Terms of Service for Business Messages

Last modified: March 11, 2021

Thank you for using Business Messages ("Business Messages"), a platform and associated software that enable users to enter into a business messaging conversation with you. End users may access the messaging platform via links in Google Search, Google Maps and other access points.

A. These Business Messages Terms of Service ("Business Messages Terms") are entered into by Google LLC and you (the entity agreeing to these terms).

B. These Business Messages Terms form a binding agreement between the parties and are effective as of the earliest date you confirmed acceptance in writing, clicked to accept the Business Messages Terms, or used Business Messages. If an individual is accepting on your behalf such individual represents and warrants that: (i) such individual has full legal authority to bind you to these Business Messages Terms; (ii) the individual has read and understands these Business Messages Terms; and (iii) the individual agrees, on your behalf, to these Business Messages Terms. These Business Messages Terms govern your access to and use of Business Messages.

C. By accepting these Business Messages Terms, you are agreeing to the Google APIs Terms of Service at https://developers.google.com/terms (or such other URL as we may provide) (the "General API Terms").

D. Additionally, you may have access to other tools and services provided by Google and its affiliates. Any use of such tools and services may be subject to separate terms and conditions.

E. Collectively, the General API Terms, any other applicable terms listed in Section 1.1 (Incorporation by Reference), any accompanying API documentation, and any applicable policies and guidelines are part of these Business Messages Terms. You agree to comply with the Business Messages Terms and that the Business Messages Terms control your relationship with us.

F. We may refer to Google LLC as "Google," "we," "our," or "us" in the Business Messages Terms. Google may use its affiliates in connection with the performance of its obligations and exercise of its rights under these Business Messages Terms.

G. The Business Messages Terms apply to you, your agents, the service provider(s) or brand(s) you work with, and both your and their employees, representatives, agents, and suppliers (collectively "you" or "Company").

1. Applicable Terms; Modifications.

1.1 Incorporation by Reference. To the extent applicable, the following terms are incorporated by reference into these Business Messages Terms:

(a) General APIs Terms of Service. The General API Terms will apply to and are deemed part of these Business Messages Terms. The parties agree (i) Business Messages constitute "APIs", and (ii) these Business Messages Terms constitute part of the "Terms", as each such term is defined in the General API Terms.

(b) Business Messages Policies. All of your products, services, or materials must comply with the policies for Business Messages available at https://developers.google.com/business-communications/business-messages/support/tos (or such other URL as we may provide) (the "Business Messages Policies"). This includes the Acceptable Use Policies set out at https://developers.google.com/business-communications/support/aup (or such other URL as we may provide).

(c) Terms for Other Product(s). If at any time your services use other Google or Google-affiliated products or services ("Other Product(s)"), then the terms for those Other Product(s) will also apply. For example, if you use Google Cloud Platform in the service that you provide through Business Messages, the Google Cloud Platform terms of service will apply in addition to these Business Messages Terms. The use of third-party products or services is subject to their applicable terms.

1.2 Order of Precedence. To the extent there are any conflicts, the following order of precedence will apply:

(a) Other Product(s)' terms of service (for example, Google Cloud Platform);

(b) Business Messages Policies (including the Business Messages Acceptable Use Policies);

(d) General API Terms.

1.3 Entire Agreement; All other Terms are Void. The Business Messages Terms are the entire agreement between you and Google relating to its subject and supersede any prior or contemporaneous agreements on that subject (including any previously executed early access agreement). We object to any additional or different terms in your terms of service or other documents, including any of your API terms of service. Those other terms of service and documents will be considered material alterations to these Business Messages Terms and are void.

1.4 Modifications to these Terms.

Google may make changes to these Business Messages Terms (including the Business Messages Policies), including any terms relating pricing or payment from time to time. Unless otherwise noted by Google, material changes to these Business Messages Terms will become effective 30 days after they are posted, except if the changes apply to new functionality in which case they will be effective immediately. If you do not agree to the revised Business Messages Terms, please stop using Business Messages. Google will post any modification to these Business Messages Terms to the Terms URL (if the Terms URL is available).

2. Definitions

2.1 "Agent" When using BM, Brands are represented by Agents, who handle the direct communications with the end user.

2.2 "AUP" means the Acceptable Use Policy provided at https://developers.google.com/business-communications/support/aup (or such other link provided by Google).

2.3 "Brand" The company the end user communicates with through BM. Brands might be retailers, travel companies, CPG brands, business to business service providers, or others.

2.4 "Brand Features" means a party’s trade names, trademarks, logos, or other distinctive brand features.

2.5 "Business Messages" or "BM"means the Business Messages service, and its natural successors, however named or branded.

2.6 "Business Messages APIs" Google-provided application programming interfaces relating to Business Messages that are intended to enable Company (and its authorized affiliates) to engage its customers in messaging conversations relating to the Company’s service(s) and products, and which are made accessible to Company in connection with and during the Term of this Agreement.

2.7 "Confidential Information" means information that one party discloses to the other party under this Agreement, and that is marked as confidential or would normally be considered confidential information under the circumstances. It does not include information that the recipient already knew, that becomes public through no fault of the recipient, that was independently developed by the recipient, or that was lawfully given to the recipient by a third party. For the avoidance of doubt, the following is considered Confidential Information: the Business Messages APIs (in addition to their related source materials, sample code, and documentation) and any discussions between the parties in relation to the Business Messages APIs.

2.8 "include" or "including" means "including but not limited to".

2.9 "Partner" A Brand may use a Partner to connect with the Business Messages APIs and help provide the BM service for the Brand and it’s end users. Partners might be Customer Service Platforms (CSPs), Customer Relationship Management (CRM) systems, bot builders, messaging aggregators, system integrators, or others.

2.10 "Promotion" has the meaning given in Exhibit A.

2.11 "Term" has the meaning given in Section 11.1 (Term).

2.12 "Terms URL" means the terms provided at https://developers.google.com/business-communications/business-messages/support/tos, as Google may update from time to time.

2.13 When examples are provided in this Agreement, they are for illustrative purposes only, and are not the exclusive examples of a particular concept or provision.

3. Brands and Partners

3.1 Under this Agreement, Company may act as a Brand, a Partner, or both. Its obligations and responsibilities under this Agreement will apply to its chosen role.

3.2 Subject to Google’s approval, a Partner may integrate with Google’s Business Messages API and provide access to Google’s Business Message services to one or more Brands.

3.3 A Brand may:

(a) integrate directly with the Google Business Messages API, and provide Google’s Business Message services on its own behalf; or

(b) integrate with a Partner and gain access to Google’s Business Messages service via that partner.

4. Business Messages API and Promotion Activities. Google and Company will fulfill the obligations described in Exhibit A.

5. Licenses.

5.1 Google Brand Features. Subject to Google having given its prior written approval (email to suffice) of its Brand Features, and subject further to the terms and conditions of this Agreement, Google grants to Company a royalty-free, nonexclusive, worldwide license to: (a) use Google’s Brand Features in promotional and marketing activities in connection with the Promotion; provided that in each case Company complies with: (i) the Google Brand Feature Guidelines currently posted at http://www.google.com/permissions/guidelines.html (or such other URL as Google may specify), as applicable, and (ii) any other guidelines or instructions provided by Google to Company regarding its use, distribution, or display of Google’s Brand Features. Company will use commercially reasonable efforts to promptly modify its use of Google’s Brand Features upon request by Google to comply with this Agreement.

5.2 Company Brand Features.

(a) Subject to Company having given its prior written approval (email to suffice) of its Brand Features, and subject further to the terms and conditions of this Agreement, Company grants to Google a royalty-free, nonexclusive, worldwide license to use Company’s Brand Features, in each case solely for the purposes of (i) the exercise of Google’s rights and performance of its obligations under this Agreement, and (ii) promotional and marketing activities in connection with Company’s products and services, provided that in each case Google complies with any guidelines or instructions provided by Company to Google regarding its use, distribution, or display of Company’s Brand Features. Google will use commercially reasonable efforts to promptly modify its use of Company’s Brand Features upon request by Company to comply with this Agreement.

(b) Where Company is acting a Partner, Company will also obtain for Google, with respect to each of its Brand customers, a royalty-free, nonexclusive, worldwide license to use the Brand Features of such Brand solely for the purposes of (i) the exercise of Google’s rights and performance of its obligations under this Agreement, and (ii) promotional and marketing activities in connection with Company’s and its Brand customers’ products and services; provided that, in each case, Google complies with the guidelines or instructions provided by Company to Google in writing (email to suffice) regarding its use, distribution, or display of the Brand Features of Company’s Brand customers. Google will use commercially reasonable efforts to promptly modify its use of such Brand Features upon request by Company to comply with this Agreement.

5.3 Review; Approvals. Neither party may use the other’s Brand Features without the other’s prior written approval (email to suffice), and such use will be only in accordance with any guidelines provided by either party to the other. Such approval will not be unreasonably delayed or withheld.

5.4 Retention of Rights. As between the parties:

(a) Company retains all rights in Company’s Brand Features;

(b) Google retains all rights in: (i) Google’s Brand Features; (ii) promotional materials and other marketing assets for the Promotion created or developed by or on behalf of Google; and (iii) Google products and services (including Business Messages); and

(c) Google’s use of Company’s Brand Features (including any associated goodwill) will inure to Company’s benefit. Company’s use of Google’s Brand Features (including any associated goodwill) will inure to Google’s benefit.

5.5 No Other Restrictions. Nothing in this Agreement:

(a) restricts either party from using content it creates or rightfully obtains elsewhere; or

(b) restricts either party from exercising any rights it has at law (including under the U.S. Copyright Act).

6. Business Messages API Terms of Services and AUP.

6.1 API TOS; AUP. By using the Business Messages APIs, Company agrees to be bound by the Google APIs Terms of Service (the "API ToS"), the current version of which is available at https://developers.google.com/terms/, as such terms may be updated by Google from time to time. The API ToS is hereby incorporated by reference into this Agreement. In the event of a conflict between this Agreement and the API ToS, this Agreement will take precedence and apply. In addition, Company will comply with the AUP.

6.2 Sublicense Right for Partner. Subject to Google’s prior written consent (provided at Google’s sole discretion on a case-by-case basis), Company (acting as a Partner) may sublicense use of Business Messages to third parties with whom Company has a written agreement that is no less protective of Google, Google’s affiliates, and Business Messages than as set forth in this Agreement. Company will be liable for the acts and omissions of such third parties.

6.3 Agent partner registration. If the Brand, as represented by an Agent, has a developer partner who will be managing the Agent’s use of BM, Company represents and warrants that the Brand has a direct, contractual relationship with the Partner that grants the Partner all necessary rights to manage the Agent’s messaging content. The Partner will be subject to and will comply with the AUP. No entities that were previously disapproved by Google may be Partners under this Agreement.

6.4 No Fees. As between the parties, as of the Effective Date Company’s use and resale of Business Messages is free of charge, subject to change. Google may introduce fees for Business Messages at any time or terminate this Agreement in accordance with Section 11 (Term and Termination).

7. Costs and Expenses. Each party will bear all costs and expenses arising out of its performance under this Agreement, except as otherwise described in Exhibit A.

8. Confidentiality.

8.1 Confidentiality Obligations. The recipient of any Confidential Information will not disclose that Confidential Information except to subcontractors, affiliates, employees, agents and professional advisors who need to know it and who have agreed in writing (or in the case of professional advisors are otherwise bound) to keep it confidential. The recipient will ensure that those people and entities use such Confidential Information only to exercise rights and fulfill obligations under this Agreement, while using reasonable care to protect it. The recipient may also disclose Confidential Information when required by law after giving reasonable notice to the discloser, if permitted by law.

8.2 Publicity. Neither party will issue any public announcement regarding the existence or content of this Agreement without the other party's prior written approval, or as expressly permitted under Exhibit A.

9. Data Protection. Each of Google and Company will comply with its own privacy policies when handling customer information. If Company processes any personal data relating to individuals, Company will provide a clear and conspicuous privacy notice to such individuals that accurately describes how Company collects, uses, and protects that information.

9.1 Google is always a data controller in the context of this Agreement.

9.2 Google and Company (when acting as a Brand) is each an independent controller in respect of its processing of personal data in the context of this Agreement and will (in relation to the processing of individuals' data in the context of the performance of their obligations under this Agreement) comply with their respective obligations under any applicable laws (including any applicable data protection and privacy laws, rules, and regulations).

9.3 Where Company is acting as a Partner, it is a data processor in respect of its processing of personal data provided by Brands that are its third party customers in the context of this Agreement and will (in relation to the processing of individuals' data in the context of the performance of their obligations under this Agreement) comply with its obligations under any applicable laws (including any applicable data protection and privacy laws, rules, and regulations).

9.4 Furthermore, each party warrants and undertakes that it will, in relation to personal information processed or exchanged under this Agreement, comply with Exhibit B (Data Protection Safeguards).

9.5 Customer will not, and will not allow anyone with whom it exchanges Business Messages, to transmit, store, or process health information subject to regulation under the United States Health Insurance Portability and Accountability Act.

10. Representations and Warranties; Disclaimers.

10.1 Each party represents and warrants that: (i) it has the power to enter into this Agreement; (ii) it has the ability to perform its obligations under this Agreement; and (iii) it has and will retain all necessary rights to grant the licenses in Section 5 (Licenses);

10.2 Company represents and warrants that it will comply with all applicable laws, rules, and regulations relating to the performance of this Agreement.

10.3 Disclaimers. EXCEPT FOR THE EXPRESS WARRANTIES MADE BY THE PARTIES IN THIS AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PARTIES DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

11. Term and Termination.

11.1 Term. This Agreement starts on the Effective Date and continues until terminated in accordance with Section 11.2 (the "Termination").

11.2 Termination.

(a) Termination without cause. Under the Agreement, either party may terminate this Agreement without cause with a 10 day notice period.

(b) Effects of Termination. Upon expiration or termination of this Agreement for any reason (contractual or otherwise), (i) Company will stop using the Business Messages APIs, or other materials provided by Google; (ii) all licenses granted under this Agreement will terminate; and (iii) each party’s marketing obligations and commitments set forth in Exhibit A will terminate.

11.3 Survival. Any Sections that under their terms or by implication ought to survive, will survive the expiration or termination of this Agreement.

12. Defense and Indemnity.

12.1 Definitions. "Indemnified Liabilities" means any (i) settlement amounts approved by the indemnifying party; and (ii) damages and costs in a final judgment awarded against the indemnified party(ies) by a competent court. "Third-Party Legal Proceeding" means any formal legal proceeding filed by an unaffiliated third party before a court or government tribunal (including any appellate proceeding).

12.2 Obligations.

(a) Google’s Obligations. Subject to Section 12.4 (Conditions), Google will defend Company and its affiliates, and indemnify them against Indemnified Liabilities, in any Third-Party Legal Proceeding to the extent arising from: (a) Google’s breach of its representations and warranties under this Agreement; and (b) an allegation that Company’s use of Google Brand Features in accordance with this Agreement infringes the third party’s intellectual property rights.

(b) Company Obligations. Subject to Section 12.4 (Conditions), Company will defend Google and its affiliates, and indemnify them against Indemnified Liabilities, in any Third-Party Legal Proceeding to the extent arising from: (a) Company’s breach of its representations or warranties under this Agreement; or (b) an allegation that Google’s use of Company’s Brand Features in accordance with this Agreement infringes the third party’s intellectual property rights.

12.3 Exclusion. This Section 12 (Defense and Indemnity) will not apply to the extent the underlying allegation arises from the indemnified party’s breach of this Agreement or from modifications or combinations to the indemnifying party’s Brand Features that were not provided by the indemnifying party.

12.4 Conditions. Section 12.2 (Obligations) is conditioned on the following:

(a) The indemnified party must promptly notify the indemnifying party of any allegation(s) that preceded the Third-Party Legal Proceeding and cooperate reasonably with the indemnifying party to resolve the allegation(s) and Third-Party Legal Proceeding. If a breach of this subsection (i) prejudices the defense of the Third-Party Legal Proceeding, the indemnifying party’s obligations under Section 12 (Defense and Indemnity) will be reduced in proportion to the prejudice.

(b) The indemnified party must tender sole control of the indemnified portion of the Third-Party Legal Proceeding to the indemnifying party, subject to the following: (i) the indemnified party may appoint its own non-controlling counsel, at its own expense; and (ii) any settlement requiring the indemnified party to admit liability, pay money, or take (or refrain from taking) any action, will require the indemnified party’s prior written consent, not to be unreasonably withheld, conditioned, or delayed.

13. Limitations of Liability.

13.1 Liability. "LIABILITY" MEANS ANY LIABILITY, WHETHER UNDER CONTRACT, TORT, OR OTHERWISE, INCLUDING FOR NEGLIGENCE.

13.2 Limitations. SUBJECT TO SECTION 13.3 (Exceptions), AND EXCEPT FOR INDEMNIFICATION OBLIGATIONS (SECTION 12 (DEFENSE AND INDEMNITY)): (i) NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES; AND (ii) EACH PARTY’S MAXIMUM AGGREGATE LIABILITY FOR ALL CLAIMS RELATING TO THIS AGREEMENT WILL BE LIMITED TO US$100,000.

13.3 Exceptions. NOTHING IN THIS AGREEMENT EXCLUDES OR LIMITS EITHER PARTY’S LIABILITY FOR (I) DEATH OR PERSONAL INJURY RESULTING FROM ITS NEGLIGENCE OR THE NEGLIGENCE OF ITS EMPLOYEES OR AGENTS; (II) FRAUD OR FRAUDULENT MISREPRESENTATION; (III) BREACH OF SECTION 8 (CONFIDENTIALITY); (IV) INFRINGEMENT OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS; OR (V) MATTERS FOR WHICH LIABILITY CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

14. General.

14.1 Notices. All notices of termination or breach must be in English, in writing and addressed to the other party’s Legal Department. The address for notices to Google’s Legal Department is legal-notices@google.com. All other notices must be in English, in writing and addressed to the other party’s primary contact. Notice will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).

14.2 Subcontracting. Google may subcontract any of its obligations under this Agreement, but will remain liable for all subcontracted obligations and its subcontractors’ acts or omissions.

14.3 Assignment. Neither party may assign any part of this Agreement without the written consent of the other, except to an affiliate where: (i) the assignee has agreed in writing to be bound by the terms of this Agreement; (ii) the assigning party remains liable for obligations under the Agreement if the assignee defaults on them; and (iii) the assigning party has notified the other party of the assignment. Any other attempt to assign is void.

14.4 Change of Control. If a party experiences a change of control (for example, through a stock purchase or sale, merger, or other form of corporate transaction): (i) that party will give written notice to the other party within 30 days after the change of control; and (ii) the other party may immediately terminate this Agreement any time between the change of control and 30 days after it receives that written notice.

14.5 Force Majeure. Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

14.6 No Waiver. Neither party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under this Agreement.

14.7 Severability. If any term (or part of a term) of this Agreement is invalid, illegal or unenforceable, the rest of the Agreement will remain in effect.

14.8 No Agency. This Agreement does not create any agency, partnership or joint venture between the parties.

14.9 No Third Party Beneficiaries. This Agreement does not confer any benefits on any third party unless it expressly states that it does.

14.10 Counterparts. The parties may execute this Agreement in counterparts, including facsimile, PDF, and other electronic copies, which taken together will constitute one instrument.

14.11 Governing Law. All claims arising out of or relating to this Agreement will be governed by California law, excluding California’s conflict of laws rules, and will be litigated exclusively in Santa Clara County, California, USA.

14.12 Amendments. Any amendment must be in writing, signed by both parties, and expressly state that it is amending this Agreement.

14.13 Entire Agreement. This Agreement sets out all terms agreed between the parties and supersedes all other agreements between the parties relating to its subject matter. In entering into this Agreement neither party has relied on, and neither party will have any right or remedy based on, any statement, representation or warranty (whether made negligently or innocently), except those expressly set out in this Agreement.

EXHIBIT A

Business Messages Promotion

Background. The parties wish to use Business Messages to enable end users to enter into a business messaging conversation with Company. End users may access the messaging platform via links in Google Search, Google Maps and other access points. (the "Promotion").
Promotion Obligations.
1. Marketing Plan. In addition to the activities and obligations set forth in this Exhibit A, Google and Company may work together to develop a co-marketing plan for the Promotion ("Co-Marketing Plan"). As part of any such plan, the parties may mutually agree upon the concepts and directions of the campaign creatives, including any relevant button and text link calls-to-action ("CTAs"). The specific details of the various marketing activities and each parties’ obligations with respect to such activities under the Co-Marketing Plan that are mutually agreed upon by Google and Company, and not otherwise described in this Exhibit A, will be set forth in writing (email to suffice).
2. Technical Resources. During the Term, the parties will dedicate the appropriate resources to work together in good faith to address, in a prioritized manner, any technical and/or performance details of the Promotion, including the Business Messages APIs and CTAs.
3. Google Obligations.
  1. Provision and Maintenance of Business Messages APIs.
    1. Google will provide Company with access to Business Messages APIs subject to the terms of this Agreement, the API ToS, and the AUP for the purpose of enabling Company to pursue the Promotion.
    2. Google will use commercially reasonable efforts to support the Business Messages APIs during the Term. During the Term, Google may make changes to the Business Messages APIs in its sole discretion. If Google plans to make any material changes, Google will use commercially reasonable efforts to notify Company at least ten (10) days before any material changes take effect. For clarity, if Google determines in its sole discretion that a material change must be made to the Business Messages APIs to remedy a critical issue, Google may make such change without providing Company with advance notice and will use commercially reasonable efforts to notify Company promptly after making such change.
  2. CTAs. Google may place graphical and text based CTAs on search results and other locations for the purpose of enabling the initiation of Business Messages services. Google has sole discretion on the format and placement of CTAs.
4. Company Obligations.
  1. Company will:
    1. Connect to the Business Messages APIs, using (for example) a third party CRM or customer support platform, or its own integration method.
    2. Provide guidance and answer, within a mutually agreed upon time period, queries from customers who click on a CTA and start a conversation with Company.

Exhibit B

Data Protection Safeguards

To the extent the parties exchange or process personal information in connection with Business Messages, the parties do so as independent data controllers. Furthermore, the parties will, as a minimum requirement, implement and maintain the following "Safeguards":

Data Protection Program. Each party will establish and maintain a reasonable program of organizational, operational, administrative, physical and technical Safeguards appropriate to (1) comply with applicable laws, and (2) prevent unauthorized physical or electronic access to or loss of personal information or Confidential Information, or services, systems, devices, or media containing this information.
Supervision and Training. Each party will provide an appropriate level of supervision, guidance, and training on that party’s Safeguards to anyone acting on its behalf who require access to personal data or Confidential Information.
Access Control. Each party will maintain controls appropriate to limit access to personal data or Confidential Information to employees and other parties acting on that party’s behalf that (1) have a legitimate need to access that information to perform the transactions and services contemplated under this Agreement, and (2) have agreed to be bound by an appropriate confidentiality agreement. Such controls will include an industry-standard logging system capable of reconstructing access to personal data.
Retention and Destructions. Each party will maintain a program to destroy personal data when no longer reasonably needed to provide services to the end users or when otherwise requested by the end user. The parties will destroy personal data using an appropriate industry-standard destruction method.
Third Party Providers. Each party will be responsible for ensuring that any subcontractors, service providers, or any other party engaged to act on behalf of or provide services to the engaging party is taking reasonable and appropriate steps to protect the security, privacy, and confidentiality of personal data and Confidential Information.
Incident Response. Each party will maintain an incident response program to respond when that party has reason to believe that has been or will be unauthorized access to, use or loss of personal data or other Confidential Information. A party will promptly notify the other party if it identifies such an incident involving personal data processed by, for, or on behalf of the other party.
Risk Assessment. Each party will assess the risks to the security, privacy, and confidentiality of personal data and Confidential Information and the effectiveness of the Safeguards it has adopted at reasonable periodic intervals. Each party will update its Safeguards as needed to reasonably protect the security, privacy, and confidentiality of personal data and Confidential Information. In the event that a party identifies a vulnerability in that party’s Safeguards that presents a material risk to the security, privacy, or confidentiality of personal data or Confidential Information, that party shall correct or resolve the vulnerability within a period of time that is reasonable and appropriate to the risk presented.
Security Auditing. Each party will perform the following testing of the services, systems, devices, and media used to perform services pursuant to this Agreement using employees qualified to perform such testing, or a qualified independent security assessor:
1. regular vulnerability scans using an industry standard vulnerability scanner at reasonable intervals, but in no event, less frequently than once every quarter;
2. penetration testing at least once per year; and
3. annual audit of that party’s Safeguards under an audit standard appropriate and applicable to the actions that party performs pursuant to this Agreement.
Reasonable Assurances. When reasonably requested, a party will provide the other party with reasonable assurances in writing that it has implemented all of these Safeguards, which shall include providing accurate and complete information as the other party may reasonably request in written questionnaires. A party may request such written assurances once per year.