DLL’s Business Partner Privacy and Data Security Terms
Last Updated: October 15, 2023
These Privacy and Data Security Terms (the “Terms”) are by and between De Lage Landen Financial Services, Inc., and its affiliates (“DLL”) and the vendor, dealer, business partner, or other entity on whose behalf you are agreeing to these Terms (the “Company”). Where any other agreements have been duly executed by DLL and the Company (collectively, the “Agreement”) in connection with which the Company receives or will receive DLL Confidential Information (as defined below) for the limited and specific business purposes set forth in the Agreement, and notwithstanding anything to the contrary in the Agreement, these Terms are subject to and hereby incorporated as a part of the Agreement. In the event of a conflict between the terms of the Agreement and these Terms, these Terms shall prevail with respect to the subject matter of the conflict. For the sake of clarity, any reference in these Terms to “industry standard,” “industry standards,” or “industry best practices” means commonly accepted best practices for the financial industry.
In consideration of DLL making available its financing programs on the terms contained therein to and/or through the Company and providing Company access to DLL’s Confidential Information, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, Company hereby acknowledges and agrees:
- Compliance with Requirements and Applicable Laws. Company and its authorized employees and agents, and those authorized contractors, subcontractors, or service providers who store or process any DLL Confidential Information and/or access any DLL systems or facilities (collectively, “Representatives”) shall comply with these Terms if they have access to DLL’s Confidential Information, regardless of whether any Agreement has been terminated. Company warrants and represents that it will comply with all applicable laws with respect to any Confidential Information, including NPI (as defined below), received, collected, processed, used, or stored by Company. Company shall be liable for any acts or omissions of its Representatives in breach of the Agreement or these Terms to the same extent as if it had committed such acts or omissions directly. DLL may update these Terms to include new privacy and data security requirements. Companies must monitor the “Last Updated” date above to stay informed of any updates (collectively referred to as “Requirements”).
- Confidential Information; Destruction of Information. For purposes of these Terms, in addition to the definition, if any, of “Confidential Information” (or such equivalent term as is used in the Agreement) provided in the Agreement, the term “Confidential Information” shall also include information related to DLL’s (or its affiliates) software, information (including NPI as defined below) relating to an identified or identifiable business partner, customer, borrower, or employee, financing terms, pricing policies, profit margins, non-public financial information, operating methods, marketing plans, databases, networks, systems, other technology, configurations, system accounts, user IDs, passwords, security plans, measures and settings, disaster recovery or business continuity plans and measures, and/or other business affairs. Access to DLL’s Confidential Information shall be only granted to Company’s Representatives on a "need to know" basis. Company shall impose the same level of privacy protection with third parties as strict as these Terms. If the Company’s Representatives are given access to DLL’s systems or facilities, such Representatives shall comply with DLL’s applicable network and facilities policies and any specified access or use restrictions. Any measures to destroy or dispose of Confidential Information as required by the Agreement shall be secure and in line with industry best practices. Promptly following termination of the Agreement, or earlier within five (5) business days following Company’s receipt of DLL’s written instructions, Company shall securely destroy DLL’s Confidential Information in accordance with this Section and provide written confirmation of the same to DLL.
- Information Security Plan. Company warrants that it has adopted, documented, implemented, and shall adhere to a commercially reasonable written information security plan that contains technical and organizational measures appropriate to the nature of the information to protect all Confidential Information in any medium or format in Company’s custody or control against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, use, and access, and against all other unlawful activities. If the Company performs penetration tests, DLL reserves the right to receive the results of such tests. Company shall ensure operational anti-malware tools will be used on systems that have access to DLL's networks, and the Company will reduce or eliminate the effects of any malware introduced into DLL's system. All Company’s Representatives with access to Confidential Information shall complete initial security awareness training by the Company proportional to the services provided by the Company to DLL prior to receiving access to such information. When sharing or storing DLL's Confidential Information including physical controls, outside of their systems, industry best practices for encryption must be used, including strong cryptographic technologies and key lengths which shall align with guidance from the National Institute of Standards and Technology.
- NPI and Personal Data Rights.
- “NPI” shall mean all information, disclosed by DLL (or its affiliates), or which Company or its Representatives collect, acquire, access, or derive in connection with the Agreement or on behalf of DLL, that, either individually or when combined with other information, identifies, relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household; examples include an individual’s identity, first and last name (or first initial and last name), social security number, driver’s license number, passport number, or any other government-issued identifier, credit card number, payment or debit card data, address, personal email address, account information, financial information, information regarding racial or ethnic origin, religious or philosophical beliefs, birth date, information concerning an individual’s sex life or sexual orientation, or other factors or information specific to that individual’s physical or financial identity. For the avoidance of doubt, NPI also includes all “consumer information”, all “non-public personal information”, all “non-public information”, all “personal information”, and all “sensitive personal information”, as each of those categories may be subject to regulation under any applicable laws. Company can only process NPI in accordance with these Terms.
- Company may have custody or control of NPI in which individuals have certain rights under applicable laws (such rights, individually and collectively, “Personal Data Rights”). Personal Data Rights may include, without limitation, the right (a) to receive a copy of NPI and/or to request that NPI be transmitted to another entity, (b) to receive information about the use and disclosure of NPI, (c) to know the retention period, and/or (d) to require certain actions, including deleting, correcting, accessing, and prohibiting or limiting certain uses or disclosures of NPI. If Company receives a Personal Data Rights request regarding DLL’s NPI from an individual, Company shall immediately notify DLL (email sufficing) of such request. Company shall assist DLL in fulfilling any Personal Data Rights requests with respect to NPI in the custody or control of Company in accordance with applicable laws. Company shall not (i) “sell” or “share” NPI unless contemplated by the Agreement, as those terms are defined by the applicable law, (ii) sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic means, any Confidential Information (including, but not limited to, any NPI) to any third-party for monetary or other valuable consideration, (iii) retain, disclose, use or otherwise process any Confidential Information for any purpose (including any commercial purpose) other than the specific purpose specified in the Agreement, (iv) combine NPI with other information that Company receives from or on behalf of any other person or entity, and/or NPI collected by the Company itself, unless otherwise required by the Agreement, and/or (v) retain, use, or disclose any Confidential Information outside of the direct business relationship between Company and DLL.
DLL has the right to take reasonable and appropriate steps to help ensure that the Company uses the NPI transferred by DLL in a manner consistent with DLL’s obligations under the applicable laws.
- Security Incidents. “Security Incident” means (a) any actual or suspected unauthorized or unlawful use, modification, reproduction, removal, disclosure, loss, destruction, or access of DLL’s Confidential Information, and/or (b) any occurrence that could foreseeably result in an impairment of the confidentiality, integrity, or availability of DLL’s Confidential Information. If Company discovers or is notified of any Security Incident, which shall include any security event requiring notification to individuals or regulators under applicable law, Company will notify DLL no later than twenty-four (24) hours after becoming aware of the Security Incident. Notice of a Security Incident shall be made to DLL’s Chief Legal Officer by (i) email at Legal-Notices@dllgroup.com, and (iii) phone at 610-386-5000. Company shall investigate and preserve all records and other evidence related to the Security Incident and take all appropriate actions to remediate the effects of the Security Incident and mitigate any risks that may arise from the Security Incident. Company shall cooperate in good faith with DLL in the handling of any Security Incident, including (without limitation) assisting DLL to notify affected individuals and governmental agencies. DLL may disclose the occurrence of a Security Incident involving its Confidential Information as required by law in DLL’s sole discretion, including, as applicable, substitute notice. Company shall not notify a third party about a Security Incident involving DLL’s Confidential Information without DLL’s prior written consent, except as required by applicable law. DLL shall have the right to control the contents of any such communication to the extent it involves DLL’s Confidential Information, except where prohibited by applicable law. DLL has discretion, upon notice to Company, to take reasonable and appropriate steps to stop and remediate unauthorized use of NPI.
Company agrees to reimburse DLL for all reasonable out-of-pocket costs and losses incurred in connection with a Security Incident (all such costs, collectively, the “Security Incident-Related Costs”). Compliance with obligations under this section shall not mandate that DLL shall continue to do business under the Agreement if it determines in its reasonable business judgment that the Company has not taken appropriate steps to remediate such Security Incident. Each party shall be responsible for having any advisors or consultants execute an appropriate confidentiality agreement acceptable to the Company prior to participating in any investigations or remediation discussions.
- Indemnification. Company is responsible for indemnifying and protecting DLL, its affiliates, and their respective employees, officers, directors, shareholders, managers, members, and agents from any costs, damages, losses, judgments, settlements, and expenses (including reasonable attorney fees) associated with Security Incidents or claims by third parties. This includes any fines or penalties imposed by regulatory authorities. Company cannot settle any claims without DLL's written consent and cannot assign fault or responsibility to DLL or impose any obligations on them. This indemnification obligation is not subject to any limitations outlined in the Agreement.