Privacy and Security Schedule
This schedule (“Schedule”) sets forth the terms and conditions on which [insert name] (“Consultant,” “you” or “your”) will process Confidential Information when providing goods and services to Intact Insurance Group USA LLC and its direct and indirect affiliates (collectively, “Customer”) under the Services Agreement (the “Agreement”).
1. If the terms of this Schedule conflict with the terms of any other agreement between the parties, the terms of this Schedule shall control. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement. All references to the Agreement in this Schedule refer to the Agreement as modified or supplemented by this Schedule.
2. Definitions. As used herein, the following terms have the meanings set forth below:
“Applicable Law” means any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, common law, judgment, decree, directive or other requirement, guideline or rule of law of any governmental authority.
“Authorized Employees” means Your employees who have a need to know or otherwise access Confidential Information to enable You to perform Your obligations under this Agreement.
“Authorized Persons” means (i) Your Authorized Employees; and (ii) Your contractors, agents, service providers and auditors who have a need to know or otherwise access Confidential Information in connection with the Agreement, and who are bound in writing by confidentiality and other obligations sufficient to protect Confidential Information in accordance with the terms and conditions of this Agreement.
“Confidential Information” means all information of the Customer or its Affiliates that is furnished by or on behalf of the Customer, in whole or in part, together with all notes, analyses, compilations, studies, interpretations or other documents to the extent containing or otherwise reflecting, in whole or in part, any such information. Additionally, “Confidential Information” includes (i) Personal Information; (ii) the fact that such information has been or will be so furnished; and (iii) the terms and existence of this Agreement and its content.
“Customer Systems” means information technology infrastructure, including the computers, software, databases, electronic systems (including database management systems), and networks, of Customer or any of its designees.
“Personal Information” means information You Process under the Agreement that: (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household; or (ii) is otherwise identified as protected personal information under Applicable Law.
“Processing, processes, or process” means any activity that involves the use of Confidential Information. It includes obtaining, creating, accessing, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, encrypting, decrypting, or destroying it. Processing also includes transferring Confidential Information to third parties.
“Representatives” means, with respect to any party, any of the person or entity’s Affiliates, directors, officers, managers, employees, agents or professional advisers, to whom the party discloses Confidential Information.
“Security Breach” means any act or omission that compromises the security, confidentiality, availability or integrity of Confidential Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Confidential Information is a Security Breach whether or not the incident rises to the level of a security breach under Applicable Law.
3. Information Security.
3.1. WISP. You shall implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually.
3.2. Safeguards. Without limiting Your obligations under Section 3.1, You shall implement administrative, physical, and technical safeguards to protect Confidential Information from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Confidential Information is Processed, comply with Applicable Law and the terms and conditions of this Agreement.
3.3. PCI. If You Process credit, debit, or other payment cardholder information in the course of Your engagement by Customer, You shall at all times remain in compliance with current Payment Card Industry Data Security Standard ("PCI DSS") requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices and self-assessments as may be necessary to remain in compliance with the PCI DSS, in each case, at Your sole cost and expense.
3.4. Minimum Safeguards. At a minimum, Your safeguards for the protection of Confidential Information and information systems shall include:
(i) limiting access to Confidential Information to the extent required by Applicable Law;
(ii) securing business facilities, data centers, paper files, servers, scheduled and verified backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability;
(iii) implementing network, application, database, and platform security;
(iv) securing information transmission, storage, and disposal;
(v) implementing commercially reasonable authentication and access controls within media, applications, operating systems, commercial software and equipment;
(vi) encrypting Confidential Information stored at rest;
(vii) encrypting Confidential Information transmitted over public or wireless networks;
(viii) strictly segregating Confidential Information from information of You or Your other customers so that Confidential Information is not commingled with any other types of information;
(ix) no less than annually, conducting risk assessments and penetration testing and promptly implementing, at Your sole cost and expense, a corrective action plan to correct any issues that are reported as a result;
(x) no less than quarterly, conducting vulnerability scans and promptly implementing, at Your sole cost and expense, a corrective action plan to correct any significant issues that are reported as a result of the testing, ensuring that vulnerabilities are remedied and patches installed on an accelerated basis for zero-day, critical and high vulnerabilities; for zero-day vulnerabilities, implementing appropriate mitigation measures promptly on notification of the zero-day vulnerability; remediating zero-day, high and critical vulnerabilities through patching, decommissioning, or compensating controls; and patching high vulnerabilities within 30 days or less of discovery and medium vulnerabilities within 90 days or less of discovery;
(xi) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with Applicable Law;
(xii) providing appropriate privacy and information security training to Your employees and to any Authorized Person;
(xiii) maintaining commercial off-the-shelf software in accordance with manufacturer recommendations, including applying all security patches and hotfixes no later than the next release of patches and hotfixes from the manufacturer;
(xiv) maintaining all hardware in accordance with the manufacturer’s recommended guidelines, including patching of all firmware / BIOS levels no later than the next release of firmware and BIOS levels unless other circumstances impacting the business prevent this action;
(xv) implementing endpoint controls including appropriate use of malware detection, whitelisting, encryption, and media protections; and
(xvi) maintaining a formalized crisis response plan, a formalized disaster recovery plan along with proof of test results, and a formalized business continuity plan.
3.5. Authorized Persons. During the term of each Authorized Person’s employment by You, You shall at all times cause such Authorized Person to abide by Applicable Law and to strictly abide by Your obligations under this Agreement and Your standard policies and procedures. You shall maintain a disciplinary process to address any unauthorized access, use, or disclosure of Confidential Information by any of Your officers, partners, principals, employees, agents, or contractors.
3.6. Network Diagram. Upon Customer's written request, You shall provide Customer with a network diagram that outlines Your information technology network infrastructure and all equipment used in relation to fulfilling Your obligations under this Agreement, including, without limitation: (i) connectivity to Customer and all third parties who may access Your network to the extent the network contains Confidential Information; (ii) all network connections, including remote access services and wireless connectivity; (iii) all access control measures (for example, firewalls, packet filters, intrusion detection and prevention services, and access-list-controlled routers); (iv) all backup or redundant servers; and (v) permitted access through each network connection.
3.7. Hosting. You agree to host, store, and Process Confidential Information only in the United States or Canada, unless otherwise expressly authorized in writing by Customer.
3.8. Provider Systems. You shall be solely responsible for the information technology and security infrastructure, including but not limited to all computers, software, databases, electronic systems (including database management systems, storage devices and cloud services), and networks used by or for You (including third party systems and services) to deliver the services ("Provider Systems"), and shall monitor, patch and prevent unauthorized access to the Customer Systems through the Provider Systems. You will take action to mitigate exposure when new vulnerabilities are found, based on severity, especially for zero-day exploits.
4. Security Incidents.
4.1. Contact. You shall provide Customer with the name and contact information of one of Your employees who shall serve as Customer's primary security contact and shall be available to assist Customer 24 hours per day, 7 days per week as a contact in resolving obligations associated with a Security Breach.
4.2. Notification to Customer. You shall notify Customer of a Security Breach as soon as practicable, but no later than 24 hours after You become aware of it by email at privacyandsecurity@intact.com, with a copy by email to Your primary business contact within Customer.
4.3. Breach Response. Immediately following Your notification to Customer of a Security Breach, You shall coordinate with Customer to investigate the Security Breach. You agree to cooperate with Customer in Customer’s handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing Customer (or its designated representative) with physical access to the facilities and operations affected; (iii) facilitating interviews with Your employees and others involved in the matter; and (iv) making available all relevant records, logs, files, archives, data reporting, and other materials required to comply with Applicable Law, regulation, industry standards, or as otherwise required by Customer.
4.4. Containment. You shall at Your own expense use best efforts to immediately contain and remedy any Security Breach and prevent any further Security Breach, including, but not limited to taking any and all action necessary to comply with Applicable Law.
4.5. Indemnity. In addition to any indemnification obligations contained in the Agreement, You shall reimburse Customer for the expenses incurred by Customer with respect to a cybersecurity incident involving Your information system that impacts Customer’s data, including but not limited to all costs of notice and/or remediation.
4.6. Notification to Third Parties. You agree that You shall not inform any third party of any Security Breach without first obtaining Customer's prior written consent, other than to inform a complainant that the matter has been forwarded to Customer's legal counsel. Further, You agree that Customer shall have the sole right to determine: (i) whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or otherwise in Customer's discretion; (ii) the contents of such notice; and (iii) whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
4.7. Records. You agree to maintain and preserve all documents, records, logs, backups and other data related to any Security Breach indefinitely or until otherwise instructed.
4.8. Cooperation. You agree to fully cooperate at Your own expense with Customer in any litigation, investigation, or other action deemed necessary by Customer to protect its rights relating to the use, disclosure, protection, and maintenance of Confidential Information.
5. Oversight of Security Procedures. Upon Customer's written request to confirm Your compliance with this Agreement, Applicable Law and industry standards, You grant Customer or, upon Customer’s election, a third party on Customer's behalf, permission to perform an assessment, audit, examination, or review of all controls in Your physical and/or technical environment in relation to all Confidential Information You Process. You shall fully cooperate with such assessment by answering all questions and inquiries and by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Confidential Information for Customer pursuant to this Agreement. In addition, upon Customer's written request, You shall provide Customer with the written results of any audit performed by You or on Your behalf that assesses the effectiveness of Your information security program as relevant to the security and confidentiality of Confidential Information shared during the course of this Agreement.
6. Artificial Intelligence Technology. Unless Customer provides written consent in advance, You shall not use any data obtained from Customer (including Customer Confidential Information or any Personal Data) to train, enhance or develop any Artificial Intelligence Technology. Upon request, You shall promptly provide Customer with particulars of all Artificial Intelligence Technology utilized by You to provide the service and/or deliverables. Customer reserves the right to require You to comply with additional terms as a precondition to Customer’s approval for Your use of any Artificial Intelligence Technology in connection with the service and/or deliverables. “Artificial Intelligence Technology” includes technologies related to image recognition, audio processing, data classification, virtual agents, machine learning, deep learning, large language models, generative AI, and any other similar technologies (or evolutions of such technologies).
7. Deletion & Disposal. Upon termination and after Customer has retrieved any required data (or as otherwise instructed by Customer), You will delete or destroy all of Customer’s data in accordance with standard best practices such as the NIST 800-88 Guidelines for Media Sanitization; provided, however, that You will not be required to remove copies of Customer data from Your backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; provided further that in all cases You will continue to protect the Customer data. All Confidential Information of Customer stored on any Systems shall be rendered unrecoverable prior to the disposal of such Systems.
8. Use of Personal Information. For purposes of this Section, capitalized terms not previously defined shall have the meanings given to such terms in the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq., as amended by the California Privacy Rights and Enforcement Act of 2020, and any regulations promulgated thereunder (“CPRA”). “Intact Personal Information” shall mean Personal Information that Vendor receives from or on behalf of Intact as part of the provision of Services under the Agreement. “Contracted Business Purposes” shall mean the Services described in the Agreement for which the Vendor receives or accesses Intact Personal Information.
8.1. You shall process Intact Personal Information in furtherance of the Business Purposes under applicable law only. You shall not sell or share the Intact Personal Information, nor retain, use, or disclose Intact Personal Information for any purpose other than performing Your obligations pursuant to this Agreement. You shall not combine the Intact Personal Information with personal information received from another party or directly from the individual unless permitted by regulation.
8.2. You shall notify Intact if You receive a CPRA request regarding Intact Personal Information. You shall provide reasonable assistance to Intact to meet its response obligations under applicable law. As required by applicable law, You shall comply with deletion and access requests for Intact Personal Information.
8.3. Both parties will comply with all applicable requirements of the CPRA when collecting, using, retaining, or disclosing personal information. You certify that You understand this Agreement's and the CPRA's restrictions and prohibitions on selling personal information and retaining, using, or disclosing personal information outside of the parties' direct business relationship, and will comply with them.
8.4. You warrant that You have no reason to believe any CPRA requirements or restrictions prevent You from providing any of the Contracted Business Purposes or otherwise performing under this Agreement. You must promptly notify Intact of any changes to the CPRA's requirements that may adversely affect Your performance under the Agreement or Your ability to comply with the CPRA.
8.5. You grant Intact the right to (1) take reasonable and appropriate steps to help ensure that You are using the Intact Personal Information in a manner consistent with Intact's CPRA obligations (including but not limited to monitoring contract compliance through administrative measures); and (2) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Intact Personal Information.