SECURITY SCHEDULE
THIS SECURITY SCHEDULE (“Schedule”) is between [insert vendor] (“Recipient”) and Intact Insurance Group USA LLC, a Delaware limited liability company, on behalf of itself and its Affiliates (“Customer”) (Recipient and Customer each a “Party” and together the “Parties”) and is made part of the Services Agreement (the “Master Agreement”), the terms of which are incorporated as if set forth fully herein.
The Parties agree as follows:
1. This Schedule sets forth the terms and conditions on which the Recipient will Process Confidential Information (the “Business Purpose”). The Parties intend for this Schedule to supersede and replace the terms and conditions of any and all agreements, contracts, statements of work, purchase orders, or similar documents that govern the Business Purpose with respect to the matters set forth herein. To the extent the terms and conditions of this Schedule conflict or are inconsistent with the terms and conditions of any such document, the terms and conditions of this Schedule shall control.
2. Definitions. As used in this Schedule, the following terms have the meanings set forth below:
“Affiliate” means any corporation, partnership, joint venture, limited liability company, trust or other entity that, directly or indirectly, controls, is controlled by, or is under common control with a Party. The term “control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities, by contract or otherwise.
“Applicable Law” means any published or unpublished statute, law, ordinance, regulation, rule, code, order, constitution, treaty, common law, judgment, decree, directive or other requirement, guideline or rule of law of any governmental authority.
“Business Purpose” is defined in Section 1.
“Personal Information” means any information that (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or (ii) is otherwise identified as protected personal information under Applicable Law.
"Processing, processes, or process" means any activity that involves the use of Confidential Information. It includes obtaining, disclosing, creating, using, organizing, amending, retrieving, holding, erasing or destroying Confidential Information.
“Security Breach” means unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that compromises the security, confidentiality, or integrity of Confidential Information, or that compromises the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of, or unauthorized access to, disclosure of, or acquisition of, Confidential Information is a Security Breach whether or not the incident rises to the level of a security breach under Applicable Law.
3. Security.
3.1. WISP. Recipient shall implement and maintain a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually.
3.2. Safeguards. Without limiting Recipient’s obligations under Section 3.1, Recipient shall implement administrative, physical, and technical safeguards to protect Confidential Information from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Confidential Information is Processed, comply with Applicable Law and the terms and conditions of this Schedule.
3.3. Hosting. Recipient shall not Process Confidential Information outside the United States or Canada without the prior written consent of the Customer.
3.4. Provider Systems. Recipient shall be solely responsible for the information technology and security infrastructure, including but not limited to all computers, software, databases, electronic systems (including database management systems, storage devices and cloud services), and networks used by or for Recipient (including third party systems and services) to deliver the services (“Provider Systems”), and shall monitor and patch the Provider Systems and prevent unauthorized access to the Customer Systems through the Provider Systems. Recipient shall remediate or mitigate newly discovered vulnerabilities in the Provider Systems in a manner and within a timeframe commensurate with their severity, giving priority to zero-day and actively exploited vulnerabilities.
4. Artificial Intelligence Technology. Unless Customer provides written consent in advance, Recipient shall not use any data obtained from Customer (including Customer Confidential Information or any Personal Information) to train, enhance or develop any Artificial Intelligence Technology. Upon request, Recipient shall promptly provide Customer with particulars of all Artificial Intelligence Technology utilized by Recipient to provide the service and/or deliverables. Customer reserves the right to require Recipient to comply with additional terms as a precondition to Customer’s approval of Recipient’s use of any Artificial Intelligence Technology in connection with the service and/or deliverables. “Artificial Intelligence Technology” includes technologies related to image recognition, audio processing, data classification, virtual agents, machine learning, deep learning, large language models, generative AI, and any other similar technologies (or evolutions of such technologies).
5. Deletion & Disposal. Upon termination, and after Customer has retrieved any required data (or as otherwise instructed by Customer), Recipient will delete or destroy all of Customer’s data in accordance with standard best practices such as NIST SP 800-88, Guidelines for Media Sanitization; provided, however, that Recipient will not be required to remove copies of Customer data from Recipient’s backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; provided further that in all cases Recipient will continue to protect the Customer data until it is deleted. All Confidential Information of Customer stored on any Provider Systems shall be rendered unrecoverable prior to the disposal of such Provider Systems.
6. Security Incidents.
6.1. Breach notification. Recipient shall notify Customer of a Security Breach as soon as practicable, but no later than 24 hours after becoming aware of it. If notice to Customer is required under this Section, the notice shall be delivered by email to privacyandsecurity@intactinsurance.com, with a copy to Recipient’s primary business contact with Customer.
6.2. Breach Response. Immediately following Recipient’s notification to Customer of a Security Breach, Recipient shall coordinate with Customer to investigate the Security Breach. Recipient agrees to cooperate with Customer in Customer’s handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing Customer (or its designated representative) with physical access to the facilities and operations affected; (iii) facilitating interviews with Recipient’s employees and others involved in the matter; (iv) making available all relevant records, logs, files, archives, data reporting, and other materials required to comply with Applicable Law or as otherwise required by Customer; and (v) cooperating in litigation.
6.3. Containment. Recipient shall at its own expense use best efforts to immediately contain and remedy any Security Breach and prevent any further Security Breach, including, but not limited to taking any and all action necessary to comply with Applicable Law. Recipient shall reimburse Customer for all actual reasonable costs incurred by Customer in responding to, and mitigating damages caused by, any Security Breach, including all costs of notice and/or remediation.
7. Use of Personal Information. Recipient shall not sell or share Customer Personal Information, nor retain, use, or disclose Customer Personal Information for any purpose other than performing Recipient’s obligations pursuant to this Schedule. Any Personal Information that Customer provides to Recipient will be disclosed by Recipient to others only as necessary to conduct the assignment in response to Customer’s request for services.