As we continue to focus on privacy initiatives here at Mozilla, we have repeatedly come up against vendor form contracts that don’t protect our users’ data the way we think they should. The need to negotiate these terms from scratch in nearly every such deal was also a topic of discussion at a recent IAPP conference I attended. Tech trans specialists (i.e., attorneys that negotiate technology and IP agreements), both in-house and at law firms, shared their frustration with the fact that few providers seem to have such terms but virtually all customers require them these days. So both customers and vendors were spending many cycles negotiating these terms for each contract.
Hoping to avoid drafting these terms from scratch for each relationship, we (with some help from outside counsel) created a contract addendum. We wanted to share these publicly so other organizations and individuals can use them as they see fit and hopefully contribute to the addendum’s evolution over time. So feel free to use and share these terms, but we hope you will share back your improvements so everyone can benefit. If you want to be anonymous in your contributions, you can email improvements to me directly at jmartin at mozilla dot com.
We also welcome you to share your experiences and insights in negotiating terms with or on behalf of service providers that receive customers’ customers’ data.
I am attaching our addendum for Safe Harbor-compliant vendors and our guidelines that we provide to vendors to explain in “plain English” what we seek. We are also happy to share our non-Safe Harbor-compliant addendum if there is interest.
Here is the basic addendum for vendors that are Safe Harbor compliant:
Protection of Mozilla Data
1. Conflict. Notwithstanding anything to the contrary in the Agreement or elsewhere: (a) in the event of a conflict between the terms of this Addendum including the Annex (this “Addendum”), on the one hand, and the terms of the Agreement on the other hand, the terms of this Addendum will govern; and (b) no limitation of liability or disclaimer shall apply to this Addendum. Provider shall ensure that Provider Affiliates and any third parties assisting Provider Affiliates in providing the Services hereunder are contractually required to agree to terms in favor of Mozilla no less restrictive than the terms contained in this Addendum. To the extent Provider uses third parties to perform the Services hereunder (“Provider Affiliates”), Provider shall be fully liable for all acts and omissions by Provider Affiliates.
2. General. Provider acknowledges that as a result of this Agreement, Provider may obtain information relating to or potentially relating to individuals, including without limitation individuals who are users of Mozilla’s software and websites and employees and contractors of Mozilla and its subsidiaries (such information collectively referred to as “Mozilla Data”). Provider represents and warrants that Provider shall not and shall cause Provider Affiliates not to
a. collect, use or disclose Mozilla Data for any purpose, except as expressly permitted under this Agreement or by Mozilla in writing;
b. correlate or aggregate any Mozilla Data with any other data obtained through other products, services, web properties or from third parties;
c. provide Mozilla Data to any third parties without Company’s explicit prior written consent.
Provider represents and warrants that Provider and Provider Affiliates shall adhere to the most current version of any applicable Mozilla privacy policies, including without limitation those located at http://www.mozilla.com/en-US/privacy-policy, http://www.mozilla.com/en-US/legal/privacy/firefox-en.html and http://www.mozilla.com/en-US/legal/privacy/firefox/mobile/ and shall not take any actions that will cause Mozilla to violate such privacy policies.
3. Data Protection Requirements. Provider represents and warrants that the Services, and Provider and Provider Affiliates’ performance of the Services, will at all times during the term of this Agreement, comply with: (a) the highest industry data security standards; (b) all applicable federal, state, local and international privacy, data protection, and security laws, rules and regulations, including without limitation, laws relating to the collection, use, reuse, processing, storage, security, protection, handling, cross-border transfer and disclosure of Mozilla Data, including without limitation the Data Protection Directive (Directive 95/46/EC), the Directives on Privacy and Electronic Communications (Directive 2002/58/EC and Directive 2009/136), Canada’s Personal Information Protection and Electronic Documents Act and applicable provincial privacy legislation, New Zealand’s Privacy Act 1993, and any other applicable national legislation relating to data protection and privacy (all such laws, rules and regulations collectively, “Data Protection Requirements”); and (c) the provisions of this Agreement, including the Annex. Provider represents and warrants that at all times during the term of this Agreement and for so long as Provider has any Mozilla Data it shall remain in compliance with and certified as compliant with the US Department of Commerce’s Safe Harbor principles and requirements. Provider shall not and shall not permit Provider Affiliates to perform any act that will cause Mozilla to be in breach of its obligations under the Data Protection Requirements. Provider shall defend, indemnify and hold harmless Mozilla from and against all losses, damages, claims, judgments, expenses and liabilities (including without limitation attorneys’ fees) related to a claim of breach of this Addendum.
4. Data Safeguards. Provider shall and shall cause each Provider Affiliate to, establish and maintain administrative, technical and physical safeguards (including without limitation software safeguards) in accordance with the highest industry standards and all Data Protection Requirements to ensure the security and confidentiality of Mozilla Data and other records and information of Mozilla, and to protect and safeguard against threats or hazards to the integrity of, and the unlawful, intentional, unauthorized or accidental destruction, loss, alteration, theft, misappropriation, disclosure or use of Mozilla Data and other Mozilla records and information that are in the possession or control of Provider or Provider’s affiliates, including without limitation where the processing involves the transmission of data over a network (the “Data Safeguards”). Provider shall revise and maintain the Data Safeguards in accordance with all applicable laws and prevailing industry best practices.
5. Information Security Breach and Remedial Actions. Without limiting any other provision of this Agreement, if (x) Provider or any Provider Affiliate deliberately or inadvertently collects, uses, or discloses Mozilla Data in breach of the Data Protection Requirements or this Agreement or (y) Mozilla, Provider, or a Provider Affiliate discovers, is notified of, or has reasonable awareness that an unauthorized access, acquisition, theft, disclosure or use of Mozilla Data has occurred or is likely to occur (each such event in (x) and (y), an “Information Security Breach”), Provider shall immediately notify Mozilla of such Information Security Breach. Furthermore, at Mozilla’s option, Provider shall: (a) investigate, remediate, and mitigate the effects of the Information Security Breach; and (b) provide Mozilla with assurances satisfactory to Mozilla that such Information Security Breach will not recur. Additionally, if any Information Security Breach or other unauthorized access, acquisition or disclosure of Mozilla Data occurs or is likely to have occurred and (i) applicable laws (including without limitation Data Protection Requirements) require, in Mozilla’s sole discretion, notification of public authorities, agencies or individuals whose data were so affected or other remedial actions or (ii) Mozilla determines in its sole discretion that Mozilla remedial measures (including without limitation notice, credit monitoring services or the establishment of a call center to respond to Mozilla inquiries) are warranted (collectively, the “Remedial Actions”), Provider will at Mozilla’s request undertake such Remedial Actions. All Remedial Actions and notifications shall be at Provider’s expense. Provider shall maintain an inventory of Mozilla Data breaches, including without limitation the facts surrounding the breach, its effects, the remedial action taken and the names, addresses and state of residence of all impacted individuals.
6. Post Termination Activity. Upon expiration or termination of this Agreement for any reason, or upon request by Mozilla, Provider shall (and shall cause each Provider Affiliate to) immediately: (a) stop processing Mozilla Data; and (b) destroy Mozilla Data in accordance with Mozilla’s written instructions unless Mozilla requests that Provider return all Mozilla Data to Mozilla, in which case Provider shall return all Mozilla Data to Mozilla within 15 days of termination or expiration of the Agreement.
7. Interest in Mozilla Data. Provider acknowledges that Mozilla owns all right, title, and interest in and to Mozilla Data. Mozilla reserves all rights not granted to Provider under this Agreement.
And here is our plain English set of guidelines that we try to provide to vendors upfront:
Mozilla’s Deal Requirements
Mozilla looks for vendors who are willing to work with us to ensure our data* is protected and kept confidential. Specifically, we ask our vendors to commit to the following and want to ensure before moving to a contract discussion that you are willing to work with Mozilla on these points. The actual agreement terms will go into more detail.
You should know that Safe Harbor compliant vendors receive fast track status in our contract review process. If you are not, we need to pass on to you the Model Clauses that the EU has put out to ensure that people’s data is treated right.
- You’ll only use our data to provide the services and won’t disclose or collect it for any other purpose, and you won’t correlate or aggregate it with any other data.
- You’ll comply with our privacy policies.
- You’ll agree to comply with all privacy laws that apply to us, including the EU laws around data and security.
- You’ll use industry best practices to secure our data.
- If there is a breach of our data, you will stand behind that and undertake remedial actions to correct the problem and notify and make whole all those affected.
- When our agreement ends, you will stop using and will destroy our data.
- We own all our data.
- If you break one of the promises above, you will stand behind that and compensate Mozilla and those affected without expecting Mozilla to pick up all or some of the tab.
If your company can provide these assurances, we’d like to talk to you more about working together.
*When we say “our data” we mean whatever data you are exposed to as part of our relationship, like Mozilla’s, its users’ and its employees’ data, depending on what services you provide.