Data Security and Protection Policy

The data security and protection terms (“Policy” or “Data Security Policy”) described herein are provided by BlueRush to each BlueRush customer (“Customer”) subject to the terms and conditions of the General Terms and Conditions or other applicable license agreement (“Agreement”) between each Customer and BlueRush or between a Customer and an authorized BlueRush partner. In the event of a conflict between the Agreement and this Data Security Policy the terms of the Agreement shall govern. Capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement.

1. Data Security. BlueRush will maintain, during the Term, an information security program that provides for the security and protection of Customer Confidential Information, Customer Data and Personal Data (“Customer Information”). The information security program may include, but is not limited to, multi-factor authentication for logging into data systems, conducting regular penetration tests, maintaining and regularly evaluating the security program, and maintaining system and facilities access controls. BlueRush employees and contractors are required to undergo regular data privacy and security training.
2. Security Measures. BlueRush will align with the physical, technical, operational and administrative measures and protocols regarding data security utilizing SSL, firewalls, encryption and physical security. BlueRush will, upon written request, provide Customer with copies of its data security policies and procedures designed to meet the requirements set forth in this Data Security
3. Disaster Recovery/Business Continuity Planning. BlueRush has a Disaster Recovery and Business Continuity plan, which it reviews and tests annually. Upon request, BlueRush will provide copies of its Disaster Recovery and Business Continuity planning and management practices, and the same shall be treated and Confidential Information under this Policy. If BlueRush experiences a business disruption in one of its services BlueRush will implement its disaster recovery plan and will make situational update reports at an appropriate frequency determined by BlueRush available to Customer that includes a summary description of the event, the impact to Customer, and an estimate of when services will return to normal.
4. Data Breach Notification. If BlueRush accesses Personal Data:
   • BlueRush is only authorized to use or disclose Personal Data for the purpose of performing under this Policy and providing the Services and Support to Customer;
   • BlueRush will store Personal Data in a secure manner and use at least the same degree of reasonable care to prevent unauthorized and improper disclosure as BlueRush uses in protecting its own confidential information, however, never less than the standard degree of care in BlueRush’s industry; and
   • In the event of a validated unauthorized use, disclosure or acquisition by a third party of Personal Data that compromises the security, confidentiality, or integrity of Personal Data maintained by BlueRush (“Security Breach”), BlueRush will notify Customer in writing of the breach within 72 hours and provide periodic updates afterwards that include (to the extent known by BlueRush) details of the cause of the Security Breach, measures being taken to mitigate the effects of the Security Breach, anticipated impact to Customer and individuals, and anticipated timeframe for stopping the Security Breach.
5. Sub-processors. Customer acknowledges and agrees that BlueRush may engage third-party sub-processors in connection with the provision of the BlueRush Products. To the extent BlueRush allows any sub-processor access to Personal Data BlueRush shall make available to Customer a current list of sub- processors upon Customer’s request. The sub- processors will be limited to use of Personal Data solely to the extent necessary to provide the BlueRush Product.