VENDOR SERVICES AGREEMENT

VENDOR SERVICES AGREEMENT
Agreement entered into this _____ day of _______________, ________ by and between Kelly Services, Inc., having
its principal place of business at 999 West Big Beaver Road, Troy, Michigan 48084 ("Kelly"), and
________________________________________,
having
its
principal
place
of
business
at
__________________________________________________ ("Vendor").
In consideration of the mutual covenants, terms, and conditions herein contained, the parties agree as follows:
DEFINITIONS.
As used herein, the following terms shall have the meanings ascribed to them as set forth below:
1. SERVICES.
The services and other materials provided to Kelly by Vendor (collectively, the “Services”) are described, and
must be provided at the times and in the manner set forth in, Exhibit A attached hereto and incorporated herein
by this reference.
1.1 SCOPE OF SERVICES.
1.2 ATTACHMENTS TO AGREEMENT
1.2.1
Exhibit A: Description of Services
1.2.2
Exhibit B: Pricing
1.2.3
Exhibit C: Service Level Agreement
1.2.4
Exhibit D: Implementation
1.2.5
Exhibit E: Reporting
1.2.6
Attachment 1: Information Security and Privacy Compliance
2. TERM
This Agreement is binding on the parties upon full signing hereof. The term of the Agreement commences
___________________, ________ (the “Effective Date”) and shall remain in effect remains in effect for _____
years (the “Initial Term”) expiring on ___________________, ________ (the “Expiration Date”).
2.1 Extension of Term.
The term may be extended or renewed for an additional term (“Renewal Term”) only by written agreement
of the parties. If the term of the Agreement expires without being formally renewed or extended, both
parties may continue to perform as set forth in this Agreement on a month-to-month basis until terminated
by either party with thirty (30) days prior written notice.
2.2 Termination for Convenience
Kelly may terminate this agreement, (in whole or in part), without penalty, at any time by giving the vendor
notice of the termination at least thirty (30) days prior to the termination date specified in the notice.
2.3 Termination for Cause
2.3.1 Kelly Termination
Kelly may terminate this agreement if Vendor fails to perform any of its material obligations under
this agreement and does not cure such failure within thirty (30) days after being given notice
specifying the nature of the failure. Without limiting this Subsection, repeated breaches by Vendor
of its duties or obligations under this Agreement, or Vendor’s failure to achieve the Service Levels
shall each be deemed a material breach of this agreement.
1
Confidential to Kelly Services, Inc. and Vendor
R07/13
2.3.2 Vendor Termination
Vendor may terminate this agreement by giving notice to Client if Client fails to pay undisputed
Fees for a period of three (3) months or more and fails to make such payment within thirty (30)
days after being given notice of such failure.
2.4 Sale of Business to Client Competitor
If Vendor enters into an agreement to sell all or substantially all of its business to a direct competitor of
Kelly, Vendor must inform Kelly prior to completion of the sale of this transaction. Under this circumstance,
Client can immediately terminate the agreement such that any data Kelly deems to be confidential or
proprietary can be destroyed before ownership changes hands.
2.5 Discontinuance of Services
Upon receipt of any termination notice, Vendor shall discontinue the Services on the date and to the extent
specified in the notice. Vendor shall be paid for the actual costs incurred during performance hereunder, up
to the termination date specified in said notice, any costs not previously reimbursed by Kelly to the extent
such costs are actual, necessary, reasonable and verifiable costs which have been incurred by Vendor and
which are otherwise reimbursable hereunder. In no event shall such cost include unabsorbed overhead or
anticipated profit.
3. GOVERNING LAW AND JURISDICTION
THIS AGREEMENT, AND ALL OTHER ASPECTS OF THE BUSINESS RELATIONSHIP BETWEEN THE PARTIES, IS
CONSTRUED, INTERPRETED, AND ENFORCED UNDER AND IN ACCORDANCE WITH THE LAWS OF THE STATE
OF MICHIGAN WITHOUT REGARD TO CHOICE OF LAW PROVISIONS. VENDOR AGREES, WITH RESPECT TO
ANY LITIGATION ARISING DIRECTLY OR INDIRECTLY OUT OF, OR THAT IN ANY WAY RELATES TO, THIS
AGREEMENT, THE BUSINESS RELATIONSHIP OR ANY OTHER TRANSACTION, MATTER, OR ISSUE BETWEEN
THE PARTIES, TO COMMENCE IT EXCLUSIVELY IN THE STATE OF MICHIGAN COURTS OF OAKLAND COUNTY,
MICHIGAN OR THE UNITED STATES DISTRICT COURT AT DETROIT, MICHIGAN, AND VENDOR BY THIS
AGREEMENT CONSENTS TO THE JURISDICTION OF THESE COURTS.
4. COMPLIANCE WITH LAWS
Vendor shall comply with all applicable national, multi-jurisdictional, federal, state, and local laws, rules, statutes,
treaties, regulations and orders, including compliance with Kelly’s current privacy policy and Safe Harbor
certification requirements and local data protection and privacy laws.
4.1 FOREIGN CORRUPT PRACTICES ACT (FCPA).
Vendor shall, and shall be responsible for ensuring that its representatives and subcontractors shall, perform
all obligations of Vendor under the Agreement in compliance with all laws, rules, regulations and other legal
requirements.
Vendor represents and warrants that it is familiar with all applicable domestic and foreign antibribery or
anticorruption laws, including those prohibiting Vendor, and, if applicable, its officers, employees, agents
and others working on its behalf, from taking corrupt actions in furtherance of an offer, payment, promise
to pay or authorization of the payment of anything of value, including but not limited to cash, checks, wire
transfers, tangible and intangible gifts, favors, services, and those entertainment and travel expenses that
go beyond what is reasonable and customary and of modest value, to: (i) an executive, official, employee or
agent of a governmental department, agency or instrumentality, (ii) a director, officer, employee or agent of
a wholly or partially government-owned or -controlled company or business, (iii) a political party or official
thereof, or candidate for political office, (iv) an executive, official, employee or agent of a public
international organization (e.g., the International Monetary Fund or the World Bank) (“Government Official”)
or (v) any executive, officer, employee of agent of a third party; while knowing or having a reasonable
belief that all or some portion will be used for the purpose of: (a) influencing any act, decision or failure to
act by a Government Official in his or her official capacity, (b) inducing a Government Official to use his or
her influence with a government or instrumentality to affect any act or decision of such government or
entity, or (c) securing an improper advantage; in order to obtain, retain, or direct business.
Vendor represents and warrants that it and its subcontractors would now be in compliance with all
applicable domestic or foreign anti-bribery or anticorruption laws, including those prohibiting the bribery of
Government Officials, and will remain in compliance with all applicable laws; that it will not authorize, offer
2
Confidential to Kelly Services, Inc. and Vendor
R07/13
or make payments directly or indirectly to any Government Official; and that no part of the payments
received by it will be used for any purpose that could constitute a violation of any applicable laws.
4.2 MASSACHUSETTS STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION.
Vendor acknowledges that to the extent it maintains or has access to any Personal Information (“PI”) of any
individual that resides in the Commonwealth of Massachusetts, Vendor is obligated to comply with the
Massachusetts Office of Consumer Affairs and Business Regulation Standards for the Protection of Personal
Information, 201 CMR 17.00 (“Massachusetts PI Standards”). PI is described as a Massachusetts resident’s
first and last name in combination with one or more of the following: Social Security Number; driver’s
license number or state-issued identification card; or financial account number, or credit card number, or
debit card number. Vendor represents and warrants that from the Effective Date of this Agreement and for
so long as it has PI of Massachusetts residents thereafter, even after termination of this Agreement, (i)
Vendor shall be in compliance with the Massachusetts PI Standards and shall remain in compliance with
such Standards as amended from time to time and (ii) that Vendor shall notify Kelly Services, Inc. in
writing immediately if it is no longer in compliance with the Massachusetts PI Standards. Failure to notify
Kelly of such non-compliance shall be considered a material breach of this Agreement.
If at any time during the term of this Agreement, any part of PI that Vendor obtains from Kelly ceases to be
required by Vendor for the performance of its obligations in this Agreement, Vendor shall promptly notify
Kelly that such information is no longer required. Vendor shall at Kelly’s option either (i) return to such Kelly
PI to Kelly or (ii) destroy all copies of such Kelly PI. Such instructions will include all Kelly PI in the Vendor’s
possession or control and Vendor shall certify to Kelly that the same has been completed.
5. DATA PRIVACY AND SECURITY
As a result of this Agreement, Vendor may obtain certain information relating to identified or identifiable
individuals (“Personal Data”). Vendor shall, and shall ensure its employees, agents, representatives and Vendors
(“Vendor Personnel”) collect, access, maintain, use, process and transfer Personal Data in accordance with the
requirements set forth in this section and for the sole purpose of performing Vendor’s obligations under this
Agreement.
Protection of Personal Data. Vendor shall at all times comply with Kelly’s instructions regarding Personal Data, as
well as all applicable laws, regulations and international accords, treaties, or accords, including without
limitation, the EU/US Safe Harbor program (collectively, “Legal Requirements”), and shall refrain from engaging
in any behavior which renders or is likely to render Kelly in breach of same. Without limiting the generality of
the foregoing, with respect to any data received directly or indirectly from the European Economic Area or from
Kelly’s European affiliates, Vendor shall abide by the Safe Harbor Privacy Principles of the U.S. Department of
Commerce, located at http://www.export.gov/safeharbor, as may be amended from time to time (the “Safe
Harbor Principles”), excluding the Notice, Choice and Enforcement provisions contained within the Safe Harbor
Principles.
Vendor shall take all appropriate legal, organizational, and technical measures to ensure the confidentiality of
Personal Data, and protect Personal Data against accidental or unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access, and against all other unlawful forms of processing, keeping in mind the
nature of such data.
Vendor may only disclose Personal Data to third parties (including Vendor Personnel), who have a need to know
and have signed agreements that require them to protect Personal Data in the same manner as detailed in this
Agreement. Vendor shall hold such third parties with access to Personal Data accountable for violations of this
Agreement, including imposing sanctions, and where appropriate, terminating contracts and employment.
Vendor shall take all reasonable steps to ensure that Personal Data is reliable for its intended use, and is
accurate, complete and current. Immediately upon Kelly’s request, or as otherwise may be necessary to comply
with this Agreement, Vendor shall correct, delete and/or block Personal Data from unauthorized processing
and/or use. Vendor shall promptly notify Kelly’s General Counsel if it receives any requests from an individual
with respect to Personal Data, including but not limited to “opt-out” specifications, information access requests,
information rectification requests and all like requests, and shall not respond to any such requests unless
expressly authorized to do so by Kelly. Vendor shall promptly and properly deal with inquiries and requests from
Kelly in relation to the processing of Personal Data under this Agreement.
Vendor acknowledges that it shall have no right, title or interest in any Personal Data obtained by it as a result of
this Agreement.
3
Confidential to Kelly Services, Inc. and Vendor
R07/13
Vendor shall provide other reasonable assistance and support, and assist and support Kelly in the event of an
investigation by a data protection regulator or similar authority, if and to the extent that such investigation
relates to the collection, maintenance, use, processing or transfer of Personal Data under this Agreement.
Vendor shall provide to Kelly, its authorized representatives and independent inspection body designated by
Kelly, on reasonable notice, (i) access to Vendor's information processing premises and records and (ii)
reasonable assistance and cooperation of Vendor's relevant staff for the purpose of auditing Vendor's compliance
with its obligations under this Agreement.
In the event that Vendor is unable to comply with the obligations stated in this section 11 (b) (Data Privacy and
Security), Vendor shall promptly notify Kelly, and Kelly may take any one or more of the following actions: (i)
suspend the transfer of Personal Data to Vendor; (ii) require Vendor to cease processing Personal Data; (iii)
demand the return or destruction of Personal Data; or (iv) immediately terminate this Agreement.
Upon termination of this Agreement for any reason, Vendor shall promptly contact Kelly for instructions
regarding the return, destruction or other appropriate action with regard to Personal Data.
Security Procedures. Vendor shall maintain reasonable operating standards and security procedures, and shall
use its best efforts to secure Personal Data through the use of appropriate physical and logical security measures
including, but not limited to, appropriate network security and encryption technologies. Vendor shall use
reasonable user identification or password control requirements and other security procedures as may be issued,
from time to time by Kelly in relation to the Personal Data. Vendor shall promptly notify Kelly in the event that
Vendor learns or has reason to believe that any person or entity has breached or attempted to breach Vendor’s
security measures, or gained unauthorized access to Personal Data (“Information Security Breach”). Upon any
such discovery, Vendor will (a) investigate, remediate, and mitigate the effects of the Information Security
Breach, and (b) provide Kelly with assurances reasonably satisfactory to Kelly that such Information Security
Breach will not recur. Additionally, if and to the extent any Information Security Breach or other unauthorized
access, acquisition or disclosure of Personal Information occurs as a result of an act or omission of Vendor or
Vendor’s Personnel, and if Kelly determines that notices (whether in Kelly’s or Vendor’s name) or other remedial
measures (including notice, credit monitoring services, fraud insurance and the establishment of a call center to
respond to customer inquiries) are warranted, Vendor will, at Kelly’s request and at Vendor’s cost and expense,
undertake the aforementioned remedial actions.
6. AUDIT
Upon 30 days notice, Kelly or a 3rd party of their choosing, may audit, copy, and inspect the records,
transactions, and Vendor processes during the term of this agreement, and a period of at least 3 years after the
termination of this agreement, or any Order, whichever occurs last. Vendor will maintain all records pertaining
to services rendered or products delivered for the term of this agreement and for the ensuring 3 year period. In
addition to record maintenance, Vendor will agree to provide 100% of transactions requested for the period
under audit in a database format of either Microsoft Access of Excel. The transactions provided will agree to the
total amount invoiced to Kelly for the period requested. Vendor agrees to review findings identified as a result
of the audit and provide feedback within 30 days after receipt of the audit findings unless a different timeframe
is agreed upon by both parties. Vendor agrees to refund all overcharges identified by Kelly Services or a 3 rd
party auditor within 2 weeks after Vendor feedback has been provided. Kelly, without waiver or limitation of any
rights, may deduct from any amounts due to Vendor in connection with this agreement, or any other Agreement
between Kelly Services and Vendor any audit findings identified during the course of the audit not repaid by
Vendor within the 2 week timeframe. At Kelly’s request, Vendor will at no charge provide Kelly with copies of
any routine SSAE-16 Type I and II audit reports, or any successor reports (“SSAE-16 Reports”) directly related to
the Services provided hereunder.
7. REPRESENTATIONS AND WARRANTIES
Vendor represents and warrants that: (i) its performance under this Agreement will at all times conform to the
highest professional and ethical standards; (ii) due care and its best efforts will be utilized by Vendor in the
performance of this Agreement; (iii) it is under no obligation or restriction that would conflict with the Services
required to be furnished by Vendor and its other obligations under this Agreement, or that otherwise would in
any manner prevent the full performance by Vendor of the terms, conditions, and requirements of this
Agreement (Vendor must immediately disclose to Kelly any actual or potential conflict of interest that may arise
during the Vendor’s performance of this Agreement). In the event Vendor breaches any of the above warranties
in any material respect, Kelly may exercise all rights and remedies available to it under applicable laws and all
other rights and remedies under this Agreement.
4
Confidential to Kelly Services, Inc. and Vendor
R07/13
8. LIMITATION OF LIABILITY
Except with respect to damages arising from sections 5, 9, 13, and 14 herein, neither party is liable to the other
party for incidental, consequential, punitive, or exemplary damages arising in connection with this Agreement or
the performance, omission of performance, or termination hereof including, without limitation, lost sales and
profits and other business interruption damages, even if the party has been advised of the possibility of such
damages and without regard to the nature of the claim or the underlying theory or cause of action (whether in
contract, tort, or otherwise).
9. INDEMNIFICATION
9.1 Vendor’s Obligations
To the fullest extent permitted by law: Vendor must reimburse, indemnify, defend, and hold harmless Kelly,
its subsidiaries and affiliates and each of its subsidiary’s and affiliate’s present, former, and future
shareholders, employees, officers, and directors from and against all loss, damage, expense (including
attorney’s fees and expenses), and penalty, and any claim or action therefore by or on behalf of any person,
(collectively, “Loss”) arising out of or in connection with the performance or failure of performance of this
Agreement including, without limitation, Loss arising out of or occurring in connection with: (i) any acts or
omissions by Vendor or its employees or agents, including, without limitation, personal injury and death
claims; (ii) all claims of Vendor's employees, agents, and subcontractors, whether for injury, death,
compensation, social security, pension, unemployment compensation, etc.; (iii) the provision, ownership,
installation, operation, maintenance, use, or repair of any of the Services; and (iv) all third-party claims
alleging that any of the Services infringes any patent, copyright, trademark, or other proprietary right or
constitutes a misuse of any trade secret information. Vendor will not be relieved of the foregoing indemnity
and related obligations by allegations or any claim that Kelly was negligent; but Vendor is not liable to the
extent any injury or damage is finally judicially determined by a court of competent jurisdiction to have been
proximately caused by the sole negligence or willful act of Kelly.
9.2 Client’s Obligations
Kelly agrees to timely advise Vendor of any suit, claim, or proceeding, and to reasonably cooperate with
Vendor in the defense or settlement of such suit, claim, or proceeding, but Vendor will have sole control
thereof. If an injunction is obtained against Kelly's use of any of the Services, in whole or in part, Vendor
must promptly at Kelly’s option either: (i) procure right to continue using the Services enjoined from use or
replace or modify them so that Vendor’s use or possession is not subject to any such injunction, or (ii)
refund to Kelly all amounts paid to Vendor for the Services. If this indemnification provision is construed by
a court of competent jurisdiction to require indemnification over and above that permitted by applicable law
or public policy, the parties intend that the Agreement be judicially modified to afford Kelly the maximum
indemnification allowed.
10. INSURANCE
Vendor will maintain during the term of this Agreement at least the following types and limits of insurance with
insurers possessing an A.M. Best Rating of not less than A- and authorized to do business under the laws of the
State (s) and/or Country (ies) where work/services are performed:
Workers' Compensation on the Vendor employees, in amounts no less than required by law;
Employer's Liability insurance with a limit of $1,000,000;
Commercial Automobile Liability insurance with a $1,000,000 combined single limit on vehicles owned, leased, or
rented by Vendor;
Commercial General Liability insurance, including bodily injury and property damage, contractual liability, and
products and completed operations, with a $1,000,000 per occurrence, $2,000,000 aggregate;
Excess/Umbrella Liability with a limit of $5,000,000;
If Vendor is working on Kelly premises and has access to Kelly computer systems, software and/or any related
proprietary technology or information, valuable property or equipment, the following insurance coverage is also
required: Crime/Fidelity/Commercial Blanket Bond with limits of $3,000,000 per occurrence;
If Vendor is providing professional services, the following insurance coverage is also required:
Liability/Errors and Omissions insurance with a limit of $3,000,000; and
5
Confidential to Kelly Services, Inc. and Vendor
Professional
R07/13
If Vendor is performing professional information technology services and/or work and has access to Kelly
computer systems, software and/or any related proprietary technology/information, the following insurance
coverage is also required: Cyber Risk/Network Liability/Privacy insurance with a limit of $3 million.
Kelly Services, Inc. is to be included as an additional insured on Vendor’s Commercial General and Automobile
Liability policies. Vendor will provide Kelly with certificates of this insurance coverage evidencing the required
coverage upon signing of this Agreement and upon renewal of the policies describes above.
11. INDEPENDENT CONTRACTOR
Vendor is an independent contractor in the performance of this Agreement, and nothing contained in this
Agreement may be construed to create or constitute a joint venture, partnership, agency, franchise, lease, or
any other arrangement other than as expressly granted in this Agreement. Vendor is responsible for its
operation and any subcontracted operations. Vendor must exercise control over its employees, agents,
representatives, subcontractors, and suppliers and is solely responsible for the verification of identity and
employment eligibility, for the payment of any wages, salaries, or other remuneration of its employees, agents,
representatives, subcontractors, and suppliers, and for the payment of any payroll taxes, contributions for
unemployment or workers compensation, social security, pensions, or annuities that are imposed as a result of
the employment of Vendor's employees, agents, representatives, subcontractors, and suppliers. Vendor must
not pledge credit, incur any obligation or liability, hire any employee, nor purchase any merchandise or services
in the name of Kelly or any subsidiary or affiliate thereof. Unless otherwise provided in this Agreement, all costs,
charges, and expenses incurred in connection with Vendor’s performance of this Agreement must be borne by
Vendor.
12. ASSIGNMENT
Neither party may assign or otherwise transfer its rights, obligations, and/or duties under this Agreement
without the prior written consent of the other party, given at the other party's sole option; but Kelly may assign
this Agreement to a subsidiary or affiliate upon notice to Vendor. Any prohibited assignment is void.
13. INTELLECTUAL PROPERTY
Vendor hereby assigns, conveys, and transfers all right, title, and interest in and to the Services, which include
all related work product of Vendor and its employees, to Kelly. Vendor understands that all Services produced,
developed or otherwise created by Vendor or its employees hereunder are the exclusive property of Kelly.
Consistent with this understanding, Vendor must not use the Services for the benefit of any party other than
Kelly.
If applicable, Vendor warrants that all creators and/or contributors to the Services, including but not limited to,
all persons engaged by Vendor to make any contributions to the Services, were, at the time of the Services'
creation, bona-fide employees of Vendor who made their contributions to the Services within the scope of their
employment as work for hire or that Vendor has obtained and possesses a written assignment of the copyright,
title, and interest from all the creators or contributors not otherwise considered bona-fide employees. Vendor
must maintain an agreement with each of its employees consistent with the obligations set forth in sections 5,
13, and 14 and is responsible for enforcing such agreements. Vendor must provide a copy of such agreement at
the request of Kelly.
14. CONFIDENTIALITY
Both parties acknowledge that they are held to the terms of the mutual nondisclosure agreement signed prior to
the execution of this agreement.
15. ENFORCEABILITY
If any provision of this Agreement is held to be void or unenforceable by any judicial or administrative authority,
or is unlawful or unenforceable under any applicable law, the remaining provisions are considered to be
severable and their enforceability is not to be affected or impaired in any way by reason of such law or holding.
16. INVOICING AND PAYMENT
Vendor will generate a monthly or weekly consolidated invoice for all services set forth in Exhibit A, including any
applicable shipping and administrative fees. One complete copy of the invoice is sent to Kelly’s corporate office
with a statement of activity for the prior period. Kelly will not pay for any services that are invoiced greater than
90 days following the date services are actually performed. All invoices must include, at a minimum, the
following information: (i) Name and address of Vendor; (ii) Invoice number; (iii) Description of Services
6
Confidential to Kelly Services, Inc. and Vendor
R07/13
provided; (iv) Date; and (v) Dollar amount due. Kelly agrees to pay Vendor for Services rendered in the
amounts set forth in Exhibit A after the receipt of a correct invoice from Vendor. Kelly will pay all undisputed
invoice amounts within 45 days of invoice date. Any disputed invoice amounts will be documented in writing
and forwarded to Vendor within 45 days of invoice receipt. Within 45 days of Vendor’s receipt of documentation
of disputed amounts, Vendor will have responded to Kelly’s claim. Upon resolution of disputed items in favor of
Vendor, payment will be remitted within 10 days. If the resolution of disputed items is in favor of Kelly and not
contested, no further action is required.
17. TAXES
Unless otherwise provided for in Exhibit A, or in a Statement of Work, Vendor’s pricing and fees for professional
services are exclusive of applicable federal, state, local and foreign taxes, duties, assessments and levies
attributable to the provision of Vendor’s services. Vendor is solely liable and shall not be allowed to bill Kelly for
any Taxes based on or measured by Vendor’s property, capital, income or receipts.
Any sales, value added, or other tax properly imposed by a jurisdiction in connection with the Vendor’s services
(“Taxes”) shall be the responsibility of the Vendor. Any such Taxes required to be collected by the Vendor must
be separately stated on the invoice unless Kelly provides Vendor with a valid tax exemption certificate. Vendor
will indemnify and hold Kelly harmless from all interest, fines and penalties related to payment of back Taxes
that the Vendor failed to collect.
18. GENERAL
18.1 MOST FAVORED NATION
All of the benefits and terms granted by Vendor herein are at least as favorable as the benefits and terms
granted by Vendor to any previous buyer of the services described in this Agreement. Should Vendor enter
into any subsequent agreement with any other buyer, during the term of this Agreement, which provides for
benefits or terms more favorable than those contained in this Agreement, then this Agreement shall be
deemed to be modified to provide Kelly with those more favorable benefits and terms.
Vendor shall notify Kelly promptly of the existence of such favorable benefits and terms and Kelly shall
immediately have the right to receive the more favorable benefits and terms. If requested in writing by
Kelly, Vendor shall amend this Agreement to contain the more favorable terms and conditions.
18.2 PUBLICITY
<DO NOT WANT TO ALLOW> Neither party shall originate any publicity, news release or other public
announcement relating to this Agreement nor the existence of an arrangement between the Parties without
the prior written approval of the other Party, except as otherwise required by law and upon reasonable
notice to the other Party.
<WILLING TO ALLOW> The parties agree that any press release or public announcements describing
the services to be provided and the relationship created pursuant to this Agreement shall be acceptable
upon mutual agreement by the parties.
18.3 ESCROW OF SOURCE CODE
18.3.1 DEPOSIT
Vendor will place and maintain in escrow with an escrow agent (the “Escrow Agent”) two copies of
the most recent version of the Code.
18.3.2 ESCROW AGENT
The Escrow Agent is intended to be _______________.
18.3.3 UPDATES
So long as Client purchases the Services, Vendor will deliver to the Escrow Agent two complete
copies of the Source Code at least semi-annually, and within thirty (30) days after any change to
the Source Code that materially affects the Services.
18.3.4 RIGHT TO USE SOURCE CODE
The Software shall be released upon the occurrence of any one of the following events (“Release
Conditions”): (i) if the Vendor has ceased operating in the normal course of business; or (ii)
7
Confidential to Kelly Services, Inc. and Vendor
R07/13
Bankruptcy of the Vendor; or (iii) if Vendor is acquired by a competitor to Kelly. Subject to the
terms and conditions of this Agreement and the Release Conditions set forth in this section, Vendor
hereby grants to Client a license to use, copy and create derivative works of the Source Code to
operate, maintain and support the Software (in source and object code form) solely within the
scope of Services provided under this Agreement.
18.4 NOTICES
Any written notice required or permitted to be given hereunder shall be given by: (i) Registered or certified
mail, return receipt requested, postage prepaid; (ii) confirmed facsimile; or (iii) nationally recognized
overnight courier service to the other party at the addresses listed on the cover page or to such other
address or person as a party may designate in writing. All such notices shall be effective upon receipt.
Kelly Address for Notices:
Kelly Services, Inc.
999 W. Big Beaver Road
Troy, MI 48084
Attn: General Counsel
Vendor Address for Notices:
Vendor Name
Address
City, State Zip Code
Attn:
18.5 DIVERSITY
In an effort to promote diverse and minority business growth, Kelly requires that Vendor provide quarterly
reports indicating Tier I or Tier II diverse supplier spend as it relates to their business with Kelly. Reports
are to be directed to the purchasing department after the end of each quarter.
18.6 FORCE MAJEURE
Neither party shall be responsible for delays or failures in performance resulting from acts of God, acts of
civil or military authority, terrorism, fire, flood, strikes, war, epidemics, pandemics, shortage of power, or
other acts or causes reasonably beyond the control of that party. The party experiencing the force majeure
event agrees to give the other party notice promptly following the occurrence of a force majeure event, and
to use diligent efforts to re-commence performance as promptly as commercially practicable.
18.7 NON-SOLICITATION
Neither Party will knowingly, either directly or indirectly, solicit the other party’s employees for employment
without written authorization from the other Party.
18.8 CODE OF CONDUCT
Vendor will use commercially reasonable efforts to ensure that its employees or representatives comply with
its Code of Business Conduct and Ethics and any other policy in relation to corporate gifts, entertainment,
and bribery. Said policies will be made available to Kelly upon request. If either party has reason to believe
their employee or representative has committed a violation of their respective code of business conduct with
respect to the other party, said party will report the suspected violation of the Code of Business Conduct to
the other party in writing.
18.9 AUTHORITY TO CONTRACT
Each person signing below warrants and represents that he/she has full power and authority to execute this
Agreement on behalf of the party he/she represents. Upon request, each party must provide a Certified
Resolution or Certificate of Authority authorizing the undersigned to enter into and sign this Agreement.
18.10 REPRESENT AND WARRANT
Vendor and Kelly each expressly represent and warrant to the other that each has relied solely and
exclusively on its own judgment and the advice of its own attorneys in entering into this Agreement, and
that no representative or agent of the other has made any statement or representation to it beyond those in
this Agreement that have induced signing of this Agreement.
8
Confidential to Kelly Services, Inc. and Vendor
R07/13
18.11 AGREEMENT FINAL AND COMPLETE
This Agreement is the final and complete agreement between Kelly and Vendor with respect to the subject
matter hereof. No representations, inducements, promises, or understandings in relation to the subject
matter hereof, whether oral or written, exist unless expressly set forth in this Agreement, and this
Agreement supersedes all prior understandings, agreements, contracts, or arrangements between the
parties, whether oral or written, unless otherwise expressly incorporated in this Agreement. No agreement
or other understanding purporting to add to or to modify the terms and conditions hereof is binding unless
agreed to by duly authorized representatives of the parties in writing. Any terms or conditions in any forms
of the parties used in the performance of this Agreement that are in conflict with the terms and conditions
hereof are void.
18.12 BUSINESS DOWNTURN
In the event Kelly establishes to vendor’s satisfaction that: a) Kelly is unable to meet the Annual Volume
Commitment, notwithstanding Kelly’s best efforts to do so; and b) such failure results solely from a business
downturn beyond the Kelly’s control, which materially and permanently reduces the size or scope of Kelly’s
operations and the volume of Services required by Kelly hereunder. By way of illustration and not by
limitation, Business Downturn shall not include a change in Kelly’s usage of Services hereunder resulting
from a decision by Kelly to reduce its overall use of services, to alter its architecture, or to transfer portions
of its traffic or projected growth to other suppliers.
18.13 ARMS LENGTH TRANSACTION
This is an arms-length transaction and relationship. There exist no implied or otherwise unstated
covenants, rights, or obligations by, of or against either party. The parties expressly disclaim the existence
of any implied covenant of good faith and/or fair dealing.
9
Confidential to Kelly Services, Inc. and Vendor
R07/13
DESCRIPTION OF SERVICES
EXHIBIT A
10
Confidential to Kelly Services, Inc. and Vendor
R07/13
PRICING
EXHIBIT B
11
Confidential to Kelly Services, Inc. and Vendor
R07/13
SERVICE LEVEL AGREEMENT
EXHIBIT C
12
Confidential to Kelly Services, Inc. and Vendor
R07/13
IMPLEMENTATION
EXHIBIT D
13
Confidential to Kelly Services, Inc. and Vendor
R07/13
REPORTING
EXHIBIT E
14
Confidential to Kelly Services, Inc. and Vendor
R07/13
INFORMATION SECURITY AND PRIVACY COMPLIANCE
ATTACHMENT 1
This Information Protection, Security and Privacy Attachment (“Attachment 1”) sets forth certain duties and
obligations of the Supplier (as defined below) with respect to the protection, security and privacy of Kelly
Services Information in the course of performance under the Agreement that includes this Attachment. In the
event of a conflict between this Exhibit and other parts of this Agreement, the parties agree that this Attachment
shall supersede and control.
A.
Definitions
“Agreement” means the agreement between the Supplier or other party contracting with Kelly Services that
by its terms expressly includes this Exhibit as an attachment.
“Kelly Services Customer” means any third party (including individuals and entities) with a relationship to
Kelly Services and/or its business, products or services, including without limitation, actual and prospective
business customers.
“Kelly Services Information” means any Kelly Services Records or data of Kelly Services in the possession
of, or accessible by, Supplier or its computer or communication system(s), including Personal Data of any
kind.
“Kelly Services Personnel” means Kelly Services employees, officers, directors, agents, contract workers
and subcontractors, the family members of such persons, applicants for employment at Kelly Services and
applicants seeking to work as a Kelly Services contract worker or subcontractor, and also includes all such
persons when associated with Kelly Services affiliates.
“Malicious Code” means any computer instructions in Software that are not intended to provide the
functionality described in the Software specifications and that interfere with Kelly Services’ right to fully utilize
its license to the Software or interfere with or prevent Kelly Services’ use of the Software as contemplated in
this Agreement. Malicious Code includes without limitation such computer instructions commonly known as
computer viruses, “Trojan horses,” anomalies, self-destruction mechanisms, copy protection schemes, and
any other computer instructions that interfere with or prevent Kelly Services from using the Kelly Services
Information or Software as described in its specifications or as contemplated in this Agreement. Malicious
Code also includes without limitation any computer instructions that can: (i) disable, destroy, or otherwise
alter the Kelly Services Information or any hardware on which the Software executes; or (ii) reveal any data
or other information accessed through or processed by the Software to anyone outside of Kelly Services
without Kelly Services’ knowledge and prior approval.
“Patches” shall mean software update code provided by specific vendors to correct an identified vulnerability
within Software or on Supplier’s system, computer, network, or other equipment.
“Personal Data” means any information relating to a natural identifiable person, whether the person
identified is an employee, employee family member, applicant, consumer, customer, supplier, partner,
potential partner, or other individual and expressly includes Kelly Services Customers and Kelly Services
Personnel. An identifiable person is one who can be identified, directly or indirectly, in particular by reference
to an identification number or to one or more factors specific to his physical, physiological, mental, economic,
cultural or social identity. Personal Data includes both General Data and Sensitive Data:
a.
General Data includes, without limitation, the following types of information: names, dates of
birth, Social Security Numbers (SSN's) and related government/national identification numbers
(including tax identification numbers), home and business addresses, home and business email
addresses, home and business telephone numbers, employee ID numbers (e.g. core ID, Commerce
ID, etc), credit card numbers, and passwords.
b.
Sensitive Data includes, without limitation, the following types of information: racial or ethnic
origin, religious or philosophical beliefs, political affiliations/opinions, trade union membership,
medical or health-related Records, sexual orientation, disabilities, and background checks.
15
Confidential to Kelly Services, Inc. and Vendor
R07/13
“Privacy Laws” means all federal, state, and local U.S. or foreign laws, regulations, and/or rules relating to
Personal Data and other data privacy and data protection, as they may be enacted, adopted or amended
from time to time.
“Processing of Personal Data” means any operation or set of operations that is performed upon Personal
Data, and includes, without limitation, the following: access, collection, use, retention, copying, recording,
organization, storage, adaptation or alteration, retrieval, transmission, dissemination or otherwise making
available, and/or disposal or destruction of Personal Data.
“Record” means any recorded information used by Kelly Services that has value to Kelly Services for
conducting its business or meeting its legal obligations. This includes information created or received in any
form, including e-mails, paper documents, electronic documents, data base or application information, and
other electronic or photographic media.
“Security Incident” means the unauthorized access, use, alteration, destruction, or other Processing of,
or other compromise or breach of security (electronic or physical) involving or related to any Kelly Services
Information. Security Incidents include, but are not limited to, information system failures and loss of
service, denial of service, errors resulting from incomplete or inaccurate business data, and breaches of
confidentiality. Security Incidents will be considered confidential and will be treated in accordance with the
confidentiality requirements of this Agreement, except notice to Kelly Services Personnel, Kelly Services
Customers, or other parties pursuant to Privacy Laws or Kelly Services policy.
“Security Vulnerability” means a weakness at the network services, operating system, or application
level, or within associated functions of networks, computer systems, or Software that could allow a Security
Incident to occur. Security Vulnerabilities also include physical vulnerabilities to the premises containing or
permitting access to Kelly Services Information.
“Software” means computer software and related documentation as defined in this Agreement, or if none,
computer programs consisting of a series of instructions, algorithms, lines of code, application program
interfaces and statements in object code or source code form, along with any related materials and
technical data, and all textual material relating to and necessary for use of such programs, including without
limitation, flow charts, operating instructions, user manuals and related technical information and
modifications of such documentation.
“Supplier” means such supplier, vendor, or other business partner defined as a party in the Agreement
and obligated under this Attachment.
B.
Security Requirements
1.
Supplier will have full responsibility to implement and maintain reasonable information systems for
electronic and other media that are reasonably suitable to protect the security of Kelly Services
Information, and to comply with this Exhibit and the Agreement, including without limitation,
physical, network, host, web, application, and data security.
2.
Supplier will maintain reasonable security precautions consistent with industry best practices and
identify in writing and make available, upon request, to Kelly Services the system security standards
and documented processes used to reasonably secure Supplier’s systems. Supplier will meet the
minimum security and privacy standards of International Standard ISO 27001 and 27002, and Safe
Harbor.
3.
Supplier will provide annual, upon request, to Kelly Services, SAS70 Type II or SSAE-16 report that
includes, but not limited, to process and technology controls within the scope of services provided to
Kelly Services.
4.
To the extent Supplier Processes Personal Data, Supplier will meet or exceed the information security
requirements set forth in this Exhibit.
5.
Supplier will monitor for Security Incidents on the basis of 24 hours per day by 7 days per week by
365 days per year.
6.
Supplier will logically and/or physically segregate Kelly Services’ Personal Data from the data of any
third party.
16
Confidential to Kelly Services, Inc. and Vendor
R07/13
7.
Supplier will encrypt (utilizing strong encryption) Kelly Services’ Personal Data if it is stored on
laptops or portable media devices (e.g., USB drives, CD-ROMs, DVDs, backup tapes, etc.).
8.
Supplier will, unless a longer retention period is required by law, provide all Kelly Services’ Personal
Data to Kelly or upon request by Kelly, destroy all copies thereof in a manner to ensure that no
restoration of such data is possible upon the earlier of (i) termination of the Agreement in relation to
which the Kelly Services’ Personal Data was used; or, (ii) the purpose for which the Kelly Services’
Personal Data is being used has been completed (and, prior to disposal of any equipment on which
Kelly Services Personal Data has been stored or processed, Supplier shall comply with “NIST
Guidelines for Media Sanitization (Draft SP 800-88)”.
9.
Supplier will have a Security Incident response process in place to manage and to take immediate
corrective action for any Security Incident as identified in Section D of this Exhibit.
10. Supplier will implement and provide a copy annually, upon request, of disaster recovery/business
continuity plan to protect Kelly Services critical business processes from failing as a result of the
effects of any major failure or disaster.
11. Supplier will inform Kelly Services promptly in writing of the occurrence of any unauthorized access,
use, violation, compromise or breach of security (electronic or physical), other than incidental events
not intended to cause a security breach, involving or related to information of other customers or
other third parties (without being obligated to identify third parties by name) involving the computing
environment, information or communication systems, facilities or transportation means involved in
Processing Kelly Services Information.
12. Supplier will not transfer any Kelly Services’ Information to any 3rd party without the expressed
approval in writing from Kelly Services.
13. Supplier will be responsible for all costs incurred by Supplier and Kelly Services for security breach
remediation activity, as defined in Section D, for security breaches within the scope of Supplier’s
services.
C.
D.
Representation and Warranties
1.
Supplier represents and warrants that it has taken commercially reasonable actions to ensure that
Kelly Services Information is protected against any and all reasonably anticipated Security Incidents
and Security Vulnerabilities.
2.
Supplier represents and warrants that its systems are monitored for Security Incidents on the basis of
24 hours per day by 7 days per week by 365 days per year.
3.
Supplier represents and warrants that it has a Security Incident response process to manage and to
take immediate corrective action for any Security Incident, including Malicious Code.
4.
Supplier will provide certification of compliance to this Information Security and Privacy Compliance
Exhibit by either obtaining such certification from an independent information security service
company or through an annual self-assessment, as approved by Kelly Services.
5.
Supplier expressly warrants that its Processing of Kelly Services’ Personal Data will comply with all
applicable Privacy Laws.
Security Incident Notice
1.
Initial Notification of Security Incident:
Supplier shall notify the Kelly Services’ Global Security Department immediately of any security
incidents via the Kelly Services’ 24x7 Security Hotline at: +1 (248)-244-4250 within one (1) hour
of Supplier’s becoming aware of a Security Incident. Additionally, within twenty-four (24) hours of
Supplier becoming aware of a Security Incident, Supplier shall also notify Kelly Services in writing
via email to: Global.Security@KellyServices.com
17
Confidential to Kelly Services, Inc. and Vendor
R07/13
2.
Subsequent Reports and Notifications:
After the initial notification, Supplier shall subsequently notify the Kelly Services’ Global Security
Department of any security incidents, as required below, via the 24x7 Security Hotline at: +1
(248)-244-4250. Additionally, as required below, Supplier shall notify Kelly Services via email of
all Security Incidents and shall provide all written reports as follows:
3.
Security Incident Resolution Times:
In the event of a Security Incident, Supplier shall use continuous efforts to correct the Security
Incident immediately and notify Kelly Services’ Security Hotline upon resolution +1 (248)-2444250.
4.
Interim Status Reports
Supplier shall provide Kelly Services with an interim written status report of each Security Incident
within 4 hours, and at agreed upon intervals thereafter, based on the agreed upon severity of the
incident and such report shall include:








5.
Date of Security Incident
Brief description of Security Incident including known or suspected cause
Supplier Incident Coordinator
Kelly Services Incident Coordinator they are working with
Impact of the Security Incident to Kelly Services, including, if applicable, type of information
that was breached
Supplier’s Response Plan to this particular Incident
 What has been done so far
 What needs to be done/action items
Current Status
Expected timeframe for full service restoration
Final Report
Supplier shall provide Kelly Services with a final written report of each Security Incident within (3)
business days of resolution or a determination that the problem cannot be satisfactorily resolved
within such time period and such report shall include:








Supplier’s Name
Supplier’s Incident Coordinator and contact information
Kelly Services Incident Coordinator
Date Incident Occurred
Length of Outage
Incident Executive Overview
Incident Details:
•
List of individuals and other third parties that were involved with any aspect of the
incident handling (sometimes various services of an ISP are themselves outsourced to
another third-party)
•
How/when the incident was initially detected
•
When/How the incident was initially reported to Kelly Services
•
Description of what resources/services were impacted
•
Description of impact of Security Incident to Kelly Services (volume and type where
applicable)
•
Containment – How was the incident contained
•
Root Cause - What was the cause for disruption
•
Corrective Action During the Incident – What steps were taken to reduce exposure during
the incident (in most cases, there are interim steps taken to reduce exposure, e.g.,
Filtering, rerouting services, etc.).
•
Permanent Corrective Action/Preventative measures – What permanent corrective actions
have been put in place as a result of this incident
Conclusion
18
Confidential to Kelly Services, Inc. and Vendor
R07/13
E.
Post Mortem Reviews
Supplier shall coordinate the scheduling of a Post Mortem Review with the Kelly Services Incident
Coordinator. This review should be scheduled within seven (7) business days of the resolution of the
incident or a determination that the problem cannot be satisfactorily resolved within such time period.
F.
Security Vulnerability
Security Vulnerability Classification: Supplier shall classify a Security Vulnerability as critical risk, high risk,
medium risk, or low risk, as follows:

Critical Risk Vulnerability
A vulnerability that has a high probability of or actively being widely exploited in a manner
disruptive to normal business operations based on these factors: the vulnerability can be
exploited through the network without human intervention; the vulnerability is easily exploited
and takes limited technical knowledge; an exploit of a vulnerability is subject to worms;
software code scripts are widely known and easily available to exploit this vulnerability; the
vulnerability is popular and well known in the technical and Internet community; the
vulnerability could allow broad exposure/compromise of confidential information or a massive
denial of service or disruption of service.

High Risk Vulnerability
A vulnerability that has a high probability of being exercised based on these factors: the
vulnerability is easily exploited and takes limited technical knowledge; software code scripts
are widely known and easily available to exploit this vulnerability; the vulnerability is popular
and well known in the technical and Internet community; the vulnerability could allow broad
exposure/compromise of confidential information or a massive denial of service or disruption
of service.

Medium Risk Vulnerability
A vulnerability that has a lower probability of being exercised based on these factors: the
vulnerability is more complex to exploit and takes a higher degree of technical knowledge; the
vulnerability does not have broad popularity in the technical and Internet community; the
vulnerability could allow a more limited exposure/compromise of confidential information or a
contained and limited denial of service or disruption of service.

Low Risk Vulnerability
A vulnerability that has a low probability of being exercised based on these factors: the
vulnerability is very complex to exploit and takes a high degree of technical knowledge; the
vulnerability does not have broad popularity in the technical and Internet community; the
vulnerability could allow a very limited exposure/compromise of confidential information or a
very limited denial of service or disruption of service.
G.
Security Vulnerability Correction Completion Times
19
Confidential to Kelly Services, Inc. and Vendor
R07/13
Security Vulnerabilities shall be corrected within the following timeframes. Supplier may use
patches and other software update code to correct an identified vulnerability on a system,
computer, network, or other computer equipment to correct Security Vulnerabilities.
Vulnerability
Correction Completion Times
Critical Risk
Immediate correction up to seven (7) calendar days of
critical vendor patch release announcement, notification
from Kelly Services, or discovered security breach,
whichever is earlier.
High Risk
within seven (7) calendar days of vendor patch release, or
discovered security breach, whichever is earlier
Medium Risk
within one (1) month of occurrence
Low Risk
within three (3) months of occurrence
H. Suppliers’ Vulnerability and Penetration Testing
1.
Supplier shall conduct or arrange for an annual vulnerability assessment and penetration testing of
Supplier’s security processes and procedures, including vulnerability assessment and penetration
testing of its services and deliverables under the Agreement, in order to identify potential Security
Vulnerabilities (“Testing”). Supplier shall conduct or arrange for this Testing on all computers and
systems used directly or indirectly in support of Kelly Services business, including those of any
subcontractors of Supplier.
2.
Supplier shall select an independent, qualified vendor to conduct the Testing, such vendor to be
reasonably acceptable to Kelly Services.
3.
Supplier shall provide Kelly Services with a written report summarizing:


I.
Results of the Testing
Any risks identified during the Testing, including:
•
Classification of Security Vulnerability as critical risk, high risk, medium risk, or low risk
•
Detailed description of any Security Vulnerability
•
Corrective action taken or plan of action for correction of any identified Security
Vulnerability, including date of final resolution
4.
Supplier shall correct any identified Security Vulnerability
5.
All Testing conducted by Supplier will be subject to appropriate non-disclosure and confidentiality
obligations.
Kelly Services’ Security Assessment and Audit Rights
1.
Kelly Services reserves the right to request, at any time and upon reasonable notice, a security
assessment or audit for verification of Supplier’s security processes and procedures, including
vulnerability assessment and penetration testing of its services, deliverables, and protection of
Personal Data under the Agreement, as stated in this Exhibit, in order to identify potential security
breaches.
2.
Kelly Services will request the Supplier to provide a written report summarizing:


Results of the Security Assessment
Any risks identified during the Security Assessment, including:
•
Classification of any Security Vulnerability as critical risk, high risk, medium risk, or low
risk
•
Detailed description of any Security Vulnerability
20
Confidential to Kelly Services, Inc. and Vendor
R07/13
•
J.
Recommended corrective action for any identified Security Vulnerability.
3.
Supplier shall correct any identified Security Vulnerabilities within the timeframe as stated in Section
G.
4.
All Security Assessments conducted by Kelly Services will be subject to appropriate non-disclosure
and confidentiality obligations.
5.
If Kelly Services’ Security Assessment reveals that Supplier’s processes and procedures do not meet
the minimum standards of ISO 27001 or if the SAS70 Type II/SSAE-16 report shows deficiencies,
then Supplier shall promptly take appropriate actions to change its processes and procedures to
conform to such standards and will work with Kelly Services to implement such changes in a timely
manner. If Supplier does not implement such changes to conform to ISO 27001 standards or
rectify deficiencies found in the SAS70 Type II/SSAE-16 report within sixty (60) days, then Kelly
Services, at its option, may terminate the Work as defined in the agreement and/or the applicable
SOW at no cost to Kelly Services.
Incident Logs
1. Supplier shall maintain logs of all Security Incidents and will make the logs available for Kelly
Services’ review, upon request, (including review via electronic access), monthly or such
other time period as may be agreed.
K. Malicious Code Protection
1.
L.
Supplier shall develop and maintain a documented process for installation and maintenance of Malicious
Code protection software for all computer systems used directly or indirectly in support of Kelly Services
business. Such process shall include, at a minimum:
a. Active virus detection software installed with real-time protection enabled
b. Automated processes to apply latest virus definitions to all computer systems
c. Supplier shall ensure itself and its subcontractors at any tier have completed successfully
secure code training based on the Open Web Application Security Project (OWASP) or
similar standard. Certification of completion of such training shall be provided to Kelly
Services, upon request.
Third Parties
Supplier will contractually require all third parties, including subcontractors, with access to
Kelly Services Information to adhere to the security requirements of this Exhibit.
At a
minimum, third party agreements should contain an acknowledgement that the third party is
responsible for protecting Kelly Services Information in its possession, that the Kelly Services
Information can only be used for assisting in the completion of the contract objectives and
acknowledging that the audit provisions described in this Exhibit fully apply to them, their
systems, and their premises beyond the termination of the contract.
M. Special provisioning related to personal data of Kelly Services Personnel and Kelly Services
Customers
In the event Supplier has, or in the course of performance under this Agreement, will process Kelly Services
Information that includes Personal Data regarding Kelly Services Customers or Kelly Services Personnel,
then Supplier and its employees, officers, directors, agents, contract workers and/or others acting on its
behalf or under its control may not Process Personal Data except as required for purposes of fulfilling the
express purposes of this Agreement. Without limiting the requirements of this Exhibit, the special provisions
set forth below will apply to Personal Data regarding Kelly Services Customers and Kelly Services Personnel.
21
Confidential to Kelly Services, Inc. and Vendor
R07/13
1.
Privacy Laws - Any Personal Data Processed by the Supplier in the course of performing its Services
under this Agreement or as part of any deliverable or other information provided to Kelly Services will
be processed and protected in accordance with all applicable Privacy Laws. Supplier expressly warrants
that its Processing of Personal Data will comply with all Privacy Laws. Supplier will at all times perform
its obligations under this Agreement in such a manner as to not, by its actions, or inaction contrary to
this Agreement, cause Kelly Services to be in violation of applicable Privacy Laws.
2.
Ownership and Information Integrity - All Personal Data Processed by the Supplier is and will remain
the exclusive property of Kelly Services. Supplier will Process Personal Data only for the benefit of Kelly
Services, and only to the extent strictly necessary to perform its obligations under this Agreement, or as
otherwise required by law. Supplier may not otherwise use or modify the Personal Data, merge it with
other data or information, commercially exploit it, disclose it or take any other actions that may in any
manner adversely affect the integrity, security or confidentiality of such Personal Data, other than for
purposes of performance under this Agreement or as otherwise directed by Kelly Services in writing.
3.
Responsibility and Safeguards - Supplier will be fully responsible for any unauthorized Processing of
Personal Data in any physical, electronic or other form. Without limitation, Supplier will employ
administrative, physical, and electronic safeguards (including safeguards against Malicious Code and
other disabling or damaging codes) that (i) prevent the unauthorized Processing of Personal Data of
Kelly Services Customers or Kelly Services Personnel, and (ii) meet or exceed industry standards, as set
forth in ISO 27001 and 27002 regarding such safeguards. Particular requirements may be substituted
or waived by Kelly Services in writing upon consultation with Supplier, referencing this Exhibit. Supplier
will ensure, without limitation, the following:
a.
Delineation and Identification of Personal Data - Taking all necessary steps and implementing all
appropriate processes to delineate and identify Personal Data for special handling within Supplier’s
organization, including supplemental controls over certain types of Personal Data more particularly
regulated by Privacy Laws such as the limitation on use of SSN’s and related government/national
identification numbers, and, where applicable, the requirement to obtain consent for the disclosure
or other Processing of Personal Data.
b.
Secure Servers and Maintenance - Ensuring that all physical, network, host, web and data sites in
which Personal Data is stored are: (i) maintained in a secure manner that satisfies all the
requirements of this Exhibit; and (ii) identified to Kelly Services.
c.
Restricted Access - Ensuring that Personal Data will be accessible only by authorized Supplier
employees, officers, directors, agents, contract workers and others who have a legitimate business
need to access such information, with suitable user authentication, sign-on and access controls
that satisfy the requirements of this Exhibit. Kelly Services employees, contractors, and customers
must have reasonable access to their own personal information and be able to correct or amend
where it is inaccurate.
d.
Encryption of Personal Data (Transmission) - When Processing Personal Data, connections to Kelly
Services computing environments and any other transmission via data transmission services or
using the Internet will be protected using any of the following cryptographic technologies: IPSec,
SSL, SSH/SCP, PGP, or other technologies that provide substantially similar or greater levels of
security. Encryption algorithms will be of sufficient strength to protect data to commercially
reasonable security levels and will utilize industry recognized hashing functions. Transmission may
not use any cryptography algorithms developed internally by or for Supplier. Encryption must be in
full compliance with export laws applicable to the Kelly Services Information being transmitted.
e.
Encryption of Personal Data (Storage) - Storage, back-up or other retention of Personal Data at
rest will be protected using one or more of the encryption technologies approved in this Exhibit for
data transmission.
f.
Data Segregation (Virtual) - Maintaining capability to segregate and isolate Personal Data and
disable functionality of applications using it, so it can be returned upon request by Kelly Services or
in the event of a Security Incident.
22
Confidential to Kelly Services, Inc. and Vendor
R07/13
g.
Data Segregation (Physical) - Physically and electronically segregating Kelly Services Personal Data
by logically isolating it from third party and internal Supplier information, and deploying suitable
application controls, firewalls, air-gaps or private circuits so that Personal Data will not be
commingled or corrupted by data from other sources.
h.
Back-up, Emergency/Disaster Recovery Systems - Applying the requirements to Personal Data
stored on back-up media, servers or repositories, transported, or transmitted, stored or recovered
as part emergency or disaster recovery systems maintained by or for Supplier.
i.
Information Retention and Disposal - (i) Cooperating with Kelly Services in administering its
retention requirements concerning Kelly Services Information and employing Record controls
required to enable such compliance, and (ii) returning or if authorized by Kelly Services, discarding,
destroying and otherwise disposing of Personal Data in a secure manner to prevent unauthorized
Processing of Personal Data consistent with Kelly Services’ policies and applicable law.
j.
Media in Transit -Not permitting Personal Data to be transmitted, or stored for transfer and then
subsequently transported on physical media such as flash memory, computer hard drives,
removable disks, tapes, or other media, without encryption and other reasonable security
measures restricting access and use as required by this Exhibit.
k.
Employee Training - At Supplier’s expense, training its employees, officers, directors, agents and
contract workers and others with access to Personal Data regarding the Supplier’s privacy
protection and security obligations under this Agreement and generally concerning privacy and
Personal Data.
l.
Heightened Security Attention for Employees Handling Personal Data – Conducting heightened
screening and evaluation processes for Supplier’s employees, officers, directors, agents and
contract workers and others with access to Personal Data. Examples may include without
limitation, reference and background checks and adding security responsibilities to position
qualifications, performance appraisals and compensation programs.
m. Privacy Assessments - As stated in Section J, upon request from Kelly Services, Supplier will
conduct or arrange, at Supplier’s expense, reasonable assessments of Supplier’s information,
security and protection practices and capabilities relating to Personal Data, and provide such
reports as may be reasonably requested by Kelly Services. Supplier will also assist and cooperate
in responding to any privacy assessments Kelly Services may reasonably request relating to the
security and protection of Kelly Services Information.
n.
Data Transfer to and From Third Parties Outside of Originating Country - Ensuring that no Personal
Data is transmitted or permitted to be accessed from outside the country of its origin without
determining requirements of and complying with the Privacy Laws in the originating and
destination countries.
o.
Periodic Adjustment - Supplier shall regularly monitor, evaluate, and adjust, as appropriate, its
Security Program in light of any relevant changes in applicable law and regulations, technology,
internal or external threats to Kelly Services Data, requests from Kelly Services, and Supplier’s own
changing business arrangements, such as mergers and acquisitions, alliances and joint ventures,
outsourcing arrangements, and changes to information systems.
p.
System Changes - Supplier shall make no system change that may adversely affect the security of
the system or the security of Kelly Services Information.
q.
Choice – suppliers will ensure processes and applications within scope of services utilized to
support Kelly Services has the flexibility to allow for Kelly Services employees, customers, and
contractors can opt out from their personal information from being processed.
r.
Notification – supplier shall notify Kelly services employees, customers, and contractors the
collection and usage of personal information and allow for the ability to contact for opting out,
inquiries, or complaints. This information must be conspicuously displayed in clear language.
23
Confidential to Kelly Services, Inc. and Vendor
R07/13
s.
Onward Transfer – supplier shall disclose Kelly Services customer, employee, contractor personal
information to third parties only consistent with the principles of Notification and Choice (section q
and r above).
Remedies:
For the avoidance of doubt, failure to comply with the requirements of this Exhibit is a failure to
perform under this Agreement and subject to any provisions for breach set forth in this Agreement.
In addition to any remedies otherwise available, Supplier, at its sole expense, will be responsible
for and redress any damages or costs caused by, and take all reasonable steps to cure, such failure
to perform, and will implement all corrective actions reasonably required to prevent such
deficiencies and occurrences applicable to Supplier’s further performance under this Agreement.
24
Confidential to Kelly Services, Inc. and Vendor
R07/13