CRM RFP Data Center Information Security Requirements
We are entrusting our Customer Relationship Management (CRM) data (the "Data") to Service Provider as part of the hosting arrangement. Service Provider agrees to use reasonable measures to prevent the unauthorized processing, capture, transmission and use of Data which we may disclose to the Service Provider during the course of our relationship with the Service Provider. Hosting provider shall take commercially reasonable efforts to avoid the introduction into the hosted service computer systems, intranet, databases or extranet, by way of remote or direct access or otherwise, of any "back door", "time bomb", "Trojan horse", "worm", "drop dead device", "virus", "preventative routines" or other computer software routine designed: to permit unauthorized access to or use or modification of either the Confidential Information or computer systems, intranet, databases or extranet; to disable, modify, damage or delete the Confidential Information, Personally-Identifiable Information, or any data, computer hardware or other equipment or software; or to perform any other such similar actions.
The CRM software hosting provider must provide assurances that the hosted CRM service will be continuously secure. Please provide a descriptive summary of your information security methods and practices. Please also identify any and all information security breaches incurred during the prior three years. Lastly, please identify any third party information security assurances, audits or certifications your hosting service has achieved.
The majority of the SaaS CRM publishers provide very respectable information security. Nonetheless, before putting your organization's most valuable information assets (e.g. your customer list and sales information) into the hands of a third party, do your homework. Many organizations moving to the SaaS delivery model have a mandatory requirement to visit the vendor and their data center facilities to physically verify security practices, methods and tools.
PROCESSING AND USE OF DATA
Service Provider shall process and use Data solely in accordance with the hosting provisions of this Agreement. Service Provider shall process and use Data only for those purposes specifically described in this Agreement or those purposes specifically authorized in writing. Service Provider shall not process or use Data for any purpose other than the purposes set forth in this Agreement. At any time we may make inquiries to Service Provider about Data transferred by us and stored by Service Provider, and Service Provider agrees to provide copies of Data to us within a reasonable time and to perform corrections or deletions of, or additions to, Data as reasonably requested.
We shall have the right upon reasonable prior notice to verify Service Provider's compliance with the terms and conditions of this Agreement, or to appoint a third party under professional covenants of confidentiality to verify the same on our behalf. Service Provider shall grant our agents supervised access to the extent necessary to accomplish the inspection and review of all data processing facilities, data files and other documentation used by Service Provider without breaching the Service Provider's security standards.
USE OF SUBCONTRACTOR OR TRANSMISSION OF DATA TO THIRD PARTIES
Service Provider may not transfer Data to any third party without our prior written consent, and then only upon such third party's execution of an agreement containing covenants for the protection of Data no less stringent than those contained in this Agreement.