Content Square designates a fully qualified employee to coordinate with Customer and provide to Customer, as needed, all information reasonably requested in writing by Customer concerning the processing, storage and protection of Customer Data.
Content Square has implemented and maintains a written data information security program for the protection of Customer Data that includes appropriate organisational, administrative, technical and physical safeguards and other security measures that are industry standard and commensurate with the nature of the Customer Data processed by Content Square (the “Information Security Program”). Content Square’s Information Security Program includes regular training of its personnel on those policies, hiring and exit procedures including regular risk assessment of the risks to the security of Customer Data, and shall be updated as necessary with changes in any applicable law. Content Square reserves the right to and may update or modify such measures from time to time provided that such updates or modifications do not result in any material degradation to the security of Customer Data.
Content Square implements appropriate physical, technical and organisational measures to ensure a level of security appropriate to the risk presented by processing Customer Data, in particular from unlawful and unauthorised destruction, loss, disclosure, or access to Customer Data, stored or otherwise processed by Content Square (“Security Breach”), including, inter alia, as appropriate: (a) implementation of reasonable and sufficient physical barriers and controls to prevent unauthorised physical access to, or compromise of Customer Data by human or environmental causes; (b) ensuring that only those authorised Content Square representatives gain access to the Customer Data, and taking commercially reasonable steps to prevent unauthorised access to or destruction or loss of any Customer Data; and (c) maintaining a secure processing environment for Customer Data, which includes: (i) timely application of anti-virus updates, system patches, fixes and updates to all operating systems and applications, the implementation of firewalls and other similar measures designed to ensure the confidentiality, integrity, and availability of Customer Data; (ii) encryption of all Customer Data at all times in transit and at rest, using and deploying a commercially acceptable encryption solution; and (iii) secure email (SMTP/TLS) for all Content Square domains.
Content Square maintains a business continuity plan so that Customer Data is protected and, in the event of a disruption to, or loss of, data or CS Solution, delivery of CS Solution and access to Customer Data are restored and continue at the applicable service levels. The plan is reviewed and approved at management level and tested periodically.
If at any time Content Square determines that any individual or entity has attempted to circumvent or has circumvented the security of any computer, system, or device containing Customer Data, or that there has been a Security Breach (each an “Incident”), Content Square shall: (a) immediately terminate any unauthorised access and promptly notify Customer in writing of such Incident; (b) promptly investigate and take reasonable steps to remediate the Incident; and (c) cooperate with Customer’s investigation and provide documentation and assistance as may reasonably be requested by Customer.
Upon written request, and no more than once per each calendar year, Content Square shall respond to Customer’s reasonable information security questionnaire (“Security Questionnaire”). Each calendar year, Content Square shall engage an appropriately recognised accreditor to conduct an audit in accordance with ISO 27001, ISO 27018, SSAE 16/SOC2 Type II, or other similarly recognised standards (a “Data Protection Controls Audit”). Content Square shall cooperate with Customer and, upon reasonable prior notice to Content Square (no less than 14 days), Customer may conduct periodic security scans and audits of Content Square’s systems holding or containing any Customer Data, using a third party scanning provider (under confidentiality obligations no less strict than the obligations of Customer under this Agreement) or software, to verify that all necessary security measures have been implemented and are functioning properly, and in any event no more than once per each calendar year (a “Technology Security Audit”). Content Square shall promptly address all critical deficiencies, concerns or recommendations arising out of any Security Questionnaire, Data Protection Controls Audit, or Technology Security Audit (each a “Security Audit”). If, as a result of any Security Audit, Customer reasonably deems Content Square’s security measures insufficient, then promptly following Customer’s written request, a senior Content Square executive shall meet with a representative of Customer to discuss the matter in good faith until its conclusion.