
Agreements

Master Services Agreement & Data Security Agreement

Master Services Agreement - Terms & Conditions

Effective: August 1, 2018

This Master Services Agreement (“Master Agreement”) and its Terms and Conditions (“General Terms”) are incorporated into all agreements for products and services provided by Sentinel Group and its corporate entities, Sentinel Group, Inc., Sentinel Pension Advisors, LLC. and Sentinel Benefits Group, LLC., a Massachusetts corporation with a principal place of business located at 100 Quannapowitt Parkway, Wakefield, MA 01880 (“Sentinel”). With respect to each such agreement and all products and services provided by Sentinel, each Party agrees as follows:


  • 1.1. “Approved Statement of Work” means a Statement of Work that is approved and signed by an authorized agent of each Party.
  • 1.2. “Business Day” means a day on which Sentinel and the New York Stock Exchange are both open for business. The Business Day ends at 4:00 p.m. Eastern Standard Time for purposes of processing transactions.
  • 1.3. “Client” means any Party to an Approved Statement of Work other than Sentinel.
  • 1.4. “Effective Date” means the date that services begin under the Approved Statement of Work.
  • 1.5. “Fees” means billing rates for services as described in the fee schedule of the Approved Statement of Work.
  • 1.6. “Intellectual Property Right” means any intellectual property right including, without limitation, any right, title, or interest in any patent, trademark, service mark, trade dress, copyright, or trade secret, together with any and all goodwill relating thereto.
  • 1.7. “Party” means any party to an Approved Statement of Work, collectively the “Parties.”
  • 1.8. “Services and Deliverables” means the services described in an Approved Statement of Work.
  • 1.9. “Statement of Work” means any document that describes products or services to be provided by Sentinel to any other Party including amendments, exhibits, addendums or schedules.
  • 2.1. Once the Parties have fully agreed to the terms of a Statement of Work, each Party shall sign the Statement of Work, indicating its approval and deliver (electronically or otherwise) a copy of the signed Statement of Work to the other Party. A Statement of Work may be signed in counterparts, all of which taken together shall constitute one and the same Approved Statement of Work, once signed by all Parties.
  • 2.2. Sentinel shall have no obligation to execute, act on, or meet the commitments defined in any Statement of Work until it becomes an Approved Statement of Work.
  • 2.3. Sentinel shall provide to Client and its affiliates the Services and Deliverables in accordance with the applicable Approved Statement of Work. The terms and conditions of this Agreement (hereinafter referred to as the “General Terms”) will apply to all Approved Statements of Work issued hereunder. In case of a conflict between any provision of these General Terms and any provision of an Approved Statement of Work, the provision of these General Terms will apply, unless expressly stated otherwise in the Approved Statement of Work.
  • 2.4. Changes to Services: Client understands and agrees that Sentinel may modify this Master Agreement and any Approved Statement of Work by giving the Client at least sixty (60) days advance notice of the change. The notice will: (1) explain the modification of the services; (2) identify the effective date of the change; (3) explain Client’s right to reject the change or terminate services; and (4) state that pursuant to the General Terms of this Master Agreement, if Client fails to object to the change before the date on which the change becomes effective Client will be deemed to have consented to the change. If Client rejects the change, Sentinel shall not be authorized to make the change. In that event Client shall have an additional sixty (60) days from the effective date to locate a service provider in place and instead of Sentinel. If at the end of such additional (60) day period, the Parties have not reached agreement, the Approved Statement of Work and this Master Agreement shall terminate.
  • 3.1. Invoice Frequency: Sentinel shall issue invoices to Client as set forth in an Approved Statement of Work.
  • 3.2. Payment Terms: The Client agrees to pay all fees as described in the Approved Statement(s) of Work. Payment of fees is due upon Client receipt of the invoice, which will be transmitted via email to the Client’s designated billing contact(s). All fees paid to Sentinel are non-refundable. Termination of an Approved Statement of Work according to its terms does not terminate the Client’s duty to pay fees due to Sentinel for services performed under the Approved Statement of Work or this Master Agreement.
  • 3.3. Changes to Fees: Client understands and agrees that the fees shall continue in effect until Sentinel has provided notice to the Client of the change in the amount of the fee. Sentinel may change the fees charged by giving Client at least sixty (60) days advance notice of the change. The notice will: (1) explain the modification of the fee; (2) identify the effective date of the change; (3) explain Client’s right to reject the change or terminate services; and (4) state that pursuant to the General Terms of this Master Agreement, if Client fails to object to the change before the date on which the change becomes effective Client will be deemed to have consented to the change. If Client rejects the change, Sentinel shall not be authorized to make the change. In that event Client shall have an additional sixty (60) days from the effective date to locate a service provider in place and instead of Sentinel. If at the end of such additional (60) day period, the Parties have not reached agreement, the Approved Statement of Work and this Master Agreement shall terminate. 
  • 3.4. Minimum fee during first year of service: The Client acknowledges that Sentinel will incur certain costs in the course of implementing services pursuant to the Approved Statement of Work. If the Client terminates an Approved Statement of Work for any reason other than material breach by Sentinel, and termination occurs within one year from the Effective Date, then Sentinel shall be entitled to a minimum fee equal to one (1) year of the agreed upon fees as detailed in the Approved Statement of Work. In addition to the minimum fee, the Client also agrees to pay all Additional Services fees for services that have been provided by Sentinel. At all times, fees for previously provided services are due on the termination date or the due date of the final invoice.
  • 4.1. Sentinel acknowledges that:
    • 4.1.1. it has the power and authority to enter into and perform these General Terms and applicable Approved Statement of Work; and
    • 4.1.2. its Services and Deliverables will be prepared, completed and performed by trained, experienced and qualified personnel with reasonable skill, care and diligence in accordance with the applicable professional standards recognized by Sentinel’s profession and the General Terms of this Master Agreement.
  • 4.2. Client acknowledges that:
    • 4.2.1. It has the power and authority to enter into and perform these General Terms and any applicable Approved Statements of Work;
    • 4.2.2. No action, claim or charge has been filed against Client, and no person has threatened to file any such action, claim or charge, which may have any material adverse effect on the subject matter of these General Terms or any applicable Approved Statement of Work or on Client’s ability to perform its obligations under these General Terms or any applicable Approved Statement of Work;
    • 4.2.3. Client is not insolvent and will not be rendered insolvent by any of the transactions contemplated by these General Terms or any applicable Approved Statement of Work.
  • 4.3. Client will notify Sentinel as soon as possible of any bankruptcy, insolvency, moratorium, or other proceeding pending against them that may affect the enforcement of creditors’ rights.
  • 4.4. Client understands that Sentinel recommends that all of its Clients seek advice from appropriate legal, accounting and other qualified experts with regard to related legal, tax and accounting matters prior to acting on any information provided by Sentinel. Client agrees that Sentinel does not provide legal, accounting or tax advice and is not liable for failure to provide the same.
  • 4.5. Client acknowledges that Sentinel is entitled to rely upon all information necessary for it to carry out its duties hereunder that is provided by Client, Client’s representatives, or Client’s other service providers without independent verification by Sentinel. Client represents that all such information, including information affecting taxes and tax status, provided to Sentinel is and shall be true, correct and complete in all material respects. Client agrees to promptly notify Sentinel in writing of any material change in the information provided to Sentinel and to promptly provide any such additional information as may be reasonably requested by Sentinel.
  • 5.1. Term: This Master Agreement and Approved Statements of Work shall be in effect from the Effective Date and will automatically renew on an annual basis unless otherwise terminated by either Party.
  • 5.2. Termination: The Parties may terminate an Approved Statement of Work without penalty upon providing sixty (60) days advance written notice to the other Party. On the termination of the agreement, Sentinel will have no obligation to recommend or take any action with regard to the Services and Deliverables outlined in the Approved Statement of Work but will cooperate with the Client to facilitate the orderly transition of Services and Deliverables to a new provider. Such termination will not, however, affect the liabilities or obligations of the Parties arising from transactions initiated prior to such termination, and such liabilities and obligations shall survive any expiration or termination of this Master Agreement and Approved Statements of Work.
  • 5.3. Termination due to Insolvency: Parties shall have the right, but not the obligation, to unilaterally terminate this Master Agreement immediately based on the insolvency of the other Party, by a proceeding by or against the Party seeking to adjudicate either a bankruptcy or insolvency, or seeking liquidation, winding up, reorganization, arrangement, adjustment, protection or relief under any law relating to bankruptcy, insolvency, reorganization or relief of debtors, or seeking the entry of an order for relief or the appointment of a receiver, trustee or other similar official.
  • Except with regard to its confidentiality or indemnification obligations hereunder, (1) in no event shall either Party be liable to one another or any third party for any special, incidental, indirect, remote, speculative or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, or loss of business information arising from its performance or failure to perform under these General Terms) and (2) in no event will either Party’s entire liability under these General Terms and any applicable Approved Statement of Work exceed the amount paid to Sentinel by Client pursuant to the applicable Approved Statement of Work.
  • 7.1. Each Party shall indemnify and hold harmless the other Party, its Affiliates, directors, officers, employees and agents from and against all losses, liabilities, judgments, awards, settlements, damages, fines, injuries, penalties and costs (including legal fees and expenses) to or in favor of others and all claims, causes of action and suits by others, including without limitation employees, subcontractors or agents of the indemnified Party and its Affiliates including personal injury (including death) or real and/or tangible property damage, (collectively, “Losses”) arising out of their own negligent acts or omissions under this Agreement or acts or omissions of their employees, contractors or agents.
  • 7.2. Each Party shall indemnify and hold harmless the other Party, its Affiliates, directors, officers, employees and agents from and against all Losses arising from (i) any breach of any representation or warranty set forth in this Agreement, and/or (ii) any breach of its information security and confidentiality obligations set forth in this Agreement and/or (iii) any claim that the other Party or its Affiliates’ use or possession of any or all Services or other related deliverables, or the exercise by the non-breaching Party of its rights granted under this Agreement, infringes, misappropriates or violates any Intellectual Property Rights.
  • 7.3. At the request of the indemnified Party from time to time after any such claims, the indemnifying Party shall at its sole expense defend, with counsel reasonably acceptable to the indemnified Party, all claims, suits or proceedings arising out of the foregoing. The indemnifying Party shall be notified promptly of any such claims, suits or proceedings in writing and, if requested to defend said action, given full and complete authority, information and assistance for the defense of same, provided, however, the indemnifying Party shall have no authority to enter into any settlement or compromise on behalf of the indemnified Party without the prior written consent of the indemnified Party, which consent shall not be unreasonably withheld. In all events, the indemnified Party shall have the right to participate in the defense of any proceedings with counsel of its own choosing, at its expense.
  • 7.4. All provisions concerning indemnification and liability survive the termination of this agreement.
  • 8.1. Any Information, whether or not protected by a patent, copyright and/or trade secret that has been provided orally or in writing by the disclosing Party or any of its Affiliates to the receiving Party pursuant to this Master Agreement (hereinafter “Confidential Information”) shall be treated by the receiving Party as being the proprietary information of the disclosing Party, and shall be held in strict confidence by the receiving Party. All financial, business and strategic data pertaining to the disclosing Party and its affiliates, and all other data, information and/or records of or pertaining to the disclosing Party’s and its affiliates’ customers, including but not limited to names, addresses, telephone numbers, account numbers, account and transaction information, customer lists and pricing information and any other “Non-Public Information” as defined in the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., shall be deemed Confidential Information of the disclosing Party. Such information pertaining to disclosing Party’s customers shall remain at all times during and after the term of this Master Agreement the exclusive property of the disclosing Party.
  • 8.2. With respect to all Confidential Information, the receiving Party shall not (i) provide or make available the Confidential Information in any form to any person other than those employees or contractors of the receiving Party who have a need to know such Confidential Information in order for the receiving Party to exercise its rights or perform its obligations under this Master Agreement; (ii) reproduce Confidential Information except for use reasonably necessary for the receiving Party to exercise its rights and perform its obligations under this Master Agreement; and (iii) exploit or use Confidential Information for any purpose other than as required for the receiving Party to exercise its rights and perform its obligations under this Master Agreement. In the event that the receiving Party is specifically authorized by this Master Agreement to disclose any Confidential Information to a third party, then the receiving Party shall require the third party to execute a Confidentiality Agreement the terms of which shall be no less restrictive than the terms set forth herein. 
  • 8.3. Notwithstanding the foregoing, “Confidential Information” shall not include information that was: in the public domain prior to the receipt of same by the receiving Party; in the receiving Party’s possession and/or known to the receiving Party prior to its receipt hereunder as evidenced by written documentation and was not acquired directly or indirectly from the disclosing Party; received by the receiving Party from a third party where the receiving Party was without an obligation of secrecy with respect thereto and was not acquired directly or indirectly from the disclosing Party; and/or independently developed by the receiving Party without use of access or reference to, or any benefit of, the disclosing Party’s Confidential Information.
  • 8.4. Each Party shall notify the other Party immediately of any unauthorized access, possession, use, or knowledge, or attempt thereof, of Confidential Information and agrees to mitigate the impact of such an event. Each Party shall promptly provide the other Party with full details of any such event and use all available efforts to prevent a recurrence of any such event.
  • 8.5. In the event that a subpoena or other legal process in any way concerning the Confidential Information is served upon the receiving Party, the receiving Party shall notify the disclosing Party immediately upon receipt of such subpoena or other legal process and shall cooperate with the disclosing Party in any lawful effort by the disclosing Party to contest the legal validity of such subpoena or other legal process.
  • 8.6. The Parties agree that monetary damages will not be an adequate remedy if this Section regarding Confidential Information is breached and therefore, a disclosing Party shall, in addition to any other legal or equitable remedies, be entitled to seek injunctive relief against any breach or threatened breach of this Section.
  • 9.1. The Approved Statement of Work shall specify the type of Services and Deliverables to be provided, and ownership rights in the Deliverables to the extent required by either Party.
  • 9.2. Subject to the General Terms of this Master Agreement in no event shall Sentinel be precluded from independently developing for itself, or for others, whether in tangible or non-tangible form, anything that is competitive with, or similar to, any of the Deliverables provided that: (i) Sentinel does not use or infringe Client Intellectual Property Rights; and/or (ii) such Deliverables do not contain any of Client’s Confidential Information. In addition, Sentinel shall be free to use its general knowledge, skills and experience, and any ideas, concepts, know-how, and techniques that are acquired or used in the course of providing the Services, provided that Sentinel does not breach its obligations with respect to Client’s Confidential Information or otherwise use or infringe Client’s Intellectual Property Rights.
  • 9.3. The parties agree not to use the other Party’s name in any release or printed form without prior written authorization to do so.
  • Sentinel, including its employees or agents, is an independent contractor and is not to be considered an employee or agent of Client for any purpose. This Master Agreement does not obligate Client to use Sentinel exclusively or engage Sentinel to provide any Services and does not obligate Sentinel to accept offers to provide Services, exclusively or otherwise.
  • Neither Party may assign its rights or delegate its duties hereunder, whether by operation of law or otherwise, without the written notification of the other Party, which consent shall not be unreasonably withheld.
  • This Master Agreement and Approved Statements of Work will be interpreted under the laws of the state of Massachusetts, Michigan or New York, whichever location is closest to Client’s Address, without references to the principles of conflict of laws, provided that there is no inconsistency with federal laws. Each Party irrevocably agrees that any action, suit or other legal proceeding against them shall be brought in a court of the Commonwealth of Massachusetts or the State of New York. Each Party irrevocably submits to and accepts such jurisdiction and waives any objection (including any objection to venue, enforcement, or grounds of forum non conveniens) that might be asserted against the bringing of any such action, suit or other legal proceeding in such court.
  • If any provision of this Master Agreement is adjudged by any court or arbitration board of competent jurisdiction to be invalid or unenforceable, then such provision shall be modified to the extent possible and necessary to preserve the original intentions of the Parties, and the validity or enforceability of the remaining provisions shall not in any way be affected or impaired thereby.
  • All notices relating to the Master Agreement shall be delivered electronically or by mail to the Parties’ respective addresses and authorized contacts. Notices sent to Sentinel by mail should be addressed to: Sentinel Group, 100 Quannapowitt Pkwy., Suite 300, Wakefield, MA 01880.
  • Neither Party shall be liable for any failure to perform any of its obligations under this Master Agreement during any period in which such failure to perform arises directly or indirectly out of an act of nature, acts of the public enemy, embargoes, insurrection, riot, or the intervention of any government authority (collectively, “Excusable Cause”), provided that the Party so delayed immediately notifies the other Party of such delay in writing and uses its best efforts to minimize the adverse effect of such events. If such failure by Sentinel exceeds or is reasonably likely to exceed a cumulative period of 30 days, Client may terminate this Agreement, or any Statement of Work, immediately without liability.
  • Unless otherwise expressly provided, all rights, remedies, powers and privileges conferred under this Master Agreement upon Sentinel and Client shall be cumulative and shall not be deemed to exclude any other right that either Party may have at law or in equity.
  • This Master Agreement and Approved Statements of Work shall be binding upon and inure to the benefit of the Parties and their successors and assigns as permitted by the General Terms.

Data Security Agreement - Terms & Conditions

Effective: March 31, 2023

This Data Security Agreement (the "DSA") is incorporated into the following Agreements (the “Agreements”) between Client and Sentinel Group, LLC (“Sentinel”): TotalChoice Administration & Recordkeeping Statement of Work; Total RecordKeeper Retirement Plan Services Statement of Work; TotalChoice Actuarial Compliance & Recordkeeping Retirement Plan Services Statement of Work; and TotalChoice Nonqualified 457(b), 457(f), 409A Administration & Recordkeeping Retirement Plan Services Statement of Work; and Health & Welfare Administration Statement of Work.

In the course of providing the Services to Client pursuant to the Agreement, Sentinel may collect, host, or otherwise Process Client Personal Data. During the Term of the Agreement, and for so long thereafter as Sentinel continues to collect, host, or otherwise Process Client Personal Data (the “DSA Term”), Sentinel shall comply with the data privacy and security requirements set forth in this DSA. 

Capitalized terms used but not defined in this DSA shall have the meanings given to such terms in the balance of the Agreement.

  • 1.1 “Client Personal Data” shall mean any Personal Data received, accessible, collected, or generated by Sentinel from or about Client’s employees, participants, or participants’ beneficiaries (including, as applicable, prospective, current, and former employees, participants, or participants’ beneficiaries) in the course of Sentinel’s performance of the Services.
  • 1.2 “Culpable Data Breach” shall mean any Data Breach that is attributable to the acts or omissions of, or violation of this Agreement by, Sentinel, including, but not limited to, Sentinel’s: (a) failure to secure its systems against internal or external vulnerabilities it knew or should have known about based on information generally known in the industry; (b) failure to secure its systems against external threats it knew or reasonably should have known about based on information generally known in the industry; (c) failure to maintain the security of identity and access management within Sentinel’s systems for individuals who utilize Sentinel systems; (d) failure to utilize industry-standard encryption for data-at-rest and in-transit over public networks; (e) transfer of data to recipients not explicitly authorized to receive such data; or (f) failure to maintain a data security program that meets industry standards.
  • 1.3 “Data Breach” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data, or any other Personal Data breach recognized under applicable Data Protection Laws.
  • 1.4 “Data Protection Laws” shall mean all applicable government-issued laws, rules, regulations, and guidance pertaining to data privacy, confidentiality, Processing, protection, security, or encryption.
  • 1.5 “Legal Process” shall mean a subpoena, request for production of documents, court order, or other requirement of a governmental or regulatory agency to disclose any information or respond to an official inquiry.
  • 1.6 “Personal Data” shall mean any information relating to an identified or identifiable natural person, or that is otherwise protected or regulated under Data Protection Laws; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • 1.7 “Processing” shall mean any operation or set of operations that is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • 2.1 General Requirements. Sentinel shall Process or otherwise use Client Personal Data solely to perform the Services on behalf of Client and in accordance with Data Protection Laws. Without limitation to the generality of the foregoing, Sentinel is specifically prohibited from selling Client Personal Data and from collecting, retaining, using, disclosing, or otherwise Processing Client Personal Data for a commercial purpose other than providing the Services as specified in the Agreement or in any manner outside of the direct business relationship between Sentinel and Client. To the extent required by Data Protection Laws, Sentinel further acknowledges and agrees that its execution of the Agreement constitutes its certification that it understands and will comply with the restrictions set forth in this Section.
  • 2.2 Return or Deletion of Client Personal Data. Within thirty (30) days following any termination or expiration of the Agreement, or following any applicable run-out period that survives thereafter, Sentinel shall, at Client’s election, unless legally prohibited, return or securely delete all Client Personal Data in the possession, custody, or control of Sentinel, and, at Client’s request, provide written certification that it has done so. With respect to any backup copies of Client Personal Data that are maintained pursuant to documented retention schedules of Sentinel, Sentinel shall retain such copies pursuant to such document retention schedules and shall delete such copies as soon thereafter as possible (and, in no event, later than the period set forth in its documented retention schedules and in compliance with Data Protection Laws).
  • 2.3 Assistance. Sentinel shall reasonably cooperate and assist Client to comply with Client’s obligations under Data Protection Laws. Without limitation to the foregoing, Sentinel shall reasonably assist Client to respond to any: (a) request by an individual data subject to exercise rights with respect to Client Personal Data; or (b) inquiry or other communication from a legal or regulatory authority with respect to Client Personal Data, and shall promptly notify Client of receipt of either of the foregoing.
  • All of the restrictions and obligations in this DSA that apply to Sentinel should be read as applying to its personnel and subcontractors, and Sentinel shall be responsible and fully liable for the acts and omissions of its personnel and subcontractors as if they were the acts and omissions of Sentinel.
  • 3.1 Personnel. With regard to Sentinel personnel engaged in Processing Client Personal Data, Sentinel shall: (a) ensure that such personnel are informed of the confidential nature of the Client Personal Data and are subject to appropriate confidentiality obligations; (b) ensure that such personnel have received appropriate training on compliance with their responsibilities (including under this DSA and Data Protection Laws), conduct appropriate background checks on such personnel (in accordance with applicable law), and take all other commercially reasonable steps to ensure the reliability of such personnel; and (c) restrict such personnel’s access to Client Personal Data to that which is strictly necessary to perform their respective duties under the Agreement.
  • 3.2 Subcontractors. With regard to subcontractors engaged by Sentinel to Process Client Personal Data, Sentinel shall: (a) ensure that each subcontractor has agreed by written contract to be bound by confidentiality, security, and privacy protection and compliance obligations that are no less onerous than those set forth in this DSA and the Agreement; and (b) restrict such subcontractor’s access to Client Personal Data to that which is strictly necessary to perform their respective duties under the Agreement.
  • 4.1 Measures. Sentinel shall make commercially reasonable efforts to safeguard Client Personal Data against any Data Breach, shall maintain and enforce a written information security program that includes appropriate administrative, physical, and technical measures for protection of the security, confidentiality, accuracy, and integrity of Client Personal Data (the “Security Measures”), and shall regularly monitor compliance with these Security Measures. Such Security Measures: (a) shall be no less rigorous than accepted industry standards and practices for information security; (b) shall be appropriate to the risks presented by Processing the Client Personal Data, in particular from any potential Data Breach; (c) shall comply with any minimum requirements specified in Data Protection Laws; (d) shall be no less stringent than those set forth throughout this Agreement, including the minimum security safeguards set forth in Appendix 1 to this DSA; and (e) shall not be materially diminished during the DSA Term.
  • 5.1 Notification and Cooperation. Notwithstanding any provision to the contrary, in the event of any Data Breach, Sentinel shall: (a) notify Client without undue delay and as soon as practicable, after becoming aware of the Data Breach, keep Client up-to-date about continuing developments in connection with the Data Breach, and provide Client with sufficient information to allow it to timely meet any obligations under Data Protection Laws; (b) not, without Client’s written consent, notify any third party about such Data Breach, except with regard to third-party advisors engaged by Sentinel to aid Sentinel in the investigation and analysis of the Data Breach (who are subject to reasonable confidentiality restrictions), or except as compliance with Data Protection Laws may preclude waiting for such Client consent (in which case Sentinel shall still provide Client with prior written notice, to the extent allowed); and (c) cooperate with Client to promptly investigate and resolve the Data Breach, including by conducting a root cause analysis and preparing a corrective action plan and sharing them with Client. Upon conclusion of Sentinel’s Data Breach investigation, Sentinel shall prepare and deliver to Client a final report that describes the extent of the Data Breach, the Client Personal Data compromised, all relevant corrective actions completed, and all efforts taken to mitigate the risks of further Data Breaches.
  • 5.2 Remediation. In the event of any Culpable Data Breach, Sentinel shall also take all commercially reasonable remedial steps to remedy the Data Breach, prevent any further Data Breach, mitigate any potential damage, and minimize any harm to Client.
  • 6.1 Audits. During the DSA Term, Sentinel shall undergo each year an independent evaluation by a recognized industry third-party audit firm, Service Organization Control (“SOC”) 2 Type II audit (or equivalent industry-standard successor audit) covering the relevant scope of systems, applications, and Services and shall ensure reports are generated from such audits (“Audit Report”). Upon Client’s written request, and not more than once annually, Sentinel shall provide to Client its then current Audit Report. Sentinel also performs a SOC 1 Type II audit covering business operating controls which is available upon written request.
  • 6.2 Conflicts. In the event of any conflict between this DSA and the balance of the Agreement, the terms of this DSA shall prevail, provided, however, that this DSA shall not limit any additional Client rights related to Sentinel’s Processing, protection, or use of Client Personal Data in the balance of the Agreement.
  • 6.3 Amendments. Client and Sentinel agree to negotiate in good faith any amendments to this DSA that are required in order for the parties to meet the requirements of applicable Data Protection Laws.
  • 6.4 Survival. This DSA shall survive the expiration or termination of the Agreement, for the duration of the DSA Term.

APPENDIX 1 TO THE DSA

Minimum Security Safeguards

  • Securing business facilities, data centers, paper files, servers, back-up systems, and computing equipment, including all mobile devices and other equipment with information storage capability, used in connection with Client Personal Data;
  • Implementing network, device, application, database, and platform security in all data centers housing Client Personal Data;
  • Securing and encrypting Client Personal Data information transmission, storage, and disposal, and using current, industry-standard encryption types, and adhering to Client’s existing encryption protocols for any Client Personal Data transmitted over public or wireless networks;
  • Implementing authentication and access controls within media, applications, operating systems, and equipment used in connection with Client Personal Data;
  • Logically segregating Client Personal Data so that it is not commingled with Sentinel’s own data, or that of its other Clients; and
  • Maintaining appropriate security contact and escalation processes on a 24-hours-per-day, 7-days-per-week basis.
  • For any Sentinel information assets and information technology used to provide the Services: (a) physical protection mechanisms, to ensure such assets and technology are stored and protected; and (b) to the extent applicable, controls to physically secure all Client Personal Data and to properly destroy Client Personal Data when it is no longer needed;
  • For any Sentinel laptops and mobile devices that will be connected to Client’s computer systems or networks, installation of anti-malware software and threat-mitigating technologies, or connectivity restrictions as deemed appropriate by Client and approved by Client in advance; and
  • For any Sentinel facilities used to provide the Services: (a) appropriate facility entry controls, to limit physical access to systems that store or process Client Personal Data; and (b) processes to ensure access to such facilities is monitored and is restricted on a “need to know” basis.
  • Appropriate mechanisms for user authentication and authorization in accordance with a “need to know” policy;
  • Controls to enforce rigorous access restrictions for remote users, contractors, and service providers;
  • Timely and accurate administration of user account and authentication management;
  • Processes to ensure assignment of unique IDs to each person with computer access;
  • Processes to ensure Sentinel-supplied defaults for passwords and security parameters are changed and appropriately managed on an ongoing basis;
  • Mechanisms to track all Sentinel access to Client Personal Data by unique ID;
  • The use of strong passwords and other secure authentication credentials;
  • Mechanisms to encrypt or hash all passwords; and
  • Processes to immediately revoke accesses of inactive accounts or terminated/transferred users.
  • Documented and enforced technology configuration standards;
  • Processes to ensure regular testing of security systems and processes; and
  • A system of effective firewall(s) and intrusion detection technologies necessary to protect Client Personal Data.
  • Maintain mechanisms to keep security patches current;
  • Maintain processes to monitor, analyze, and respond to security alerts;
  • Use reasonable anti-malware and security monitoring controls, and keep signatures, models, and versions up to date; and
  • Conducting continuous vulnerability scanning of the infrastructure housing Client Personal Data, and remediating high- and medium-severity issues in a reasonable timeframe.
