VENDOR SERVICES AGREEMENT Agreement entered into this _____ day of _______________, ________ by and between Kelly Services, Inc., having its principal place of business at 999 West Big Beaver Road, Troy, Michigan 48084 ("Kelly"), and ________________________________________, having its principal place of business at __________________________________________________ ("Vendor"). In consideration of the mutual covenants, terms, and conditions herein contained, the parties agree as follows: DEFINITIONS. As used herein, the following terms shall have the meanings ascribed to them as set forth below: 1. SERVICES. The services and other materials provided to Kelly by Vendor (collectively, the “Services”) are described, and must be provided at the times and in the manner set forth in, Exhibit A attached hereto and incorporated herein by this reference. 1.1 SCOPE OF SERVICES. 1.2 ATTACHMENTS TO AGREEMENT 1.2.1 Exhibit A: Description of Services 1.2.2 Exhibit B: Pricing 1.2.3 Exhibit C: Service Level Agreement 1.2.4 Exhibit D: Implementation 1.2.5 Exhibit E: Reporting 1.2.6 Attachment 1: Information Security and Privacy Compliance 2. TERM This Agreement is binding on the parties upon full signing hereof. The term of the Agreement commences ___________________, ________ (the “Effective Date”) and shall remain in effect remains in effect for _____ years (the “Initial Term”) expiring on ___________________, ________ (the “Expiration Date”). 2.1 Extension of Term. The term may be extended or renewed for an additional term (“Renewal Term”) only by written agreement of the parties. If the term of the Agreement expires without being formally renewed or extended, both parties may continue to perform as set forth in this Agreement on a month-to-month basis until terminated by either party with thirty (30) days prior written notice. 2.2 Termination for Convenience Kelly may terminate this agreement, (in whole or in part), without penalty, at any time by giving the vendor notice of the termination at least thirty (30) days prior to the termination date specified in the notice. 2.3 Termination for Cause 2.3.1 Kelly Termination Kelly may terminate this agreement if Vendor fails to perform any of its material obligations under this agreement and does not cure such failure within thirty (30) days after being given notice specifying the nature of the failure. Without limiting this Subsection, repeated breaches by Vendor of its duties or obligations under this Agreement, or Vendor’s failure to achieve the Service Levels shall each be deemed a material breach of this agreement. 1 Confidential to Kelly Services, Inc. and Vendor R07/13 2.3.2 Vendor Termination Vendor may terminate this agreement by giving notice to Client if Client fails to pay undisputed Fees for a period of three (3) months or more and fails to make such payment within thirty (30) days after being given notice of such failure. 2.4 Sale of Business to Client Competitor If Vendor enters into an agreement to sell all or substantially all of its business to a direct competitor of Kelly, Vendor must inform Kelly prior to completion of the sale of this transaction. Under this circumstance, Client can immediately terminate the agreement such that any data Kelly deems to be confidential or proprietary can be destroyed before ownership changes hands. 2.5 Discontinuance of Services Upon receipt of any termination notice, Vendor shall discontinue the Services on the date and to the extent specified in the notice. Vendor shall be paid for the actual costs incurred during performance hereunder, up to the termination date specified in said notice, any costs not previously reimbursed by Kelly to the extent such costs are actual, necessary, reasonable and verifiable costs which have been incurred by Vendor and which are otherwise reimbursable hereunder. In no event shall such cost include unabsorbed overhead or anticipated profit. 3. GOVERNING LAW AND JURISDICTION THIS AGREEMENT, AND ALL OTHER ASPECTS OF THE BUSINESS RELATIONSHIP BETWEEN THE PARTIES, IS CONSTRUED, INTERPRETED, AND ENFORCED UNDER AND IN ACCORDANCE WITH THE LAWS OF THE STATE OF MICHIGAN WITHOUT REGARD TO CHOICE OF LAW PROVISIONS. VENDOR AGREES, WITH RESPECT TO ANY LITIGATION ARISING DIRECTLY OR INDIRECTLY OUT OF, OR THAT IN ANY WAY RELATES TO, THIS AGREEMENT, THE BUSINESS RELATIONSHIP OR ANY OTHER TRANSACTION, MATTER, OR ISSUE BETWEEN THE PARTIES, TO COMMENCE IT EXCLUSIVELY IN THE STATE OF MICHIGAN COURTS OF OAKLAND COUNTY, MICHIGAN OR THE UNITED STATES DISTRICT COURT AT DETROIT, MICHIGAN, AND VENDOR BY THIS AGREEMENT CONSENTS TO THE JURISDICTION OF THESE COURTS. 4. COMPLIANCE WITH LAWS Vendor shall comply with all applicable national, multi-jurisdictional, federal, state, and local laws, rules, statutes, treaties, regulations and orders, including compliance with Kelly’s current privacy policy and Safe Harbor certification requirements and local data protection and privacy laws. 4.1 FOREIGN CORRUPT PRACTICES ACT (FCPA). Vendor shall, and shall be responsible for ensuring that its representatives and subcontractors shall, perform all obligations of Vendor under the Agreement in compliance with all laws, rules, regulations and other legal requirements. Vendor represents and warrants that it is familiar with all applicable domestic and foreign antibribery or anticorruption laws, including those prohibiting Vendor, and, if applicable, its officers, employees, agents and others working on its behalf, from taking corrupt actions in furtherance of an offer, payment, promise to pay or authorization of the payment of anything of value, including but not limited to cash, checks, wire transfers, tangible and intangible gifts, favors, services, and those entertainment and travel expenses that go beyond what is reasonable and customary and of modest value, to: (i) an executive, official, employee or agent of a governmental department, agency or instrumentality, (ii) a director, officer, employee or agent of a wholly or partially government-owned or -controlled company or business, (iii) a political party or official thereof, or candidate for political office, (iv) an executive, official, employee or agent of a public international organization (e.g., the International Monetary Fund or the World Bank) (“Government Official”) or (v) any executive, officer, employee of agent of a third party; while knowing or having a reasonable belief that all or some portion will be used for the purpose of: (a) influencing any act, decision or failure to act by a Government Official in his or her official capacity, (b) inducing a Government Official to use his or her influence with a government or instrumentality to affect any act or decision of such government or entity, or (c) securing an improper advantage; in order to obtain, retain, or direct business. Vendor represents and warrants that it and its subcontractors would now be in compliance with all applicable domestic or foreign anti-bribery or anticorruption laws, including those prohibiting the bribery of Government Officials, and will remain in compliance with all applicable laws; that it will not authorize, offer 2 Confidential to Kelly Services, Inc. and Vendor R07/13 or make payments directly or indirectly to any Government Official; and that no part of the payments received by it will be used for any purpose that could constitute a violation of any applicable laws. 4.2 MASSACHUSETTS STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION. Vendor acknowledges that to the extent it maintains or has access to any Personal Information (“PI”) of any individual that resides in the Commonwealth of Massachusetts, Vendor is obligated to comply with the Massachusetts Office of Consumer Affairs and Business Regulation Standards for the Protection of Personal Information, 201 CMR 17.00 (“Massachusetts PI Standards”). PI is described as a Massachusetts resident’s first and last name in combination with one or more of the following: Social Security Number; driver’s license number or state-issued identification card; or financial account number, or credit card number, or debit card number. Vendor represents and warrants that from the Effective Date of this Agreement and for so long as it has PI of Massachusetts residents thereafter, even after termination of this Agreement, (i) Vendor shall be in compliance with the Massachusetts PI Standards and shall remain in compliance with such Standards as amended from time to time and (ii) that Vendor shall notify Kelly Services, Inc. in writing immediately if it is no longer in compliance with the Massachusetts PI Standards. Failure to notify Kelly of such non-compliance shall be considered a material breach of this Agreement. If at any time during the term of this Agreement, any part of PI that Vendor obtains from Kelly ceases to be required by Vendor for the performance of its obligations in this Agreement, Vendor shall promptly notify Kelly that such information is no longer required. Vendor shall at Kelly’s option either (i) return to such Kelly PI to Kelly or (ii) destroy all copies of such Kelly PI. Such instructions will include all Kelly PI in the Vendor’s possession or control and Vendor shall certify to Kelly that the same has been completed. 5. DATA PRIVACY AND SECURITY As a result of this Agreement, Vendor may obtain certain information relating to identified or identifiable individuals (“Personal Data”). Vendor shall, and shall ensure its employees, agents, representatives and Vendors (“Vendor Personnel”) collect, access, maintain, use, process and transfer Personal Data in accordance with the requirements set forth in this section and for the sole purpose of performing Vendor’s obligations under this Agreement. Protection of Personal Data. Vendor shall at all times comply with Kelly’s instructions regarding Personal Data, as well as all applicable laws, regulations and international accords, treaties, or accords, including without limitation, the EU/US Safe Harbor program (collectively, “Legal Requirements”), and shall refrain from engaging in any behavior which renders or is likely to render Kelly in breach of same. Without limiting the generality of the foregoing, with respect to any data received directly or indirectly from the European Economic Area or from Kelly’s European affiliates, Vendor shall abide by the Safe Harbor Privacy Principles of the U.S. Department of Commerce, located at http://www.export.gov/safeharbor, as may be amended from time to time (the “Safe Harbor Principles”), excluding the Notice, Choice and Enforcement provisions contained within the Safe Harbor Principles. Vendor shall take all appropriate legal, organizational, and technical measures to ensure the confidentiality of Personal Data, and protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing, keeping in mind the nature of such data. Vendor may only disclose Personal Data to third parties (including Vendor Personnel), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Vendor shall hold such third parties with access to Personal Data accountable for violations of this Agreement, including imposing sanctions, and where appropriate, terminating contracts and employment. Vendor shall take all reasonable steps to ensure that Personal Data is reliable for its intended use, and is accurate, complete and current. Immediately upon Kelly’s request, or as otherwise may be necessary to comply with this Agreement, Vendor shall correct, delete and/or block Personal Data from unauthorized processing and/or use. Vendor shall promptly notify Kelly’s General Counsel if it receives any requests from an individual with respect to Personal Data, including but not limited to “opt-out” specifications, information access requests, information rectification requests and all like requests, and shall not respond to any such requests unless expressly authorized to do so by Kelly. Vendor shall promptly and properly deal with inquiries and requests from Kelly in relation to the processing of Personal Data under this Agreement. Vendor acknowledges that it shall have no right, title or interest in any Personal Data obtained by it as a result of this Agreement. 3 Confidential to Kelly Services, Inc. and Vendor R07/13 Vendor shall provide other reasonable assistance and support, and assist and support Kelly in the event of an investigation by a data protection regulator or similar authority, if and to the extent that such investigation relates to the collection, maintenance, use, processing or transfer of Personal Data under this Agreement. Vendor shall provide to Kelly, its authorized representatives and independent inspection body designated by Kelly, on reasonable notice, (i) access to Vendor's information processing premises and records and (ii) reasonable assistance and cooperation of Vendor's relevant staff for the purpose of auditing Vendor's compliance with its obligations under this Agreement. In the event that Vendor is unable to comply with the obligations stated in this section 11 (b) (Data Privacy and Security), Vendor shall promptly notify Kelly, and Kelly may take any one or more of the following actions: (i) suspend the transfer of Personal Data to Vendor; (ii) require Vendor to cease processing Personal Data; (iii) demand the return or destruction of Personal Data; or (iv) immediately terminate this Agreement. Upon termination of this Agreement for any reason, Vendor shall promptly contact Kelly for instructions regarding the return, destruction or other appropriate action with regard to Personal Data. Security Procedures. Vendor shall maintain reasonable operating standards and security procedures, and shall use its best efforts to secure Personal Data through the use of appropriate physical and logical security measures including, but not limited to, appropriate network security and encryption technologies. Vendor shall use reasonable user identification or password control requirements and other security procedures as may be issued, from time to time by Kelly in relation to the Personal Data. Vendor shall promptly notify Kelly in the event that Vendor learns or has reason to believe that any person or entity has breached or attempted to breach Vendor’s security measures, or gained unauthorized access to Personal Data (“Information Security Breach”). Upon any such discovery, Vendor will (a) investigate, remediate, and mitigate the effects of the Information Security Breach, and (b) provide Kelly with assurances reasonably satisfactory to Kelly that such Information Security Breach will not recur. Additionally, if and to the extent any Information Security Breach or other unauthorized access, acquisition or disclosure of Personal Information occurs as a result of an act or omission of Vendor or Vendor’s Personnel, and if Kelly determines that notices (whether in Kelly’s or Vendor’s name) or other remedial measures (including notice, credit monitoring services, fraud insurance and the establishment of a call center to respond to customer inquiries) are warranted, Vendor will, at Kelly’s request and at Vendor’s cost and expense, undertake the aforementioned remedial actions. 6. AUDIT Upon 30 days notice, Kelly or a 3rd party of their choosing, may audit, copy, and inspect the records, transactions, and Vendor processes during the term of this agreement, and a period of at least 3 years after the termination of this agreement, or any Order, whichever occurs last. Vendor will maintain all records pertaining to services rendered or products delivered for the term of this agreement and for the ensuring 3 year period. In addition to record maintenance, Vendor will agree to provide 100% of transactions requested for the period under audit in a database format of either Microsoft Access of Excel. The transactions provided will agree to the total amount invoiced to Kelly for the period requested. Vendor agrees to review findings identified as a result of the audit and provide feedback within 30 days after receipt of the audit findings unless a different timeframe is agreed upon by both parties. Vendor agrees to refund all overcharges identified by Kelly Services or a 3 rd party auditor within 2 weeks after Vendor feedback has been provided. Kelly, without waiver or limitation of any rights, may deduct from any amounts due to Vendor in connection with this agreement, or any other Agreement between Kelly Services and Vendor any audit findings identified during the course of the audit not repaid by Vendor within the 2 week timeframe. At Kelly’s request, Vendor will at no charge provide Kelly with copies of any routine SSAE-16 Type I and II audit reports, or any successor reports (“SSAE-16 Reports”) directly related to the Services provided hereunder. 7. REPRESENTATIONS AND WARRANTIES Vendor represents and warrants that: (i) its performance under this Agreement will at all times conform to the highest professional and ethical standards; (ii) due care and its best efforts will be utilized by Vendor in the performance of this Agreement; (iii) it is under no obligation or restriction that would conflict with the Services required to be furnished by Vendor and its other obligations under this Agreement, or that otherwise would in any manner prevent the full performance by Vendor of the terms, conditions, and requirements of this Agreement (Vendor must immediately disclose to Kelly any actual or potential conflict of interest that may arise during the Vendor’s performance of this Agreement). In the event Vendor breaches any of the above warranties in any material respect, Kelly may exercise all rights and remedies available to it under applicable laws and all other rights and remedies under this Agreement. 4 Confidential to Kelly Services, Inc. and Vendor R07/13 8. LIMITATION OF LIABILITY Except with respect to damages arising from sections 5, 9, 13, and 14 herein, neither party is liable to the other party for incidental, consequential, punitive, or exemplary damages arising in connection with this Agreement or the performance, omission of performance, or termination hereof including, without limitation, lost sales and profits and other business interruption damages, even if the party has been advised of the possibility of such damages and without regard to the nature of the claim or the underlying theory or cause of action (whether in contract, tort, or otherwise). 9. INDEMNIFICATION 9.1 Vendor’s Obligations To the fullest extent permitted by law: Vendor must reimburse, indemnify, defend, and hold harmless Kelly, its subsidiaries and affiliates and each of its subsidiary’s and affiliate’s present, former, and future shareholders, employees, officers, and directors from and against all loss, damage, expense (including attorney’s fees and expenses), and penalty, and any claim or action therefore by or on behalf of any person, (collectively, “Loss”) arising out of or in connection with the performance or failure of performance of this Agreement including, without limitation, Loss arising out of or occurring in connection with: (i) any acts or omissions by Vendor or its employees or agents, including, without limitation, personal injury and death claims; (ii) all claims of Vendor's employees, agents, and subcontractors, whether for injury, death, compensation, social security, pension, unemployment compensation, etc.; (iii) the provision, ownership, installation, operation, maintenance, use, or repair of any of the Services; and (iv) all third-party claims alleging that any of the Services infringes any patent, copyright, trademark, or other proprietary right or constitutes a misuse of any trade secret information. Vendor will not be relieved of the foregoing indemnity and related obligations by allegations or any claim that Kelly was negligent; but Vendor is not liable to the extent any injury or damage is finally judicially determined by a court of competent jurisdiction to have been proximately caused by the sole negligence or willful act of Kelly. 9.2 Client’s Obligations Kelly agrees to timely advise Vendor of any suit, claim, or proceeding, and to reasonably cooperate with Vendor in the defense or settlement of such suit, claim, or proceeding, but Vendor will have sole control thereof. If an injunction is obtained against Kelly's use of any of the Services, in whole or in part, Vendor must promptly at Kelly’s option either: (i) procure right to continue using the Services enjoined from use or replace or modify them so that Vendor’s use or possession is not subject to any such injunction, or (ii) refund to Kelly all amounts paid to Vendor for the Services. If this indemnification provision is construed by a court of competent jurisdiction to require indemnification over and above that permitted by applicable law or public policy, the parties intend that the Agreement be judicially modified to afford Kelly the maximum indemnification allowed. 10. INSURANCE Vendor will maintain during the term of this Agreement at least the following types and limits of insurance with insurers possessing an A.M. Best Rating of not less than A- and authorized to do business under the laws of the State (s) and/or Country (ies) where work/services are performed: Workers' Compensation on the Vendor employees, in amounts no less than required by law; Employer's Liability insurance with a limit of $1,000,000; Commercial Automobile Liability insurance with a $1,000,000 combined single limit on vehicles owned, leased, or rented by Vendor; Commercial General Liability insurance, including bodily injury and property damage, contractual liability, and products and completed operations, with a $1,000,000 per occurrence, $2,000,000 aggregate; Excess/Umbrella Liability with a limit of $5,000,000; If Vendor is working on Kelly premises and has access to Kelly computer systems, software and/or any related proprietary technology or information, valuable property or equipment, the following insurance coverage is also required: Crime/Fidelity/Commercial Blanket Bond with limits of $3,000,000 per occurrence; If Vendor is providing professional services, the following insurance coverage is also required: Liability/Errors and Omissions insurance with a limit of $3,000,000; and 5 Confidential to Kelly Services, Inc. and Vendor Professional R07/13 If Vendor is performing professional information technology services and/or work and has access to Kelly computer systems, software and/or any related proprietary technology/information, the following insurance coverage is also required: Cyber Risk/Network Liability/Privacy insurance with a limit of $3 million. Kelly Services, Inc. is to be included as an additional insured on Vendor’s Commercial General and Automobile Liability policies. Vendor will provide Kelly with certificates of this insurance coverage evidencing the required coverage upon signing of this Agreement and upon renewal of the policies describes above. 11. INDEPENDENT CONTRACTOR Vendor is an independent contractor in the performance of this Agreement, and nothing contained in this Agreement may be construed to create or constitute a joint venture, partnership, agency, franchise, lease, or any other arrangement other than as expressly granted in this Agreement. Vendor is responsible for its operation and any subcontracted operations. Vendor must exercise control over its employees, agents, representatives, subcontractors, and suppliers and is solely responsible for the verification of identity and employment eligibility, for the payment of any wages, salaries, or other remuneration of its employees, agents, representatives, subcontractors, and suppliers, and for the payment of any payroll taxes, contributions for unemployment or workers compensation, social security, pensions, or annuities that are imposed as a result of the employment of Vendor's employees, agents, representatives, subcontractors, and suppliers. Vendor must not pledge credit, incur any obligation or liability, hire any employee, nor purchase any merchandise or services in the name of Kelly or any subsidiary or affiliate thereof. Unless otherwise provided in this Agreement, all costs, charges, and expenses incurred in connection with Vendor’s performance of this Agreement must be borne by Vendor. 12. ASSIGNMENT Neither party may assign or otherwise transfer its rights, obligations, and/or duties under this Agreement without the prior written consent of the other party, given at the other party's sole option; but Kelly may assign this Agreement to a subsidiary or affiliate upon notice to Vendor. Any prohibited assignment is void. 13. INTELLECTUAL PROPERTY Vendor hereby assigns, conveys, and transfers all right, title, and interest in and to the Services, which include all related work product of Vendor and its employees, to Kelly. Vendor understands that all Services produced, developed or otherwise created by Vendor or its employees hereunder are the exclusive property of Kelly. Consistent with this understanding, Vendor must not use the Services for the benefit of any party other than Kelly. If applicable, Vendor warrants that all creators and/or contributors to the Services, including but not limited to, all persons engaged by Vendor to make any contributions to the Services, were, at the time of the Services' creation, bona-fide employees of Vendor who made their contributions to the Services within the scope of their employment as work for hire or that Vendor has obtained and possesses a written assignment of the copyright, title, and interest from all the creators or contributors not otherwise considered bona-fide employees. Vendor must maintain an agreement with each of its employees consistent with the obligations set forth in sections 5, 13, and 14 and is responsible for enforcing such agreements. Vendor must provide a copy of such agreement at the request of Kelly. 14. CONFIDENTIALITY Both parties acknowledge that they are held to the terms of the mutual nondisclosure agreement signed prior to the execution of this agreement. 15. ENFORCEABILITY If any provision of this Agreement is held to be void or unenforceable by any judicial or administrative authority, or is unlawful or unenforceable under any applicable law, the remaining provisions are considered to be severable and their enforceability is not to be affected or impaired in any way by reason of such law or holding. 16. INVOICING AND PAYMENT Vendor will generate a monthly or weekly consolidated invoice for all services set forth in Exhibit A, including any applicable shipping and administrative fees. One complete copy of the invoice is sent to Kelly’s corporate office with a statement of activity for the prior period. Kelly will not pay for any services that are invoiced greater than 90 days following the date services are actually performed. All invoices must include, at a minimum, the following information: (i) Name and address of Vendor; (ii) Invoice number; (iii) Description of Services 6 Confidential to Kelly Services, Inc. and Vendor R07/13 provided; (iv) Date; and (v) Dollar amount due. Kelly agrees to pay Vendor for Services rendered in the amounts set forth in Exhibit A after the receipt of a correct invoice from Vendor. Kelly will pay all undisputed invoice amounts within 45 days of invoice date. Any disputed invoice amounts will be documented in writing and forwarded to Vendor within 45 days of invoice receipt. Within 45 days of Vendor’s receipt of documentation of disputed amounts, Vendor will have responded to Kelly’s claim. Upon resolution of disputed items in favor of Vendor, payment will be remitted within 10 days. If the resolution of disputed items is in favor of Kelly and not contested, no further action is required. 17. TAXES Unless otherwise provided for in Exhibit A, or in a Statement of Work, Vendor’s pricing and fees for professional services are exclusive of applicable federal, state, local and foreign taxes, duties, assessments and levies attributable to the provision of Vendor’s services. Vendor is solely liable and shall not be allowed to bill Kelly for any Taxes based on or measured by Vendor’s property, capital, income or receipts. Any sales, value added, or other tax properly imposed by a jurisdiction in connection with the Vendor’s services (“Taxes”) shall be the responsibility of the Vendor. Any such Taxes required to be collected by the Vendor must be separately stated on the invoice unless Kelly provides Vendor with a valid tax exemption certificate. Vendor will indemnify and hold Kelly harmless from all interest, fines and penalties related to payment of back Taxes that the Vendor failed to collect. 18. GENERAL 18.1 MOST FAVORED NATION All of the benefits and terms granted by Vendor herein are at least as favorable as the benefits and terms granted by Vendor to any previous buyer of the services described in this Agreement. Should Vendor enter into any subsequent agreement with any other buyer, during the term of this Agreement, which provides for benefits or terms more favorable than those contained in this Agreement, then this Agreement shall be deemed to be modified to provide Kelly with those more favorable benefits and terms. Vendor shall notify Kelly promptly of the existence of such favorable benefits and terms and Kelly shall immediately have the right to receive the more favorable benefits and terms. If requested in writing by Kelly, Vendor shall amend this Agreement to contain the more favorable terms and conditions. 18.2 PUBLICITY <DO NOT WANT TO ALLOW> Neither party shall originate any publicity, news release or other public announcement relating to this Agreement nor the existence of an arrangement between the Parties without the prior written approval of the other Party, except as otherwise required by law and upon reasonable notice to the other Party. <WILLING TO ALLOW> The parties agree that any press release or public announcements describing the services to be provided and the relationship created pursuant to this Agreement shall be acceptable upon mutual agreement by the parties. 18.3 ESCROW OF SOURCE CODE 18.3.1 DEPOSIT Vendor will place and maintain in escrow with an escrow agent (the “Escrow Agent”) two copies of the most recent version of the Code. 18.3.2 ESCROW AGENT The Escrow Agent is intended to be _______________. 18.3.3 UPDATES So long as Client purchases the Services, Vendor will deliver to the Escrow Agent two complete copies of the Source Code at least semi-annually, and within thirty (30) days after any change to the Source Code that materially affects the Services. 18.3.4 RIGHT TO USE SOURCE CODE The Software shall be released upon the occurrence of any one of the following events (“Release Conditions”): (i) if the Vendor has ceased operating in the normal course of business; or (ii) 7 Confidential to Kelly Services, Inc. and Vendor R07/13 Bankruptcy of the Vendor; or (iii) if Vendor is acquired by a competitor to Kelly. Subject to the terms and conditions of this Agreement and the Release Conditions set forth in this section, Vendor hereby grants to Client a license to use, copy and create derivative works of the Source Code to operate, maintain and support the Software (in source and object code form) solely within the scope of Services provided under this Agreement. 18.4 NOTICES Any written notice required or permitted to be given hereunder shall be given by: (i) Registered or certified mail, return receipt requested, postage prepaid; (ii) confirmed facsimile; or (iii) nationally recognized overnight courier service to the other party at the addresses listed on the cover page or to such other address or person as a party may designate in writing. All such notices shall be effective upon receipt. Kelly Address for Notices: Kelly Services, Inc. 999 W. Big Beaver Road Troy, MI 48084 Attn: General Counsel Vendor Address for Notices: Vendor Name Address City, State Zip Code Attn: 18.5 DIVERSITY In an effort to promote diverse and minority business growth, Kelly requires that Vendor provide quarterly reports indicating Tier I or Tier II diverse supplier spend as it relates to their business with Kelly. Reports are to be directed to the purchasing department after the end of each quarter. 18.6 FORCE MAJEURE Neither party shall be responsible for delays or failures in performance resulting from acts of God, acts of civil or military authority, terrorism, fire, flood, strikes, war, epidemics, pandemics, shortage of power, or other acts or causes reasonably beyond the control of that party. The party experiencing the force majeure event agrees to give the other party notice promptly following the occurrence of a force majeure event, and to use diligent efforts to re-commence performance as promptly as commercially practicable. 18.7 NON-SOLICITATION Neither Party will knowingly, either directly or indirectly, solicit the other party’s employees for employment without written authorization from the other Party. 18.8 CODE OF CONDUCT Vendor will use commercially reasonable efforts to ensure that its employees or representatives comply with its Code of Business Conduct and Ethics and any other policy in relation to corporate gifts, entertainment, and bribery. Said policies will be made available to Kelly upon request. If either party has reason to believe their employee or representative has committed a violation of their respective code of business conduct with respect to the other party, said party will report the suspected violation of the Code of Business Conduct to the other party in writing. 18.9 AUTHORITY TO CONTRACT Each person signing below warrants and represents that he/she has full power and authority to execute this Agreement on behalf of the party he/she represents. Upon request, each party must provide a Certified Resolution or Certificate of Authority authorizing the undersigned to enter into and sign this Agreement. 18.10 REPRESENT AND WARRANT Vendor and Kelly each expressly represent and warrant to the other that each has relied solely and exclusively on its own judgment and the advice of its own attorneys in entering into this Agreement, and that no representative or agent of the other has made any statement or representation to it beyond those in this Agreement that have induced signing of this Agreement. 8 Confidential to Kelly Services, Inc. and Vendor R07/13 18.11 AGREEMENT FINAL AND COMPLETE This Agreement is the final and complete agreement between Kelly and Vendor with respect to the subject matter hereof. No representations, inducements, promises, or understandings in relation to the subject matter hereof, whether oral or written, exist unless expressly set forth in this Agreement, and this Agreement supersedes all prior understandings, agreements, contracts, or arrangements between the parties, whether oral or written, unless otherwise expressly incorporated in this Agreement. No agreement or other understanding purporting to add to or to modify the terms and conditions hereof is binding unless agreed to by duly authorized representatives of the parties in writing. Any terms or conditions in any forms of the parties used in the performance of this Agreement that are in conflict with the terms and conditions hereof are void. 18.12 BUSINESS DOWNTURN In the event Kelly establishes to vendor’s satisfaction that: a) Kelly is unable to meet the Annual Volume Commitment, notwithstanding Kelly’s best efforts to do so; and b) such failure results solely from a business downturn beyond the Kelly’s control, which materially and permanently reduces the size or scope of Kelly’s operations and the volume of Services required by Kelly hereunder. By way of illustration and not by limitation, Business Downturn shall not include a change in Kelly’s usage of Services hereunder resulting from a decision by Kelly to reduce its overall use of services, to alter its architecture, or to transfer portions of its traffic or projected growth to other suppliers. 18.13 ARMS LENGTH TRANSACTION This is an arms-length transaction and relationship. There exist no implied or otherwise unstated covenants, rights, or obligations by, of or against either party. The parties expressly disclaim the existence of any implied covenant of good faith and/or fair dealing. 9 Confidential to Kelly Services, Inc. and Vendor R07/13 DESCRIPTION OF SERVICES EXHIBIT A 10 Confidential to Kelly Services, Inc. and Vendor R07/13 PRICING EXHIBIT B 11 Confidential to Kelly Services, Inc. and Vendor R07/13 SERVICE LEVEL AGREEMENT EXHIBIT C 12 Confidential to Kelly Services, Inc. and Vendor R07/13 IMPLEMENTATION EXHIBIT D 13 Confidential to Kelly Services, Inc. and Vendor R07/13 REPORTING EXHIBIT E 14 Confidential to Kelly Services, Inc. and Vendor R07/13 INFORMATION SECURITY AND PRIVACY COMPLIANCE ATTACHMENT 1 This Information Protection, Security and Privacy Attachment (“Attachment 1”) sets forth certain duties and obligations of the Supplier (as defined below) with respect to the protection, security and privacy of Kelly Services Information in the course of performance under the Agreement that includes this Attachment. In the event of a conflict between this Exhibit and other parts of this Agreement, the parties agree that this Attachment shall supersede and control. A. Definitions “Agreement” means the agreement between the Supplier or other party contracting with Kelly Services that by its terms expressly includes this Exhibit as an attachment. “Kelly Services Customer” means any third party (including individuals and entities) with a relationship to Kelly Services and/or its business, products or services, including without limitation, actual and prospective business customers. “Kelly Services Information” means any Kelly Services Records or data of Kelly Services in the possession of, or accessible by, Supplier or its computer or communication system(s), including Personal Data of any kind. “Kelly Services Personnel” means Kelly Services employees, officers, directors, agents, contract workers and subcontractors, the family members of such persons, applicants for employment at Kelly Services and applicants seeking to work as a Kelly Services contract worker or subcontractor, and also includes all such persons when associated with Kelly Services affiliates. “Malicious Code” means any computer instructions in Software that are not intended to provide the functionality described in the Software specifications and that interfere with Kelly Services’ right to fully utilize its license to the Software or interfere with or prevent Kelly Services’ use of the Software as contemplated in this Agreement. Malicious Code includes without limitation such computer instructions commonly known as computer viruses, “Trojan horses,” anomalies, self-destruction mechanisms, copy protection schemes, and any other computer instructions that interfere with or prevent Kelly Services from using the Kelly Services Information or Software as described in its specifications or as contemplated in this Agreement. Malicious Code also includes without limitation any computer instructions that can: (i) disable, destroy, or otherwise alter the Kelly Services Information or any hardware on which the Software executes; or (ii) reveal any data or other information accessed through or processed by the Software to anyone outside of Kelly Services without Kelly Services’ knowledge and prior approval. “Patches” shall mean software update code provided by specific vendors to correct an identified vulnerability within Software or on Supplier’s system, computer, network, or other equipment. “Personal Data” means any information relating to a natural identifiable person, whether the person identified is an employee, employee family member, applicant, consumer, customer, supplier, partner, potential partner, or other individual and expressly includes Kelly Services Customers and Kelly Services Personnel. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Personal Data includes both General Data and Sensitive Data: a. General Data includes, without limitation, the following types of information: names, dates of birth, Social Security Numbers (SSN's) and related government/national identification numbers (including tax identification numbers), home and business addresses, home and business email addresses, home and business telephone numbers, employee ID numbers (e.g. core ID, Commerce ID, etc), credit card numbers, and passwords. b. Sensitive Data includes, without limitation, the following types of information: racial or ethnic origin, religious or philosophical beliefs, political affiliations/opinions, trade union membership, medical or health-related Records, sexual orientation, disabilities, and background checks. 15 Confidential to Kelly Services, Inc. and Vendor R07/13 “Privacy Laws” means all federal, state, and local U.S. or foreign laws, regulations, and/or rules relating to Personal Data and other data privacy and data protection, as they may be enacted, adopted or amended from time to time. “Processing of Personal Data” means any operation or set of operations that is performed upon Personal Data, and includes, without limitation, the following: access, collection, use, retention, copying, recording, organization, storage, adaptation or alteration, retrieval, transmission, dissemination or otherwise making available, and/or disposal or destruction of Personal Data. “Record” means any recorded information used by Kelly Services that has value to Kelly Services for conducting its business or meeting its legal obligations. This includes information created or received in any form, including e-mails, paper documents, electronic documents, data base or application information, and other electronic or photographic media. “Security Incident” means the unauthorized access, use, alteration, destruction, or other Processing of, or other compromise or breach of security (electronic or physical) involving or related to any Kelly Services Information. Security Incidents include, but are not limited to, information system failures and loss of service, denial of service, errors resulting from incomplete or inaccurate business data, and breaches of confidentiality. Security Incidents will be considered confidential and will be treated in accordance with the confidentiality requirements of this Agreement, except notice to Kelly Services Personnel, Kelly Services Customers, or other parties pursuant to Privacy Laws or Kelly Services policy. “Security Vulnerability” means a weakness at the network services, operating system, or application level, or within associated functions of networks, computer systems, or Software that could allow a Security Incident to occur. Security Vulnerabilities also include physical vulnerabilities to the premises containing or permitting access to Kelly Services Information. “Software” means computer software and related documentation as defined in this Agreement, or if none, computer programs consisting of a series of instructions, algorithms, lines of code, application program interfaces and statements in object code or source code form, along with any related materials and technical data, and all textual material relating to and necessary for use of such programs, including without limitation, flow charts, operating instructions, user manuals and related technical information and modifications of such documentation. “Supplier” means such supplier, vendor, or other business partner defined as a party in the Agreement and obligated under this Attachment. B. Security Requirements 1. Supplier will have full responsibility to implement and maintain reasonable information systems for electronic and other media that are reasonably suitable to protect the security of Kelly Services Information, and to comply with this Exhibit and the Agreement, including without limitation, physical, network, host, web, application, and data security. 2. Supplier will maintain reasonable security precautions consistent with industry best practices and identify in writing and make available, upon request, to Kelly Services the system security standards and documented processes used to reasonably secure Supplier’s systems. Supplier will meet the minimum security and privacy standards of International Standard ISO 27001 and 27002, and Safe Harbor. 3. Supplier will provide annual, upon request, to Kelly Services, SAS70 Type II or SSAE-16 report that includes, but not limited, to process and technology controls within the scope of services provided to Kelly Services. 4. To the extent Supplier Processes Personal Data, Supplier will meet or exceed the information security requirements set forth in this Exhibit. 5. Supplier will monitor for Security Incidents on the basis of 24 hours per day by 7 days per week by 365 days per year. 6. Supplier will logically and/or physically segregate Kelly Services’ Personal Data from the data of any third party. 16 Confidential to Kelly Services, Inc. and Vendor R07/13 7. Supplier will encrypt (utilizing strong encryption) Kelly Services’ Personal Data if it is stored on laptops or portable media devices (e.g., USB drives, CD-ROMs, DVDs, backup tapes, etc.). 8. Supplier will, unless a longer retention period is required by law, provide all Kelly Services’ Personal Data to Kelly or upon request by Kelly, destroy all copies thereof in a manner to ensure that no restoration of such data is possible upon the earlier of (i) termination of the Agreement in relation to which the Kelly Services’ Personal Data was used; or, (ii) the purpose for which the Kelly Services’ Personal Data is being used has been completed (and, prior to disposal of any equipment on which Kelly Services Personal Data has been stored or processed, Supplier shall comply with “NIST Guidelines for Media Sanitization (Draft SP 800-88)”. 9. Supplier will have a Security Incident response process in place to manage and to take immediate corrective action for any Security Incident as identified in Section D of this Exhibit. 10. Supplier will implement and provide a copy annually, upon request, of disaster recovery/business continuity plan to protect Kelly Services critical business processes from failing as a result of the effects of any major failure or disaster. 11. Supplier will inform Kelly Services promptly in writing of the occurrence of any unauthorized access, use, violation, compromise or breach of security (electronic or physical), other than incidental events not intended to cause a security breach, involving or related to information of other customers or other third parties (without being obligated to identify third parties by name) involving the computing environment, information or communication systems, facilities or transportation means involved in Processing Kelly Services Information. 12. Supplier will not transfer any Kelly Services’ Information to any 3rd party without the expressed approval in writing from Kelly Services. 13. Supplier will be responsible for all costs incurred by Supplier and Kelly Services for security breach remediation activity, as defined in Section D, for security breaches within the scope of Supplier’s services. C. D. Representation and Warranties 1. Supplier represents and warrants that it has taken commercially reasonable actions to ensure that Kelly Services Information is protected against any and all reasonably anticipated Security Incidents and Security Vulnerabilities. 2. Supplier represents and warrants that its systems are monitored for Security Incidents on the basis of 24 hours per day by 7 days per week by 365 days per year. 3. Supplier represents and warrants that it has a Security Incident response process to manage and to take immediate corrective action for any Security Incident, including Malicious Code. 4. Supplier will provide certification of compliance to this Information Security and Privacy Compliance Exhibit by either obtaining such certification from an independent information security service company or through an annual self-assessment, as approved by Kelly Services. 5. Supplier expressly warrants that its Processing of Kelly Services’ Personal Data will comply with all applicable Privacy Laws. Security Incident Notice 1. Initial Notification of Security Incident: Supplier shall notify the Kelly Services’ Global Security Department immediately of any security incidents via the Kelly Services’ 24x7 Security Hotline at: +1 (248)-244-4250 within one (1) hour of Supplier’s becoming aware of a Security Incident. Additionally, within twenty-four (24) hours of Supplier becoming aware of a Security Incident, Supplier shall also notify Kelly Services in writing via email to: Global.Security@KellyServices.com 17 Confidential to Kelly Services, Inc. and Vendor R07/13 2. Subsequent Reports and Notifications: After the initial notification, Supplier shall subsequently notify the Kelly Services’ Global Security Department of any security incidents, as required below, via the 24x7 Security Hotline at: +1 (248)-244-4250. Additionally, as required below, Supplier shall notify Kelly Services via email of all Security Incidents and shall provide all written reports as follows: 3. Security Incident Resolution Times: In the event of a Security Incident, Supplier shall use continuous efforts to correct the Security Incident immediately and notify Kelly Services’ Security Hotline upon resolution +1 (248)-2444250. 4. Interim Status Reports Supplier shall provide Kelly Services with an interim written status report of each Security Incident within 4 hours, and at agreed upon intervals thereafter, based on the agreed upon severity of the incident and such report shall include: 5. Date of Security Incident Brief description of Security Incident including known or suspected cause Supplier Incident Coordinator Kelly Services Incident Coordinator they are working with Impact of the Security Incident to Kelly Services, including, if applicable, type of information that was breached Supplier’s Response Plan to this particular Incident What has been done so far What needs to be done/action items Current Status Expected timeframe for full service restoration Final Report Supplier shall provide Kelly Services with a final written report of each Security Incident within (3) business days of resolution or a determination that the problem cannot be satisfactorily resolved within such time period and such report shall include: Supplier’s Name Supplier’s Incident Coordinator and contact information Kelly Services Incident Coordinator Date Incident Occurred Length of Outage Incident Executive Overview Incident Details: • List of individuals and other third parties that were involved with any aspect of the incident handling (sometimes various services of an ISP are themselves outsourced to another third-party) • How/when the incident was initially detected • When/How the incident was initially reported to Kelly Services • Description of what resources/services were impacted • Description of impact of Security Incident to Kelly Services (volume and type where applicable) • Containment – How was the incident contained • Root Cause - What was the cause for disruption • Corrective Action During the Incident – What steps were taken to reduce exposure during the incident (in most cases, there are interim steps taken to reduce exposure, e.g., Filtering, rerouting services, etc.). • Permanent Corrective Action/Preventative measures – What permanent corrective actions have been put in place as a result of this incident Conclusion 18 Confidential to Kelly Services, Inc. and Vendor R07/13 E. Post Mortem Reviews Supplier shall coordinate the scheduling of a Post Mortem Review with the Kelly Services Incident Coordinator. This review should be scheduled within seven (7) business days of the resolution of the incident or a determination that the problem cannot be satisfactorily resolved within such time period. F. Security Vulnerability Security Vulnerability Classification: Supplier shall classify a Security Vulnerability as critical risk, high risk, medium risk, or low risk, as follows: Critical Risk Vulnerability A vulnerability that has a high probability of or actively being widely exploited in a manner disruptive to normal business operations based on these factors: the vulnerability can be exploited through the network without human intervention; the vulnerability is easily exploited and takes limited technical knowledge; an exploit of a vulnerability is subject to worms; software code scripts are widely known and easily available to exploit this vulnerability; the vulnerability is popular and well known in the technical and Internet community; the vulnerability could allow broad exposure/compromise of confidential information or a massive denial of service or disruption of service. High Risk Vulnerability A vulnerability that has a high probability of being exercised based on these factors: the vulnerability is easily exploited and takes limited technical knowledge; software code scripts are widely known and easily available to exploit this vulnerability; the vulnerability is popular and well known in the technical and Internet community; the vulnerability could allow broad exposure/compromise of confidential information or a massive denial of service or disruption of service. Medium Risk Vulnerability A vulnerability that has a lower probability of being exercised based on these factors: the vulnerability is more complex to exploit and takes a higher degree of technical knowledge; the vulnerability does not have broad popularity in the technical and Internet community; the vulnerability could allow a more limited exposure/compromise of confidential information or a contained and limited denial of service or disruption of service. Low Risk Vulnerability A vulnerability that has a low probability of being exercised based on these factors: the vulnerability is very complex to exploit and takes a high degree of technical knowledge; the vulnerability does not have broad popularity in the technical and Internet community; the vulnerability could allow a very limited exposure/compromise of confidential information or a very limited denial of service or disruption of service. G. Security Vulnerability Correction Completion Times 19 Confidential to Kelly Services, Inc. and Vendor R07/13 Security Vulnerabilities shall be corrected within the following timeframes. Supplier may use patches and other software update code to correct an identified vulnerability on a system, computer, network, or other computer equipment to correct Security Vulnerabilities. Vulnerability Correction Completion Times Critical Risk Immediate correction up to seven (7) calendar days of critical vendor patch release announcement, notification from Kelly Services, or discovered security breach, whichever is earlier. High Risk within seven (7) calendar days of vendor patch release, or discovered security breach, whichever is earlier Medium Risk within one (1) month of occurrence Low Risk within three (3) months of occurrence H. Suppliers’ Vulnerability and Penetration Testing 1. Supplier shall conduct or arrange for an annual vulnerability assessment and penetration testing of Supplier’s security processes and procedures, including vulnerability assessment and penetration testing of its services and deliverables under the Agreement, in order to identify potential Security Vulnerabilities (“Testing”). Supplier shall conduct or arrange for this Testing on all computers and systems used directly or indirectly in support of Kelly Services business, including those of any subcontractors of Supplier. 2. Supplier shall select an independent, qualified vendor to conduct the Testing, such vendor to be reasonably acceptable to Kelly Services. 3. Supplier shall provide Kelly Services with a written report summarizing: I. Results of the Testing Any risks identified during the Testing, including: • Classification of Security Vulnerability as critical risk, high risk, medium risk, or low risk • Detailed description of any Security Vulnerability • Corrective action taken or plan of action for correction of any identified Security Vulnerability, including date of final resolution 4. Supplier shall correct any identified Security Vulnerability 5. All Testing conducted by Supplier will be subject to appropriate non-disclosure and confidentiality obligations. Kelly Services’ Security Assessment and Audit Rights 1. Kelly Services reserves the right to request, at any time and upon reasonable notice, a security assessment or audit for verification of Supplier’s security processes and procedures, including vulnerability assessment and penetration testing of its services, deliverables, and protection of Personal Data under the Agreement, as stated in this Exhibit, in order to identify potential security breaches. 2. Kelly Services will request the Supplier to provide a written report summarizing: Results of the Security Assessment Any risks identified during the Security Assessment, including: • Classification of any Security Vulnerability as critical risk, high risk, medium risk, or low risk • Detailed description of any Security Vulnerability 20 Confidential to Kelly Services, Inc. and Vendor R07/13 • J. Recommended corrective action for any identified Security Vulnerability. 3. Supplier shall correct any identified Security Vulnerabilities within the timeframe as stated in Section G. 4. All Security Assessments conducted by Kelly Services will be subject to appropriate non-disclosure and confidentiality obligations. 5. If Kelly Services’ Security Assessment reveals that Supplier’s processes and procedures do not meet the minimum standards of ISO 27001 or if the SAS70 Type II/SSAE-16 report shows deficiencies, then Supplier shall promptly take appropriate actions to change its processes and procedures to conform to such standards and will work with Kelly Services to implement such changes in a timely manner. If Supplier does not implement such changes to conform to ISO 27001 standards or rectify deficiencies found in the SAS70 Type II/SSAE-16 report within sixty (60) days, then Kelly Services, at its option, may terminate the Work as defined in the agreement and/or the applicable SOW at no cost to Kelly Services. Incident Logs 1. Supplier shall maintain logs of all Security Incidents and will make the logs available for Kelly Services’ review, upon request, (including review via electronic access), monthly or such other time period as may be agreed. K. Malicious Code Protection 1. L. Supplier shall develop and maintain a documented process for installation and maintenance of Malicious Code protection software for all computer systems used directly or indirectly in support of Kelly Services business. Such process shall include, at a minimum: a. Active virus detection software installed with real-time protection enabled b. Automated processes to apply latest virus definitions to all computer systems c. Supplier shall ensure itself and its subcontractors at any tier have completed successfully secure code training based on the Open Web Application Security Project (OWASP) or similar standard. Certification of completion of such training shall be provided to Kelly Services, upon request. Third Parties Supplier will contractually require all third parties, including subcontractors, with access to Kelly Services Information to adhere to the security requirements of this Exhibit. At a minimum, third party agreements should contain an acknowledgement that the third party is responsible for protecting Kelly Services Information in its possession, that the Kelly Services Information can only be used for assisting in the completion of the contract objectives and acknowledging that the audit provisions described in this Exhibit fully apply to them, their systems, and their premises beyond the termination of the contract. M. Special provisioning related to personal data of Kelly Services Personnel and Kelly Services Customers In the event Supplier has, or in the course of performance under this Agreement, will process Kelly Services Information that includes Personal Data regarding Kelly Services Customers or Kelly Services Personnel, then Supplier and its employees, officers, directors, agents, contract workers and/or others acting on its behalf or under its control may not Process Personal Data except as required for purposes of fulfilling the express purposes of this Agreement. Without limiting the requirements of this Exhibit, the special provisions set forth below will apply to Personal Data regarding Kelly Services Customers and Kelly Services Personnel. 21 Confidential to Kelly Services, Inc. and Vendor R07/13 1. Privacy Laws - Any Personal Data Processed by the Supplier in the course of performing its Services under this Agreement or as part of any deliverable or other information provided to Kelly Services will be processed and protected in accordance with all applicable Privacy Laws. Supplier expressly warrants that its Processing of Personal Data will comply with all Privacy Laws. Supplier will at all times perform its obligations under this Agreement in such a manner as to not, by its actions, or inaction contrary to this Agreement, cause Kelly Services to be in violation of applicable Privacy Laws. 2. Ownership and Information Integrity - All Personal Data Processed by the Supplier is and will remain the exclusive property of Kelly Services. Supplier will Process Personal Data only for the benefit of Kelly Services, and only to the extent strictly necessary to perform its obligations under this Agreement, or as otherwise required by law. Supplier may not otherwise use or modify the Personal Data, merge it with other data or information, commercially exploit it, disclose it or take any other actions that may in any manner adversely affect the integrity, security or confidentiality of such Personal Data, other than for purposes of performance under this Agreement or as otherwise directed by Kelly Services in writing. 3. Responsibility and Safeguards - Supplier will be fully responsible for any unauthorized Processing of Personal Data in any physical, electronic or other form. Without limitation, Supplier will employ administrative, physical, and electronic safeguards (including safeguards against Malicious Code and other disabling or damaging codes) that (i) prevent the unauthorized Processing of Personal Data of Kelly Services Customers or Kelly Services Personnel, and (ii) meet or exceed industry standards, as set forth in ISO 27001 and 27002 regarding such safeguards. Particular requirements may be substituted or waived by Kelly Services in writing upon consultation with Supplier, referencing this Exhibit. Supplier will ensure, without limitation, the following: a. Delineation and Identification of Personal Data - Taking all necessary steps and implementing all appropriate processes to delineate and identify Personal Data for special handling within Supplier’s organization, including supplemental controls over certain types of Personal Data more particularly regulated by Privacy Laws such as the limitation on use of SSN’s and related government/national identification numbers, and, where applicable, the requirement to obtain consent for the disclosure or other Processing of Personal Data. b. Secure Servers and Maintenance - Ensuring that all physical, network, host, web and data sites in which Personal Data is stored are: (i) maintained in a secure manner that satisfies all the requirements of this Exhibit; and (ii) identified to Kelly Services. c. Restricted Access - Ensuring that Personal Data will be accessible only by authorized Supplier employees, officers, directors, agents, contract workers and others who have a legitimate business need to access such information, with suitable user authentication, sign-on and access controls that satisfy the requirements of this Exhibit. Kelly Services employees, contractors, and customers must have reasonable access to their own personal information and be able to correct or amend where it is inaccurate. d. Encryption of Personal Data (Transmission) - When Processing Personal Data, connections to Kelly Services computing environments and any other transmission via data transmission services or using the Internet will be protected using any of the following cryptographic technologies: IPSec, SSL, SSH/SCP, PGP, or other technologies that provide substantially similar or greater levels of security. Encryption algorithms will be of sufficient strength to protect data to commercially reasonable security levels and will utilize industry recognized hashing functions. Transmission may not use any cryptography algorithms developed internally by or for Supplier. Encryption must be in full compliance with export laws applicable to the Kelly Services Information being transmitted. e. Encryption of Personal Data (Storage) - Storage, back-up or other retention of Personal Data at rest will be protected using one or more of the encryption technologies approved in this Exhibit for data transmission. f. Data Segregation (Virtual) - Maintaining capability to segregate and isolate Personal Data and disable functionality of applications using it, so it can be returned upon request by Kelly Services or in the event of a Security Incident. 22 Confidential to Kelly Services, Inc. and Vendor R07/13 g. Data Segregation (Physical) - Physically and electronically segregating Kelly Services Personal Data by logically isolating it from third party and internal Supplier information, and deploying suitable application controls, firewalls, air-gaps or private circuits so that Personal Data will not be commingled or corrupted by data from other sources. h. Back-up, Emergency/Disaster Recovery Systems - Applying the requirements to Personal Data stored on back-up media, servers or repositories, transported, or transmitted, stored or recovered as part emergency or disaster recovery systems maintained by or for Supplier. i. Information Retention and Disposal - (i) Cooperating with Kelly Services in administering its retention requirements concerning Kelly Services Information and employing Record controls required to enable such compliance, and (ii) returning or if authorized by Kelly Services, discarding, destroying and otherwise disposing of Personal Data in a secure manner to prevent unauthorized Processing of Personal Data consistent with Kelly Services’ policies and applicable law. j. Media in Transit -Not permitting Personal Data to be transmitted, or stored for transfer and then subsequently transported on physical media such as flash memory, computer hard drives, removable disks, tapes, or other media, without encryption and other reasonable security measures restricting access and use as required by this Exhibit. k. Employee Training - At Supplier’s expense, training its employees, officers, directors, agents and contract workers and others with access to Personal Data regarding the Supplier’s privacy protection and security obligations under this Agreement and generally concerning privacy and Personal Data. l. Heightened Security Attention for Employees Handling Personal Data – Conducting heightened screening and evaluation processes for Supplier’s employees, officers, directors, agents and contract workers and others with access to Personal Data. Examples may include without limitation, reference and background checks and adding security responsibilities to position qualifications, performance appraisals and compensation programs. m. Privacy Assessments - As stated in Section J, upon request from Kelly Services, Supplier will conduct or arrange, at Supplier’s expense, reasonable assessments of Supplier’s information, security and protection practices and capabilities relating to Personal Data, and provide such reports as may be reasonably requested by Kelly Services. Supplier will also assist and cooperate in responding to any privacy assessments Kelly Services may reasonably request relating to the security and protection of Kelly Services Information. n. Data Transfer to and From Third Parties Outside of Originating Country - Ensuring that no Personal Data is transmitted or permitted to be accessed from outside the country of its origin without determining requirements of and complying with the Privacy Laws in the originating and destination countries. o. Periodic Adjustment - Supplier shall regularly monitor, evaluate, and adjust, as appropriate, its Security Program in light of any relevant changes in applicable law and regulations, technology, internal or external threats to Kelly Services Data, requests from Kelly Services, and Supplier’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. p. System Changes - Supplier shall make no system change that may adversely affect the security of the system or the security of Kelly Services Information. q. Choice – suppliers will ensure processes and applications within scope of services utilized to support Kelly Services has the flexibility to allow for Kelly Services employees, customers, and contractors can opt out from their personal information from being processed. r. Notification – supplier shall notify Kelly services employees, customers, and contractors the collection and usage of personal information and allow for the ability to contact for opting out, inquiries, or complaints. This information must be conspicuously displayed in clear language. 23 Confidential to Kelly Services, Inc. and Vendor R07/13 s. Onward Transfer – supplier shall disclose Kelly Services customer, employee, contractor personal information to third parties only consistent with the principles of Notification and Choice (section q and r above). Remedies: For the avoidance of doubt, failure to comply with the requirements of this Exhibit is a failure to perform under this Agreement and subject to any provisions for breach set forth in this Agreement. In addition to any remedies otherwise available, Supplier, at its sole expense, will be responsible for and redress any damages or costs caused by, and take all reasonable steps to cure, such failure to perform, and will implement all corrective actions reasonably required to prevent such deficiencies and occurrences applicable to Supplier’s further performance under this Agreement. 24 Confidential to Kelly Services, Inc. and Vendor R07/13
© Copyright 2024