Data Security Requirements

Each Party shall apply generally accepted security best practices in the protection of Confidential Information. For purposes of this Exhibit only (unless expressly incorporated elsewhere in this Agreement), capitalized terms not defined in the Agreement shall have the meanings set forth herein. This Exhibit shall survive expiration or termination of this Agreement. Last updated July 1, 2021.

1.0 INFORMATION SECURITY POLICIES

Each Party shall maintain and adhere to its own written and internally published set of information security policies (the “Information Security Policies”), which shall constitute the rules and guidelines for handling, processing and protecting information and information assets, including Confidential Information. Each Party shall review its Information Security Policies on at least an annual basis and update as necessary to ensure currency.

2.0 ORGANIZATION OF INFORMATION SECURITY

Each Party shall maintain an information security function responsible for security initiatives within the organization which shall be led by a qualified individual or team composed of the respective Party’s personnel responsible for overseeing and implementing the following: creating, reviewing and approving information security policies designed to maintain the security and integrity of Confidential Information and protect Confidential Information from unauthorized access and use, all in accordance with applicable data protection Laws; reviewing the effectiveness of information security policy implementation and updating the information security policy as necessary; managing assignment of specific roles and responsibilities for information security; providing adequate personnel and/or resources to ensure information security; developing and maintaining an overall strategic security plan; reviewing, monitoring, responding to and remediating Security Incidents (as defined below) or events; monitoring material changes in the security exposure of information assets; and identifying and documenting instances of non-compliance with security policies.

3.0 HUMAN RESOURCES SECURITY

3.1 Personnel. Prior to granting any employees or contractors access to Confidential Information of the other Party each Party shall require that such personnel have (a) as is standard upon employment by the respective Party, satisfied reasonable background checks in accordance with the respective Party’s employment procedures; (b) agreed to comply with the respective Party’s appropriate non-disclosure or confidentiality policies; and (c) agreed to abide by its own policies, ethics and acceptable use agreements.

3.2 Training. In addition, each Party’s personnel having access to the Motorq Service shall complete mandatory information security training when hired and on an annual basis; among other goals, this training shall ensure that any personnel who may have access to Confidential Information are aware of compliance measures, security risks and such Party’s information security management policies and standards.

4.0 ACCESS CONTROL

Each Party shall have an access control policy and supporting processes with respect to its information systems that store Confidential Information. Such Party shall also have access controls in place on applications, operating systems, databases, and network devices used in connection with the Motorq Service to help ensure access to Confidential Information by such Party’s personnel is only on a need-to-know basis.

5.0 OPERATIONS SECURITY

5.1 Operation Procedures and Responsibilities. Each Party shall maintain documented operating procedures and make them available to all users who require them based on their job duties.

5.2 Protection from Malware. For systems used in connection with the Telematics Data, each Party shall maintain antivirus/malware/spyware software with frequent updates as necessary to protect the Confidential Information from virus-related threats. Each Party shall apply antivirus/malware/spyware definition updates on a frequency of no less than weekly, if available. At a minimum, each Party shall ensure that antivirus/malware/spyware scan engine software remains within the latest two (2) available versions.

5.3 Logging and Monitoring.

  • For servers and applications used in connection with Telematics Data, each Party shall maintain event logs reasonably detailed to document unauthorized activity associated with access to such Telematics Data.
  • Each Party shall maintain, or shall be in the process of implementing the applicable solution in order to maintain, server logs online for at least three (3) months and maintain server logs offline for at least one (1) year.

5.4 Technical Vulnerability Management. Each Party must implement reasonable processes to obtain information about technical vulnerabilities of information systems being used in connection with the Telematics Data and to address the associated risks.

5.5 Mobile Security. Neither Party nor any of its personnel shall store Confidential Information of the other Party on any mobile devices, unless having a legitimate business need to do so and unless controls are implemented and enforced to protect Telematics Data.

6.0 NETWORK SECURITY MANAGEMENT (COMMUNICATIONS SECURITY)

6.1 Network Controls. Each Party shall identify network security management and control mechanisms to protect information in networks, systems and applications. Each Party shall follow industry standard best practices when implementing network and security devices, and where applicable and possible, disable unnecessary services and protocols (e.g., Telnet, tftp, etc.).

6.2 Firewall Protection. Each Party shall provide firewall protections including administration and maintenance to help prevent unauthorized access to Confidential Information of the other Party. Firewalls may be used at the network, server host, portable device or application level based on the type and nature of the Telematics Data.

7.0 INFORMATION SECURITY INCIDENT MANAGEMENT

7.1 Information Security Incident Policy.

  • Each Party shall maintain a documented and commercially reasonable incident response process (“Incident Response Process”) and establish an incident response team with defined roles and responsibilities.
  • In the event either Party (the “First Party”) suspects the loss of, or unauthorized disclosure of, use, or access to Confidential Information of the other Party (a “Security Incident”), the First Party shall (and to the extent applicable, shall cause its permitted subcontractors to) (a) take prompt steps to remedy the incident at its sole cost and expense in accordance with applicable Law, (b) implement the communication plan (“Communications Plan”) below, (c) execute the Incident Response Process, including recovery processes, and (d) take any other prompt actions to ensure that such Security Incident shall not recur.
  • Each Party shall maintain documentation on Security Incidents.

7.2 Communications Plan. Each Party shall communicate with the other Party and resolve security-related issues which affect the confidentiality, integrity or availability of such other Party’s Confidential Information that arise consistently with the processes described in this Exhibit. Such issues include but are not limited to unauthorized access or modification of Confidential Information (including any Security Incident) and either Party (the “Initial Party”) denials of service.

Motorq, Inc. 345 California St San Francisco, CA 94104

(415) 779-0525