CRM RFP Confidential and Personally Identifiable Information
Confidential Business Information
During the term of this Agreement and for a period of five (5) years thereafter, each party (for the purposes of this Article, a "Recipient") shall maintain in strict confidence, and agree not to disclose to any third party, except as necessary for the performance of the Agreement when authorized by the other party (for the purposes of this Article, a "Discloser") in writing, Confidential Business Information that the Recipient receives from Discloser or its Affiliates. "Confidential Business Information" means all non-public information of a competitively sensitive nature concerning Discloser or its Affiliates, including, but not limited to, this Agreement; any information regarding identifiable individuals, including without limitation, Customer, Employee, or Member data, which data has been collected by or on behalf of Discloser or its Affiliates ("PII" or "Personally-Identifiable Information"); Trade Secrets, as defined by applicable state law; and
any other non-public information (whether in writing or retained as mental impressions) concerning research and development; present and future projections; operational costs and processes; pricing, cost or profit factors; quality programs; annual and long-range business plans; marketing plans and methods; customers or suppliers; contracts and bids; and personnel.
Exclusions: Confidential Business Information does not include: information that is, or subsequently may become within the knowledge of the public generally through no fault of the Recipient; information that the Recipient can show was previously known to it as a matter of record at the time of receipt; information that the Recipient may subsequently obtain lawfully from a third party who has lawfully obtained the information free of any confidentiality obligations; or information that the Recipient may subsequently develop as a matter of record, independently of disclosure by Discloser.
Trade Secrets: During the term of this Agreement and for so long thereafter as applicable U.S. federal law allows, the parties agree to maintain in strict confidence, and agree not to use or disclose except as authorized in writing by Discloser, Trade Secrets as defined by U.S. federal law.
Third Party Information: The confidentiality provisions apply to and shall protect the confidentiality of information provided to Discloser by third parties.
Court Order: Notwithstanding the foregoing restrictions, the Recipient may disclose Confidential Business Information or Trade Secrets to the extent required by an order of any court or other governmental authority, but only after the Recipient has notified Discloser and Discloser has had the opportunity, if possible, to obtain reasonable protection for such information in connection with such disclosure.
Additional Provisions Regarding Personally-Identifiable Information (PII)
For the purposes of these provisions, the term "Personally-Identifiable Information" or "PII" mean any information regarding identifiable individuals, including without limitation, customer, employee or member data, and the terms "process," "processing" or "processed" in relation to PII include, without limitation, collection, recording, organization, storage, amendment, retrieval, consultation, manipulation, and erasure.
Additional Provisions Regarding PII: In addition to the other obligations in this Article, Service Provider shall abide by the provisions concerning PII. For the purposes of these provisions: the terms "process," "processing" or "processed" in relation to PII include, without limitation, collection, recording, organization, storage, amendment, retrieval, consultation, manipulation, and erasure.
General: We entrust Service Provider with PII. Service Provider agrees to use reasonable measures to prevent the unauthorized processing, capture, transmission and use of PII which we may disclose to Service Provider during the course of our relationship with Service Provider.
Processing and Use of PII: Service Provider shall process and use PII solely in accordance with the provisions of this Agreement. Service Provider shall not process or use PII for any purpose not specifically set forth in this Agreement. At any time, we may make inquiries to Service Provider about PII transferred and stored by Service Provider, and Service Provider agrees to provide copies of such PII as maintained by Service Provider within a reasonable time and to perform corrections or deletions of, or additions to, PII as reasonably requested.
Use of Subcontractors; Transmission of PII to Third Parties: Service Provider may not transfer PII to any third party without our prior written consent, and then only upon such third party's execution of an agreement containing covenants for the protection of PII no less stringent than those contained in this Agreement. Nothing in this Section shall be construed to prohibit either party from sharing its own account information with any third party.
Access of Persons: Service Provider agrees to use reasonable measures to prevent unauthorized persons from gaining access to the data processing equipment or media where PII is stored or processed. Service Provider agrees to provide its employees and agents access to PII on a need-to-know basis only and agrees to cause any persons having authorized access to such information to be bound by obligations of confidentiality, non-use and non-disclosure no less stringent than those imposed upon Service Provider by this Agreement.
Data Media: Service Provider agrees to use reasonable measures to prevent the unauthorized reading, copying alteration or removal of the data media used by Service Provider and containing PII.
Data Retention: Service Provider shall not retain PII any longer than is reasonably necessary to accomplish the intended purposes for which PII was transferred as set forth in this Agreement. Upon the earlier termination of this Agreement or our written request, Service Provider shall delete and/or destroy all PII in Service Provider's possession, including any copies thereof, and shall deliver a written statement to us within 15 days of request confirming that Service Provider has done so.
Data Memory: Service Provider agrees to use reasonable measures to prevent unauthorized data input into memory and the unauthorized reading, alteration or deletion of PII.
Personnel: Upon request, Service Provider shall provide us with a list of Service Provider's employees entrusted with processing the PII transferred by Service Provider, together with a description of their access rights.
Transmission: Service Provider agrees to use reasonable measures to prevent PII from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media on which PII is stored.
The confidentiality provisions are routine and should be expanded upon by your chosen legal counsel. The real intent of this CRM RFP component is to make sure you include specific verbiage related to PII. As your company is certain to make negative headlines if your organization's PII data falls into the wrong hands or the public domain, you should apply extra diligence and assure yourself that the hosting providers information security is sound and the agreement reflects PII requirements.