ISDP Terms EMEA

Effective date: July 2020

A. OVERVIEW
In the course of providing Services to an Alight client, Alight may have access to Personal Information. Capitalized terms not otherwise defined herein shall have the meaning ascribed to it in the underlying services agreement between Alight and Alight client (the “Agreement”).

“Personal Data or Personal Information means any information relating to an identified or identifiable natural person; where an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Information includes, without limitation, (a) an individual’s name; (b) home or other physical address; (c) Social Security number or other similar government identifier; (d) health information; (e) financial account numbers in combination with a password, PIN, or security code that would permit access to the financial account; or (f) any other combination of data elements that would trigger individual or governmental notice under applicable law if exposed to an unauthorized third party; or (g) any combination of (a)-(f).

Alight agrees to collect, process, transfer, disclose, store, and otherwise use Personal Information in its possession in accordance with these terms and applicable law.

B. GENERAL REQUIREMENTS: DATA PRIVACY AND SECURITY
1. Data Privacy and Security Programs. Alight’s data privacy and security programs shall include reasonable and appropriate physical, technical, organizational and administrative measures designed to protect against the unauthorized destruction, loss, access to or alteration of Personal Information in Alight’s possession.
2. Data Privacy and Security Policies. Alight maintains rigorous policies and practices to protect Personal Information, including a Global Privacy Policy and a Global Information Security Policy, which we apply uniformly across our operations based on industry standards. These policies are consistent with the ISO27001/2 standards. Alight abides by these policies, which outline the physical, technical, organizational and administrative measures by which it protects Personal Information. Upon client’s request, Alight will provide client with current copies of such policies.
3. Third Party Subcontractors. Alight maintains rigorous policies and practices to protect Personal Information, including a Global Privacy Policy and a Global Information Security Policy, which we apply uniformly across our operations based on industry standards. These policies are consistent with the ISO27001/2 standards. Alight abides by these policies, which outline the physical, technical, organizational and administrative measures by which it protects Personal Information. Upon client’s request, Alight will provide client with current copies of such policies.
4. On Boarding Process.

a. Background Checks. Where permitted by local law, Alight’s requires that new hires be subjected to a comprehensive pre-employment background check.
b. Confidentiality Agreements. Alight requires that non-disclosure/confidentiality agreements or undertakings be signed by all new employees within 30 days of hire.
c. Training. Alight will provide employees with training on data security and privacy, including Alight’s Information Security and Data Privacy Policies.

C. SECURITY MEASURES
1. Physical Security. Alight maintains security controls for entry points, holding areas, telecommunications areas, and cabling areas that contain information processing systems or media containing Personal Information. Security controls may include, but are not limited to:

a. Access control and restriction by use of a defined security perimeter, appropriate security barriers, security cameras, entry controls and authentication controls, and maintenance of access logs for a minimum of two (2) years or other time specified by law or policy;
b. Where Alight ID cards are deployed, a requirement for all personnel, vendors, contractors and visitors to wear some form of visible identification to identify themselves as employees, contractors, vendors, or visitors;
c. A clear desk/clear screen policy;
d. An automatic idle-lock for unattended equipment;
e. A requirement for visitors to Alight’s premises to be escorted at all times; and
f. Where technically feasible and commercially reasonable, cameras and CCTVs.

2. Network Security Controls. Alight maintains the following network security controls and safeguards:

a. Defense-in-depth design with perimeter routers, network switches and firewall devices and default deny-all policy to protect Internet presence;
b. Least privilege and authenticated access for network users and equipment;
c. Control of internet access by proxies;
d. Two-factor authentication for remote access with a non-reusable password;
e. Intrusion detection system to monitor and respond to potential intrusions;
f. Real-time network event logging and investigation using a security information event management tool;
g. Content filtering and website blocking using approved lists;
h. Limitations on wireless access to the network;
i. Policies and standards for wireless network devices;
j. Prohibitions on bridging of wireless and other networks, including the corporate network; and
k. Detection and disassociation of rogue wireless access points.

3. Platform Security Controls. Alight maintains the following platform security controls and safeguards:

a. Maintenance of configuration/hardening standards;
b. Control of changes through an internal change control process;
c. Prohibition on installing unauthorized hardware and software;
d. Where technically feasible, automatic session timeouts after periods of inactivity;
e. Removal of vendor-supplied defaults (accounts, passwords and roles) during installation;
f. Removal of services and devices that are not required by valid business needs;
g. Use of an anti-virus program with timely updates;
h. Non-privileged account access on workstations and laptops; and
i. Full disk encryption and active firewall installation on laptops.

4. Application Security Controls. Alight maintains the following application security controls and safeguards:

a. Defense-in-depth with the use of n-tier architecture for separation and protection of data;
b. A secure software development life cycle (SSDLC) for application development that includes training, development, testing and ongoing assessments;
c. Documentation, review, testing and approval before changes are implemented into production;
d. Identification, testing and remediation of application vulnerabilities and patches in a timely manner; and
e. A prohibition on using production data in development and testing environments.

5. Data and Asset Management. Alight maintains the following data and asset management security controls and safeguards:

a. Technical, administrative and physical safeguards;
b. Regular backups and storage of Personal Information;
c. Encryption of Personal Information transmitted over public networks and on removable media;
d. Use of a data loss prevention tool for end point data transfer activities involving socia security numbers or other national identification numbers;
e. Use of an inventory program to control the installation, ownership and movement of hardware, software and communications equipment;
f. Encryption, sanitization, destruction, or purging of all physical media containing Personal Information leaving Alight’s custody to ensure that residual magnetic, optical, electrical, or other representation of data has been deleted, and is not recoverable; and
g. Logical separation of Personal Information of an Alight client from other Alight clients.

6. Access Control and Management. Alight maintains the following access control and management security controls and safeguards:

a. Monitoring and logging access and use of the Alight systems that contain Personal Information, including, but not limited to logging of access attempts to the Alight systems that contain Personal Information;
b. Periodic review and validation of role-based access to Personal Information and prompt removal of unnecessary access;
c. Unique logon ID and passwords;
d. Strong passwords with minimum length, complexity and expiration requirements;
e. Disabling access after a limited number of failed login attempts; and
f. Rejection of previously used passwords.

7. Vulnerability and Patch Management. Alight takes the following measures designed to identify and mitigate vulnerabilities that threaten Alight’s ability to enforce the confidentiality, integrity, and availability of Personal Information:

a. A vulnerability monitoring process that provides alerts or notifications of new fixes available, and the resulting timeframe for remediation;
b. Regular scanning to identify and remediate vulnerabilities promptly;
c. Classification of vulnerabilities based on severity to allow for remediation based on predetermined service level expectations; and
d. Penetration tests on applicable Alight environments, including perimeter vulnerability testing, internal infrastructure vulnerability testing, and application testing.

D. DATA SECURITY INCIDENT NOTIFICATION & RESPONSE
1. Notification. In the event that Alight confirms or is notified of a breach of security by Alight or its subcontractor(s) that results in the unauthorized access, disclosure, or loss of Personal Information (Data Security Incident), Alight shall promptly notify client's authorized representative of such Data Security Incident.
2. Incident Management. In the event of a Data Security Incident, Alight shall (i) reasonably investigate the impact of such Data Security Incident, (ii) identify the root cause of such Data Security Incident, (iii) take reasonable and appropriate measures to remedy the Data Security Incident, and (iv) take reasonable and appropriate measures to prevent a reoccurrence of such Data Security Incident.
3. Incident ReportingUpon client’s request, Alight will provide the following information that is known to Alight’s authorized representatives at such time: (i) the nature of the Data Security Incident, (ii) the Personal Information used or disclosed in the Data Security Incident, (iii) the measures Alight has taken or will take to remediate or mitigate the effect of such Data Security Incident, and (iv) any corrective action Alight has taken or will take to prevent future similar Data Security Incidents from occurring.
4. Incident Remediation. Alight agrees to be responsible for all reasonable costs incurred by Alight related to or arising from any such Data Security Incident that is the result of Alight’s breach of its security obligations herein, including but not limited to, forensic and investigatory costs incurred by Alight, as such may be reasonably required. In addition, client may require Alight, at Alight’s expense, to provide notification to individuals or governmental entities, in each case where such notice is required by law or regulation.

E. PRIVACY AND SECURITY REGULATORY COMPLIANCE
1. GDPR. If the Agreement or the services involve “Personal Data” (as such term is defined in the European Union General Data Protection Regulation (EU) 2016/679 of an EU resident, and, to the extent applicable, the data protection or privacy laws of any EU Member State or other country) (“EU Privacy Laws”) then, in addition to the requirements set forth herein, Alight and client hereby agree to:

a. Alight GDPR Terms: The terms set out at https://alight.com/gdprterms for compliance with applicable EU Privacy Laws; and
b. EU Standard Contractual Clauses. As applicable, the terms set out at https://alight.com/sccterms comprising the standard contractual clauses specified by the EU for the onward transfer of Personal Data.

2. Compliance with Data Privacy Laws and Regulations. Alight will comply with all data privacy laws and regulations applicable to Alight in its capacity as a service provider. The technical and organizational security measures implemented by Alight to protect Personal Information shall be consistent and no less stringent than what is required under applicable laws and regulations, including, without limitation, the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).
3. California Consumer Privacy Act (CCPA). To the extent that Alight collects, stores, transfers or processes Personal Information that is subject to the CCPA, the Parties acknowledge and agree as follows:

a. Alight shall comply with all applicable provisions of CCPA in its capacity as a service provider as contemplated under CCPA.
b.Personal Information that client discloses to Alight under the Agreement is provided to Alight for a Business Purpose (as defined under CCPA), and client does not sell Personal Information to Alight.
c. Alight shall not retain, use or disclose Personal Information for any purpose other than as necessary to perform the Services specified in the Agreement.
d. Upon client’s request, Alight shall delete particular Personal Information from Alight’s records. In the event Alight is unable to delete the Personal Information for reasons permitted under CCPA, Alight shall (i) promptly inform client of the reason(s) for its refusal to the deletion request, (ii) ensure the privacy, confidentiality and security of such Personal Information, and (iii) delete sure Personal Information promptly after the reason(s) for Alight’s refusal has expired.

4. Health Insurance Portability and Accountability Act (HIPAA).If the Agreement or the Services involve “Protected Health Information” as such term is defined in HIPAA, then, in addition to all other requirements set forth herein, Alight and client shall execute a HIPAA Business Associate Agreement (“Business Associate Agreement”). In the event of any conflict between the terms of the Business Associate Agreement and these terms, the Business Associate Agreement will govern.
5. Gramm-Leach Bliley Act. Alight shall comply with the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. § § 6801-6827 to the extent that Alight is subject to the GLBA in the provision of Services to client.