1. Information Security. Spirion will use commercially reasonable efforts to maintain the security, integrity and availability of all Customer Data received from Customer, including but not limited to commercially reasonable efforts reflecting changing technological approaches, to comply with the following measures with respect to Customer Data:

1.1 maintain commercially customary physical security and access controls;
1.2 maintain commercially customary network security controls including firewall and intrusion prevention solutions;
1.3 maintain commercially customary redundancy at the demark, network and system layers;
1.4 maintain commercially customary monitoring solutions to continually manage health and capacity of the IT infrastructure of the System;
1.5 provide data encryption in a commercially customary manner of all data transmissions;
1.6 require individual user accounts and passwords for any access;
1.7 maintain generally acceptable user account management processes and procedures;
1.8 maintain an industry-accepted data protection program;
1.9 maintain and periodically test (at least annually) a commercially customary disaster recovery plan that provides adequate system backup, technology replacement, and alternate (backup-site) site capabilities;
1.10 follow commercially customary hardening procedures for system/device builds;
1.11 conduct ongoing vulnerability management through the use of commercially customary tools; and
1.12 follow commercially customary change and release management practices for hardware and software changes.

2. Privacy. Spirion will comply with all applicable laws regarding the privacy of consumer information. If Spirion will process Personal Data under the Agreement, it shall process Personal Data (a) only on behalf of and for the benefit of Customer in connection with the Services under the Agreement; and (b) in strict compliance with applicable laws and with the Data Processing Agreements attached hereto as Schedule 1 and Schedule 2, as applicable. Spirion agrees that the parties may add additional Data Privacy Agreements as attachments in the event that additional laws become applicable.

3. Data Security Incident Response
If Spirion becomes aware of a confirmed breach of the security measures described in this Spirion Data Privacy and Security Policy that results in either (a) unlawful access to Customer Data stored on Spirion’s equipment or in Spirion’s facilities, or (b) unauthorized access to such equipment or facilities, where in either case such access results in loss, disclosure, or alteration of Customer Data (each a “Security Event”), Spirion will: (x) notify Customer of the Security Event using the email address listed in Customer’s Spirion account within 24 hours after Spirion confirms the Security Event (provided Spirion is not prohibited from providing the notification by a court order or other legal requirement); and (y) promptly take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Event. Spirion shall assist the Customer, where required by applicable law, to notify any Security Event to the competent government entity and to affected individuals.

4. Insurance
Spirion will maintain insurance covering impacts directly related to cyber security incidents involving Services supplied under the Agreement.

5. Applicability of Schedule
5.1 Attachment 1 shall apply to Spirion’s processing of any Personal Information of a Data Subject who is a resident of the state of California.

ATTACHMENT 1: CCPA Privacy Addendum

This California Privacy Addendum (“CPA”), by and between Customer and Spirion, LLC (collectively, the “Parties”) sets forth the terms and conditions relating to compliance with the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”) in connection with any of the services rendered by Partner to Customer (the “Services”) pursuant to the Spirion Software as a Services Agreement effective on the date specified on the Order Form entered into between them (together, the “Agreement”).

Whereas, Customer is a Business subject to the CCPA;

Whereas, Spirion (i) is a Service Provider that provides Services to Customer pursuant to the Agreement and (ii) Processes Personal Information that is necessary to perform the Services under the Agreement;

Now therefore, in consideration of the mutual covenants and agreements in this Addendum and the Agreement, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Customer and Partner agree as follows:

1. Definitions
Any capitalized term used but not defined herein shall have the meaning ascribed to it in the CCPA, except that the definitions of Aggregate and Personal Information set forth in this Addendum shall control in any and all cases.

2. Relationship with the Agreement

  • The parties agree that this CPA shall replace any existing data processing addendum the parties may have previously entered into in connection with Personal Information of Consumers (defined at Section 1798.140(g) as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by a unique identifier”). This CPA shall have no effect on any data processing addenda regarding compliance with European laws and regulations.
  • Except for the changes made by this CPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this CPA and the Agreement, this CPA shall prevail to the extent of that conflict.

3. Privacy of Personal Information

3.1 Spirion represents, warrants and covenants as follows:
  (a) Spirion is acting solely as a Service Provider with respect to Personal Information as specified in Exhibit A below.
  (b) Spirion shall not (1) Sell Personal Information, or (2) retain, use or disclose Personal Information for any purpose other than for the specific purpose of performing the Services.
  (c) Spirion shall cooperate with Customer if an individual requests from Customer (i) access to his or her Personal Information, (ii) information about the categories of sources from which the Personal Information is collected, or (iii) information about the categories or specific pieces of the individual’s Personal Information, including by providing the requested information in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit the information to another entity without hindrance. Partner shall promptly inform Customer in writing of any requests with respect to Personal Information.
  (d) Upon Customer’s request, Spirion shall promptly delete a particular individual’s Personal Information from Spirion’s records. In the event Spirion is unable to delete the Personal Information for reasons permitted under the CCPA, Spirion shall (i) promptly inform Customer of the reason(s) for its refusal of the deletion request, (ii) ensure the privacy, confidentiality and security of such Personal Information, and (iii) delete the Personal Information promptly after the reason(s) for Spirion’s refusal has expired.
3.2 Where Spirion provides a third party with access to Personal Information, or contracts any of its rights or obligations concerning Personal Information to a third party, Spirion shall enter into a written agreement with each such third party that imposes obligations on the third party that are equivalent to those imposed on Spirion under Section 3 of this Addendum.
3.3 The Parties acknowledge and agree as follows:
  (a) The Personal Information that Customer discloses to Spirion is provided to Spirion for a Business Purpose, and Customer does not Sell Personal Information to Spirion in connection with the Agreement.
  (b) During the time the Personal Information is disclosed to Spirion, Customer has no knowledge or reason to believe that Spirion is unable to comply with the provisions of this Addendum.
3.4 Spirion certifies that it understands and will comply with the requirements and restrictions set forth in Section 3 of this Addendum.

Exhibit A: Specifics of Services and Personal Information

The nature of the Services that require use of Personal Information: Using search algorithms to identify certain sensitive data, as specified by Customer, within the Customer Data.

Types of Personal Information: As provided by Customer.
