Contentsquare designates a fully qualified employee to coordinate with Customer and provide to Customer, as needed, all information reasonably requested in writing by Customer concerning the processing, storage and protection of Customer Data.
Contentsquare has implemented and maintains a written data information security program for the protection of Customer Data that includes appropriate organizational, administrative, technical and physical safeguards and other security measures that are industry standard and commensurate with the nature of the Customer Data processed by Contentsquare (the “Information Security Program”). Contentsquare’s Information Security Program includes regular training of its personnel on those policies, hiring and exit procedures including regular risk assessment of the risks to the security of Customer Data, and shall be updated as necessary with changes in any applicable law. Contentsquare reserves the right to and may update or modify such measures from time to time provided that such updates or modifications do not result in any material degradation to the security of Customer Data.
Contentsquare implements appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk presented by processing Customer Data, in particular from unlawful and unauthorized destruction, loss, disclosure, or access to Customer Data, stored or otherwise processed by Contentsquare (“Security Breach”), including, inter alia, as appropriate: (i) implementation of reasonable and sufficient physical barriers and controls to prevent unauthorized physical access to, or compromise of Customer Data by human or environmental causes; (ii) ensuring that only those authorized Contentsquare representatives gain access to the Customer Data, and taking commercially reasonable steps to prevent unauthorized access to or destruction or loss of any Customer Data; and, (iii) maintaining a secure processing environment for Customer Data, which includes: (a) timely application of anti-virus updates, system patches, fixes and updates to all operating systems and applications, the implementation of firewalls and other similar measures designed to ensure the confidentiality, integrity, and availability of Customer Data; (b) encryption of all Customer Data at all times in transit and at rest, using and deploying a commercially acceptable encryption solution; and, (c) secure email for all Contentsquare domains.
Contentsquare maintains a business continuity plan so that Customer Data is protected and, in the event of a disruption to, or loss of, data or CS Solution, delivery of CS Solution and access to Customer Data are restored and continue at the applicable service levels. The plan is reviewed and approved at management level and tested periodically.
If at any time Contentsquare determines that any individual or entity has attempted to circumvent or has circumvented the security of any computer, system, or device containing Customer Data, or that there has been a Security Breach (each, an “Incident”), Contentsquare shall: (a) immediately terminate any unauthorized access and within forty-eight (48) hours notify Customer in writing of such Incident; (b) promptly investigate and take reasonable steps to remediate the Incident; and (c) cooperate with Customer’s investigation and provide documentation and assistance as may reasonably be requested by Customer. Contentsquare shall notify Customer of any Incidents at the email address detailed in the Order Form, or such other address as either Party has notified the other.
Third-Party Certifications and Audits
Each calendar year, Contentsquare shall engage an appropriately recognized accreditor to conduct an audit in accordance with ISO 27001, ISO 27701, SOC 2 or other similarly recognized standards (a “Data Protection Controls Audit”). Contentsquare shall cooperate with the Beneficiary and, upon reasonable prior notice to Contentsquare (no less than thirty (30) days), provided that the Beneficiary agrees to our Penetration Testing Protocol, the Beneficiary may conduct periodic technical security tests (manual penetration tests) and audits of Contentsquare’s systems holding or containing any Beneficiary Personal Data, using a third party provider (under confidentiality obligations no less strict than the obligations of the Beneficiary under this Contract), to verify that all necessary security measures have been implemented and are functioning properly, and in any event no more than once per calendar year (a “Technology Security Audit”). Arising deficiencies and their associated criticality should be reviewed and mutually agreed on by both Parties. Contentsquare shall promptly address all critical deficiencies, concerns or recommendations arising out of any Security Questionnaire, Data Protection Controls Audit, or Technology Security Audit (each a “Security Audit”). If, as a result of any Security Audit, the Beneficiary reasonably deems Contentsquare’s security measures insufficient, then promptly following the Beneficiary’s written request, a senior Contentsquare executive shall meet with a representative of the Beneficiary to discuss the matter in good faith until its conclusion.
Notwithstanding the foregoing, all assessments and audits conducted under this Section 6.2 shall conform to the following requirements: (i) 30 days prior written notice; (ii) limited to once every twelve months; (iii) at the sole cost of the Beneficiary; (iv) scope of assessments and audits shall be limited to matters not covered by the SOC 2, ISO 27701 or ISO 27001 certifications in effect; and (v) any internal expenses incurred by Contentsquare as part of assessments and audits requested by the Beneficiary with a scope already covered by the SOC 2, ISO 27701 or ISO 27001 certifications in effect, shall be reimbursed by the Beneficiary. In addition, except in the event of a proven and justified breach, Contentsquare may provide the Beneficiary with the result of a previous audit carried out by a third party on the same scope (SOC 2, ISO 27001 or ISO 27701) and less than 12 months old instead of the audit requested by the Beneficiary. In this event, Contentsquare will be deemed to have satisfied the Beneficiary’s right to audit.