Data Security

EXHIBIT A
Third Party Minimum Data Security Requirements

1.0.         General Security Requirements.

1.1.         Agreement Compliance. Third Party’s compliance with these Security Requirements will not in and of itself excuse Third Party from any of its obligations, including without limitation, indemnification and confidentiality, set forth in the agreement.

1.2.         Compliance with Applicable Laws. Third Party represents, warrants and covenants that its collection, access, use, storage, disposal and disclosure of Mativ Data does and will at all times comply with all applicable laws, including, without limitation, international, federal, state and local privacy and data protection laws and regulations for all jurisdictions in which Third Party is conducting commerce with Mativ Data. Without limiting the generality of the foregoing, the Third Party shall not process any personal data without entering into a separate agreement on the processing of personal data and shall comply at all times with its obligations under such agreement.

1.3.         Notification of Fourth Parties. Third Party will notify Mativ of any planned use of fourth parties to fulfill contract requirements prior to the disclosure of or access to any Mativ systems or data.

1.4.         Single Sign On. Third Party systems shall utilize SAML 2.0, OAuth2, or OpenID Connect for the purposes of providing Mativ employees Single Sign On access to Third Party’s systems.

1.5.         Third Party Network Protection. Mativ data must at all times be protected from unauthorized use, access, disclosure, alteration or destruction.

1.5.1.         Secure and Private Data Networks. Data networks that have Data Interactions, as defined in Definitions Section, must be secured and private.

1.5.2.         Reputation Based Filtering. Third Party shall use a reputation-based service to determine if a source IP address is a known anonymous proxy and prevent such anonymous proxies from accessing Third Party systems that have Data Interactions, as defined in Definitions Section.

1.6.         Audits. Third Party shall provide Mativ with reasonable and sufficient access to all relevant Third Party personnel, records and facilities including SOC reports upon request. No audit shall unreasonably interfere with Third Party’s performance of services to Mativ or Third Party’s other customers.

1.6.1.      Information Technology and Security Control Audits by External Firm. At least once per year, Third Party shall conduct an audit of the information technology and security controls for all systems used in complying with its obligations under any agreement, including without limitation, a network-level vulnerability assessment based on industry security best practices performed by a nationally recognized third-party audit firm.

1.6.2.      Information Security Audits. Upon prior written notice of not less than fifteen (15) business days, and not more than twice in any twelve (12) month period, Mativ shall have the right to conduct a security audit at any Third Party location having Data Interactions, as defined in Definitions Section. The focus of the audits shall be Third Party’s policies, procedures, relevant written records and documentation, security compliance requirements, inspections of equipment, logged data and facilities servicing Mativ and compliance with these Security Requirements. The audits will also include interviews with Third Party personnel who are responsible for data and information security.

1.6.3.      Audit Results Reporting. Upon request, Third Party shall provide to Mativ any relevant formal summaries, attestations, or executive summaries of any security audit reports related to or impacting Mativ data or systems.

1.6.4.      Issue Remediation: Addressing Risks, Gaps, or Other Issues. If Mativ requests a remediation plan to address identified risks, then Third Party shall provide, within an agreed upon timeframe following such request, a written remediation plan to Mativ that details corrective actions, responsible individual(s), and associated time frames for completion of the remediation plan.

1.6.4.1.   Third Party shall provide periodic progress reports during this remediation process.

1.6.4.2.   Mativ may, at Mativ’s convenience and in its sole discretion, verify results after the remediation plan has been executed.

1.6.4.3.   In the event that Mativ learns of, or identifies, a risk or vulnerability related to any Third Party system that transmits, stores or handles Mativ Data, then Third Party shall cooperate with Mativ to immediately address the risk. Possible remediation actions include, but are not limited to, taking down the affected service or application, remediating through development, making configuration changes and adding additional security controls.

1.7.         Mativ System Disruptions. Third Party shall make all commercially reasonable efforts to detect and prevent any disruptions of the Mativ systems or data availability.

1.8.         Intrusion Detection/Prevention Systems. Third Party shall employ an industry-standard Intrusion Detection System (“IDS”) and/or an Intrusion Prevention System (“IPS”).

1.8.1.      Monitoring. The IDS/IPS devices must monitor all ingress and egress traffic in any environment where any Third Party system that has Data Interactions, as defined in Definitions Section, resides.

1.8.2.      Alerts. The IDS/IPS devices must be configured to alert Third Party personnel of any and all suspected compromises of Mativ Data.

1.9.         Event Logging. Third Party shall configure detailed audit logging for enterprise assets containing sensitive data. Logs shall include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

1.10.     Business Continuity and Disaster Recovery. On an annual basis, Third Party shall supply Mativ with a detailed business continuity plan related to the Services provided to Mativ. Mativ and Third Party agree to review the Business Continuity Plan at least once per year throughout the Term of this Agreement.

1.10.1.  Third Party Contact Information. Within 30 days of the Effective Date, and upon any organizational changes during the Term, Third Party will send to Mativ, the contact information of the person(s) in charge of Vendor’s business continuity plans should there be an adverse event. The contact information must contain, at a minimum, the name, physical address, email address, business phone number, mobile phone number, and fax number of the contact and their assigned alternate.

1.10.2.  Event Reporting. In the case of an adverse event and within 24 hours of such event, Third Party shall provide Mativ with a description of the problem, the projected length of time Services will be interrupted, and a detailed contingency plan to continue Services.

1.10.3.  Annual Plan Testing. Third Party shall conduct an annual test of the business continuity plan related to the Services provided to Mativ and provide test results or reporting to Mativ within 30 days of test completion.

1.11.     Training. On an annual basis, Third Party shall supply Mativ with a detailed business continuity plan related to the Services provided to Mativ. Mativ and Third Party agree to review the Business Continuity Plan at least once per year throughout the Term of this Agreement.

1.11.1.  Training Material Reviews. Third Party will, upon request of Mativ but no more than annually, provide copies of related training materials for Mativ review.

1.11.2.  Training Certifications. Third Party will, upon request of Mativ, have an officer certify that the applicable Third Party personnel have completed the training.

1.12.     Security Incident Handling. Third Party shall immediately investigate any Security Incident, take immediate steps to stop and control any damage, resolve the issue and prevent its recurrence.

1.12.1.  Notification and Escalation. Third Party shall, unless prohibited by applicable law, notify Mativ of any Security Incident as soon as possible, but not more than twenty-four (24) hours following such incident. This includes any inadvertent exchange of Mativ Data outside the intended exchange (e.g., payment card information, etc.). Third Party shall continue to provide written updates every twenty-four (24) hours after submission of the initial report until the incident has been resolved to Mativ’s satisfaction. Notification must include a written report detailing:

1.12.1.1.     the nature of the incident,

1.12.1.2.     timelines of critical events,

1.12.1.3.     scope of suspected data loss,

1.12.1.4.     immediate steps taken to stop the damage,

1.12.1.5.     ongoing resolution activities, and

1.12.1.6.     expected timeline to reach full remediation.

1.12.2.  Breach Investigations. Third Party shall cooperate with Mativ during investigations of any known or suspected security breach of a Mativ system or data network. Third Party shall allow Mativ to employ an outside audit firm to conduct such an audit should it be deemed necessary by Mativ in Mativ’s sole and absolute discretion.

1.12.3.  Abnormal Access Research. Third Party shall follow up on all exceptions, suspected exceptions, suspicious activity, compromises and breaches in any way involving or related to Mativ Data.

1.12.4.  Customer Notification. Third Party shall notify end user customers that have been determined to be impacted as required by all applicable laws, including state privacy laws. In no event shall this provision require Third Party to assume any of the notification obligations that the law requires exclusively of Mativ.

1.12.5.  Login Credentials Incident Notification. Third Party acknowledges Mativ’s right to request additional information at any time, in Mativ’s sole discretion. If Third Party suspects that login credentials have been stolen or compromised in any manner, Third Party shall notify Mativ immediately.

1.13.     Credential Sharing Prevention. Third Party shall not engage in the “sharing” of login credentials (e.g., generic logins) between multiple systems or multiple personnel on any Third Party system having Data Interactions.

1.14.     Quarterly Access Reviews. Third Party shall review all login IDs related to Third Party systems that have Data Interactions, on a quarterly basis, to ensure that any inactive or unauthorized accounts are disabled or removed.

2.0.         Data Access Requirements.

2.1.         Automated Access Prevention. Third Party shall not use any automated means to access, query or otherwise collect Mativ Data from Mativ systems without prior explicit written authorization from Mativ.

2.2.         Mativ Application or System Logouts. Third Party shall ensure that any person or system that logs into any Mativ application or system also explicitly logs out of such Mativ application or system immediately at the end of such use. Third Party acknowledges that Mativ systems will not automatically end inactive sessions through use of time-outs or a similar mechanism.

3.0           Data Collection Requirements.

4.0           Data Processing Requirements.

4.1.         Third Party Hosted Solution Location. All Mativ Data processed through any Third Party or fourth party system must remain within the U.S. and/or any U.S. territory.

4.2.         SOC 2 Type II for Data Centers. If Third Party is processing Mativ Data, or using any third party to process Mativ Data, then the data center and each data center operator (each, a “Data Center Operator”) shall (a) maintain a SOC 2, Type II, report that is no more than one year old, and (b) upon request, provide Mativ with a true and complete copy of the most recent SOC 2, Type II report, for each Data Center Operator.

5.0           Data Storage and Destruction Requirements.

5.1.         Data Storage Location. All Mativ Data stored on any Third Party or fourth party system must remain within the U.S. and/or any U.S. territory.

5.2.         Data Center Security Standards. Third Party shall implement or, if using a third party Data Center Operator, ensure the Data Center Operator has implemented, administrative, physical and technical safeguards to protect Mativ Data that are consistent with the most recently published versions of industry-recognized security standards that have been approved by Mativ.

5.2.1.      SOC 2 Type II for Data Centers. Third Party shall (a) maintain a SOC 2, Type II, report that is no more than one year old, and (b) upon request, provide Mativ with a true and complete copy of the most recent SOC 2, Type II report, for each Data Center Operator.

5.3.         Mativ Data Separation. Mativ Data must at all times be logically separated from all non-Mativ Data by means of using access control or other security related tools to ensure only authorized people are able to access Mativ Data stored on Third Party systems.

5.4.         Data "At Rest" Encryption. All non-public Mativ Data must be encrypted at all times, using a method approved by Mativ in its sole and absolute discretion prior to use, including, but not limited to, while it is stored (“at rest”), regardless of the means, methods or mediums of storage.

5.5.         Data Retention. Unless otherwise set forth in the Agreement, all Mativ Data that is not being used to service an active account must be purged on a regular basis at least once every 6 months to proactively delete such data, and no Mativ Data related to a former Mativ customer may be stored for any period longer than 2 years.

5.6.         Data Return or Destruction Upon Termination or Request. Except to the extent otherwise specifically set forth in the Agreement, upon termination of the Agreement and upon Mativ request, Third Party shall destroy, at Mativ’s option in Mativ’s sole and absolute discretion, all documents, electronic media, software and other items containing or relating to Mativ Data unless legally required to retain such information.

5.6.1.      Data Return Upon Termination or Request. If Mativ requests the Information to be returned, then delivery must take place by secure methods as determined by Mativ, in its sole and absolute discretion, and must be completed no less than thirty (30) days after termination of the Agreement.

5.6.2.      Data Destruction Upon Termination or Request. Within thirty (30) days following any request made by Mativ, Third Party shall destroy the information in a manner that makes it completely unrecoverable, as approved by Mativ in advance.

5.6.3.      Fourth Party Data Destruction. Within thirty (30) days following any request made by Mativ, Third Party shall require any fourth party in possession of Mativ Data to destroy the information in a manner that makes it completely unrecoverable, as approved by Mativ in advance.

5.6.4.      Data Destruction Certification. Within sixty (60) days following any request made by Mativ, an officer of Third Party will certify in writing to the Mativ Information Security Department stating that all data destruction has taken place in accordance with these Security Requirements.

6.0           Data Transmission Requirements.

6.1.         Data "In Transit" Encryption. All Mativ Data must be encrypted at all times, using a method approved by Mativ in its sole and absolute discretion prior to use, including, but not limited to, while it is transmitted ("in transit"), regardless of the means, methods or mediums of transmission.


Definitions

Data Interactions: the acts of accessing, collecting, receiving, processing, storing, or transmitting data.

Access: the ability to view data without the ability to modify the data.

Collect: the act of capturing data on behalf of the company.

Receive: the act of obtaining data that was distributed by Mativ (e.g., email file attachment).

Process: the act of performing any operation or set of operations, whether or not by automated means, intended to modify or destroy data.

Store: the act of retaining data virtually or physically for any period of time.

Transmit: the act of sending, moving, or distributing data.

Third Party: an entity that enters into a contractual relationship with Mativ to provide business functions, systems, personnel, or products.
