Laserfiche WebLink
EXHIBIT 1: <br />DATA SECURITY & PRIVACY ADDENDUM <br />This Data Security & Privacy Addendum applies to Empower and its Affiliates and describes how Empower <br />protects Personal Data and Plan Data (the "Addendum"). Capitalized terms used but not defined herein <br />have the meanings given to them in the Master Service Agreement executed by Empower and Plan <br />Sponsor under which Empower provides services to Plan Sponsor ("Agreement"), <br />1. Definitions. The following terms have the meanings set out below and similar terms shall be <br />construed accordingly: <br />"Data" means Personal Data and Plan Data. <br />"Data Protection Laws" means any law with respect to the protection of Personal Data that is <br />applicable to Empower's Services under the Agreement or any Schedule thereto. <br />"Information Security Breach" means a confirmed compromise of an information system within <br />the authority or responsibility of Empower that results in: (i) the unauthorized acquisition, disclosure, <br />modification or use of unencrypted Personal Data, or encrypted Personal Data where the encryption key <br />has also been compromised; and (ii) a reasonable likelihood of identity theft or fraud against a data subject <br />in the Plan. An Information Security Breach includes, without limitation, theft andfor malicious use of Data <br />by Empower personnel. A good faith but unauthorized or unintentional acquisition, disclosure, modification <br />or use of Personal Data by an employee or contractor of Empower or a party who has signed a <br />confidentiality agreement with Empower does not constitute a Security Breach if the Personal Data is not <br />subject to further unauthorized acquisition, disclosure, loss, modification, or use. <br />"Personal Data" shall mean information that identifies or is reasonably capable of being associated <br />with a Participant in the Plan or an eligible employee of Plan Sponsor and includes personally identifiable <br />financial information as defined by Title V of the Gramm-Leach-Bllley Act, but excluding data that is publicly - <br />available and data from which individual identities have been removed and that is not linked or reasonably <br />linkable to any individual. <br />"Plan Data" shall mean non-public Plan level information that is provided to Empower in <br />connection with receipt of the Services. Plan Data excludes data that is de -identified and aggregated for <br />benchmarking and research purposes. <br />"Subprocessor" means any person (including any third party service provider and any Empower <br />Affiliate, but excluding personnel employed by such parties) engaged by Empower to process Personal <br />Data. <br />2. Direction. Plan Sponsor Directs Empower and its Affiliates (and authorizes Empower and its <br />Affiliates to Direct each Subprocessor), where applicable, to process Personal Data as follows: (a) <br />processing in accordance with the Master Agreement and any amendments thereto as executed by the <br />parties; and (b) processing initiated by Participants in their use of the Services. Plan Sponsor represents <br />that it is and covenants that it will at all relevant times remain duly and effectively authorized to give the <br />Direction set out herein. <br />3. Security. In order to protect Personal Data, Empower will implement appropriate technical and <br />organizational measures designed to protect Personal Data in accordance with the requirements of any <br />Data Protection Laws. In addition to the foregoing, Empower's security program shall conform to the <br />commitments described below. <br />city I y otfncl - 19 — 16 9/19/2023 <br />