Secure Handling of Customer Data Agreement

(“CUSTOMER”) requires ITC Systems Inc (“ITC”) to review, accept, and integrate the following requirements (“Agreement”) as part of any contract, agreement, or Service Level Agreement (“SLA”) that involves the storage, transmission, processing, or collection of CUSTOMER data, or access to CUSTOMER data, by ITC. This Agreement is intended to ensure that CUSTOMER’s security and compliance requirements are outlined and followed by the ITC.

1 Security Controls

1.1 Network Security: ITC agrees at all times to maintain network security that – at a minimum – includes: network firewall provisioning, intrusion detection, and third-party penetration testing. Furthermore, ITC agrees to maintain network security that conforms to the current standards set forth and maintained by the National Institute of Standards and Technology or other generally recognized comparable standard (e.g., ISO/IEC 27001, ISA 62443, COBIT 5, CCS CSC, SANS, PCI-DSS, etc.)

1.2 Risk Assessments: Both ITC and Institution agrees to conduct a formal penetration test at least once a year of the ITC Systems’ netZcore Avro solution (Azure side and Institution side). Such test will be coordinated with ITC and Institution, to be done as solution test. A penetration test is here defined as “the process of using approved, qualified personnel to conduct real-world attacks against a system so as to identify and correct security weaknesses before they are discovered and exploited by others.”

1.3 Security Auditing: ITC agrees to have an independent, industry-recognized third party security audit that conforms to the current standards set forth and maintained by the National Institute of Standards and Technology or other generally recognized comparable standard (e.g., ISO/IEC 27001, ISA 62443, COBIT 5, CCS CSC, SANS, PCI-DSS, etc.) performed at least once a year. The audit results and ITC’s plan for addressing or resolving of the audit results shall be shared with the Institution within 90 days of ITC’s receipt of the audit results.

1.4 Business Continuity Plan: Should a plan be required; ITC agrees to work with CUSTOMER to develop detailed recovery procedures and manual workarounds in the event of a disaster. The plans should include emergency and contingency plans for the facilities in which ITC information systems that process CUSTOMER data are located. ITC’s redundant storage and its procedures for recovering data shall serve to reconstruct CUSTOMER Data in its original or last-replicated state from before the time it was lost or destroyed.

1.5 Cybersecurity Insurance: ITC agrees to maintain, at all times during the term of this Agreement, a comprehensive program of risk mitigation and cyber liability insurance. CUSTOMER shall have the right to request copies of such certificates of insurance and/or other evidence of the adequacy of the above insurance coverage from ITC.

2 Data Protection

2.1 Data Security: ITC shall develop, implement, maintain and use appropriate administrative, technical and physical security measures based on the latest industry security standards and best practices and in accordance with all applicable law, to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted CUSTOMER Data received from, or on behalf of Institution or its students.

2.2 Data Encryption: ITC agrees to encrypt all CUSTOMER data, either in transit or at rest. This includes any backup data as part of its backup and recovery processes. ITC agrees that any and all transmission or exchange of data with CUSTOMER and/or any other parties expressly designated by CUSTOMER – solely in accordance with Section 3.4 below – and/or any other transaction ITC engages in that involves CUSTOMER data – shall take place via secure means, e.g. TLS protocol via HTTPS or SFTPS.

2.3 Data Storage: ITC has a policy that includes the following:

1. 1. Any and all CUSTOMER data will be stored, processed, and maintained solely on designated target servers within Canada.
   2. No CUSTOMER data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, except as stated explicitly with a valid business reason in the agreement between CUSTOMER and ITC, or as an exception made on a case- by-case basis as specifically agreed to in writing, in advance, by an authorized agent of CUSTOMER.
   3. ITC agrees that any portable or laptop computing devices as part of such agreed-upon exception will employ full-disk encryption as agreed in 2.2 above.

2.4 Data Separation: ITC agrees that CUSTOMER data will be separated, either through physical or logical means, from other tenants in ITC’s infrastructure.

2.5 Audit Trail: ITC must log access and use of systems containing CUSTOMER Data, registering the access ID, time, authorization granted or denied, and relevant activity.

3 Data Stewardship

3.1 Data Ownership: ITC acknowledges that all CUSTOMER Data shared with ITC, or made accessible to ITC’s systems or personnel, remains the sole property of CUSTOMER as defined by existing CUSTOMER regulation and/or CUSTOMER policy. Sole property ownership by CUSTOMER shall mean that CUSTOMER retains at all times all physical as well as the sole intellectual property ownership of the CUSTOMER Data.

3.2 Data Use: ITC agrees that any and all data exchanged shall be used expressly and solely for the purposes enumerated in the agreement between CUSTOMER and ITC. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of ITC.

3.3 Data Location: ITC agrees that no CUSTOMER Data will be outsourced or housed outside the country of origin without prior CUSTOMER authorization.

3.4 Data Redistribution: ITC agrees that no CUSTOMER data of any kind shall be transmitted, exchanged or otherwise passed to other ITCs, subcontractors, or other interested third parties except on a case- by-case basis as specifically agreed to in writing in advance by an authorized agent of CUSTOMER. ITC agrees that all such CUSTOMER pre-approved ITCs, subcontractors, or other interested third parties used by ITC will be contractually held to standards no less rigorous than those outlined in this Agreement.

3.5 Legal Requests: If required by law or a court of competent jurisdiction or an administrative body to disclose CUSTOMER Data, ITC will notify CUSTOMER in writing within two (2) days prior to any such disclosure in order to give CUSTOMER an opportunity to oppose any such disclosure.

3.6 End of Agreement Data Handling: ITC agrees that within 60 days of the termination of the agreement between CUSTOMER and ITC, or the termination of the pertinent records retention period, whichever is later (hereafter referred to as “data retention period”), CUSTOMER can reclaim any needed CUSTOMER data in a mutually agreed upon format. At the end of the data retention period, ITC will erase, destroy, and render unreadable all CUSTOMER data according to the standards enumerated in DOD 5220.22 or NIST 800-88 and certify in writing that these actions have been completed.

3.7 Data Breach: In the event of a breach of any of ITC’s security obligations, unauthorized access to, disclosure, or loss of CUSTOMER Data or other event requiring notification under applicable law (“Notification Event”), ITC agrees to:

1. 1. Notify CUSTOMER within twenty-four (24) hours of the discovery of the breach by providing notice via email to CUSTOMER’s Security Incident Response Team (email address to be supplied by CUSTOMER).
   2. Comply with all applicable provincial laws such that a requirement to notify affected individuals.
   3. Assume responsibility for informing all such individuals in accordance with applicable law.
   4. Indemnify, hold harmless and defend CUSTOMER, CUSTOMER’s officers, agents and employees from and against any claims, damages, or other harm related to such Notification Event, up to the limit of Cyber Liability Insurance held by ITC.

4 Compliance

4.1 Data Classification Addendum: ITC agrees to abide by all legal and regulatory compliance requirements that apply due to the nature of the CUSTOMER data being shared (FERPA, HIPAA, PCI, GDPR, etc.)

4.2 FERPA Regulations: If ITC is provided access to any student data defined by the Family Educational Rights and Privacy Act (“FERPA”) as non-directory information (such as personally identifiable information (PII) or educational records), or directory information, ITC acknowledges that it will comply with the regulations outlined in FERPA for the handling of such information to the extent such regulations apply to ITC. ITC will not disclose or use any student information, except to the extent necessary to carry out its obligations under its agreement with CUSTOMER and as permitted by FERPA.

4.3 PCI Compliance: In cases where ITC is identified as a PCI third party service provider (TPSP), CUSTOMER requires that the ITC at all times shall maintain compliance with the most current Payment Card Industry Data Security Standard (PCI DSS). ITC may also agree to CUSTOMER’s PCI Addendum.

4.4 HIPAA Compliance: If ITC is provided potential access to any data defined as Protected Health Information (PHI) under HIPAA and the ITC meets the definition of a business associate under HIPAA, the ITC is required to enter into a Business Associates Agreement with CUSTOMER. If ITC is provided access to data defined as Protected Health Information (PHI) under HIPAA but the ITC is not considered a business associate under HIPAA, then ITC must implement HIPAA- compliant security safeguards consistent with the NIST Cybersecurity Framework.

4.5 GDPR Compliance: If the transfer of personal data to the ITC is required and is subject to the GDPR, ITC is required to abide by CUSTOMER’s Data Protection Addendum, as well as the GDPR requirements applicable to ITC. For ITC Systems _______________________________________________ Name Title E-Mail Date