Vendor Requirements

Insurance Requirements, Data Privacy and Security Terms, and Compliance with Law/Doing Business with Brookfield.

Last Updated: August 6, 2025

By entering into an agreement that references these Vendor Requirements (“Agreement”) with Brookfield Properties Multifamily LLC (“Brookfield Properties”) and/or an Affiliate of Brookfield Properties (“Brookfield“), counterparty (“Vendor”) agrees to comply with the policies, terms, and requirements posted on this website (these “Vendor Requirements“).

These Vendor Requirements are in addition to the other terms of the Agreement and may be updated by Brookfield from time to time in its sole discretion. We will notify you of changes to these Vendor Requirements by posting updated terms to this website and changing the “Last Updated” date above. All updates are effective as of the date of posting. Vendor should periodically review this website to ensure its compliance with the then-current Vendor Requirements.

As used in these Vendor Requirements, the term “Affiliate” means any corporation, partnership, joint venture, limited liability company, trust, estate, association or other entity that directly or indirectly through one or more intermediaries, controls or is controlled by or is under common control with Brookfield Properties. For purposes of this definition, the term “controls”, “is controlled by” or “under common control with” means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities, by contract or otherwise.

Table of Contents

  1. Insurance Requirements
  2. Data Privacy & Security Terms
  3. Compliance with Law / Doing Business with Brookfield

1. Insurance Requirements

Vendor agrees to procure and maintain the following policies of insurance throughout the term of the Agreement and for such longer periods as set forth below. In the event Vendor elects to maintain a self-insured retention (“SIR”), prior to exhaustion of any SIR, Vendor agrees to respond to any insurance tender as though the impacted policies are first dollar policies.

Workers’ Compensation

  • Minimum Required Limits:
    – Workers’ Compensation – Statutory Limits
    – Employer’s Liability:
      – $1,000,000 Each Accident for Bodily Injury by Accident
      – $1,000,000 Each Employee for Bodily Injury by Disease
      – $1,000,000 Aggregate Policy Limit for Bodily Injury by Disease
  • Required Terms and Conditions:
    – NCCI Workers Compensation and Employers Liability Insurance Policy form
    – Waiver of Subrogation in favor of Brookfield Properties Multifamily LLC, Brookfield Property Group, Brookfield Property Partners LLC, Brookfield Asset Management, Inc., and each of their respective affiliates, shareholders, members, managers, partners (including partners of partners), subsidiaries and related entities, and any successors and/or assigns of such entities and any other entities identified in the Agreement (“Brookfield Indemnitees”)

Commercial General Liability: Vendor will maintain Commercial General Liability insurance covering all operations by or on behalf of Vendor on an occurrence basis against claims for bodily injury, property damage (including the loss of use thereof), personal injury and advertising injury. Such insurance will have these minimum limits, terms and conditions:

  • Minimum Required Limits:
    – $5,000,000 General Aggregate Per Project
    – $5,000,000 Products and Completed Operations Aggregate
    – $5,000,000 Bodily Injury/Property Damage Per Occurrence
    – $5,000,000 Personal Injury and Advertising Injury Limit
    (Limits may be a combination of Primary and Umbrella/Excess policies)
  • Required Terms and Conditions:
    – ISO Commercial General Liability Policy (Occurrence Form)
    – Products and Completed Operations coverage maintained the longer of the applicable statute of repose or three (3) years after contract completion
    – Blanket Contractual Liability
    – Independent Contractors
    – Broad Form Property Damage
    – Cross Liability and Severability of Interest
    – No exclusion for Explosion, Collapse and Underground (XCU) coverage
    – Personal Injury and Advertising Injury
    – Incidental Medical Malpractice
    – Cybersecurity insurance
    – Include Brookfield Indemnitees as Additional Insureds
    – Waiver of Subrogation in favor of Brookfield and all other Brookfield Indemnitees in the Agreement

Automobile Liability: Vendor will maintain Business Auto Liability covering liability arising out of any auto (including owned, non-owned and hired autos).

Professional Liability (Errors and Omissions): Vendor will purchase and maintain Professional Liability insurance.

  • Minimum Required Limits:
    – $2,000,000
  • Required Terms and Conditions:
    – Insured’s Interest in Joint Ventures (if applicable)
    – Punitive Damages Coverage (where not prohibited by law)
    – Limited Contractual Liability
    – Retroactive Date Prior to Start of Services
    – Extended Reporting Period of 36 Months or More
    – No Pollution Exclusion

2. Data Privacy and Security Terms

Vendor agrees to comply with the data security and privacy requirements set forth below (the “Data Privacy and Security Terms”). In the event the Data Privacy and Security Terms are inconsistent or conflict with the terms of the Agreement, whichever terms are more stringent and more protective of Brookfield shall govern and control.

1. Definitions: As used in these Data Privacy and Security Terms, the following capitalized terms shall have the following meanings:

“Applicable Law” means all applicable laws, rules, regulations, ordinances, rulings, decisions, regulatory guidance, and interpretations, and industry guidelines, including, without limitation, the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act, MA 201 C.M.R. §§ 17.00 et seq., the New York SHIELD Act, and all other applicable privacy, security, and data protection laws and regulations and all related amendments and implementing regulations, all as may be amended, restated or replaced from time to time.

“Brookfield Privacy Data” shall mean all Brookfield trade secrets, confidential information, and proprietary information; any information that identifies, relates to, describes, is capable of being associated with or identifying, or could reasonably be linked, directly or indirectly, with Brookfield; and any Personal Data obtained by or on behalf of Vendor, Processed by or on behalf of Vendor, or made available to Vendor or any third party on behalf of Vendor in connection with, or in relation to, the Agreement, these Data Privacy and Security Terms, and/or the provision of any products or services to, or on behalf of, Brookfield, including, without limitation, any Personal Data that relates to or could be associated with Brookfield, its employees, customers, and/or prospects, and/or other end-users of Brookfield’s products, services, websites, advertisements, or content. Brookfield Privacy Data includes any aggregated, de-identified or other derivative of Brookfield Privacy Data. The parties agree that any transfer or disclosure of Brookfield Privacy Data between Brookfield and Vendor under the Agreement is not for monetary or other valuable consideration. As between Vendor and Brookfield, all Brookfield Privacy Data is and will be deemed to be and will remain the exclusive property of Brookfield.

“Personal Data” shall mean any information that identifies, relates to, describes, is capable of being associated with or identifying, or could reasonably be linked, directly or indirectly, with a particular individual, consumer, household, or device, including, without limitation, any inferences drawn about individuals, consumers, households, or devices, or derivatives thereof, and/or any other information that is regulated as “personal data,” “personally identifiable information,” or “personal information,” or similar term as otherwise defined under any Applicable Law.

2. Use of Privacy Data. All Brookfield Privacy Data will be accessed, used, maintained, stored, collected, modified, adapted, merged, analyzed, combined, aggregated, shared, disseminated, retained, erased, processed, made available, or disclosed (“Processed”) by Vendor only as is necessary for Vendor to perform its obligations to Brookfield under the Agreement, and as otherwise instructed in writing by Brookfield. Vendor is prohibited from using, retaining, disclosing, or otherwise Processing Brookfield Privacy Data for any other purpose or otherwise outside of the direct business relationship between Brookfield and Vendor. Vendor shall promptly inform Brookfield of any requirement under Applicable Law that would require Processing Brookfield Privacy Data in any way other than per Brookfield’s instructions, or if Brookfield’s instructions may infringe or violate any Applicable Law. For the avoidance of doubt, Vendor may not sell, share, resell, lease, assign, rent, sublicense, distribute, transfer, disclose, time-share or otherwise exchange Brookfield Privacy Data for monetary or other consideration. If Vendor has reason to believe it can no longer comply with Applicable Law or these Data Privacy and Security Terms, it must notify Brookfield as expeditiously as practicable, but in any event within forty-eight (48) hours. Vendor is prohibited from (i) combining, updating, comingling or merging Brookfield Privacy Data with any other Personal Data; (ii) Processing Brookfield Privacy Data for behavioral or targeted advertising purposes; and (iii) re-identifying or attempting to re-identify Brookfield Privacy Data that has been de-identified or aggregated.

Without limiting the foregoing, Vendor is expressly prohibited from (i) using or otherwise Processing any Brookfield Privacy Data in any manner in connection with any tools, products, or services that consist of, incorporate, train, or otherwise leverage artificial intelligence (including but not limited to generative artificial intelligence) technologies, and (ii) disclosing any Brookfield Privacy Data to any third party that could reasonably be expected to do the same. No right, title, or interest in Brookfield Privacy Data is transferred to Vendor.

3. Access Limitations. Vendor shall not disclose, transfer, or otherwise make available Brookfield Privacy Data to any third party, including, without limitation, any agent, contractor, or subcontractor, without the prior written consent and authorization of Brookfield. Without limiting the foregoing, any third party to which Vendor discloses Brookfield Privacy Data shall be required by Vendor to enter into written contractual obligations that are no less stringent than the obligations imposed upon Vendor by these Data Privacy and Security Terms before any such third party is provided with access to any Brookfield Privacy Data. Promptly following Brookfield’s request, Vendor shall provide copies of such agreements (which may be redacted to exclude commercial terms) executed by all third parties with access to Brookfield Privacy Data, for Brookfield’s inspection. The acts or omissions of Vendor’s employees, agents, representatives, contractors, subcontractors or affiliates (and such affiliates’ employees, agents, representatives, contractors, or subcontractors) will also be deemed the acts or omissions of Vendor and Vendor shall be fully responsible for all such acts or omissions.

Without limiting the foregoing, Vendor will restrict access to Brookfield Privacy Data only to those individuals who have a need to know or otherwise access the Brookfield Privacy Data to enable Vendor to perform its obligations under these Data Privacy and Security Terms and the Agreement, and as otherwise permitted by these Data Privacy and Security Terms, provided that: (a) subject to Applicable Law, a background check has first been conducted of those individuals and no adverse, material background information has been uncovered, (b) those individuals have first executed a written agreement that is at least as protective of the Brookfield Privacy Data as the terms of these Data Privacy and Security Terms, and (c) Vendor and its subcontractors have a written policy governing the grant and control of access privileges and revocation of access privileges immediately upon employment termination. Upon Brookfield’s written request, Vendor will promptly identify in writing all individuals who have been granted access to the Brookfield Privacy Data as of the date of the request. Vendor will at all times cause its employees and others who have been granted access to Brookfield Privacy Data to strictly abide by Vendor’s obligations under these Data Privacy and Security Terms. Vendor further agrees that it will maintain a disciplinary process to address any unauthorized access, use or disclosure of Brookfield Privacy Data by any of Vendor’s officers, partners, principals, employees, agents or contractors.

4. Assistance. Should Brookfield receive a request from an individual exercising rights under Applicable Law, Vendor shall promptly (and in any event, within five (5) days) and at no charge to Brookfield, provide all assistance required by Brookfield in the fulfillment of, and response to, such request. Individual requests may seek, without limitation, easily portable copies of, corrections to, or deletion of all Brookfield Privacy Data relating to the individual. Vendor shall implement procedures necessary to categorize, access, modify, delete, and upload Brookfield Privacy Data so that Vendor may promptly and fully assist Brookfield if and as requested (including, without limitation, notifying other parties as instructed by Brookfield). If Vendor receives a request directly from an individual relating to Brookfield Privacy Data, Vendor will, unless otherwise directed in writing by Brookfield, and to the extent not prohibited by Applicable Law or any regulatory authority: (a) promptly (and in no event longer than twenty-four (24) hours after receipt of such request) notify the designated representative for Brookfield and forward the request to Brookfield for handling; (b) if requested, provide Brookfield with copies of documents or other relevant data relating to the request; (c) not refer to Brookfield or its affiliates in any correspondence with the requester without Brookfield’s prior written consent; (d) not disclose any confidential information of Brookfield or its affiliates without Brookfield’s prior written consent; and (e) communicate with the individual in accordance with Brookfield’s instructions. Vendor shall, upon Brookfield’s request, cooperate in good faith with Brookfield to enter into additional or modified contract terms to address any modifications, amendments, or updates to Applicable Law.

5. Confidentiality. Vendor shall: (a) keep confidential all Brookfield Privacy Data which it accesses or otherwise Processes; and (b) limit access to such Brookfield Privacy Data only to those of its employees and representatives who have a need to access such Brookfield Privacy Data in order to perform their job functions, and ensure that those employees and representatives are trained with respect to the obligations imposed by these Data Privacy and Security Terms and Applicable Law and sign an undertaking to comply with these obligations as described herein.

6. Security. Vendor warrants that it has adopted, documented, and implemented, and will maintain and enforce for as long as the Agreement is in effect or as long as Vendor stores or Processes Brookfield Privacy Data (whichever is later), an information security program that includes administrative, organizational, technical, physical, and other safeguards sufficient to protect Personal Data and all Brookfield Privacy Data against accidental, unauthorized or unlawful Processing, destruction, loss, loss of control, alteration, modification, communication, acquisition, use, disclosure, and access, and against all other unlawful activities, and that complies with all Applicable Laws. Without limiting the foregoing, Vendor warrants that it shall at all times maintain and comply with all of the security standards, requirements, and procedures set forth in the table below in these Data Privacy and Security Terms and with the Center for Internet Security CIS Controls 8.0 for Implementation Group 3 (or successor version).

Without limiting the foregoing, Vendor further warrants that it shall have in place safeguards that provide for and ensure: (a) protection of business facilities, paper files, servers, computing equipment, including without limitation all mobile devices and other equipment with information storage capability, and backup systems containing Personal Data and Brookfield Privacy Data; (b) network, application (including databases) and platform security, including secure network and software design; (c) business systems designed to optimize security and proper and secure disposal of Brookfield Privacy Data according to these Data Privacy and Security Terms; (d) secure transmission and storage of Personal Data and Brookfield Privacy Data, including encryption of data in transmission and at rest; (e) authentication and access control mechanisms over Brookfield Privacy Data, media, applications, operating systems and equipment, ensuring that user IDs are unique among users and not shared, and utilizing industry standard password selection and aging procedures and multi-factor authentication; (f) personnel security and integrity, including background checks where consistent with applicable law; (g) annual training to Vendor’s employees and other personnel on how to comply with the Vendor’s physical, technical, and administrative information security safeguards and confidentiality obligations under Applicable Law and the Agreement (including these Data Privacy and Security Terms); (h) up to date versions of security agent software for systems that house Brookfield Privacy Data, which include malware protection, and up to date implementation of patches and virus definitions; (i) storage limitations such that Brookfield Privacy Data resides only on servers in data centers that comply with industry standard data center security controls, and restrictions to ensure that Brookfield Privacy Data files are not placed on any notebook hard drive or removable media, such as compact disc or flash drives, unless necessary and encrypted; (j) identification of reasonably foreseeable internal and external risks on a regular basis, and assessments of the sufficiency of existing safeguards in relation to such risks; (k) regular monitoring and testing of the effectiveness of key controls, systems, and procedures and prompt remediation of ineffective controls, systems, and procedures; (l) prompt implementation of any adjustments to the information security program and Vendor’s safeguards in light of business changes or new threats, technologies, and circumstances; (m) role-based access control lists maintained and enforced with access to assets and information limited to individuals on a need-to-know basis; (n) standardized logging and monitoring of all cybersecurity events and activities; (o) multilayered boundary defenses (e.g. firewalls, web proxies, DMZ perimeter networks, and other network based tools); and (p) regular testing of backup and incident response recovery processes. Vendor shall separate and segregate Brookfield Privacy Data from its other clients’ data and ensure strong authentication and authorization controls are in place to gain access to any Brookfield Privacy Data. For all systems that store or transmit Brookfield Privacy Data, Vendor shall run internal and external network vulnerability scans at least quarterly and after any material change in the network configuration; Vendor shall immediately remediate vulnerabilities identified in such scans. Brookfield Privacy Data shall not be Processed or stored in a cloud or outsourced environment unless preapproved by Brookfield in writing and there is transport encryption for communications with and among cloud or outsourced elements.

7. Brookfield Systems. In the event Vendor accesses any Brookfield (or Brookfield affiliate or Brookfield licensor) system, infrastructure, software, hardware, property, computer, device, information network, or equipment (collectively, “Brookfield Systems”), Vendor shall: (a) connect only in the manner and through the means authorized by Brookfield and in accordance with any policies, guidelines, or restrictions provided by or on behalf of Brookfield; (b) not connect, access, or use (nor attempt to connect, access, or use) any Brookfield System without the prior authorization of Brookfield; (c) not use personal or shared accounts; (d) not attempt to gain unauthorized access to any Brookfield System or other user’s account; (e) not, nor attempt to, use any Brookfield System in any way that is (i) illegal, abusive, or harmful to or interferes with Brookfield’s other networks or systems or the networks or systems of any other entity, (ii) infringes, misappropriates, or otherwise violates the privacy, proprietary, or other rights of any party, or (iii) creates a security risk or vulnerability; (f) be responsible for all Brookfield equipment issued or in Vendor’s possession or control; and (g) return any Brookfield equipment when no longer required to complete the services under the Agreement, if the Agreement is terminated, or immediately upon Brookfield’s request.

Notwithstanding anything to the contrary contained herein, Vendor shall be deemed to be in material breach of these Data Privacy and Security Terms in the event that the acts or omissions of Vendor or any of Vendor’s employees, agents, representatives, contractors, subcontractors or affiliates (and such parties’ employees, agents, representatives, contractors, or subcontractors) cause, result in, or contribute to any damage to, unauthorized or accidental access to, unauthorized Processing of, loss of, unauthorized disclosure, acquisition, use, reproduction, alteration, modification, loss of control, destruction, or deletion of, vulnerability to, or misuse of any Brookfield System, database, data, or materials.

8. Data Retention. All Brookfield Privacy Data shall be securely deleted or destroyed (in a manner as specified by Brookfield) once such information is no longer required for Vendor to perform its obligations under the Agreement, applicable statement of work, or these Data Privacy and Security Terms. Except as may otherwise be directed by Brookfield in a separate writing, Vendor shall immediately delete or securely return, at Brookfield’s discretion, all copies of Brookfield Privacy Data upon expiration or termination of the Agreement, or upon Brookfield’s request. Any Brookfield Privacy Data retained by Vendor shall be safeguarded in accordance with these Data Privacy and Security Terms for so long as such Brookfield Privacy Data is retained.

9. Encryption. Vendor shall ensure that (a) any Brookfield Privacy Data transmitted over a network, whether via email, file transfer protocol, or other means of electronic exchange, and (b) any Brookfield Privacy Data stored on a portable device, including but not limited to a laptop computer, USB drive, floppy disk, or CD, shall be encrypted using a cryptographic algorithm employing a key length of at least 256 bits.

10. PCI Compliance. To the extent applicable to the products or services provided under the Agreement, Vendor acknowledges that it is responsible for the security of the credit, debit or other cardholder payment information it Processes, and hereby represents and warrants that it will comply with the most current PCI Standard in connection with the Processing of such data, including, but not limited to: (a) creating and maintaining a secure network to protect cardholder data; (b) using all technical and procedural measures reasonably necessary to protect cardholder data it maintains or controls; (c) creating and implementing secure measures to limit access to cardholder data; (d) monitoring access to cardholder data it maintains or controls; and (e) creating and implementing an information security policy that assures employee compliance with the foregoing. To the extent applicable, Vendor acknowledges that it is responsible for maintaining compliance with the then-current PCI DSS requirements (which requirements are incorporated herein by reference) and monitoring the PCI DSS compliance of all associated third parties Vendor may provide with access to cardholder data in accordance with the terms of the Agreement.

11. Data Incidents. In the event of any actual or reasonably suspected unauthorized, unlawful, and/or accidental access to, loss of control over, and/or loss, unavailability, alteration, Processing, disclosure, communication, acquisition, use, reproduction, modification, destruction, or deletion of Personal Data or Brookfield Privacy Data (“Data Incident”), Vendor shall inform Brookfield’s designated representative via email of the same within twenty-four (24) hours of Vendor becoming aware of such Data Incident. In addition, Vendor shall investigate and remediate the Data Incident and, to the extent that a Data Incident involves Brookfield Privacy Data, Vendor shall provide Brookfield as soon as reasonably possible with assurances satisfactory to Brookfield that the Data Incident has been remediated and will not recur. Vendor warrants that if there has been a Data Incident, all responsive steps will be documented and a post-incident review will be made of both the events and actions taken, if any, to change business practices relating to Personal Data and Brookfield Privacy Data. Vendor agrees to fully cooperate with Brookfield in Brookfield’s handling of any Data Incident involving Brookfield Privacy Data, including without limitation any investigation, reporting or other obligations required by Applicable Law, or as otherwise required by Brookfield, and will work with Brookfield to otherwise respond to and mitigate any damages caused by the Data Incident. Unless required by Applicable Law, Vendor shall not notify any third party of a Data Incident involving Brookfield Privacy Data without Brookfield’s prior, written authorization. Vendor shall reimburse and indemnify Brookfield for all costs incurred in responding to and/or mitigating damages caused by a Data Incident involving Brookfield Privacy Data, including, without limitation, costs of forensic investigation, regulatory fines, notification costs, credit monitoring, and/or reasonable attorneys’ fees.

12. No Export. Vendor will not transmit, directly or indirectly, any Brookfield Privacy Data to any country outside of the jurisdiction from which such Brookfield Privacy Data was collected without the prior written consent of Brookfield. Any such transfers must be in compliance with all Applicable Laws. Where required, Vendor shall ensure that a lawful data transfer mechanism is in place prior to transferring Brookfield Privacy Data from one country to another. Without limiting the foregoing, Vendor shall take all appropriate additional measures necessary to ensure an adequate level of data protection for any data transferred from one country to another.

13. Written Program. Vendor represents and warrants that it has in place all appropriate written policies containing reasonable and appropriate administrative, physical, and technical safeguards that, at a minimum, meet the applicable requirements under these Data Privacy and Security Terms, including: (a) a written program instructing its employees, contractors, agents, and suppliers how to protect Personal Data, and (b) a written security incident response plan detailing the procedures for managing Data Incidents and assigning personnel roles and responsibilities related to same. Vendor further represents and warrants that it shall take all necessary steps to protect Personal Data and Brookfield Privacy Data, including conducting on a regular basis assessments of foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing Personal Data and/or Brookfield Privacy Data, and as necessary, improving the effectiveness of its safeguards to limit such risks, including employee training, ensuring ongoing employee compliance with its written program, and the development of measures for detecting and preventing security system failures. Vendor has identified a specific representative to be in charge of its program in the Agreement and shall ensure that this individual (or a designated alternate) is available to Brookfield to respond to any questions and to work with Brookfield in the event of any incident or suspected incident involving Brookfield Privacy Data and/or impacting the security, integrity, availability, or confidentiality of Brookfield Privacy Data.

14. Cooperation, Audit and Inspection. Vendor shall provide reasonable assistance, information, and cooperation to Brookfield to ensure compliance with Brookfield’s obligations pursuant to Applicable Law, including, without limitation, with respect to conducting privacy and data protection impact assessments, taking into account the nature of Processing and the information available to Vendor. Vendor further grants Brookfield the right to take reasonable and appropriate steps to ensure that Vendor Processes Brookfield Privacy Data in a manner consistent with Brookfield’s and Vendor’s obligations under Applicable Law and to stop and remediate any unauthorized Processing of Brookfield Privacy Data. Vendor shall make available to Brookfield all information necessary to demonstrate compliance with Applicable Law. Vendor shall maintain complete, accurate, and up-to-date written records of all Processing activities carried out on behalf of Brookfield (“Processing Records”) and shall promptly make available to Brookfield such information (including the Processing Records) as is reasonably requested by Brookfield to demonstrate the Vendor’s compliance with its obligations under Applicable Law and these Data Privacy and Security Terms, which Brookfield may disclose to regulatory authorities. The Processing Records shall contain, at a minimum, a description of all Brookfield Privacy Data Processed by Vendor, the type of Processing, the purposes of the Processing, a record of consent (if any), and any other information reasonably required by Brookfield.

Brookfield reserves the right to regularly conduct (by itself or through a designated, reputable third party) ongoing manual and/or automated reviews, scans, testing, audits, and assessments, including, without limitation, on-site audits and testing of any locations where Brookfield Privacy Data is stored or otherwise Processed, to monitor, assess, and ensure Vendor’s compliance with its obligations under Applicable Law and these Data Privacy and Security Terms, including, without limitation, compliance with PCI DSS requirements where applicable. Vendor shall otherwise cooperate with Brookfield in Brookfield’s efforts to monitor Vendor’s compliance. On an annual basis, Vendor will conduct an SSAE18 SOC II Type II audit, or other audit acceptable to Brookfield in its sole discretion, of Vendor’s internal controls and will promptly provide the results of such audit to Brookfield, upon Brookfield’s request. Vendor will promptly, at its sole expense, remediate any material deficiencies identified in any audit and provide documentation of its remediation of such deficiencies to Brookfield. In the event Vendor makes any material changes to the security safeguards applicable to the locations, servers, systems, or databases where Brookfield Privacy Data is stored or otherwise Processed, Vendor shall certify in writing that the changes will not in any way diminish or weaken the security or integrity of the Brookfield Privacy Data stored therein.

    15. Injunctive Relief. Vendor acknowledges and agrees that a threatened or actual breach of these Data Privacy and Security Terms will result in irreparable harm for which monetary damages may not provide a sufficient remedy, and that in addition to all other remedies, Brookfield shall be entitled to obtain specific performance and injunctive relief, specifically to protect against the disclosure or improper use of Brookfield Privacy Data, as a remedy for any such breach of these Data Privacy and Security Terms by Vendor without posting security and without prejudice to such other rights as may be available under these Data Privacy and Security Terms or Applicable Law.

    16. Representations and Warranties. Vendor represents and warrants that it has the authorization necessary to enter into these Data Privacy and Security Terms, and no consent, approval, or other action is necessary in connection with the execution of or performance under these Data Privacy and Security Terms. Vendor further represents, warrants, and certifies that it understands and will perform all of its duties and obligations under these Data Privacy and Security Terms, and will comply with all Applicable Laws in the fulfillment of its obligations in Processing any Personal Data and/or Brookfield Privacy Data, and otherwise in its rendering of services to Brookfield. Vendor represents and warrants that it has created written guidelines to ensure its compliance with its obligations under these Data Privacy and Security Terms and shall provide those written guidelines to Brookfield upon request. Notwithstanding anything to the contrary that may be contained herein or in the Agreement, Vendor expressly represents, warrants, and covenants that neither Vendor nor any third party it utilizes or engages in connection with the Agreement shall collect, receive, analyze, capture, store or otherwise Process Biometric Data (defined below) and/or use any Facial Recognition Technology, Face Recognition Technologies, Face Recognition, Face Surveillance System, or Face Surveillance (each defined below) at any time in connection with the services provided to Brookfield or otherwise in connection with Vendor’s performance under the Agreement or in the provision of any other services or deliverables to, or on behalf of, Brookfield. 
“Biometric Data” shall include: (a) any information, data, content, or material that constitutes a biometric identifier, biometric information, or biometric data under any Applicable Law, including, without limitation, the California Consumer Privacy Act, the California Privacy Rights Act, the Illinois Biometric Information Privacy Act, the Texas Biometric Privacy Act, the Revised Code of Washington §§ 19.375.010 et seq., the New York City Biometric Identifier Information ordinance, and any other information that is regulated as “biometric data,” “biometric identifier,” “biometric identifier information”, “biometric information,” or other similar term as otherwise defined under any Applicable Law; (b) any retina or iris scan, fingerprint, faceprint, palm print, voiceprint, record or scan of hand or face geometry; and (c) any information, data, content, or material generated from measurements or analysis of the human body, biological or physiological characteristics or patterns that is used, or could be used, alone or in combination with other identifying data, to identify an individual, including, without limitation, information based on the characteristics of an individual’s gait, speech pattern, keystroke patterns or rhythms, sleep, health, or exercise data, or any immutable characteristic of an individual. “Facial Recognition Technology” means any technology, device or process that assists in identifying, verifying, detecting, authenticating, matching, organizing, measuring or characterizing facial features of an individual or capturing or rendering information about an individual based on an individual’s face or facial features. “Face Recognition Technologies” and “Face Recognition” shall be defined as set forth in Portland City Code 34.10.030. “Face Surveillance System” means any computer software or application that performs Face Surveillance. “Face Surveillance” means an automated or semi-automated process that assists in identifying or verifying an individual based on the physical characteristics of the individual’s face.

    17. Indemnification/Remedies. Vendor agrees to indemnify, hold harmless, and defend, on demand, Brookfield and its parent, subsidiaries, and affiliates and each of their respective officers, shareholders, directors and employees from and against any demands, investigations, claims, actions, losses, damages, liabilities, costs or expenses (including reasonable attorney’s fees) arising out of or in relation to: (a) Vendor’s or its personnel’s or agent(s)’ (or any third party acting on any of their behalf, including, without limitation, any employee, agent, representative, contractor, subcontractor or affiliate): (i) acts or omissions, (ii) performance or non-performance of Vendor’s obligations set forth in these Data Privacy and Security Terms and/or the breach of, alleged breach of, and/or failure to comply with these Data Privacy and Security Terms, and/or (iii) failure, or alleged failure, to comply with any Applicable Law; and/or (b) any Data Incident. Vendor’s indemnification and reimbursement obligations under these Data Privacy and Security Terms shall not be subject to any disclaimer of warranty, disclaimer of damages, cap on liability, or other limitation of liability contained in the Agreement. Vendor agrees that Vendor’s failure to comply with any of the provision(s) set forth in these Data Privacy and Security Terms shall be deemed a material breach of the Agreement and, without limiting any of Brookfield’s other rights or remedies under the Agreement or at law, Brookfield will have the right to terminate the Agreement without liability to Vendor upon written notice to the Vendor in the event of any such failure to comply with any of the provision(s) of these Data Privacy and Security Terms by Vendor (or a third party working on behalf of Vendor).  

    Vendor further agrees to adhere to and to adopt the following technical and organizational security controls:

    Reference / Description / Minimum Requirements

    1. Inventory of Authorized and Unauthorized Devices
       Description: Reduce the ability of attackers to find and exploit unauthorized and unprotected systems.
       Minimum Requirements: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, and remote devices.

    2. Inventory of Authorized and Unauthorized Software
       Description: Identify vulnerable or malicious software to mitigate or root out attacks.
       Minimum Requirements: Devise a list of authorized software for each type of system, deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.

    3. Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers
       Description: Prevent attackers from exploiting services and settings that allow easy access through networks and browsers.
       Minimum Requirements: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

    4. Continuous Vulnerability Assessment and Remediation
       Description: Proactively identify and repair software vulnerabilities reported by security researchers or vendors.
       Minimum Requirements: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within forty-eight (48) hours.

    5. Malware Defenses
       Description: Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading.
       Minimum Requirements: Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.

    6. Application Software Security
       Description: Neutralize vulnerabilities in web-based and other application software.
       Minimum Requirements: Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy threat detection and continuous monitoring of traffic. Explicitly check for errors in all user input (including by size and data type).

    7. Wireless Device Control
       Description: Protect the security perimeter against unauthorized wireless access.
       Minimum Requirements: Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

    8. Data Recovery Capability
       Description: Minimize the damage from an attack.
       Minimum Requirements: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly, and back up sensitive systems more often. Regularly test the restoration process.

    9. Security Skills Assessment and Appropriate Training to Fill Gaps
       Description: Find knowledge gaps, and fill them with exercises and training.
       Minimum Requirements: Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

    10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
       Description: Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments.
       Minimum Requirements: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.

    11. Limitation and Control of Network Ports, Protocols, and Services
       Description: Allow remote access only to legitimate users and services.
       Minimum Requirements: Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.

    12. Controlled Use of Administrative Privileges
       Description: Protect and validate administrative accounts on desktops, laptops, and servers to prevent attack.
       Minimum Requirements: Use robust passwords that follow Federal Desktop Core Configuration (FDCC), NIST, or ISO 27001 standards.

    13. Boundary Defense
       Description: Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines.
       Minimum Requirements: Establish multilayered boundary defenses by relying on firewalls, proxies, demilitarized zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).

    14. Maintenance, Monitoring, and Analysis of Security Audit Logs
       Description: Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines.
       Minimum Requirements: Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers and run biweekly reports to identify and document anomalies.

    15. Controlled Access Based on the Need to Know
       Description: Prevent attackers from gaining access to highly sensitive data.
       Minimum Requirements: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files.

    16. Account Monitoring and Control
       Description: Keep attackers from impersonating legitimate users.
       Minimum Requirements: Review all system accounts and disable any that are not associated with a business process and owner. Immediately remove system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC, NIST, or ISO 27001 standards.

    17. Data Loss Prevention
       Description: Stop unauthorized transfer of sensitive data through network attacks and physical theft.
       Minimum Requirements: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.

    18. Incident Response Management
       Description: Protect the organization’s reputation, as well as its information.
       Minimum Requirements: Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

    19. Secure Network Engineering
       Description: Keep poor network design from enabling attackers.
       Minimum Requirements: Use a robust and secure network engineering process to prevent security controls from being circumvented. Deploy a network architecture with at least three tiers: DMZ, middleware, and private network. Allow rapid deployment of new access controls to quickly deflect attacks.

    20. Penetration Test and Red Team Exercises
       Description: Use simulated attacks to improve organizational readiness.
       Minimum Requirements: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises to test existing defense and response capabilities.

    3. Compliance with Law / Doing Business with Brookfield

    Compliance with Laws.

    Vendor shall, and shall require all Vendor employees, subcontractors, and agents (“Vendor Personnel”) to keep itself/themselves fully informed of, and to observe and comply with all applicable foreign and domestic laws, rules, and implementing regulations relating to the performance of the Agreement and any products, services and deliverables thereunder, including but not limited to, all employment laws, data privacy and data protection laws, Occupational Safety and Health Laws, consumer product safety standards under the U.S. Consumer Product Safety Act, anti-bribery/anti-corruption and sanction laws, the U.S. Federal Hazardous Substances Act, all United States Import/Export laws, and laws governing the protection of intellectual property and trade secrets (“Applicable Laws”). In connection with the foregoing, Vendor shall, and shall cause the Vendor Personnel to, perform all obligations under the Agreement in an ethical manner, which shall, at a minimum, require compliance by Vendor Personnel with the following:

    • Sanctions Compliance. Vendor confirms that neither it, nor any of its Ultimate Beneficial Owners, nor any related company (including parent companies, subsidiaries, and affiliates) nor any third parties it engages in relation to the Agreement (e.g., subcontractors) are a Sanctioned Party or otherwise subject to Sanctions as such terms are defined below. Vendor has complied and will continue to comply with all applicable trade restrictions and Sanctions and has not and will not knowingly employ or do business with anyone suspected of being connected with criminal or terrorist activities or who is the subject of Sanctions. Vendor represents that Brookfield’s payment to the Vendor of funds for the products and services under the Agreement would not result in a violation of Sanctions by Brookfield. As used in this Sanctions Compliance Section, “Governmental Authority” means (a) any government or any governmental, judicial, administrative, executive or legislative subdivision, department, organization, court, tribunal, agency or instrumentality thereof in any relevant jurisdiction, whether federal, national, supranational, state, provincial, county, municipal, or local, and (b) any public international organization (such as the United Nations, European Union, Organization for Economic Co-operation and Development, or World Bank); “Sanctions” means any type of economic, trade, financial, transactional or other type of sanction (or any other form of ban or prohibition pursuant to any laws or regulations) administered, imposed or enforced by a Governmental Authority, or any other applicable sanctions authority in any relevant jurisdiction, including but not limited to the U.S. Department of the Treasury’s Office of Foreign Assets Control, the U.S. Department of State, the U.S. Department of Commerce, the United Nations Security Council, the European Union, the UK Government (including His Majesty’s Treasury), and the Canadian Government; “Sanctioned Party” means any person or entity that is, or is directly or indirectly owned or controlled (as such terms are interpreted in accordance with applicable Sanctions laws and regulations) by, any person or entity that is the target of Sanctions and/or that is located, organized or a resident in a country or territory that is the target of comprehensive Sanctions (including, as of the date of these Vendor Requirements, Cuba, Iran, North Korea, Syria, the Crimea region of Ukraine, and the Donetsk and Luhansk regions); and “Ultimate Beneficial Owner” means any person or entity that (x) ultimately owns or controls (directly or indirectly) 25% of the shares or voting rights in Vendor (or such lower percentage required in accordance with applicable law), (y) exercises ultimate control over the management of Vendor, or (z) has the right to exercise, or actually exercises, significant influence or control over the activities of Vendor.
    • Reporting Hotline.  Brookfield hereby advises Vendor that Brookfield has established the Brookfield Ethics Hotline so that all employees, vendors, partners and various other stakeholders in Brookfield may anonymously report any concerns or raise any issues, free of discrimination, retaliation or harassment, pertaining to: (a) accounting, auditing and any other financial reporting irregularities, (b) unethical business conduct (including, without limitation, safety, environment, conflicts of interest, theft and fraud), or (c) violations of law.  The Brookfield Ethics Hotline may be accessed either: (i) by telephone, by calling toll free from anywhere in North America to (800) 665-0831, or (ii) via the internet by submitting an anonymous report online at www.reportlineweb.com/Brookfield.  Reports to the Brookfield Ethics Hotline shall be reviewed by Brookfield and Brookfield shall commence appropriate investigations in compliance with law or as Brookfield otherwise deems necessary.
    • Anti-Bribery.  Vendor hereby acknowledges, certifies, warrants and undertakes to Brookfield that: (a) it has not offered, promised, given or agreed to give and shall not during the term of the Agreement offer, promise, give or agree to give to any person or entity any bribe on behalf of Brookfield or otherwise with the object of obtaining a business advantage for Brookfield or otherwise; (b) it will not engage in any activity or practice which would constitute an offence under any applicable anti-bribery and/or anti-corruption laws, including but not limited to the United States Foreign Corrupt Practices Act of 1977; (c) it has, and will maintain in place, its own policies and procedures to ensure compliance with any applicable anti-corruption laws; (d) it will ensure that any person or entity who performs or has performed services for or on its behalf in connection with the Agreement complies with the terms and conditions set forth in these Vendor Requirements; (e) it has, and will maintain in place, effective accounting procedures and internal controls necessary to record all expenditures in connection with the Agreement, which enable Vendor and Brookfield to readily identify Vendor’s financial and related records in connection with the Agreement; (f) from time to time during the term of the Agreement, at the reasonable request of Brookfield, Vendor will confirm in writing that it has complied with its undertakings under these Vendor Requirements; (g) shall notify Brookfield as soon as practicable of any breach of any of the undertakings contained in these Vendor Requirements of which it becomes aware; and (h) it shall explicitly include the obligations in these Vendor Requirements in any subcontracts or agreements formed between Vendor and any subcontractors to the extent that those subcontracts or agreements relate to fulfillment of Vendor’s obligations to Brookfield under the Agreement.
    • International Trade and Customs.  Vendor shall comply with all applicable export control laws and regulations, including the Export Administration Regulations. Vendor shall not export or re-export any items or technical data furnished by Brookfield, except with Brookfield’s prior written consent. Except with prior written consent of Brookfield, Vendor shall not (a) file, or cause or permit any third party to file, for duty drawback with customs authorities in respect of any products provided under the Agreement or any component thereof, or (b) show, or cause or permit any third party to show, Brookfield’s name as “importer of record” on any customs declaration. Vendor shall timely provide Brookfield with accurate information, records and documentation relating to any products, as Brookfield deems necessary or advisable to fulfill customs and trade related obligations. To the extent any products are to be imported into the U.S., Vendor shall comply with all applicable recommendations or requirements of the U.S. Bureau of Customs and Border Protection’s Customs-Trade Partnership Against Terrorism (“C-TPAT”) initiative. No later than the time of delivery, Vendor shall provide Brookfield with the applicable Export Control Classification Numbers (“ECCNs”) of any products provided under the Agreement and their components.