Software to Kyndryl, or Supplier provides all of its Services and Deliverables in a staff augmentation model pursuant to Article VII, including Section 1.7 thereof.

    Supplier will comply with the requirements of this Article and by doing so protect: (a) Kyndryl Materials against loss, destruction, alteration, accidental or unauthorized disclosure, and accidental or unauthorized access, (b) Kyndryl Data from unlawful forms of Processing and (c) Kyndryl Technology from unlawful forms of Handling. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services and in Handling Kyndryl Technology, including all development, testing, hosting, support, operations, and data center environments.

    1. Security Policies

    1.1 Supplier will maintain and follow IT security policies and practices that are integral to Supplier’s business, mandatory for all Supplier Personnel, and consistent with Industry Best Practices.

    1.2 Supplier will review its IT security policies and practices at least annually and amend them as Supplier deems necessary to protect the Kyndryl Materials.

    1.3 Supplier will maintain and follow standard, mandatory employment verification requirements for all new employee hires, and extend such requirements to all Supplier Personnel and wholly-owned Supplier subsidiaries. Those requirements will include criminal background checks to the extent permitted by local laws, proof of identity validation, and additional checks that Supplier deems necessary. Supplier will periodically repeat and revalidate these requirements, as it deems necessary.

    1.4 Supplier will provide security and privacy education to its employees annually and require all such employees to certify each year that they will comply with Supplier’s ethical business conduct, confidentiality, and security policies, as set out in Supplier’s code of conduct or similar documents. Supplier will provide additional policy and process training to persons with administrative access to any components of the Services, Deliverables or Kyndryl Materials, with such training specific to their role and support of the Services, Deliverables and Kyndryl Materials, and as necessary to maintain required compliance and certifications.

    1.5 Supplier will design security and privacy measures to protect and maintain the availability of Kyndryl Materials, including through its implementation, maintenance, and compliance with policies and procedures which require security and privacy by design, secure engineering, and secure operations, for all Services and Deliverables and for all Handling of Kyndryl Technology.

    2. Security Incidents

    2.1 Supplier will maintain and follow documented incident response policies consistent with Industry Best Practices for computer security incident handling.

    2.2 Supplier will investigate unauthorized access or unauthorized use of Kyndryl Materials and will define and execute an appropriate response plan.

    2.3 Supplier will promptly (and in no event any later than 48 hours) notify Kyndryl after becoming aware of any Security Breach. Supplier will provide such notification to cyber.incidents@kyndryl.com. Supplier will provide Kyndryl with reasonably requested information about such breach and the status of any Supplier remediation and restoration activities. By way of example, reasonably requested information may include logs demonstrating privileged, administrative, and other access to Devices, systems or applications, forensic images of Devices, systems or applications, and other similar items, to the extent relevant to the breach or Supplier’s remediation and restoration activities.

    2.4 Supplier will provide Kyndryl with reasonable assistance to satisfy any legal obligations (including obligations to notify regulators or Data Subjects) of Kyndryl, Kyndryl affiliates and Customers (and their customers and affiliates) in relation to a Security Breach.

    2.5 Supplier will not inform or notify any third party that a Security Breach directly or indirectly relates to Kyndryl or Kyndryl Materials unless Kyndryl approves doing so in writing or where required by law. Supplier will notify Kyndryl in writing prior to distributing any legally required notification to any third-party, where the notification would directly or indirectly reveal Kyndryl’s identity.

    2.6 In case of a Security Breach which arises from Supplier’s breach of any obligation under these Terms:

    (a) Supplier will be responsible for any costs it incurs, as well as actual costs that Kyndryl incurs, in providing notification of the Security Breach to applicable regulators, other government and relevant industry self-regulatory agencies, the media (if required by applicable law), Data Subjects, Customers, and others,

    (b) if Kyndryl requests, Supplier will establish and maintain at Supplier’s own expense a call-center to respond to questions from Data Subjects about the Security Breach and its consequences, for 1 year after the date on which such Data Subjects were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection. Kyndryl and Supplier will work together to create the scripts and other materials to be used by call-center staff when responding to inquiries. Alternatively, on written notice to Supplier, Kyndryl may establish and maintain its own call-center, in lieu of having Supplier establish a call-center, and Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in establishing and maintaining such call-center, and

    (c) Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in providing credit monitoring and credit restoration services for 1 year after the date on which individuals affected by the breach who choose to register for such services were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection.

    3. Physical Security and Entry Control (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials).

    3.1 Supplier will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Facilities.

    3.2 Supplier will require authorized approval for access to Facilities and controlled areas within Facilities, including any temporary access, and will limit access by job role and business need. If Supplier grants temporary access, its authorized employee will escort any visitor while in the Facility and any controlled areas.

    3.3 Supplier will implement physical access controls, including multi-factor access controls that are consistent with Industry Best Practices, to appropriately restrict entrance to controlled areas within Facilities, will log all entry attempts, and retain such logs for at least one year.

    3.4 Supplier will revoke access to Facilities and controlled areas within Facilities upon (a) separation of an authorized Supplier employee or (b) the authorized Supplier employee no longer having a valid business need for access. Supplier will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.

    3.5 Supplier will take precautions to protect all physical infrastructure used to support the Services and Deliverables and the Handling of Kyndryl Technology against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

    4. Access, Intervention, Transfer, and Separation Control

    4.1 Supplier will maintain documented security architecture of networks that it manages in its operation of the Services, its provision of Deliverables and its Handling of Kyndryl Technology. Supplier will separately review such network architecture, and employ measures to prevent unauthorized network connections to systems, applications, and network devices, for compliance with secure segmentation, isolation, and defense in-depth standards. Supplier may not use wireless technology in its hosting and operations of any Hosted Services; otherwise, Supplier may use wireless networking technology in its delivery of Services and Deliverables and in its Handling of Kyndryl Technology, but Supplier will encrypt and require secure authentication for any such wireless networks.

    4.2 Supplier will maintain measures that are designed to logically separate and prevent Kyndryl Materials from being exposed to or accessed by unauthorized persons. Further, Supplier will maintain appropriate isolation of its production, non-production, and other environments, and, if Kyndryl Materials are already present within or are transferred to a non-production environment (for example to reproduce an error), then Supplier will ensure that the security and privacy protections in the non-production environment are equal to those in the production environment.

    4.3 Supplier will encrypt Kyndryl Materials in transit and at rest (unless Supplier demonstrates to Kyndryl’s reasonable satisfaction that encrypting Kyndryl Materials at rest is technically infeasible). Supplier will also encrypt all physical media, if any, such as media containing backup files. Supplier will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use associated with data encryption. Supplier will ensure that the specific cryptographic methods used for such encryption align with Industry Best Practices (such as NIST SP 800-131a).

    4.4 If Supplier requires access to Kyndryl Materials, Supplier will restrict and limit such access to the least level required to provide and support the Services and Deliverables. Supplier will require that such access, including administrative access to any underlying components (i.e., privileged access), will be individual, role based, and subject to approval and regular validation by authorized Supplier employees following segregation of duty principles. Supplier will maintain measures to identify and remove redundant and dormant accounts. Supplier will also revoke accounts with privileged access within twenty-four (24) hours after the account owner’s separation or the request by Kyndryl or any authorized Supplier employee, such as the account owner’s manager.

    4.5 Consistent with Industry Best Practices, Supplier will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases. Additionally, Supplier will utilize multi-factor authentication for all non-console based privileged access to any Kyndryl Materials.

    4.6 Supplier will monitor use of privileged access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity, (b) facilitate a timely and appropriate response to such access and activity, and (c) enable audits by Supplier, Kyndryl (pursuant to its verification rights in these Terms and audit rights in the Transaction Document or associated base or other related agreement between the parties) and others of compliance with documented Supplier policy.

    4.7 Supplier will retain logs in which it records, in compliance with Industry Best Practices, all administrative, user, or other access or activity to or with respect to systems used in providing Services or Deliverables and in Handling Kyndryl Technology (and will provide those logs to Kyndryl upon request). Supplier will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

    4.8 Supplier will maintain computing protections for systems that it owns or manages, including end-user systems, and that it uses in providing Services or Deliverables or in Handling Kyndryl Technology, with such protections including: endpoint firewalls, full disk encryption, signature and non-signature based endpoint detection and response technologies to address malware and advanced persistent threats, time based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In addition, Supplier will implement technical and operational controls that ensure only known and trusted end-user systems are allowed to use Supplier networks.

    4.9 Consistent with Industry Best Practices, Supplier will maintain protections for data center environments where Kyndryl Materials are present or processed, with such protections including intrusion detection and prevention and denial of service attack countermeasures and mitigation.

    5. Service and Systems Integrity and Availability Control

    5.1 Supplier will: (a) perform security and privacy risk assessments at least annually, (b) perform security testing and assess vulnerabilities, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter as it concerns Services and Deliverables and annually with respect to its Handling of Kyndryl Technology, (c) enlist a qualified independent third-party to perform penetration testing consistent with Industry Best Practices at least annually, with such testing including both automated and manual testing, (d) perform automated management and routine verification of compliance with security configuration requirements for each component of the Services and Deliverables and with respect to its Handling of Kyndryl Technology, and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Supplier will take reasonable steps to avoid disruption of Services when performing its tests, assessments, scans, and execution of remediation activities. Upon Kyndryl’s request, Supplier will provide Kyndryl with a written summary of Supplier’s then-most recent penetration testing activities, which report will at a minimum include the name of the offerings covered by the testing, the number of systems or applications in-scope for the testing, the dates of the testing, the methodology used in the testing, and a high-level summary of findings.

    5.2 Supplier will maintain policies and procedures designed to manage risks associated with the application of changes to the Services or Deliverables or to the Handling of Kyndryl Technology. Prior to implementing such a change, including to affected systems, networks, and underlying components, Supplier will document in a registered change request: (a) a description of and reason for the change, (b) implementation details and schedule, (c) a risk statement addressing impact to the Services and Deliverables, customers of the Services, or Kyndryl Materials, (d) expected outcome, (e) rollback plan, and (f) approval by authorized Supplier employees.

    5.3 Supplier will maintain an inventory of all IT assets it uses in operating the Services, providing Deliverables and in Handling Kyndryl Technology. Supplier will continuously monitor and manage the health (including capacity) and availability of such IT assets, Services, Deliverables and Kyndryl Technology, including the underlying components of such assets, Services, Deliverables and Kyndryl Technology.

    5.4 Supplier will build all systems that it uses in the development or operation of Services and Deliverables and in its Handling of Kyndryl Technology from predefined system security images or security baselines, which satisfy Industry Best Practices, such as the Center for Internet Security (CIS) benchmarks.

    5.5 Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to business continuity, Supplier will separately assess each Service and Deliverable and each IT system used in Handling Kyndryl Technology for business and IT continuity and disaster recovery requirements pursuant to documented risk management guidelines. Supplier will ensure that each such Service, Deliverable and IT system has, to the extent warranted by such risk assessment, separately defined, documented, maintained, and annually validated business and IT continuity and disaster recovery plans consistent with Industry Best Practices. Supplier will ensure that such plans are designed to deliver the specific recovery times that are set forth in Section 5.6 below.

    5.6 The specific recovery point objectives (“RPO”) and recovery time objectives (“RTO”) with respect to any Hosted Service are: 24 hours RPO and 24 hours RTO; nevertheless, Supplier will comply with any shorter duration RPO or RTO that Kyndryl has committed to a Customer, promptly after Kyndryl notifies Supplier in writing of such shorter duration RPO or RTO (an email constitutes a writing). As it concerns all other Services provided by Supplier to Kyndryl, Supplier will ensure that its business continuity and disaster recovery plans are designed to deliver RPO and RTO that enable Supplier to remain in compliance with all of its obligations to Kyndryl under the Transaction Document and associated base agreement between the parties, and these Terms, including its obligations to timely provide testing, support, and maintenance.

    5.7 Supplier will maintain measures designed to assess, test, and apply security advisory patches to the Services and Deliverables and associated systems, networks, applications, and underlying components within the scope of those Services and Deliverables, as well as the systems, networks, applications, and underlying components used to Handle Kyndryl Technology. Upon determining that a security advisory patch is applicable and appropriate, Supplier will implement the patch pursuant to documented severity and risk assessment guidelines. Supplier’s implementation of security advisory patches will be subject to its change management policy.

    5.8 If Kyndryl has a reasonable basis for believing that hardware or software that Supplier provides to Kyndryl may contain intrusive elements, such as spyware, malware, or malicious code, then Supplier will timely cooperate with Kyndryl in investigating and remediating Kyndryl’s concerns.

    6. Service Provisioning

    6.1 Supplier will support industry common methods of federated authentication for any Kyndryl user or Customer accounts, with Supplier following Industry Best Practices in authenticating such Kyndryl user or Customer accounts (such as by Kyndryl centrally managed multi-factor Single Sign-On, using OpenID Connect or Security Assertion Markup Language).

    7. Subcontractors. Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to the retention of subcontractors, Supplier will ensure that any subcontractor performing work for Supplier has instituted governance controls to comply with the requirements and obligations that these Terms place on Supplier.

    8. Physical Media. Supplier will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with Industry Best Practices for media sanitization.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12 month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12 month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law.

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third-parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.

  6. If so, then Articles VI (Corporate Systems’ Access), VIII (Technical and Organizational Measures, General Security) and X (Cooperation, Verification and Remediation) apply to that access.

    Examples:

    1. Supplier’s development responsibilities necessitate access to Kyndryl Source Code repositories.

    Note:

    Articles II (Technical and Organizational Measures, Data Security), III (Privacy), IV (Technical and Organizational Measures, Code Security), and V (Secure Development) may also apply depending on the Kyndryl Materials Supplier is permitted to access within Corporate Systems.

    Article VI, Corporate Systems’ Access

    This Article applies if Supplier employees will have access to any Corporate System.

    1. General Terms

    1.1 Kyndryl will determine whether to authorize Supplier employees to access Corporate Systems. If Kyndryl so authorizes, then Supplier will comply, and will cause its employees with such access to comply, with the requirements of this Article.

    1.2 Kyndryl will identify the means by which Supplier employees may access Corporate Systems, including whether such employees will access Corporate Systems through Kyndryl or Supplier provided Devices.

    1.3 Supplier employees may only access Corporate Systems, and may only use the Devices that Kyndryl authorizes for that access, to provide Services. Supplier employees may not use the Devices that Kyndryl so authorizes to provide services to any other person or entity, or to access any Supplier or third-party IT systems, networks, applications, websites, email tools, collaboration tools, or the like for or in connection with the Services.

    1.4 For clarity, Supplier employees may not use the Devices that Kyndryl authorizes to access Corporate Systems for any personal reason (e.g., Supplier employees may not store personal files such as music, videos, pictures or other like items on such Devices and cannot use the Internet from such Devices for personal reasons).

    1.5 Supplier employees will not copy Kyndryl Materials that are accessible through a Corporate System without Kyndryl’s prior written approval (and will never copy any Kyndryl Materials to a portable storage device, such as a USB, an external hard drive, or other like items).

    1.6 Upon request, Supplier will confirm, by employee name, the specific Corporate Systems which its employees are authorized to access, and have accessed, over any time period that Kyndryl identifies.

    1.7 Supplier will notify Kyndryl within twenty-four (24) hours after any Supplier employee with access to any Corporate System is no longer: (a) employed by Supplier or (b) working on activities that require such access. Supplier will work with Kyndryl to ensure that access for such former or current employees is immediately revoked.

    1.8 Supplier will immediately report any actual or suspected security incidents (such as loss of a Kyndryl or Supplier Device or unauthorized access to a Device or data, materials or other information of any kind) to Kyndryl and cooperate with Kyndryl in the investigation of such incidents.

    1.9 Supplier may not permit any agent, independent contractor or subcontractor employee to access any Corporate System, without Kyndryl’s prior written consent; if Kyndryl provides that consent, then Supplier will contractually commit those persons and their employers to comply with the requirements of this Article as if those persons were Supplier employees, and will be responsible to Kyndryl for all actions and omissions to act by any such person or employer with respect to such Corporate System access.

    2. Device Software

    2.1 Supplier will direct its employees to timely install all Device software that Kyndryl requires to facilitate access to Corporate Systems in a secure manner. Neither Supplier nor its employees will interfere with the operations of that software or the security features that the software enables.

    2.2 Supplier and its employees will adhere to the Device configuration rules that Kyndryl sets and otherwise work with Kyndryl to help ensure that the software functions as Kyndryl intends. For example, Supplier will not override software website blocking or automated patching features.

    2.3 Supplier employees may not share the Devices they use to access Corporate Systems, or their Device user-names, passwords, or the like, with any other person.

    2.4 If Kyndryl authorizes Supplier employees to access Corporate Systems using Supplier Devices, then Supplier will install and run an operating system on those Devices that Kyndryl approves and will upgrade to a new version of that operating system or a new operating system within a reasonable time after Kyndryl so instructs.

    3. Oversight and Cooperation

    3.1 Kyndryl has the unqualified rights to monitor and remediate potential intrusion and other cyber security threats in whatever ways, from whatever locations, and using whatever means Kyndryl believes is necessary or appropriate, without prior notice to Supplier or any Supplier employee or others. As examples of such rights, Kyndryl may, at any time, (a) perform a security test on any Device, (b) monitor, recover through technical or other means and review communications (including emails from any email accounts), records, files, and other items stored in any Device or transmitted through any Corporate System, and (c) acquire a full forensic image of any Device. If Kyndryl needs Supplier’s cooperation to exercise its rights, Supplier will fully and timely satisfy Kyndryl’s requests for such cooperation (including, for example, requests to securely configure any Device, install monitoring or other software on any Device, share system level connection details, engage in incident response measures on any Device, and provide physical access to any Device for Kyndryl to obtain a full forensic image or otherwise, and similar and related requests).

    3.2 Kyndryl may revoke access to Corporate Systems at any time, for any Supplier employee or all Supplier employees, without prior notice to Supplier or any Supplier employee or others, if Kyndryl believes that doing so is necessary to protect Kyndryl.

    3.3 Kyndryl’s rights are not blocked, lessened, or restricted in any way by any provision of the Transaction Document, the associated base agreement between the parties, or any other agreement between the parties, including any provision that may require data, materials or other information of any kind to reside only in a select location or locations or that may require that only persons from a select location or locations access such data, materials or other information.

    4. Kyndryl Devices

    4.1 Kyndryl will retain title to all Kyndryl Devices, with Supplier bearing the risk of loss of the Devices, including due to theft, vandalism, or negligence. Supplier will not make or permit any alterations to Kyndryl Devices without Kyndryl’s prior written consent, with an alteration being any change to a Device, including any change to Device software, applications, security design, security configuration, or physical, mechanical, or electrical design.

    4.2 Supplier will return all Kyndryl Devices within 5 business days after the need for those Devices to provide Services ends, and if Kyndryl requests, destroy all data, materials and other information of any kind on those Devices at the same time, without retaining any copy, by following Industry Best Practices to permanently erase all such data, materials and other information. Supplier will pack and return Kyndryl Devices in the same condition as delivered to Supplier, other than reasonable wear and tear, at its own expense to the location that Kyndryl identifies. Supplier’s failure to comply with any obligation in this Section 4.2 constitutes a material breach of the Transaction Document and associated base agreement and any related agreement between the parties, with the understanding that an agreement is “related” if access to any Corporate System facilitates Supplier’s tasks or other activities under that agreement.

    4.3 Kyndryl will provide support for Kyndryl Devices (including Device inspection and preventive and remedial maintenance). Supplier will promptly advise Kyndryl of the need for remedial service.

    4.4 For software programs that Kyndryl owns or has the right to license, Kyndryl grants Supplier a temporary right to use, store, and make sufficient copies to support its authorized use of Kyndryl Devices. Supplier may not transfer programs to anyone, make copies of software license information, or disassemble, decompile, reverse engineer, or otherwise translate any program unless expressly permitted by applicable law without the possibility of contractual waiver.

    5. Updates

    5.1 Notwithstanding anything to the contrary in the Transaction Document or associated base agreement between the parties, upon written notice to Supplier and without the need for obtaining Supplier’s consent, Kyndryl may update, supplement, or otherwise amend this Article to address any requirement under applicable law or Customer obligation, to reflect any development in security best practices, or otherwise as Kyndryl believes necessary to protect Corporate Systems or Kyndryl.

    Article VIII, Technical and Organizational Measures, General Security

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl, unless Supplier will only have access to Kyndryl BCI in providing those Services and Deliverables (i.e., Supplier will not Process any other Kyndryl Data or have access to any other Kyndryl Materials or to any Corporate System), Supplier’s only Services and Deliverables are to provide On-Premise Software to Kyndryl, or Supplier provides all of its Services and Deliverables in a staff augmentation model pursuant to Article VII, including Section 1.7 thereof.

    Supplier will comply with the requirements of this Article and by doing so protect: (a) Kyndryl Materials against loss, destruction, alteration, accidental or unauthorized disclosure, and accidental or unauthorized access, (b) Kyndryl Data from unlawful forms of Processing and (c) Kyndryl Technology from unlawful forms of Handling. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services and in Handling Kyndryl Technology, including all development, testing, hosting, support, operations, and data center environments.

    1. Security Policies

    1.1 Supplier will maintain and follow IT security policies and practices that are integral to Supplier’s business, mandatory for all Supplier Personnel, and consistent with Industry Best Practices.

    1.2 Supplier will review its IT security policies and practices at least annually and amend them as Supplier deems necessary to protect the Kyndryl Materials.

    1.3 Supplier will maintain and follow standard, mandatory employment verification requirements for all new employee hires, and extend such requirements to all Supplier Personnel and wholly-owned Supplier subsidiaries. Those requirements will include criminal background checks to the extent permitted by local laws, proof of identity validation, and additional checks that Supplier deems necessary. Supplier will periodically repeat and revalidate these requirements, as it deems necessary.

    1.4 Supplier will provide security and privacy education to its employees annually and require all such employees to certify each year that they will comply with Supplier’s ethical business conduct, confidentiality, and security policies, as set out in Supplier’s code of conduct or similar documents. Supplier will provide additional policy and process training to persons with administrative access to any components of the Services, Deliverables or Kyndryl Materials, with such training specific to their role and support of the Services, Deliverables and Kyndryl Materials, and as necessary to maintain required compliance and certifications.

    1.5 Supplier will design security and privacy measures to protect and maintain the availability of Kyndryl Materials, including through its implementation, maintenance, and compliance with policies and procedures which require security and privacy by design, secure engineering, and secure operations, for all Services and Deliverables and for all Handling of Kyndryl Technology.

    2. Security Incidents

    2.1 Supplier will maintain and follow documented incident response policies consistent with Industry Best Practices for computer security incident handling.

    2.2 Supplier will investigate unauthorized access or unauthorized use of Kyndryl Materials and will define and execute an appropriate response plan.

    2.3 Supplier will promptly (and in no event any later than 48 hours) notify Kyndryl after becoming aware of any Security Breach. Supplier will provide such notification to cyber.incidents@kyndryl.com. Supplier will provide Kyndryl with reasonably requested information about such breach and the status of any Supplier remediation and restoration activities. By way of example, reasonably requested information may include logs demonstrating privileged, administrative, and other access to Devices, systems or applications, forensic images of Devices, systems or applications, and other similar items, to the extent relevant to the breach or Supplier’s remediation and restoration activities.

    2.4 Supplier will provide Kyndryl with reasonable assistance to satisfy any legal obligations (including obligations to notify regulators or Data Subjects) of Kyndryl, Kyndryl affiliates and Customers (and their customers and affiliates) in relation to a Security Breach.

    2.5 Supplier will not inform or notify any third party that a Security Breach directly or indirectly relates to Kyndryl or Kyndryl Materials unless Kyndryl approves doing so in writing or where required by law. Supplier will notify Kyndryl in writing prior to distributing any legally required notification to any third-party, where the notification would directly or indirectly reveal Kyndryl’s identity.

    2.6 In case of a Security Breach which arises from Supplier’s breach of any obligation under these Terms:

    (a) Supplier will be responsible for any costs it incurs, as well as actual costs that Kyndryl incurs, in providing notification of the Security Breach to applicable regulators, other government and relevant industry self-regulatory agencies, the media (if required by applicable law), Data Subjects, Customers, and others,

    (b) if Kyndryl requests, Supplier will establish and maintain at Supplier’s own expense a call-center to respond to questions from Data Subjects about the Security Breach and its consequences, for 1 year after the date on which such Data Subjects were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection. Kyndryl and Supplier will work together to create the scripts and other materials to be used by call-center staff when responding to inquiries. Alternatively, on written notice to Supplier, Kyndryl may establish and maintain its own call-center, in lieu of having Supplier establish a call-center, and Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in establishing and maintaining such call-center, and

    (c) Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in providing credit monitoring and credit restoration services for 1 year after the date on which individuals affected by the breach who choose to register for such services were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection.

    3. Physical Security and Entry Control (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials).

    3.1 Supplier will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Facilities.

    3.2 Supplier will require authorized approval for access to Facilities and controlled areas within Facilities, including any temporary access, and will limit access by job role and business need. If Supplier grants temporary access, its authorized employee will escort any visitor while in the Facility and any controlled areas.

    3.3 Supplier will implement physical access controls, including multi-factor access controls that are consistent with Industry Best Practices, to appropriately restrict entrance to controlled areas within Facilities, will log all entry attempts, and retain such logs for at least one year.

    3.4 Supplier will revoke access to Facilities and controlled areas within Facilities upon (a) separation of an authorized Supplier employee or (b) the authorized Supplier employee no longer having a valid business need for access. Supplier will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.

    3.5 Supplier will take precautions to protect all physical infrastructure used to support the Services and Deliverables and the Handling of Kyndryl Technology against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

    4. Access, Intervention, Transfer, and Separation Control

    4.1 Supplier will maintain documented security architecture of networks that it manages in its operation of the Services, its provision of Deliverables and its Handling of Kyndryl Technology. Supplier will separately review such network architecture, and employ measures to prevent unauthorized network connections to systems, applications, and network devices, for compliance with secure segmentation, isolation, and defense in-depth standards. Supplier may not use wireless technology in its hosting and operations of any Hosted Services; otherwise, Supplier may use wireless networking technology in its delivery of Services and Deliverables and in its Handling of Kyndryl Technology, but Supplier will encrypt and require secure authentication for any such wireless networks.

    4.2 Supplier will maintain measures that are designed to logically separate and prevent Kyndryl Materials from being exposed to or accessed by unauthorized persons. Further, Supplier will maintain appropriate isolation of its production, non-production, and other environments, and, if Kyndryl Materials are already present within or are transferred to a non-production environment (for example to reproduce an error), then Supplier will ensure that the security and privacy protections in the non-production environment are equal to those in the production environment.

    4.3 Supplier will encrypt Kyndryl Materials in transit and at rest (unless Supplier demonstrates to Kyndryl’s reasonable satisfaction that encrypting Kyndryl Materials at rest is technically infeasible). Supplier will also encrypt all physical media, if any, such as media containing backup files. Supplier will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use associated with data encryption. Supplier will ensure that the specific cryptographic methods used for such encryption align with Industry Best Practices (such as NIST SP 800-131a).

    4.4 If Supplier requires access to Kyndryl Materials, Supplier will restrict and limit such access to the least level required to provide and support the Services and Deliverables. Supplier will require that such access, including administrative access to any underlying components (i.e., privileged access), will be individual, role based, and subject to approval and regular validation by authorized Supplier employees following segregation of duty principles. Supplier will maintain measures to identify and remove redundant and dormant accounts. Supplier will also revoke accounts with privileged access within twenty-four (24) hours after the account owner’s separation or the request by Kyndryl or any authorized Supplier employee, such as the account owner’s manager.

    4.5 Consistent with Industry Best Practices, Supplier will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases. Additionally, Supplier will utilize multi-factor authentication for all non-console based privileged access to any Kyndryl Materials.

    4.6 Supplier will monitor use of privileged access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity, (b) facilitate a timely and appropriate response to such access and activity, and (c) enable audits by Supplier, Kyndryl (pursuant to its verification rights in these Terms and audit rights in the Transaction Document or associated base or other related agreement between the parties) and others of compliance with documented Supplier policy.

    4.7 Supplier will retain logs in which it records, in compliance with Industry Best Practices, all administrative, user, or other access or activity to or with respect to systems used in providing Services or Deliverables and in Handling Kyndryl Technology (and will provide those logs to Kyndryl upon request). Supplier will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

    4.8 Supplier will maintain computing protections for systems that it owns or manages, including end-user systems, and that it uses in providing Services or Deliverables or in Handling Kyndryl Technology, with such protections including: endpoint firewalls, full disk encryption, signature and non-signature based endpoint detection and response technologies to address malware and advanced persistent threats, time based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In addition, Supplier will implement technical and operational controls that ensure only known and trusted end-user systems are allowed to use Supplier networks.

    4.9 Consistent with Industry Best Practices, Supplier will maintain protections for data center environments where Kyndryl Materials are present or processed, with such protections including intrusion detection and prevention and denial of service attack countermeasures and mitigation.

    5. Service and Systems Integrity and Availability Control

    5.1 Supplier will: (a) perform security and privacy risk assessments at least annually, (b) perform security testing and assess vulnerabilities, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter as it concerns Services and Deliverables and annually with respect to its Handling of Kyndryl Technology, (c) enlist a qualified independent third-party to perform penetration testing consistent with Industry Best Practices at least annually, with such testing including both automated and manual testing, (d) perform automated management and routine verification of compliance with security configuration requirements for each component of the Services and Deliverables and with respect to its Handling of Kyndryl Technology, and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Supplier will take reasonable steps to avoid disruption of Services when performing its tests, assessments, scans, and execution of remediation activities. Upon Kyndryl’s request, Supplier will provide Kyndryl with a written summary of Supplier’s then-most recent penetration testing activities, which report will at a minimum include the name of the offerings covered by the testing, the number of systems or applications in-scope for the testing, the dates of the testing, the methodology used in the testing, and a high-level summary of findings.

    5.2 Supplier will maintain policies and procedures designed to manage risks associated with the application of changes to the Services or Deliverables or to the Handling of Kyndryl Technology. Prior to implementing such a change, including to affected systems, networks, and underlying components, Supplier will document in a registered change request: (a) a description of and reason for the change, (b) implementation details and schedule, (c) a risk statement addressing impact to the Services and Deliverables, customers of the Services, or Kyndryl Materials, (d) expected outcome, (e) rollback plan, and (f) approval by authorized Supplier employees.

    5.3 Supplier will maintain an inventory of all IT assets it uses in operating the Services, providing Deliverables and in Handling Kyndryl Technology. Supplier will continuously monitor and manage the health (including capacity) and availability of such IT assets, Services, Deliverables and Kyndryl Technology, including the underlying components of such assets, Services, Deliverables and Kyndryl Technology.

    5.4 Supplier will build all systems that it uses in the development or operation of Services and Deliverables and in its Handling of Kyndryl Technology from predefined system security images or security baselines, which satisfy Industry Best Practices, such as the Center for Internet Security (CIS) benchmarks.

    5.5 Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to business continuity, Supplier will separately assess each Service and Deliverable and each IT system used in Handling Kyndryl Technology for business and IT continuity and disaster recovery requirements pursuant to documented risk management guidelines. Supplier will ensure that each such Service, Deliverable and IT system has, to the extent warranted by such risk assessment, separately defined, documented, maintained, and annually validated business and IT continuity and disaster recovery plans consistent with Industry Best Practices. Supplier will ensure that such plans are designed to deliver the specific recovery times that are set forth in Section 5.6 below.

    5.6 The specific recovery point objectives (“RPO”) and recovery time objectives (“RTO”) with respect to any Hosted Service are: 24 hours RPO and 24 hours RTO; nevertheless, Supplier will comply with any shorter duration RPO or RTO that Kyndryl has committed to a Customer, promptly after Kyndryl notifies Supplier in writing of such shorter duration RPO or RTO (an email constitutes a writing). As it concerns all other Services provided by Supplier to Kyndryl, Supplier will ensure that its business continuity and disaster recovery plans are designed to deliver RPO and RTO that enable Supplier to remain in compliance with all of its obligations to Kyndryl under the Transaction Document and associated base agreement between the parties, and these Terms, including its obligations to timely provide testing, support, and maintenance.

    5.7 Supplier will maintain measures designed to assess, test, and apply security advisory patches to the Services and Deliverables and associated systems, networks, applications, and underlying components within the scope of those Services and Deliverables, as well as the systems, networks, applications, and underlying components used to Handle Kyndryl Technology. Upon determining that a security advisory patch is applicable and appropriate, Supplier will implement the patch pursuant to documented severity and risk assessment guidelines. Supplier’s implementation of security advisory patches will be subject to its change management policy.

    5.8 If Kyndryl has a reasonable basis for believing that hardware or software that Supplier provides to Kyndryl may contain intrusive elements, such as spyware, malware, or malicious code, then Supplier will timely cooperate with Kyndryl in investigating and remediating Kyndryl’s concerns.

    6. Service Provisioning

    6.1 Supplier will support industry common methods of federated authentication for any Kyndryl user or Customer accounts, with Supplier following Industry Best Practices in authenticating such Kyndryl user or Customer accounts (such as by Kyndryl centrally managed multi-factor Single Sign-On, using OpenID Connect or Security Assertion Markup Language).

    7. Subcontractors. Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to the retention of subcontractors, Supplier will ensure that any subcontractor performing work for Supplier has instituted governance controls to comply with the requirements and obligations that these Terms place on Supplier.

    8. Physical Media. Supplier will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with Industry Best Practices for media sanitization.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12 month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12 month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law.

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third-parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.

  7. If so, then Articles VI (Corporate Systems’ Access), VII (Staff Augmentation) and X (Cooperation, Verification and Remediation) apply.

    Note:

    Articles II (Technical and Organizational Measures, Data Security), III (Privacy), IV (Technical and Organizational Measures, Code Security), and V (Secure Development) may also apply depending on the Kyndryl Materials Supplier is permitted to access within Corporate Systems.

    Article VI, Corporate Systems’ Access

    This Article applies if Supplier employees will have access to any Corporate System.

    1. General Terms

    1.1 Kyndryl will determine whether to authorize Supplier employees to access Corporate Systems. If Kyndryl so authorizes, then Supplier will comply, and will cause its employees with such access to comply, with the requirements of this Article.

    1.2 Kyndryl will identify the means by which Supplier employees may access Corporate Systems, including whether such employees will access Corporate Systems through Kyndryl or Supplier provided Devices.

    1.3 Supplier employees may only access Corporate Systems, and may only use the Devices that Kyndryl authorizes for that access, to provide Services. Supplier employees may not use the Devices that Kyndryl so authorizes to provide services to any other person or entity, or to access any Supplier or third-party IT systems, networks, applications, websites, email tools, collaboration tools, or the like for or in connection with the Services.

    1.4 For clarity, Supplier employees may not use the Devices that Kyndryl authorizes to access Corporate Systems for any personal reason (e.g., Supplier employees may not store personal files such as music, videos, pictures or other like items on such Devices and cannot use the Internet from such Devices for personal reasons).

    1.5 Supplier employees will not copy Kyndryl Materials that are accessible through a Corporate System without Kyndryl’s prior written approval (and will never copy any Kyndryl Materials to a portable storage device, such as a USB, an external hard drive, or other like items).

    1.6 Upon request, Supplier will confirm, by employee name, the specific Corporate Systems which its employees are authorized to access, and have accessed, over any time period that Kyndryl identifies.

    1.7 Supplier will notify Kyndryl within twenty-four (24) hours after any Supplier employee with access to any Corporate System is no longer: (a) employed by Supplier or (b) working on activities that require such access. Supplier will work with Kyndryl to ensure that access for such former or current employees is immediately revoked.

    1.8 Supplier will immediately report any actual or suspected security incidents (such as loss of a Kyndryl or Supplier Device or unauthorized access to a Device or data, materials or other information of any kind) to Kyndryl and cooperate with Kyndryl in the investigation of such incidents.

    1.9 Supplier may not permit any agent, independent contractor or subcontractor employee to access any Corporate System, without Kyndryl’s prior written consent; if Kyndryl provides that consent, then Supplier will contractually commit those persons and their employers to comply with the requirements of this Article as if those persons were Supplier employees, and will be responsible to Kyndryl for all actions and omissions to act by any such person or employer with respect to such Corporate System access.

    2. Device Software

    2.1 Supplier will direct its employees to timely install all Device software that Kyndryl requires to facilitate access to Corporate Systems in a secure manner. Neither Supplier nor its employees will interfere with the operations of that software or the security features that the software enables.

    2.2 Supplier and its employees will adhere to the Device configuration rules that Kyndryl sets and otherwise work with Kyndryl to help ensure that the software functions as Kyndryl intends. For example, Supplier will not override software website blocking or automated patching features.

    2.3 Supplier employees may not share the Devices they use to access Corporate Systems, or their Device user-names, passwords, or the like, with any other person.

    2.4 If Kyndryl authorizes Supplier employees to access Corporate Systems using Supplier Devices, then Supplier will install and run an operating system on those Devices that Kyndryl approves and will upgrade to a new version of that operating system or a new operating system within a reasonable time after Kyndryl so instructs.

    3. Oversight and Cooperation

    3.1 Kyndryl has the unqualified rights to monitor and remediate potential intrusion and other cyber security threats in whatever ways, from whatever locations, and using whatever means Kyndryl believes is necessary or appropriate, without prior notice to Supplier or any Supplier employee or others. As examples of such rights, Kyndryl may, at any time, (a) perform a security test on any Device, (b) monitor, recover through technical or other means and review communications (including emails from any email accounts), records, files, and other items stored in any Device or transmitted through any Corporate System, and (c) acquire a full forensic image of any Device. If Kyndryl needs Supplier’s cooperation to exercise its rights, Supplier will fully and timely satisfy Kyndryl’s requests for such cooperation (including, for example, requests to securely configure any Device, install monitoring or other software on any Device, share system level connection details, engage in incident response measures on any Device, and provide physical access to any Device for Kyndryl to obtain a full forensic image or otherwise, and similar and related requests).

    3.2 Kyndryl may revoke access to Corporate Systems at any time, for any Supplier employee or all Supplier employees, without prior notice to Supplier or any Supplier employee or others, if Kyndryl believes that doing so is necessary to protect Kyndryl.

    3.3 Kyndryl’s rights are not blocked, lessened, or restricted in any way by any provision of the Transaction Document, the associated base agreement between the parties, or any other agreement between the parties, including any provision that may require data, materials or other information of any kind to reside only in a select location or locations or that may require that only persons from a select location or locations access such data, materials or other information.

    4. Kyndryl Devices

    4.1 Kyndryl will retain title to all Kyndryl Devices, with Supplier bearing the risk of loss of the Devices, including due to theft, vandalism, or negligence. Supplier will not make or permit any alterations to Kyndryl Devices without Kyndryl’s prior written consent, with an alteration being any change to a Device, including any change to Device software, applications, security design, security configuration, or physical, mechanical, or electrical design.

    4.2 Supplier will return all Kyndryl Devices within 5 business days after the need for those Devices to provide Services ends, and if Kyndryl requests, destroy all data, materials and other information of any kind on those Devices at the same time, without retaining any copy, by following Industry Best Practices to permanently erase all such data, materials and other information. Supplier will pack and return Kyndryl Devices in the same condition as delivered to Supplier, other than reasonable wear and tear, at its own expense to the location that Kyndryl identifies. Supplier’s failure to comply with any obligation in this Section 4.2 constitutes a material breach of the Transaction Document and associated base agreement and any related agreement between the parties, with the understanding that an agreement is “related” if access to any Corporate System facilitates Supplier’s tasks or other activities under that agreement.

    4.3 Kyndryl will provide support for Kyndryl Devices (including Device inspection and preventive and remedial maintenance). Supplier will promptly advise Kyndryl of the need for remedial service.

    4.4 For software programs that Kyndryl owns or has the right to license, Kyndryl grants Supplier a temporary right to use, store, and make sufficient copies to support its authorized use of Kyndryl Devices. Supplier may not transfer programs to anyone, make copies of software license information, or disassemble, decompile, reverse engineer, or otherwise translate any program unless expressly permitted by applicable law without the possibility of contractual waiver.

    5. Updates

    5.1 Notwithstanding anything to the contrary in the Transaction Document or associated base agreement between the parties, upon written notice to Supplier and without the need for obtaining Supplier’s consent, Kyndryl may update, supplement, or otherwise amend this Article to address any requirement under applicable law or Customer obligation, to reflect any development in security best practices, or otherwise as Kyndryl believes necessary to protect Corporate Systems or Kyndryl.

    Article VII, Staff Augmentation

    This Article applies where Supplier’s employees will devote all of their working time to provide Services for Kyndryl, will perform all of those Services on Kyndryl premises, Customer premises or from their homes, and will only provide Services using Kyndryl Devices to access Corporate Systems.

    1. Access to Corporate Systems; Kyndryl’s Environments

    1.1 Supplier may only perform Services by accessing Corporate Systems using Devices that Kyndryl provides.

    1.2 Supplier will comply with the terms set forth in Article VI (Corporate Systems’ Access), for all access to Corporate Systems.

    1.3 Kyndryl provided Devices are the only Devices that Supplier and its employees may use to provide Services and may only be used by Supplier and its employees to provide Services. For clarity, in no event may Supplier or its employees use any other devices to provide Services or use Kyndryl Devices for any other Supplier customer or for any purpose other than providing Services to Kyndryl.

    1.4 Supplier employees using Kyndryl Devices may share Kyndryl Materials with each other and store such materials on the Kyndryl Devices, but only to the limited extent that such sharing and storage is necessary to successfully perform Services.

    1.5 Except with respect to such storage within the Kyndryl Devices, in no event may Supplier or its employees remove any Kyndryl Materials from the Kyndryl repositories, environments, tools or infrastructure where they are retained by Kyndryl.

    1.6 For clarity, Supplier and its employees are not authorized to transfer any Kyndryl Materials to any Supplier repositories, environments, tools, or infrastructure, or any other Supplier systems, platforms, networks or the like, without Kyndryl’s prior written consent.

    1.7 Article VIII (Technical and Organizational Measures, General Security) does not apply to Supplier’s Services where Supplier’s employees will devote all of their working time to provide Services for Kyndryl, will perform all of those Services on Kyndryl premises, Customer premises or from their homes, and will only provide Services using Kyndryl Devices to access Corporate Systems. Otherwise, Article VIII applies to Supplier’s Services.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12 month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12 month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law.

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third-parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.

  8. If so, then Articles II (Technical and Organizational Measures, Data Security), VIII (Technical and Organizational Measures, General Security), IX (Hosted Services’ Certifications and Reports) and X (Cooperation, Verification and Remediation) apply. Article III (Privacy) will also apply if Supplier has access to Kyndryl Personal Data in providing a Hosting Service.

    Examples:

    1. Supplier provides any “as a service” offering to Kyndryl, such as software, platform or infrastructure “as a service” offerings.

    Article II, Technical and Organizational Measures, Data Security

    This Article applies if Supplier Processes Kyndryl Data, other than Kyndryl’s BCI. Supplier will comply with the requirements of this Article in providing all Services and Deliverables, and by doing so protect Kyndryl Data against loss, destruction, alteration, accidental or unauthorized disclosure, accidental or unauthorized access, and unlawful forms of Processing. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services, including all development, testing, hosting, support, operations, and data center environments.

    1. Data Use

    1.1 Supplier may not add to the Kyndryl Data or include with the Kyndryl Data any other information or data, including any Personal Data, without Kyndryl’s prior written consent, and Supplier may not use Kyndryl Data in any form, aggregated or otherwise, for any purpose other than providing Services and Deliverables (by way of example, Supplier is not permitted to use or reuse Kyndryl Data to evaluate the effectiveness of or means of improving Supplier’s offerings, for research and development to create new offerings, or to generate reports regarding Supplier’s offerings). Unless expressly permitted in the Transaction Document, Supplier is prohibited from Selling Kyndryl Data.

    1.2 Supplier will not embed any web tracking technologies in the Deliverables or as part of the Services (such technologies include HTML5, local storage, third party tags or tokens, and web beacons) unless expressly permitted in the Transaction Document.

    2. Third Party Requests and Confidentiality

    2.1 Supplier will not disclose Kyndryl Data to any third party, unless authorized in advance by Kyndryl in writing. If a government, including any regulator, demands access to Kyndryl Data (e.g., if the U.S. government serves a national security order on Supplier to obtain Kyndryl Data), or if a disclosure of Kyndryl Data is otherwise required by law, Supplier will notify Kyndryl in writing of such demand or requirement and afford Kyndryl a reasonable opportunity to challenge any disclosure (where law prohibits notification, Supplier will take the steps that it reasonably believes are appropriate to challenge the prohibition and disclosure of Kyndryl Data through judicial action or other means).

    2.2 Supplier assures Kyndryl that: (a) only those of its employees who need access to Kyndryl Data to provide Services or Deliverables will have that access, and then only to the extent necessary to provide those Services and Deliverables; and (b) it has bound its employees to confidentiality obligations that require those employees to only use and disclose Kyndryl Data as these Terms permit.

    3. Return or Deletion of Kyndryl Data

    3.1 Supplier will, at Kyndryl’s choice, either delete or return Kyndryl Data to Kyndryl upon termination or expiration of the Transaction Document, or earlier upon request from Kyndryl. If Kyndryl requires deletion, then Supplier will, consistent with Industry Best Practices, render the data unreadable and unable to be reassembled or reconstructed, and will certify the deletion to Kyndryl. If Kyndryl requires the return of Kyndryl Data, then Supplier will do so on Kyndryl’s reasonable schedule and per Kyndryl’s reasonable written instructions.

    Article III, Privacy

    This Article applies if Supplier Processes Kyndryl Personal Data.

    1. Processing

    1.1 Kyndryl appoints Supplier as a Processor to Process Kyndryl Personal Data for the sole purpose of providing the Deliverables and Services in accordance with Kyndryl’s instructions, including those contained in these Terms, the Transaction Document and the associated base agreement between the parties. If Supplier does not accommodate an instruction, Kyndryl may terminate the affected part of the Services on written notice. If Supplier believes an instruction violates a data protection law, Supplier will so inform Kyndryl promptly and within any time frame required by the law. If Supplier fails to comply with any of its obligations under these Terms and that failure causes an unauthorized use of Personal Information, or, in general, in any case of unauthorized use of Personal Information, Kyndryl will have the right to stop the processing and correct the failure and remediate the harmful effects of the unauthorized use, with such performance and remediation at Kyndryl’s reasonable direction and schedule.

    1.2 Supplier will comply with all data protection laws applicable to the Services and Deliverables.

    1.3 An Exhibit to the Transaction Document, or the Transaction Document itself, sets out the following in respect of Kyndryl Data:

    (a) categories of Data Subjects;

    (b) types of Kyndryl Personal Data;

    (c) data actions and Processing activities;

    (d) duration and frequency of Processing; and

    (e) a list of Subprocessors.

    2. Technical and Organizational Measures

    2.1 Supplier will implement and maintain the technical and organizational measures set forth in Article II (Technical and Organizational Measures, Data Security) and Article VIII (Technical and Organizational Measures, General Security), and by doing so ensure a level of security appropriate to the risk its Services and Deliverables present. Supplier certifies and understands the restrictions in Article II, this Article III, and Article VIII and will comply with them.

    3. Data Subject Rights and Requests

    3.1 Supplier will inform Kyndryl promptly (on a schedule that allows Kyndryl and any Other Controllers to fulfill their legal obligations) of any request from a Data Subject to exercise any Data Subject rights (e.g., rectification, deletion or blocking of data) regarding Kyndryl Personal Data. Supplier may also promptly direct a Data Subject making such a request to Kyndryl. Supplier will not answer any requests from Data Subjects unless it is legally required or instructed by Kyndryl in writing to do so.

    3.2 If Kyndryl is obliged to provide information regarding Kyndryl Personal Data to Other Controllers or other third-parties (e.g., Data Subjects or regulators), Supplier will assist Kyndryl by providing information and taking other reasonable actions that Kyndryl requests, on a schedule that allows Kyndryl to timely respond to such Other Controllers or third-parties.

    4. Subprocessors

    4.1 Supplier will provide Kyndryl with advance written notice before adding a new Subprocessor or expanding the scope of Processing by an existing Subprocessor, with such written notice identifying the name of the Subprocessor and describing the new or expanded scope of Processing. Kyndryl may object to any such new Subprocessor or expanded scope on reasonable grounds at any time, and if it does so, the parties will work together in good faith to address Kyndryl’s objection. Subject to Kyndryl’s right to so object at any time, Supplier may commission the new Subprocessor or expand the scope of Processing of the existing Subprocessor if Kyndryl has not raised an objection within 30 Days of the date of Supplier’s written notice.

    4.2 Supplier will impose the data protection, security and certification obligations set out in these Terms on each approved Subprocessor prior to a Subprocessor Processing any Kyndryl Data. Supplier is fully liable to Kyndryl for performance of each Subprocessor’s obligations.

    5. Transborder Data Processing

    As used below:

    Adequate Country means a country providing an adequate level of data protection with respect to the relevant transfer pursuant to the applicable data protection laws or decisions of regulators.

    Data Importer means either a Processor or a Subprocessor that is not established in an Adequate Country.

    EU Standard Contractual Clauses (“EU SCCs”) means the EU Standard Contractual Clauses (Commission Decision 2021/914) with optional clauses applied except for option 1 of Clause 9(a) and option 2 of Clause 17, as officially published at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

    Serbian Standard Contractual Clauses (“Serbian SCCs”) means the Serbian Standard Contractual Clauses as adopted by the "Serbian Commissioner for Information of Public Importance and Personal Data Protection", published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx.

    Standard Contractual Clauses (“SCCs”) means the contractual clauses required by applicable data protection laws for the transfer of Personal Data to Processors that are not established in Adequate Countries.

    United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as officially published at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

    5.1 Supplier will not transfer or disclose (including by remote access) any Kyndryl Personal Data across borders without Kyndryl’s prior written consent. If Kyndryl provides such consent, the parties will cooperate to ensure compliance with applicable data protection laws. If SCCs are required by those laws, Supplier will promptly enter into the SCCs upon Kyndryl’s request.

    5.2 Regarding EU SCCs:

    (a) If Supplier is not established in an Adequate Country: Supplier is hereby entering into EU SCCs as a Data Importer with Kyndryl, and Supplier will enter into written agreements with each approved Subprocessor, in accordance with Clause 9 of the EU SCCs, and will provide Kyndryl with copies of those agreements upon request.

    (i) Module 1 of the EU SCCs does not apply unless otherwise agreed by the parties in writing.

    (ii) Module 2 of the EU SCCs applies where Kyndryl is a Controller and Module 3 applies where Kyndryl is a Processor. In accordance with Clause 13 of the EU SCCs, when Modules 2 or 3 apply, the parties agree that (1) the EU SCCs will be governed by the law of the EU member state where the competent supervisory authority is located and (2) any disputes arising from the EU SCCs will be resolved in the courts of the EU member state where the competent supervisory authority is located. If such law in (1) does not allow for third-party beneficiary rights, then the EU SCCs shall be governed by the law of the Netherlands and any disputes arising from the EU SCCs under (2) shall be resolved by the court of Amsterdam in the Netherlands.

    (b) If both parties, Supplier and Kyndryl, are established in an Adequate Country, Supplier will act as the Data Exporter and enter into EU SCCs with each approved Subprocessor in a Non-Adequate Country. Supplier will perform the required Transfer Impact Assessment (TIA) and notify Kyndryl without undue delay about (1) any need to apply supplementary measures and (2) the measures applied. On request, Supplier will provide to Kyndryl the results of the TIA and any information necessary to understand and evaluate those results. If Kyndryl disagrees with the results of Supplier’s TIA or the supplementary measures applied, Kyndryl and Supplier will work together to find a feasible solution. Kyndryl retains the right to suspend or terminate the Supplier services concerned without compensation. For the avoidance of doubt, this does not relieve Supplier’s Subprocessors from the obligation to become party to the EU SCCs with Kyndryl or its Customers as outlined in Section 5.2(d) below.

    (c) If Supplier is established in the European Economic Area and Kyndryl is a Controller not subject to the General Data Protection Regulation 2016/679, then Module 4 of the EU SCCs applies, and Supplier is hereby entering into EU SCCs as a data exporter with Kyndryl. If Module 4 of the EU SCCs applies, the parties agree that the EU SCCs shall be governed by the law of the Netherlands and any disputes arising from the EU SCCs shall be resolved by the court of Amsterdam in the Netherlands.

    (d) If Other Controllers, such as Customers or affiliates, request to become a party to EU SCCs pursuant to the ‘docking clause’ in Clause 7, Supplier hereby agrees to any such request.

    (e) Technical and Organizational Measures required to complete Annex II of the EU SCCs can be found in these Terms, the Transaction Document itself, and the associated base agreement between the parties.

    (f) In the event of any conflict between the EU SCCs and these Terms, the EU SCCs will prevail.

    5.3 Regarding UK Addendum(s):

    (a) If Supplier is not established in an Adequate Country: (i) Supplier is hereby entering into UK Addendum(s) with Kyndryl as an Importer to append to the EU SCCs set out above (as applicable, depending on the circumstances of the processing activities); and (ii) Supplier will enter into written agreements with each approved Subprocessor, and will provide Kyndryl with copies of those agreements upon request.

    (b) If Supplier is established in an Adequate Country, and Kyndryl is a Controller not subject to the UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), then Supplier is hereby entering into UK Addendum(s) as an Exporter with Kyndryl to append to the EU SCCs set out in Section 5.2(b) above.

    (c) If Other Controllers, such as Customers or affiliates, request to become a party to UK Addendum(s), Supplier hereby agrees to any such request.

    (d) Appendix Information (as set out in Table 3) in the UK Addendum(s) can be found in the applicable EU SCCs, these Terms, the Transaction Document itself, and the associated base agreement between the parties. Neither Kyndryl nor Supplier can end the UK Addendum(s) when the UK Addendum changes.

    (e) In the event of any conflict between the UK Addendum(s) and these Terms, the UK Addendum(s) will prevail.

    5.4 Regarding Serbian SCCs:

    (a) If Supplier is not established in an Adequate Country: (i) Supplier is hereby entering into Serbian SCCs with Kyndryl on Supplier’s own behalf as a Processor; and (ii) Supplier will enter into written agreements with each approved Subprocessor, in accordance with Article 8 of the Serbian SCCs, and will provide Kyndryl with copies of those agreements upon request.

    (b) If Supplier is established in an Adequate Country, then Supplier is hereby entering into Serbian SCCs with Kyndryl on behalf of each Subprocessor located in a non-Adequate Country. If Supplier is unable to do so for any such Subprocessor, then Supplier will provide Kyndryl with the Serbian SCCs signed by that Subprocessor for Kyndryl’s countersignature prior to allowing the Subprocessor to Process any Kyndryl Personal Data.

    (c) The Serbian SCCs between Kyndryl and Supplier will serve either as Serbian SCCs between a Controller and Processor or as a back-to-back written agreement between ‘processor’ and ‘sub-processor’, as the facts require. In the event of any conflict between the Serbian SCCs and these Terms, the Serbian SCCs will prevail.

    (d) Information required to complete Appendices 1 to 8 of the Serbian SCCs for the purpose of governing the transfer of Personal Data to a non-Adequate Country can be found in these Terms and in the Exhibit to the Transaction Document, or the Transaction Document itself.

    6. Assistance and Records

    6.1 Taking into account the nature of Processing, Supplier will assist Kyndryl by having appropriate technical and organizational measures to fulfil obligations associated with Data Subject requests and rights. Supplier will also assist Kyndryl in ensuring compliance with obligations relating to the security of Processing, the notification and communication of a Security Breach and the creation of data protection impact assessments, including prior consultation with the responsible regulator, if required, taking into account the information available to Supplier.

    6.2 Supplier will maintain an up-to-date record of the name and contact details of each Subprocessor, including each Subprocessor’s representative and data protection officer. Upon request, Supplier will provide this record to Kyndryl on a schedule that allows Kyndryl to timely respond to any demand from a Customer or other third-party.

    Article VIII, Technical and Organizational Measures, General Security

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl, unless Supplier will only have access to Kyndryl BCI in providing those Services and Deliverables (i.e., Supplier will not Process any other Kyndryl Data or have access to any other Kyndryl Materials or to any Corporate System), Supplier’s only Services and Deliverables are to provide On-Premise Software to Kyndryl, or Supplier provides all of its Services and Deliverables in a staff augmentation model pursuant to Article VII, including Section 1.7 thereof.

    Supplier will comply with the requirements of this Article and by doing so protect: (a) Kyndryl Materials against loss, destruction, alteration, accidental or unauthorized disclosure, and accidental or unauthorized access, (b) Kyndryl Data from unlawful forms of Processing and (c) Kyndryl Technology from unlawful forms of Handling. The requirements of this Article extend to all IT applications, platforms, and infrastructure that Supplier operates or manages in providing Deliverables and Services and in Handling Kyndryl Technology, including all development, testing, hosting, support, operations, and data center environments.

    1. Security Policies

    1.1 Supplier will maintain and follow IT security policies and practices that are integral to Supplier’s business, mandatory for all Supplier Personnel, and consistent with Industry Best Practices.

    1.2 Supplier will review its IT security policies and practices at least annually and amend them as Supplier deems necessary to protect the Kyndryl Materials.

    1.3 Supplier will maintain and follow standard, mandatory employment verification requirements for all new employee hires, and extend such requirements to all Supplier Personnel and wholly-owned Supplier subsidiaries. Those requirements will include criminal background checks to the extent permitted by local laws, proof of identity validation, and additional checks that Supplier deems necessary. Supplier will periodically repeat and revalidate these requirements, as it deems necessary.

    1.4 Supplier will provide security and privacy education to its employees annually and require all such employees to certify each year that they will comply with Supplier’s ethical business conduct, confidentiality, and security policies, as set out in Supplier’s code of conduct or similar documents. Supplier will provide additional policy and process training to persons with administrative access to any components of the Services, Deliverables or Kyndryl Materials, with such training specific to their role and support of the Services, Deliverables and Kyndryl Materials, and as necessary to maintain required compliance and certifications.

    1.5 Supplier will design security and privacy measures to protect and maintain the availability of Kyndryl Materials, including through its implementation, maintenance, and compliance with policies and procedures which require security and privacy by design, secure engineering, and secure operations, for all Services and Deliverables and for all Handling of Kyndryl Technology.

    2. Security Incidents

    2.1 Supplier will maintain and follow documented incident response policies consistent with Industry Best Practices for computer security incident handling.

    2.2 Supplier will investigate unauthorized access or unauthorized use of Kyndryl Materials and will define and execute an appropriate response plan.

    2.3 Supplier will promptly (and in no event any later than 48 hours) notify Kyndryl after becoming aware of any Security Breach. Supplier will provide such notification to cyber.incidents@kyndryl.com. Supplier will provide Kyndryl with reasonably requested information about such breach and the status of any Supplier remediation and restoration activities. By way of example, reasonably requested information may include logs demonstrating privileged, administrative, and other access to Devices, systems or applications, forensic images of Devices, systems or applications, and other similar items, to the extent relevant to the breach or Supplier’s remediation and restoration activities.

    2.4 Supplier will provide Kyndryl with reasonable assistance to satisfy any legal obligations (including obligations to notify regulators or Data Subjects) of Kyndryl, Kyndryl affiliates and Customers (and their customers and affiliates) in relation to a Security Breach.

    2.5 Supplier will not inform or notify any third party that a Security Breach directly or indirectly relates to Kyndryl or Kyndryl Materials unless Kyndryl approves doing so in writing or where required by law. Supplier will notify Kyndryl in writing prior to distributing any legally required notification to any third-party, where the notification would directly or indirectly reveal Kyndryl’s identity.

    2.6 In case of a Security Breach which arises from Supplier’s breach of any obligation under these Terms:

    (a) Supplier will be responsible for any costs it incurs, as well as actual costs that Kyndryl incurs, in providing notification of the Security Breach to applicable regulators, other government and relevant industry self-regulatory agencies, the media (if required by applicable law), Data Subjects, Customers, and others,

    (b) if Kyndryl requests, Supplier will establish and maintain at Supplier’s own expense a call-center to respond to questions from Data Subjects about the Security Breach and its consequences, for 1 year after the date on which such Data Subjects were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection. Kyndryl and Supplier will work together to create the scripts and other materials to be used by call-center staff when responding to inquiries. Alternatively, on written notice to Supplier, Kyndryl may establish and maintain its own call-center, in lieu of having Supplier establish a call-center, and Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in establishing and maintaining such call-center, and

    (c) Supplier will reimburse Kyndryl the actual costs that Kyndryl incurs in providing credit monitoring and credit restoration services for 1 year after the date on which individuals affected by the breach who choose to register for such services were notified of the Security Breach, or as required by any applicable data protection law, whichever affords greater protection.

    3. Physical Security and Entry Control (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials).

    3.1 Supplier will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Facilities.

    3.2 Supplier will require authorized approval for access to Facilities and controlled areas within Facilities, including any temporary access, and will limit access by job role and business need. If Supplier grants temporary access, its authorized employee will escort any visitor while in the Facility and any controlled areas.

    3.3 Supplier will implement physical access controls, including multi-factor access controls that are consistent with Industry Best Practices, to appropriately restrict entrance to controlled areas within Facilities, will log all entry attempts, and retain such logs for at least one year.

    3.4 Supplier will revoke access to Facilities and controlled areas within Facilities upon (a) separation of an authorized Supplier employee or (b) the authorized Supplier employee no longer having a valid business need for access. Supplier will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.

    3.5 Supplier will take precautions to protect all physical infrastructure used to support the Services and Deliverables and the Handling of Kyndryl Technology against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

    4. Access, Intervention, Transfer, and Separation Control

    4.1 Supplier will maintain documented security architecture of networks that it manages in its operation of the Services, its provision of Deliverables and its Handling of Kyndryl Technology. Supplier will separately review such network architecture, and employ measures to prevent unauthorized network connections to systems, applications, and network devices, for compliance with secure segmentation, isolation, and defense in-depth standards. Supplier may not use wireless technology in its hosting and operations of any Hosted Services; otherwise, Supplier may use wireless networking technology in its delivery of Services and Deliverables and in its Handling of Kyndryl Technology, but Supplier will encrypt and require secure authentication for any such wireless networks.

    4.2 Supplier will maintain measures that are designed to logically separate and prevent Kyndryl Materials from being exposed to or accessed by unauthorized persons. Further, Supplier will maintain appropriate isolation of its production, non-production, and other environments, and, if Kyndryl Materials are already present within or are transferred to a non-production environment (for example to reproduce an error), then Supplier will ensure that the security and privacy protections in the non-production environment are equal to those in the production environment.

    4.3 Supplier will encrypt Kyndryl Materials in transit and at rest (unless Supplier demonstrates to Kyndryl’s reasonable satisfaction that encrypting Kyndryl Materials at rest is technically infeasible). Supplier will also encrypt all physical media, if any, such as media containing backup files. Supplier will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use associated with data encryption. Supplier will ensure that the specific cryptographic methods used for such encryption align with Industry Best Practices (such as NIST SP 800-131a).

    4.4 If Supplier requires access to Kyndryl Materials, Supplier will restrict and limit such access to the least level required to provide and support the Services and Deliverables. Supplier will require that such access, including administrative access to any underlying components (i.e., privileged access), will be individual, role based, and subject to approval and regular validation by authorized Supplier employees following segregation of duty principles. Supplier will maintain measures to identify and remove redundant and dormant accounts. Supplier will also revoke accounts with privileged access within twenty-four (24) hours after the account owner’s separation or the request by Kyndryl or any authorized Supplier employee, such as the account owner’s manager.

    4.5 Consistent with Industry Best Practices, Supplier will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases. Additionally, Supplier will utilize multi-factor authentication for all non-console based privileged access to any Kyndryl Materials.

    4.6 Supplier will monitor use of privileged access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity, (b) facilitate a timely and appropriate response to such access and activity, and (c) enable audits by Supplier, Kyndryl (pursuant to its verification rights in these Terms and audit rights in the Transaction Document or associated base or other related agreement between the parties) and others of compliance with documented Supplier policy.

    4.7 Supplier will retain logs in which it records, in compliance with Industry Best Practices, all administrative, user, or other access or activity to or with respect to systems used in providing Services or Deliverables and in Handling Kyndryl Technology (and will provide those logs to Kyndryl upon request). Supplier will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

    4.8 Supplier will maintain computing protections for systems that it owns or manages, including end-user systems, and that it uses in providing Services or Deliverables or in Handling Kyndryl Technology, with such protections including: endpoint firewalls, full disk encryption, signature and non-signature based endpoint detection and response technologies to address malware and advanced persistent threats, time based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In addition, Supplier will implement technical and operational controls that ensure only known and trusted end-user systems are allowed to use Supplier networks.

    4.9 Consistent with Industry Best Practices, Supplier will maintain protections for data center environments where Kyndryl Materials are present or processed, with such protections including intrusion detection and prevention and denial of service attack countermeasures and mitigation.

    5. Service and Systems Integrity and Availability Control

    5.1 Supplier will: (a) perform security and privacy risk assessments at least annually, (b) perform security testing and assess vulnerabilities, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter as it concerns Services and Deliverables and annually with respect to its Handling of Kyndryl Technology, (c) enlist a qualified independent third-party to perform penetration testing consistent with Industry Best Practices at least annually, with such testing including both automated and manual testing, (d) perform automated management and routine verification of compliance with security configuration requirements for each component of the Services and Deliverables and with respect to its Handling of Kyndryl Technology, and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Supplier will take reasonable steps to avoid disruption of Services when performing its tests, assessments, scans, and execution of remediation activities. Upon Kyndryl’s request, Supplier will provide Kyndryl with a written summary of Supplier’s then-most recent penetration testing activities, which report will at a minimum include the name of the offerings covered by the testing, the number of systems or applications in-scope for the testing, the dates of the testing, the methodology used in the testing, and a high-level summary of findings.

    5.2 Supplier will maintain policies and procedures designed to manage risks associated with the application of changes to the Services or Deliverables or to the Handling of Kyndryl Technology. Prior to implementing such a change, including to affected systems, networks, and underlying components, Supplier will document in a registered change request: (a) a description of and reason for the change, (b) implementation details and schedule, (c) a risk statement addressing impact to the Services and Deliverables, customers of the Services, or Kyndryl Materials, (d) expected outcome, (e) rollback plan, and (f) approval by authorized Supplier employees.

    5.3 Supplier will maintain an inventory of all IT assets it uses in operating the Services, providing Deliverables and in Handling Kyndryl Technology. Supplier will continuously monitor and manage the health (including capacity) and availability of such IT assets, Services, Deliverables and Kyndryl Technology, including the underlying components of such assets, Services, Deliverables and Kyndryl Technology.

    5.4 Supplier will build all systems that it uses in the development or operation of Services and Deliverables and in its Handling of Kyndryl Technology from predefined system security images or security baselines, which satisfy Industry Best Practices, such as the Center for Internet Security (CIS) benchmarks.

    5.5 Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to business continuity, Supplier will separately assess each Service and Deliverable and each IT system used in Handling Kyndryl Technology for business and IT continuity and disaster recovery requirements pursuant to documented risk management guidelines. Supplier will ensure that each such Service, Deliverable and IT system has, to the extent warranted by such risk assessment, separately defined, documented, maintained, and annually validated business and IT continuity and disaster recovery plans consistent with Industry Best Practices. Supplier will ensure that such plans are designed to deliver the specific recovery times that are set forth in Section 5.6 below.

    5.6 The specific recovery point objectives (“RPO”) and recovery time objectives (“RTO”) with respect to any Hosted Service are: 24 hours RPO and 24 hours RTO; nevertheless, Supplier will comply with any shorter duration RPO or RTO that Kyndryl has committed to a Customer, promptly after Kyndryl notifies Supplier in writing of such shorter duration RPO or RTO (an email constitutes a writing). As it concerns all other Services provided by Supplier to Kyndryl, Supplier will ensure that its business continuity and disaster recovery plans are designed to deliver RPO and RTO that enable Supplier to remain in compliance with all of its obligations to Kyndryl under the Transaction Document and associated base agreement between the parties, and these Terms, including its obligations to timely provide testing, support, and maintenance.

    5.7 Supplier will maintain measures designed to assess, test, and apply security advisory patches to the Services and Deliverables and associated systems, networks, applications, and underlying components within the scope of those Services and Deliverables, as well as the systems, networks, applications, and underlying components used to Handle Kyndryl Technology. Upon determining that a security advisory patch is applicable and appropriate, Supplier will implement the patch pursuant to documented severity and risk assessment guidelines. Supplier’s implementation of security advisory patches will be subject to its change management policy.

    5.8 If Kyndryl has a reasonable basis for believing that hardware or software that Supplier provides to Kyndryl may contain intrusive elements, such as spyware, malware, or malicious code, then Supplier will timely cooperate with Kyndryl in investigating and remediating Kyndryl’s concerns.

    6. Service Provisioning

    6.1 Supplier will support industry common methods of federated authentication for any Kyndryl user or Customer accounts, with Supplier following Industry Best Practices in authenticating such Kyndryl user or Customer accounts (such as by Kyndryl centrally managed multi-factor Single Sign-On, using OpenID Connect or Security Assertion Markup Language).

    7. Subcontractors. Without limiting Supplier’s obligations or Kyndryl’s rights under the Transaction Document or associated base agreement between the parties with respect to the retention of subcontractors, Supplier will ensure that any subcontractor performing work for Supplier has instituted governance controls to comply with the requirements and obligations that these Terms place on Supplier.

    8. Physical Media. Supplier will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with Industry Best Practices for media sanitization.

    Article IX, Hosted Services’ Certifications and Reports

    This Article applies if Supplier provides a Hosted Service to Kyndryl.

    1.1 Supplier will obtain the following certifications or reports within the time frames set forth below:

     

    Certifications / Reports and Time Frame

    With respect to Supplier’s Hosted Services:

    Certification / Report: Certification of compliance with ISO 27001, Information technology, Security techniques, Information security management systems, with such certification based on the assessment of a reputable independent auditor

    Time Frame: Supplier will obtain the ISO 27001 certification by 120 Days after the effective date of the Transaction Document* or Assumption Date** and then renew the certification based on the assessment of a reputable independent auditor every 12 months thereafter (with each renewal against the then most current version of the standard)

    Or

    Certification / Report: SOC 2 Type 2: A report by a reputable independent auditor demonstrating its review of Supplier’s systems, controls and operations in accordance with a SOC 2 Type 2 (including, at a minimum, security, confidentiality, and availability)

    Time Frame: Supplier will obtain the SOC 2 Type 2 report by 240 Days after the effective date of the Transaction Document* or Assumption Date** and then obtain a new report by a reputable independent auditor demonstrating its review of Supplier’s systems, controls and operations in accordance with a SOC 2 Type 2 (including, at a minimum, security, confidentiality, and availability) every 12 months thereafter

    * If, as of such effective date, Supplier provides a Hosted Service

    ** The date that Supplier assumes an obligation to provide a Hosted Service

     

    1.2 If Supplier requests in writing, and Kyndryl approves in writing, Supplier may obtain a substantially equivalent certification or report to those referenced above, with the understanding that the time frames set forth in the table above would apply unchanged with respect to the substantially equivalent certification or report.

    1.3 Supplier will: (a) upon request, promptly provide to Kyndryl a copy of each certification and report Supplier is obligated to obtain and (b) promptly resolve any internal control weaknesses noted during the SOC 2 or substantially equivalent (if Kyndryl so approves) reviews.

    Article X, Cooperation, Verification and Remediation

    This Article applies if Supplier provides any Services or Deliverables to Kyndryl.

    1. Supplier Cooperation

    1.1 If Kyndryl has reason to question whether any Services or Deliverables may have contributed, are contributing or will contribute to any cyber security concern, then Supplier will reasonably cooperate with any Kyndryl inquiry regarding such concern, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like.

    1.2 The parties agree to: (a) furnish upon request to each other such further information, (b) execute and deliver to each other such other documents, and (c) do such other acts and things, all as the other party may reasonably request for the purpose of carrying out the intent of these Terms and the documents referred to in these Terms. For example, if Kyndryl requests, Supplier will timely provide the privacy and security focused terms of its written contracts with Subprocessors and subcontractors, including, where Supplier has the right to do so, by granting access to the contracts themselves.

    1.3 If Kyndryl requests, Supplier will timely provide information on the countries where its Deliverables and the components of those Deliverables were manufactured, developed, or otherwise sourced.

    2. Verification (as used below, “Facility” means a physical location where Supplier hosts, processes or otherwise accesses Kyndryl Materials)

    2.1 Supplier will maintain an auditable record demonstrating compliance with these Terms.

    2.2 Kyndryl, by itself or with an external auditor, may, upon 30 Days prior written notice to Supplier, verify Supplier’s compliance with these Terms, including by accessing any Facility or Facilities for such purposes, though Kyndryl will not access any data center where Supplier Processes Kyndryl Data unless it has a good faith reason to believe that doing so would provide relevant information. Supplier will cooperate with Kyndryl’s verification, including by timely and fully responding to requests for information, whether through documents, other records, interviews of relevant Supplier Personnel, or the like. Supplier may offer proof of adherence to an approved code of conduct or industry certification or otherwise provide information to demonstrate compliance with these Terms, for Kyndryl’s consideration.

    2.3 A verification will not occur more than once in any 12 month period, unless: (a) Kyndryl is validating Supplier’s remediation of concerns resulting from a previous verification during the 12 month period or (b) a Security Breach has arisen and Kyndryl wishes to verify compliance with obligations relevant to the breach. In either case, Kyndryl will provide the same 30 Days prior written notice as specified in Section 2.2 above, but the urgency of addressing a Security Breach may necessitate Kyndryl conducting a verification on less than 30 Days prior written notice.

    2.4 A regulator or other Controller may exercise the same rights as Kyndryl in Sections 2.2 and 2.3, with the understanding that a regulator may exercise any additional rights it has under the law.

    2.5 If Kyndryl has a reasonable basis for concluding that Supplier is not compliant with any of these Terms (whether such basis arises from a verification under these Terms or otherwise), then Supplier will promptly remediate such non-compliance.

    3. Anti-Counterfeiting Program

    3.1 If Supplier’s Deliverables include electronic components (e.g., hard disk drives, solid-state drives, memory, central processing units, logic devices or cables), Supplier will maintain and follow a documented counterfeit prevention program to, first and foremost, prevent Supplier from providing counterfeit components to Kyndryl and, secondarily, promptly detect and remediate any case where Supplier mistakenly provides counterfeit components to Kyndryl. Supplier will impose this same obligation to maintain and follow a documented counterfeit prevention program on all of its suppliers that provide electronic components that are included in Supplier’s Deliverables to Kyndryl.

    4. Remediation

    4.1 If Supplier fails to comply with any of its obligations under these Terms, and that failure causes a Security Breach, then Supplier will correct the failure in its performance and remediate the harmful effects of the Security Breach, with such performance and remediation at Kyndryl’s reasonable direction and schedule. If, however, the Security Breach arises from Supplier’s provision of a multi-tenant Hosted Service, and consequently impacts many Supplier customers, including Kyndryl, then Supplier will, given the nature of the Security Breach, timely and appropriately correct the failure in its performance and remediate the harmful effects of the Security Breach, while affording due consideration to any Kyndryl input on such corrections and remediation. Without prejudice to the above, Supplier must notify Kyndryl without undue delay if Supplier can no longer comply with the obligations set by the applicable data protection law.

    4.2 Kyndryl will have the right to participate in the remediation of any Security Breach referenced in Section 4.1, as it believes appropriate or necessary, and Supplier will be responsible for its costs and expenses in correcting its performance and for the remediation costs and expenses that the parties incur with respect to any such Security Breach.

    4.3 By way of example, remediation costs and expenses associated with a Security Breach could include those for detecting and investigating a Security Breach, determining responsibilities under applicable laws and regulations, providing breach notifications, establishing and maintaining call-centers, providing credit monitoring and credit restoration services, reloading data, correcting product defects (including through Source Code or other development), retaining third-parties to assist with the foregoing or other relevant activities, and other costs and expenses that are necessary to remediate the harmful effects of the Security Breach. For clarity, remediation costs and expenses would not include Kyndryl’s loss of profits, business, value, revenue, goodwill, or anticipated savings.


Definitions
Capitalized words have the meanings given below, otherwise within these Terms, or in the Transaction Document or associated base agreement between the parties. The terms “Services” and “Deliverables” are likely defined in the Transaction Document or associated base agreement between the parties; but if they are not, then “Services” means any Hosted Service, consulting, installation, customization, maintenance, support, staff augmentation, business, technical or other work that Supplier performs for Kyndryl, as specified in the Transaction Document, and “Deliverables” means any software programs, platforms, applications or other products or items and their respective related materials that Supplier provides to Kyndryl, as specified in the Transaction Document.

Business Contact Information ("BCI") means Personal Data that are used to contact, identify or authenticate an individual in a professional or business capacity. Typically, BCI includes an individual’s name, business e-mail address, physical address, telephone number or similar attributes.

Cloud Service means any "as a service" offering that Supplier hosts or manages, including "software as a service", "platform as a service", and "infrastructure as a service" offerings.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.

Corporate System means an IT system, platform, application, network, or the like that Kyndryl relies upon for its business, including those located on or accessible through Kyndryl's intranet, the Internet, or otherwise.

Customer means a Kyndryl customer.

Data Subject means a natural person who can be identified, directly or indirectly, by reference to a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Day or Days means calendar days, unless “business” days are designated.

Device means a Kyndryl- or Supplier-provided workstation, laptop, tablet, smartphone or personal digital assistant.

Handle, Handles or Handling include all access to, use and storage of, and all other handling of Kyndryl Technology.

Hosted Service means any data center service, application service, IT service, or Cloud Service that Supplier hosts or manages.

Kyndryl Data means any and all electronic files, materials, text, audio, video, images and other data, including Kyndryl Personal Data and non-Personal Data, that Kyndryl, Kyndryl Personnel, a Customer, Customer employee, or any other person or entity, in connection with the Transaction Document, provides to Supplier, uploads to or stores in a Hosted Service, or to which Supplier otherwise has access, and which Supplier is Processing on Kyndryl's behalf.

Kyndryl Materials means any and all Kyndryl Data and Kyndryl Technology.

Kyndryl Personal Data means the Personal Data which Supplier is Processing on Kyndryl's behalf. Kyndryl Personal Data include Personal Data that Kyndryl controls and Personal Data that Kyndryl Processes on behalf of Other Controllers.

Kyndryl Source Code means Source Code that Kyndryl owns or licenses.

Kyndryl Technology means Kyndryl Source Code, other code, description languages, firmware, software, tools, designs, schematics, graphical representations, embedded keys, certificates and other information, materials, assets, documents and technology that Kyndryl has directly or indirectly licensed or otherwise made available to Supplier in connection with the Transaction Document or a related agreement between Kyndryl and Supplier.

Includes and Including, whether capitalized or not, will not be construed as terms of limitation.

Industry Best Practices means practices that are consistent with those recommended or required by the National Institute of Standards and Technology or International Standards Organization, or any other body or organization of similar reputation and sophistication.

IT means information technology.

Other Controller means any entity other than Kyndryl that is a Controller of Kyndryl Data, such as a Kyndryl affiliate, Customer, or a Customer affiliate.

On-Premise Software means software that Kyndryl or a subcontractor runs, installs or operates on Kyndryl's or the subcontractor’s servers or systems. For clarity, On-Premise Software is a Supplier Deliverable.

Personal Data means any information relating to a Data Subject and any other information that qualifies as “personal data” or the like under any data protection law.

Personnel means individuals who are employees of Kyndryl or Supplier, agents of Kyndryl or Supplier, independent contractors engaged by Kyndryl or Supplier, or provided to a party by a subcontractor.

Process or Processing means any operation or set of operations performed on Kyndryl Data, including storage, use, access and reading.

Processor means a natural or legal person which Processes Personal Data on a Controller’s behalf.

Security Breach means a breach of security leading to the: (a) loss, destruction, alteration, or accidental or unauthorized disclosure of Kyndryl Materials, (b) accidental or unauthorized access to Kyndryl Materials, (c) unlawful Processing of Kyndryl Data or (d) unlawful Handling of Kyndryl Technology.

Sell (or Selling) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, data for monetary or other valuable consideration.

Source Code means human readable programming code that developers use to develop or maintain a product, but that is not delivered to end users in the normal course of the product’s commercial distribution or use.

Subprocessor means any Supplier subcontractor, including a Supplier affiliate, that Processes Kyndryl Data.