Attached files
| file | filename |
|---|---|
| EX-10.1 - EX-10.1 - TRX INC/GA | d233980dex101.htm |
| EX-10.6 - EX-10.6 - TRX INC/GA | d233980dex106.htm |
| EX-10.5 - EX-10.5 - TRX INC/GA | d233980dex105.htm |
| EX-31.1 - EX-31.1 - TRX INC/GA | d233980dex311.htm |
| EX-10.2 - EX-10.2 - TRX INC/GA | d233980dex102.htm |
| EX-32.1 - EX-32.1 - TRX INC/GA | d233980dex321.htm |
| EX-31.2 - EX-31.2 - TRX INC/GA | d233980dex312.htm |
| EX-10.3 - EX-10.3 - TRX INC/GA | d233980dex103.htm |
| EXCEL - IDEA: XBRL DOCUMENT - TRX INC/GA | Financial_Report.xls |
| 10-Q - FORM 10-Q - TRX INC/GA | d233980d10q.htm |
Exhibit 10.4
AMENDMENT #4 TO
SERVICES AGREEMENT
BETWEEN TRX FULFILLMENT SERVICES, LLC.
AND
AMERICAN AIRLINES, INC.
This Amendment #4 (“Amendment”) is entered into as of the 1st day of September 2011 (“Amendment Effective Date”) between TRX Fulfillment Services, LLC (“TRX” or “Supplier”) and American Airlines, Inc. (“American”). TRX and American have previously entered into a Services Agreement dated as of December 23, 2002, as amended on February 1, 2006, June 27, 2008, and June 29, 2011 (the “Agreement”), which is incorporated herein by reference. The parties desire to amend and revise the Agreement solely as set forth in this Amendment. The terms defined within the Agreement and its Exhibits and Attachments shall also apply to this Amendment.
WITNESSETH
WHEREAS, TRX and American entered into the Agreement, pursuant to which TRX agreed to provide certain Services;
WHEREAS, TRX and American have agreed to amend the Agreement as specified herein;
NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions set forth herein the parties hereto amend the Agreement as follows:
| 1. | Section 5 – Miscellaneous. The section shall be deleted in its entirety and replaced with the following: |
“5. Miscellaneous. In addition to the aforementioned Exhibit A, the attached Exhibit B (American’s Purchase Order Terms and Conditions) and Attachment 1(Data Security and Confidentiality), are incorporated herein by reference and made a part hereof as if set forth herein in full. In the event of a conflict between the terms and conditions of Exhibit A, the body of this Agreement, Exhibit B and Attachment 1, the following order of precedence shall apply: such Attachment 1, Exhibit A, the body of this Agreement and Exhibit B. This Agreement (including all incorporated Exhibits and Attachment) is the “Order” referred to in the Purchase Order Terms and Conditions.”
| 2. | The Agreement shall be amended by adding the following Section 10: |
“10. Indemnification.
(a) Supplier shall indemnify, defend and hold harmless American, and American’s Affiliates and licensees, and each of their officers, shareholders, directors, employees, agents and Customers (collectively, the “American Indemnified Parties”), from and against all liabilities, obligations, losses, damages, deficiencies, penalties, taxes, levies, fines, judgments, settlements, expenses (including attorneys’ and accountants’ fees and disbursements) and costs arising from a claim, demand, proceeding, suit or action by a third party (“Third Party Claims”), incurred by or asserted against any of the American Indemnified Parties to the extent such Third Party Claims relate to, arise out of or result from: (i) physical injury to or death of any person or damage to tangible property caused by any willfully or intentionally wrongful, or negligent, act or omission of any employee, agent or subcontractor of Supplier relating to this Agreement; (ii) Supplier’s failure to perform or improper performance under this Agreement, or breach of any of Supplier’s representations or warranties contained in this Agreement; (iii) any actual or alleged infringement or misappropriation of any IP Right by any hardware, software, equipment, services, materials or any other information or items provided by Supplier or any of its agents or subcontractors pursuant to this Agreement; (iv) Supplier’s failure to comply with any laws (including Data Laws) in connection with the products or services under this Agreement; or (v) any Security Incident.
Page 1 of 13
(b) American shall indemnify, defend and hold harmless Supplier, and Supplier’s Affiliates and licensees, and each of their officers, shareholders, directors, employees and agents (collectively, the “Supplier Indemnified Parties”), from and against all Third Party Claims incurred by or asserted against any of the Supplier Indemnified Parties to the extent such Third Party Claims relate to, arise out of or result from: (i) physical injury to or death of any person or damage to tangible property caused by any willfully or intentionally wrongful, or negligent, act or omission of any employee or agent of American relating to this Agreement; (ii) American’s failure to perform or improper performance under this Agreement, or breach of any representation or warranty contained in this Agreement; (iii) any actual or alleged infringement or misappropriation of any IP Right by the Applications provided by American pursuant to this Agreement or (iv) American’s failure to comply with any laws (including Data Laws) applicable to American in its receipt of the products or services under this Agreement.
(c). Intellectual Property Remedies.
(i) In the event of a Third Party Claim that is subject to indemnification under Section 10(a)(iii) (relating to infringement), and in addition to Supplier’s obligations in this Section 10, Supplier shall, at its expense, either (a) procure for American the right to continue use of the affected products or services, or any component thereof; (b) replace the affected products or services with functionally equivalent (including the look and feel) non-infringing products or services; or (c) modify the affected products or services to be non-infringing and functionally equivalent (including the look and feel). If Supplier cannot accomplish any of the foregoing within a reasonable time after using commercially reasonable efforts, then in addition to Supplier’s obligations in this Section 10, (i) either party may terminate this Agreement upon written notice to the other specifying the effective date of termination and (ii) Supplier shall refund to American any unused monies pre-paid by American for the products or services under the applicable exhibit.
(ii) In the event of a Third Party Claim that is subject to indemnification under Section 10(b)(iii) (relating to infringement), and in addition to American’s obligations in this Section 10, American shall, at its expense, either (a) procure for Supplier the right to continue use of the affected products or services, or any component thereof; (b) replace the affected products or services with functionally equivalent non-infringing products or services; or (c) modify the affected products or services to be non-infringing and functionally equivalent. If American cannot accomplish any of the foregoing within a reasonable time after using commercially reasonable efforts, then in addition to American obligations in this Section 10, either Party may terminate this Agreement upon written notice to the other specifying the effective date of termination.
(d) Promptly after a Party seeking indemnification obtains knowledge of the existence or commencement of a Third Party Claim, the Party to be indemnified (the “Indemnified Party”) will notify the other Party (the “Indemnifying Party”) of such Third Party Claim in writing; provided, however, that any failure to give such notice will not waive any rights of the Indemnified Party except to the extent that the rights of the Indemnifying Party are actually prejudiced thereby. The Indemnifying Party will assume the defense and settlement of such Third Party Claim with counsel reasonably satisfactory to the Indemnified Party at the Indemnifying Party’s sole risk and expense; provided, however, that the Indemnified Party (i) may join in the defense and settlement of such Third Party Claim and employ counsel at its own expense, and (ii) will reasonably cooperate with the Indemnifying Party in the defense and settlement of such Third Party Claim. The Indemnifying Party may settle any Third Party Claim without the Indemnified Party’s written consent unless such settlement (A) does not include a release of all covered claims pending against the Indemnified Party; (B) contains an admission of liability or wrongdoing by the Indemnified Party; or (C) imposes any obligations upon the Indemnified Party other than an obligation to stop using any infringing items.
Page 2 of 13
(e) If the Indemnifying Party fails to assume the defense of such Third Party Claim in a timely manner or, having assumed the defense of such Third Party Claim, fails reasonably to contest such Third Party Claim in good faith, the Indemnified Party, without waiving its right to indemnification, may assume the defense, and the Indemnifying Party will reasonably cooperate with the Indemnified Party in the defense and settlement of such Third Party Claim. The Indemnified Party may settle such Third Party Claim without the Indemnifying Party’s written consent unless such settlement (i) does not include a release of all covered Third Party Claims; (ii) contains an admission of liability or wrongdoing by the Indemnifying Party; or (iii) imposes any obligations upon the Indemnifying Party other than an obligation to stop using any infringing items. The Indemnifying Party will be liable for all costs and expenses incurred by the Indemnified Party in connection with the defense and settlement of any Third Party Claim pursuant to this Section.
(f) For purposes of this Section,” IP Rights” means all intellectual property and proprietary rights of any nature or kind, anywhere in the world, whether protected, created, or arising under any applicable law, and all worldwide common law, statutory, and other rights in, arising out of, or associated therewith, including but not limited to patents, trademarks, publicity rights, copyrights, moral rights, database rights, domain names, and trade secrets, unfair competition law, or other similar protections, whether or not such rights are registered or perfected.”
| 3. | The Agreement shall be amended by adding the following Section 11: |
“11. Limitation of Liability.
(a) SUBJECT TO SECTION 11(b) OF THIS AGREEMENT, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY ANTICIPATED PROFITS OR FOR INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL OR PUNITIVE DAMAGES IN CONNECTION WITH THIS AGREEMENT. SUBJECT TO SECTION 11(b) OF THIS AGREEMENT, IN NO EVENT WILL EITHER PARTY’S AGGREGATE LIABILITY FOR ANY DIRECT DAMAGE ARISING IN CONNECTION WITH THIS AGREEMENT EXCEED *.
SUPPLIER, IN PROVIDING SERVICES AND/OR ARTICLES PURSUANT TO THIS AGREEMENT, WILL NOT BE RESPONSIBLE OR LIABLE FOR ACTS, ERRORS, OMISSIONS, LOSSES, INJURIES, DEATH, PROPERTY DAMAGE, ACCIDENTS, DELAYS, NONPERFORMANCES OR ANY OTHER IRREGULARITIES RESULTING FROM THIRD PARTIES IF AMERICAN REQUIRED PROVIDER, IN WRITING, TO UTILIZE SUCH THIRD PARTIES IN THE PERFORMANCE OF SERVICES HEREUNDER.
(b) The limitations in Section 11(a) of this Agreement shall not apply to: (i) Third Party Claims that are the subject of indemnification under this Agreement; (ii) damages occasioned by the willful misconduct or fraud of a Party; (iii) damages occasioned by a breach of Section 2 (Security) or Section 4 (Confidential Information) of Attachment 1; or (iv) Supplier’s abandonment of the Services provided under this Agreement.
* CONFIDENTIAL TREATMENT REQUESTED
Page 3 of 13
4. Exhibit A, Section 1 - Location of the Services to be Performed. The following shall be added to the end of this section:
“Notwithstanding the foregoing, Supplier represents, warrants and covenants that American Personal Identifying Information will not be stored outside of the U.S.”
5. Exhibit A, Section 3(c) – Security. The section shall be deleted in its entirety and replaced with the following:
“The rights and obligations of the Parties with respect to Confidential Information are set forth in Attachment 1.”
6. Exhibit A, Section 3(l) is hereby deleted in its entirety.
7. Exhibit A, Section 3(g) and Section 3(h). These sections shall be deleted in their entirety and each will be replaced with the following:
“[Intentionally deleted.]”
8. Exhibit A, Section 5(a) – Term and Termination. The section shall be deleted in its entirety and replaced with the following:
“The term of this Agreement shall commence on the date executed and continue in full force and effect through August 31, 2014 (the “Initial Term”). American shall have the option to extend the Initial Term for up to three (3) additional two (2) year terms (each, a “Renewal Term” and together with the Initial Term, the “Term”). Exercise of any such option shall be upon at least 120 days advance written notice. Should American exercise any such option (s) the pricing would be as then mutually agreed upon and Sections 5(b) and 5( c) will no longer apply unless renegotiated for additional terms. In the event pricing is not mutually agreed upon within 30 days of such notice, then the Term shall not be extended. Termination of this Agreement for any reason will not relieve or release either party from any rights, liabilities or obligations, including but not limited to payment pursuant to Attachment II, which it has accrued prior to the date of such termination and will be in addition to all other rights available to it under this Agreement or by law or in equity. The immediately preceding sentence shall in no way preclude, supercede or waive any claim, right or defense of any party hereto.”
9. Exhibit A, Section 5(b) *. The section shall be deleted in its entirety and replaced with the following:
*
10. Exhibit A, Section 5(c) *. The section shall be deleted in its entirety and replaced with the following:
*
* CONFIDENTIAL TREATMENT REQUESTED
Page 4 of 13
11. Exhibit A, Section 10(a)(iv) – Insurance. This section shall be deleted in its entirety and replaced with the following:
“Travel Agents Errors and Omissions coverage with a minimum amount of not less than * each occurrence and a deductible of *.”
12. Attachment II to Exhibit A, Section A - * shall be amended by adding the chart below:
*
13. Attachment II to Exhibit A - Section C – * shall be amended by adding the paragraph below:
*
*
* CONFIDENTIAL TREATMENT REQUESTED
Page 5 of 13
14. Exhibit B, Section 4 - Indemnification, Section 7 - Confidentiality and Section 10 - Limitation of Our Liability/Statute of Limitations. These sections shall be deleted in their entirety and each will be replaced with the following:
“[Intentionally deleted.]”
15. The parties agree that Paragraph 3 of Amendment 2 dated June 27, 2008 shall be deleted in its entirety.
16. Except as expressly set forth in this Amendment, the terms and conditions of the Agreement shall continue in full force and effect. The Agreement and this Amendment reflect the entire agreement of the parties. This Amendment shall take precedence over any conflicting terms in the Agreement with respect to the subject matter herein.
IN WITNESS WHEREOF, the undersigned duly authorized representatives of the parties hereto have made and entered in this Amendment effective as of the date set forth above.
| TRX Fulfillment Services, LLC | American Airlines, Inc. | |||||
| Signed: | /s/ David D. Cathcart | Signed: | /s/ Kevin Doeksen | |||
| Name: | David D. Cathcart | Name: | Kevin Doeksen | |||
| Title: | CFO | Title: | Director, IM/Res Plng & Perf. | |||
| Date: | 25 August 2011 | Date: | 8-25-11 | |||
Page 6 of 13
ATTACHMENT 1
DATA SECURITY AND CONFIDENTIALITY
1. Definitions. As used in this Attachment, capitalized terms have the following meanings, unless elsewhere defined in the Agreement:
“American Data” means all Data (a) submitted by or on behalf of American to the Supplier or loaded into an application, network, database or system (collectively the “System”) provided by Supplier, (b) obtained, developed, produced or Processed by the Supplier or by the System in connection with this Agreement, or (c) to which Supplier has access in connection with this Agreement. For the avoidance of doubt, all references to Supplier in this definition include Supplier’s employees, contractors and agents and American Data includes:
(i) all PNR Data and other passenger Data, including Personal Identifying Information for passengers;
(ii) other Customer and sales data, ticket information, inventory, fares, tariff rules, aircraft seating configurations, aircraft operation notes and data, schedules and other information relating to American products and services;
(iii) any Data that can be attributed to or used to identify a User or a User’s computer or device or their online activities, including cookies, IP addresses, and any other identifiers, as well as Data, such as clickstream data, about a User collected by using cookies or similar identification or tracking mechanisms;
(iv) any Data related to employees of American or its affiliates or of their respective contractors, agents and business partners, including Personal Identifying Information for such employees;
(v) any Data available on or via an American Website; and
(vi) any successors, equivalents or derivatives of any of the above, whether now known or hereafter devised, and in any medium or format. For example, copying or tracking of any portion of American Data to create a separate set of information or database constitutes a derivative and is within the definition of American Data.
If it is unclear if any Data constitutes American Data, then as between American and Supplier and until such matter is resolved such Data will be deemed to be American Data and subject to this Agreement.
“American Website” means any website owned, controlled, or operated by American or an affiliate of American or on which American or an affiliate of American otherwise has the right to place Data or other content.
“Confidential Information” means any confidential or proprietary information of a Party to this Agreement that is disclosed in any manner and in any media to the other Party in connection with or as a result of this Agreement, and which at the time of disclosure either (a) is marked as being “Confidential” or “Proprietary”, (b) is otherwise reasonably identifiable as confidential or proprietary information, or (c) under the circumstances of disclosure should reasonably be considered as confidential or proprietary information. Specifically, Confidential Information includes (i) the terms and conditions of this Agreement; and (ii) all types of proprietary technical or business information, including but not limited to data, know-how, formulas, algorithms, processes, designs, drawings, schematics, plans, strategies, specifications, requirements, standards and documentation, reports, pricing, market, marketing or demographic information, software, trade secrets, research, analyses, inventions, ideas and other types of nonpublic information. With respect to American, Confidential Information includes American Data.
“Data” means any data or information, in any form or format, including interim, processed, compiled, summarized, or derivative versions of such data or information, that may exist in any system, database, or record.
“Data Law” means, as in effect from time to time, any law, rule, regulation, declaration, decree, directive, statute, or other enactment, order, mandate, resolution or self-regulatory guideline or standard (including, without limitation, those issued by organizations such as the ATA, IATA, BSP and the PCI Security Standards Council), which is applicable to a Party or to which a Party is required to submit or voluntarily submits, issued or enacted by any domestic or foreign, supra-national, national, state, county, municipal, local, territorial or other government or industry body, bureau, court, commission, board, authority, or agency, anywhere in the world and which relates to Data (including Data Privacy).
“IP Rights” means all intellectual property and proprietary rights of any nature or kind, anywhere in the world, whether protected, created, or arising under any applicable law, and all worldwide common law, statutory, and other rights in, arising out of, or associated therewith, including but not limited to patents, trademarks, publicity rights, copyrights, moral rights, database rights, domain names, and trade secrets, unfair competition law, or other similar protections, whether or not such rights are registered or perfected.
“Permitted Uses” means the uses necessary to perform Supplier’s obligations to American under this Agreement. Additionally, Supplier may collect user utterances for the purpose of tuning grammars and improving usability of the Applications. In addition to allowing Supplier to provide reporting as required hereunder, Supplier will log information on caller statistics such as ANI and duration and time of call.
“Personal Identifying Information” means any Data that identifies or could be used to identify a natural person, such as a name, mailing address, phone number, fax number, email address, frequent flier number, Social Security number, credit card or other payment Data, date of birth, drivers license number, account number or user ID, PIN, or password. For the avoidance of doubt, Data shall be deemed Personal Identifying Information if the unauthorized access, use, disclosure, modification, storage, destruction, or loss of that Data may trigger the application of any Data Law or any security breach notification under a Data Law.
“Process” or “Processing” means, with respect to Data, to collect, access, use, process, disclose, transmit, transfer, store, or retain such Data.
“Remediation Efforts” means activities designed to remedy a Security Incident which may be required by a Data Law (applicable to American, Supplier, or both) or by American policy or procedures pertaining to a Security Incident, or which may otherwise be necessary, reasonable or appropriate under the circumstances, commensurate with the nature of the Security Incident. Remediation Efforts may include, without limitation: *
“Security Incident” means, in connection with the System or services provided by Supplier to American (i) the loss or misuse (by any means) of American’s Confidential Information; (ii) the inadvertent, unauthorized, and/or unlawful Processing, alteration, corruption, sale, rental, or destruction of American’s Confidential Information; (iii) any other act or omission that compromises or threatens to compromise the security, confidentiality, or integrity of American’s Confidential Information, or (iv) any breach of American’s security policies set forth in this Attachment.
“Security Policies” means statements of direction for securing company information pertaining to Security Best Practices and mandating compliance with applicable laws and regulations. Typically, Security Policies are high level instructions to management on how the organization is to be run with respect to Security Best Practices.
“Security Procedures” means statements of the step-by-step actions taken to achieve and maintain compliance with Security Best Practices.
* CONFIDENTIAL TREATMENT REQUESTED
“Security Technical Controls” means any specific hardware, software or administrative mechanisms necessary to enforce Security Best Practices in accordance with the terms of this Agreement as methods for addressing security risks to information technology systems and relevant physical locations, or implementing related policies. Security Technical Controls specify technologies, methodologies, implementation procedures, and other detailed factors or other processes to be used to implement Security Policy elements relevant to specific groups, individuals, or technologies.
“User” means any user of the System provided pursuant to this Agreement and, if applicable, any visitor to an American Website.
| 2. | Security. |
| (a) | Security Best Practices. Supplier shall provide a secure environment for American’s Confidential Information, and any hardware and software to be provided or used by Supplier as part of its performance under this Agreement, in order to protect the same from unauthorized Processing, destruction, use, modification, or disclosure. Supplier represents and warrants that the security measures it takes in performance of its obligations under this Agreement are, and will at all times remain, at the highest of the following (collectively referred to herein as “Security Best Practices”): (i) Privacy & IT Security Best Practices (as defined by ISO 27001); (ii) the security requirements, standards, obligations, specifications and event reporting procedures in this Agreement, including as set forth in this Attachment and any Statement of Work; (iii) to the extent applicable, Payment Card Industry standards or VISA, MasterCard, and any other credit card network bylaws and operating regulations, and federal and state laws and regulations relating to credit card processing (collectively, “PCI Standards”); and (iv) any security requirements, standards, obligations, specifications and/or event reporting procedures required by any Data Law. Additionally, Supplier shall contractually require any subcontractors or agents with access to American’s Confidential Information to adhere to Security Best Practices. Without limiting or affecting American’s rights under this Agreement, if Supplier or Supplier subcontractors or agents discover or are notified of a breach or potential breach of the foregoing relating to American’s Confidential Information, Supplier shall expeditiously (A) notify American of such breach or potential breach, (B) investigate and use commercially reasonable efforts to remediate the effects of such breach or potential breach, and (C) provide assurances satisfactory to American that such breach or potential breach will not recur. Any notifications to Customers of security breaches involving American’s Confidential Information will be handled exclusively by American and Supplier may not under any circumstances contact Customers relating to such security breach. |
| (b) | PCI Compliance. To the extent PCI Standards apply to any product, service or system provided by Supplier pursuant to this Agreement, Supplier shall (i) annually and at such other times as American may from time to time request provide American a certification of compliance with PCI Standards in the relevant capacity (e.g., as a “Payment Application and Service Supplier to Merchant”), (ii) maintain such compliance with respect to any version of such Supplier product, service or system used by American or any Affiliate throughout the term of the Agreement or any relevant license granted by Supplier under the Agreement, and (iii) not charge American or any Affiliate any fee or other amount with respect to such compliance or certification thereof. |
| (c) | Security Reviews. American (or its designated representatives) may, no more than * basis conduct an audit to verify that Supplier is operating in accordance with Security Best Practices. In the event American utilizes a third party for any or all of the security audit, the parties will mutually agree on the third party auditor and such approval will not be unreasonably withheld. Any American personnel or approved American third party auditor onsite at Supplier’s locations will be subject to Supplier’s then-current facility and security policies. The audit may include a review of all aspects of Supplier’s performance, including, but not limited to: *. |
* CONFIDENTIAL TREATMENT REQUESTED
Supplier will cooperate with American in conducting any such audit, and will allow American reasonable access, during normal business hours and upon reasonable notice, to all pertinent records, documentation, computer systems, Data, personnel and processing areas as American reasonably requests to complete the audit. American will take reasonable steps to prevent the audit from materially impacting Supplier’s operations. Supplier shall correct any deviations from Security Best Practices that are identified in any security audit as soon as practicable using commercially reasonable efforts after receiving notice from American outlining any deviations.
| (d) | Remediation Efforts. Following any Security Incident, Supplier and American will consult in good faith regarding Remediation Efforts that may be necessary and reasonable and will mutually agree as to the exact Remediation Efforts to be undertaken by each Party provided that such agreement must comply with the requirements of Section 2(a) above. In conjunction with the agreement reached by Supplier and American, Supplier shall, *. |
| 3. | Proprietary Rights. |
| (a) | Ownership of Data. As between American and Supplier, all right, title, and interest in and to any American Data, including IP Rights to American Data, will be solely owned by American. American Data shall be subject to the terms and restrictions in this Agreement, including as set forth in this Attachment. Nothing in this Agreement conveys any rights or interest in the American Data to Supplier. Except for the Permitted Uses, Supplier may not edit, modify, create derivatives, combinations or compilations of, combine, associate, synthesize, reverse engineer, reproduce, display, distribute, disclose, or otherwise Process American Data. |
| (b) | Assignment. Supplier hereby irrevocably assigns, transfers and conveys, and will cause Supplier’s subcontractors and agents to assign, transfer and convey, to American, without any requirement of further consideration, all of its and their right, title and interest in, to and under American’s Confidential Information. Upon request by American, Supplier shall execute and deliver, and shall cause Supplier’s agents and subcontractors to execute and deliver, any documents that may be necessary or desirable under any law to perfect, protect, preserve, or enable American to enforce, its rights with respect to American’s Confidential Information. |
| 4. | Confidentiality Obligations. |
| (a) | Treatment and Protection. Each Party shall (i) hold in strict confidence all Confidential Information of the other Party using the same safeguards as it uses to protect its own Confidential Information of comparable value or sensitivity, but in any event safeguards that meet or exceed Security Best Practices, (ii) use the Confidential Information solely to perform its obligations or exercise its rights under this Agreement, (iii) not transfer, display or otherwise disclose or make available such Confidential Information to any third party, other than the receiving Party’s directors, officers, employees or agents to the extent such persons are bound by equivalent confidentiality commitments and use restrictions and have a legitimate need to know the Confidential Information in order for the receiving Party to perform its obligations or exercise its rights under this Agreement. |
| (b) | Segregation and Processing of American Data. Supplier will logically segregate American’s Confidential Information from other Data and will not disclose any of American’s Confidential Information to any third party except in connection with, and to the minimum extent required for the Permitted Uses. This segregation includes all records containing American’s Confidential Information, which must be Processed in accordance with Security Best Practices. Failure to implement appropriate procedures to segregate American’s Confidential Information will be considered a material breach of this Agreement and a Security Incident. In addition, the unauthorized Processing of American Data will be considered a material breach of this Agreement and a Security Incident. |
* CONFIDENTIAL TREATMENT REQUESTED
| (c) | Exclusions. The term “Confidential Information” does not include information that is: (i) in the public domain other than due to a breach by the receiving Party or any other person or entity of a contractual commitment or other duty to the disclosing Party; (ii) known to the receiving Party prior to its receipt from the disclosing Party or obtained by the receiving Party outside the scope of this Agreement from a third party that has no obligation of confidentiality to the disclosing Party, in each case without breaching this Agreement; or (iii) independently developed by the receiving Party without reference to the Confidential Information of the disclosing Party. However, Personal Identifying Information within American Data shall always be treated as Confidential Information of American and shall not be subject to the exclusions contained in this provision. |
| (d) | Disclosures Required by Law. The receiving Party may disclose the Confidential Information of the other Party in response to a valid court order, law, rule, regulation (including any securities exchange regulation), or other governmental action, provided that, (i) the disclosing Party is notified in writing reasonably in advance of the disclosure of the information, and (ii) the receiving Party assists the disclosing Party, at the disclosing Party’s expense, in any lawful attempt by the other to limit or prevent the disclosure of the Confidential Information. In the event that the disclosure relates to Personal Identifying Information within American Data, the Supplier agrees to immediately notify American of any action or communication that may lead to Supplier being required to disclose such Data and to the greatest extent possible American will control and manage any such response, but in no event will Supplier be required to allow American to control or manage such response in a way that will cause Supplier to breach its obligations under applicable law or governmental regulations. |
| (e) | Remedies Upon Breach. Each Party (in addition to any legal or other remedies available to such Party) may seek injunctive or other equitable relief to prevent or remedy a breach or threatened breach of this Section and each Party agrees not to object or defend against such action on the basis that monetary damages would provide an adequate remedy. |
| (f) | Return or Destruction. Upon the request of the disclosing Party at the termination or expiration of this Agreement or at any other time, the receiving Party shall (i) * (a) promptly return to the disclosing Party all tangible Confidential Information (and all copies thereof) of the disclosing Party in its then-current format, or (b) at the written direction of the disclosing Party, destroy such Confidential Information and provide the disclosing Party with written certification of such destruction, and (ii) cease all further use of the other Party’s Confidential Information, whether in tangible or intangible form, subject American’s right to use the System (including any escrowed software or materials) pursuant to this Agreement. |
| (g) | Personal Identifying Information. Supplier shall keep American Data confidential even if it would otherwise fall within the exception described in Section 4(c)(i) of this Attachment. For clarity and notwithstanding the foregoing, Supplier is not required to keep any information confidential if it is obtained by Supplier from publicly available sources where the information is available without restriction, including, without limitation, through a publicly available website. In addition, each Party agrees that if it discloses Personal Identifying Information to the other Party, it shall satisfy any requirements of applicable Data Law governing such disclosure, including but not limited to any requirement to give notice to or obtain consent of the individual. Each Party also agrees to limit its disclosure of Personal Identifying Information to the other Party in a manner consistent with any posted privacy policy or other representations made to the person to whom the information is identifiable, and to communicate those limitations to the receiving Party. The receiving Party agrees to abide by any such limitations, in addition to the requirements of this Agreement applicable to Confidential Information. |
* CONFIDENTIAL TREATMENT REQUESTED
5. Prohibited Internet Practices. Supplier will not, and will not authorize or encourage any third party to, directly or indirectly: generate impressions, click-throughs, or any other actions for any advertisement or Internet promotion mechanism through any automated, deceptive, fraudulent, or other invalid means, either on American Websites or in relation to advertisements or Internet promotions of American or its Affiliates on third party websites; or collect Data from an American Website other than as is necessary for purposes of the Permitted Uses.
6. Security Policies and Practices. The following is not intended to be an all inclusive list of security services and obligations necessary to comply with Security Best Practices, but is intended to capture key elements of such a program. American reserves the right to modify the obligations in this Section or add new obligations, and any such modified or new security requirement, specification or event reporting procedures shall become effective * after written notice thereof from American, **. Notwithstanding the foregoing, if such modification or addition is required by applicable law, Supplier will implement and adhere to such modification or addition and such procedures will become effective in time to comply with such law and Supplier will not have the right to terminate this Agreement.
| (a) | Information Security Policy. Supplier represents and warrants that it has established and during the Term and any Termination Assistance Period it will at all times enforce: |
*
| (b) | Physical Access. Supplier represents and warrants that it has established and during the Term and any Termination Assistance Period it will at all times enforce: |
*
| (c) | Logical Access. Supplier represents and warrants that it has established and during the Term and any Termination Assistance Period it will at all times enforce: |
*
* CONFIDENTIAL TREATMENT REQUESTED
| (d) | Security Architecture and Design. Supplier represents and warrants that it has established and during the Term and any Termination Assistance Period it will at all times maintain: |
*
| (e) | System and Network Management. Supplier represents and warrants that it has established and during the Term and any Termination Assistance Period it will at all times maintain: |
*
* CONFIDENTIAL TREATMENT REQUESTED