2025-339-E-Human Resources-DISA GLOBAL SOLUTIONS INC-employment screening checks

Browse Search

Unified Master Services Agreement Page 3 | 10 v.13.0 2.2.2022 1.22. "User" means any one or more, as the context requires or permits, of the following: Authorized User, Faculty User, and Individual User. 2. Services/Right to Access and Use: Vendor will provide Client the Services as set forth in this Agreement and the applicable Service Order. Client represents to Vendor that all Authorized Users are employees or agents of Client who have a legitimate business need to access and use the Serv ices, and to view, copy, and access results, reports, documents, and information about the individuals on or through the Services. Client shall promptly notify Vendor if an Authorized User no longer is employed by Client or is no longer authorized to access or use the Services. Client and each Authorized User shall comply with all applicable laws, rules, and regulations. Client is responsible for any access to or use of the Services through Client’s Account (s). In no event shall Client or any Authorized User input, upload, transmit, publish, or disclose, or permit, authorize, cause, require, or request any other individual, entity, or organization to input, upload, transmit, publish, or disclose, on, to, or throu gh the Services any Protected Health Information. Client agrees that it shall not, and it shall instruct each of its Authorized Users to not, (a) disclose or provide to any third party any username, password, or other log-in credential to the Services; or (b) permit, authorize, or enable any third party not specifically authorized in writing by Vendor to access or use the Services. In the event that any password, username, or other log-in credential of Client or any Authorized User is compromised, accessed, obtained, or disclosed to or by any unauthorized person, entity, Client shall immediately notify Vendor. User’s access to or use of the Services is subject to Vendor’s website terms and conditions of use and privacy policy, which can be found at https://discover.castlebranch.com/terms-and-conditions/, and https://discover.castlebranch.com/privacy- policy/, respectively, and are subject to change. 3. Data Collection; Confidentiality and Information Security: 3.1. Where Vendor processes any Personal Information on behalf of Authorized Users, Vendor shall process such Personal Information in accordance with all applicable laws. Vendor shall maintain commercially reasonable administrative, physical, and technical safeguards designed to protect the security of any Personal Information collected or maintained as a result of the Services. In the event either Vendor or Client suffers or experiences a Data Breach, the Vendor or Client, as applicable, shall notify the other party in writing as soon as reasonably practicable, but in no event later than three (3) business days, or earlier if required by law, following the party’s knowledge of the Data Breach, and shall take commercially reasonable actions to contain and investigate the Data Breach. The notification shall identify, to the extent such information is available (and if permitted by law): (a) the nature of the Data Breach; (b) the Personal Information accessed; (c) the person(s) who accessed the Personal Information; (d) any steps taken by the party to contain the Data Breach; and (e) any corrective action the party has taken or will take to prevent future unauthorized access. The p arty that suffered or experienced the Data Breach shall provide notice to affected individuals and to applicable governmental agencies if Required by Law. 3.2. If Vendor processes any Personal Information on behalf of Client that is subject to GDPR, Vendor and Client each agree and acknowledge that the Client shall be the data controller and Vendor shall be the data processor (as those terms are defined in GDPR) with respect to the processing of such Personal Information. Vendor shall only process such Personal Information upon the reasonable instructions of the Client for purposes notified to it by the Client for which consent from the relevant data subjects has been obtained. To the extent a User is covered by GDPR, then Vendor will (a) only collect, process and transfer those categories of Personal Information that it may legitimately process in accordance with this Agreement and/or the Client’s written instructions or as permitted by consent from the User; (b) notify the Client promptly of any communication received from a Client User to Vendor relating to subject access rights; and (c) take reasonable measures to keep such Personal Information secure and confidential. To the extent applicable, the right to store and/or use Personal Information is subject to the Right of Erasure as reflected in GDPR and any other applicable Data Protection Law. 3.3. Vendor utilizes multiple third-party Processors (or “Sub-processors” as that term is defined in GDPR), strictly as necessary, to perform the services und er this Agreement. Vendor imposes, in writing, the same data privacy, confidentiality, and security requirements on its Sub-Processors to which Vendor and Client are subject under this Agreement. To the extent Required by Law, Vendor will provide to Client, upon request, a list detailing the then current Sub-Processors to which Vendor discloses or allows access to Personal Information under this Agreement. Should Client refuse consent to Vendor’s use of a particular Sub-Processor(s), to the extent consent is require by law, and upon notice to Vendor, Client shall have the option of terminating this Agreement without penalty or liability. 3.4. Each party may be given access to Confidential Information of the other party under or in connection with this Agreement. "Confidential Information" means any proprietary or non-public information compiled, accessed, Docusign Envelope ID: A4CA1836-F4CC-417F-A6B3-95651F565E3A