These Additional Terms and Conditions and the HWI – GE Quick Confirmation Agreement, each hereby made a part hereof (collectively, the “Agreement”) is entered into by and between the Hotel and the Group as such terms are defined in the HWI – GE Quick Confirmation Agreement. All capitalized terms as used herein that are not specifically defined shall have the meaning ascribed to them in the HWI – GE Quick Confirmation Only Agreement. For the entire term of your use and occupancy of the Hotel premises during your Event, you shall comply with all of the requirements set forth herein.
- BANQUET FUNCTIONS: For your organized food and beverage functions, the following will apply:
- Overtime: You agree to begin your Event promptly at the scheduled start time and to have your guests, invitees and other persons vacate the designated function space at the agreed upon end time. You must reimburse us for any overtime wage payments or other expenses incurred by us because of your failure to comply with these requirements.
- Price Increases: There may be increases in prices due to unforeseen changes in market conditions at the time of your Event. We will communicate these increases to you in advance. We will require written confirmation that you agree to pay these increased prices, or at your option we will make reasonable substitutions in menus and you agree to accept such substitutions.
- Set Up Charges: Should extensive meeting room set-ups or elaborate staging be required to meet your requests, there will be a reasonable set-up charge to cover Hotel costs and additional labor. If equipment is necessary that exceeds Hotel’s inventory, then you agree to pay for the reasonable cost of renting this additional equipment.
- Additional Spend: You agree to pay the Hotel for any food, beverages and other services not expressly set out in the Agreement and any appendix but provided on request of your authorized representative during the Event, at the prices set forth herein, or as to services not otherwise stated herein, the Hotel’s established rate for such services. On or before the arrival date, you will confirm to us in writing the names of those persons who you have authorized to sanction additional spend at the Event over and above the contracted amounts. All our records for additional spend (meeting room rental, audio/visual equipment, flipcharts, F&B functions and other incidentals) will be presented to one of your authorized signatories to be checked and signed on a daily basis. Any discrepancies will be noted and you may dispute charges for any discrepancies noted by you. Failure of your authorized signatory to review any or all charges on a daily basis will not be grounds for disputing the charges.
- Additional Charges: In addition to the customary charges associated with Group’s Event (for example, sleeping room rates, meeting room rental, banquet charges, audio-visual, etc.), Hotel may offer other services for which there may be fees either to Group or the individual attendee (as applicable). Examples of potential additional charges could include Package Handling, Business Center, Sign Making, Banner Hanging, Telephone Rental, Meeting Room Re-Key Fee, Electrical Power, Athletic Club, Parking, and Luggage Storage Charge. Prior to Group’s Event, Group may request that Hotel disclose to Group those potential additional charges that are in effect at the time of Group’s Event.
- Outside Food and Beverage: Due to applicable law, you may not bring alcoholic beverages into the Hotel for your Event. You must obtain our prior approval before you bring any food or non-alcoholic beverages from outside sources into our Hotel that you wish to be served to your attendees. Reasonable and customary service fees will apply to any outside food or beverage served in our function space, regardless of whether Hotel labor is required.
- Displays and Decorations; Your Property: You may, at your option, purchase insurance to cover your personal property, including decorations, special objects and other property. To the fullest extent permitted by law, we are not responsible for any loss or damage to property belonging to you or your attendees, unless caused by our gross negligence or intentional misconduct, and we do not maintain insurance covering it. All displays and/or decorations will be subject to our prior written approval, which approval shall not be unreasonably withheld, conditioned or delayed, and we reserve the right to contract and charge you for Hotel staff to provide the labor, at Hotel’s standard rates, for any installations or removals of such. Hotel can advise you of such potential charges upon request.
- Outside Contractors: Should you elect to utilize outside contractors on Hotel premises during your Event, you must notify us at least 10 days in advance of your Event. We may require that your outside contractors sign a hold harmless, indemnification and insurance agreement in the form currently in use at the Hotel for similar outside contractors, and provide proof of insurance in amounts acceptable to us (amounts and types of insurance to be determined in our sole discretion based on the type of services the outside contractor will be providing) before the outside contractor will be allowed to provide services on our Hotel premises. In some instances, despite your use of an outside contractor, Hotel may be required, pursuant to obligations imposed on Hotel by labor unions or collective bargaining agreements, to utilize Hotel labor to provide certain services, and you agree to pay the actual fees and/or charges associated with these services.
- Conduct of Event: To the fullest extent permitted by law, and subject to the terms and conditions of the Limitation of Liability clause below, you assume full responsibility for any damage done to our premises used by you during your Event, but only to the extent such damage is caused by the negligence or willful misconduct of you, your employees, guests, agents, and contractors and any damage done resulting from the installation, placement, and removal of your displays, equipment, exhibits, or other items; provided, however, that you shall not be liable for damages done to our premises to the proportionate extent such damages are proximately caused by the negligence or willful misconduct of the Hotel’s employees, agents or contractors. For purposes of clarity, Group shall not be responsible for damage to guest sleeping rooms or public spaces of the Hotel not occupied by Group; in those instances, Hotel shall seek payment for damage from the responsible guest(s). You also agree that your Event will not create any unreasonable disturbance to other guests or meetings, such as excessive noise, smoke or fog machines, dry ice, confetti cannons, candles, incense, or any activity that generates offensive smells. Hotel reserves the right to end your Event immediately if you do not comply with Hotel’s request made to your authorized person to reduce or eliminate any such disturbance, in which case you will remain responsible for payment of all charges related to your Event and no refunds will be issued by Hotel.
- Fire Safety: For the safety of persons and property, no fireworks or incendiary devices may be used indoors at the Hotel. All room sets must be in compliance with the local Fire Department regulations, including those pertaining to occupancy load, mandatory aisles, ceiling clearance and fire exits. Any Event that has vehicle displays, fog machines, fueled cooking demonstrations, lasers, exhibits (including tabletop) or extensive productions with staging and props, must have a certified permit from the local Fire Marshal. All associated fees for permits, floor plan approval and stand-by fire watch are your responsibility and final approved copies of all such permits must be provided to us at least three (3) days prior to your Event. Should you require any rigging services for this Event, all such services must be arranged through the in-house audio-visual provider or the Hotel and you will be responsible for all costs, at Hotel’s standard rates, associated therewith.
- Security: If required, in Hotel’s reasonable judgment, in order to maintain adequate security measures in light of the size and/or nature of your Event, you will provide, at your expense, security personnel supplied by a licensed guard or security agency, which agency will be subject to Hotel’s prior approval. Such security personnel may not carry weapons. Your security agency will be required to provide proof of insurance and sign a hold harmless agreement before they will be allowed to provide services on Hotel premises. Hotel agrees to provide notice of this security requirement a minimum of 10 business days in advance of the Event.
- GUEST RESERVATION INFORMATION: If you request that Hotel provide you and/or your representative(s) with access to guest reservation information pertaining to guests who have reserved rooms at the Hotel as part of the Room Block (each, an “Attendee”) established pursuant to this Agreement, then you certify that you have already obtained, or will obtain, consent from each of your Attendees for the Hotel or Hilton Worldwide, Inc. to provide to you and/or your representative(s) such Attendee’s reservation information, and you further agree to reimburse Hotel and Hilton Worldwide, Inc. for any costs, damages, fees or expenses of any kind arising from any claim(s) by an Attendee relating to the Hotel’s or Hilton Worldwide, Inc.’s disclosure of any Attendee’s reservation information to you. Guest reservation information provided by GE to Hotel shall be treated by Hotel as GE Confidential Information.
- DISCLAIMER OF LIABILITY: To the fullest extent permitted by law, Group agrees that in no event will Hotel, Hotel’s Owner or Hilton Worldwide, Inc. be liable for (1) any services or products provided, or to be provided, to Group by any third party supplier or contractor (including, but not limited to, companies that provide meeting registration or management services, florists, decorators, musicians, etc.) hired by you, or (2) any liability arising out of any agreement between Group and any such third party supplier or contractor that Group hires or retains to provide services to Group’s Event. For the avoidance of doubt, this disclaimer applies even if such third party supplier or contractor (1) was recommended by Hotel to Group, (2) was a preferred supplier / vendor of the Hotel, and/or (3) pays Hotel commissions or provides Hotel with other incentives based on their services paid for by Group.
- AUXILIARY AIDS (APPLICABLE FOR EVENTS HELD IN THE UNITED STATES ONLY): The Hotel represents that it contains accessibility features for individuals with disabilities and, where needed, the Hotel will provide equivalent facilitation, auxiliary aids and services, and reasonable modifications to policies and procedures to ensure that our guests have equivalent access to the Hotel’s goods, services, and accommodations. You agree that one week in advance of your Event, you will furnish to us a list of any auxiliary aids needed by your attendees in meeting or function space. Except as required by applicable laws, you agree that you will be responsible for the procurement and payment of all charges for any and all auxiliary aids. We will, upon your request, furnish you with the names of businesses you can contact to obtain these aids. You also agree to be responsible for compliance with the Americans with Disabilities Act (“ADA”) in the set up and conduct of meetings for your Event.
- COMPLIANCE WITH LAWS: Each party represents and warrants to the other party that as of the date of signing this Agreement, the party is currently not on the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) List of Specially Designated Nationals and Other Blocked Persons (including terrorists and narcotics traffickers) (the “OFAC List”). The OFAC List can be found by visiting http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx. If prior to the Event date a party is added to the OFAC List or any similar restricted party listings, including those maintained by other governments pursuant to applicable United Nations, regional or national trade or financial sanctions, then that party must immediately notify the other party. A party may cancel this Agreement without any liability to either party if that party reasonably believes it is necessary to do so in order to comply with that party’s respective obligations under applicable laws, rules or regulations, including (but not limited to) if the other party is added to any restricted party listings as described in this section. Each party represents and warrants that it shall comply with all applicable laws in performing hereunder, including, but not limited to, the ADA.
- PROMOTIONAL CONSIDERATIONS; USE OF NAME AND PUBLICITY: We have the right to review and approve any advertisements or promotional materials in connection with your Event that specifically reference the name of the Hotel or a name or logo owned by a subsidiary of Hilton Worldwide, Inc., including (but not limited to): Hilton, Hilton Hotels & Resorts, Conrad Hotels & Resorts, Canopy by Hilton, Curio – A Collection by Hilton, Waldorf Astoria Hotels & Resorts, Embassy Suites, DoubleTree by Hilton, Hilton Garden Inn, Hampton Inn, Hampton Inn & Suites, Home2 Suites by Hilton, Homewood Suites by Hilton, and Hilton Grand Vacations. You agree that we may share your Event and Planner information with our third party providers who offer support services to groups holding meetings/functions at our Hotel, including audio/visual services, decorators, florists, and others.
Hotel agrees that it shall not, without Group’s prior written consent in each instance, (i) use in advertising, publicity or otherwise, the name or logo of Group, or any Group officer or employee, nor any trade name, trademark, logo or simulation thereof owned by Group, or (ii) represent, directly or indirectly, that any product or any service provided by Hotel has been approved or endorsed by Group.
- IMPOSSIBILITY: If unanticipated events beyond the reasonable control of the parties (including, but not limited to: acts of God; declared war in the country in which the Hotel is located; government regulation; terrorist attacks in the city in which the Hotel is located; or curtailment of transportation facilities either in the city in which the Hotel is located or in the countries/states of origin of the attendees that prevents at least 40% of the attendees from arriving for the first peak night of the Event) make it illegal or impossible or commercially impracticable to perform under this Agreement, the affected party may terminate this Agreement, without liability, upon providing written notice to the other party within ten (10) days of the occurrence. If the Event is properly cancelled by Group due to a valid Impossibility / force majeure occurrence, then upon written request by Group, Hotel agrees to refund to Group all prepaid deposits or advance payments paid to Hotel without deduction or liability.
- INDEMNIFICATION: To the fullest extent permitted by law, Group agrees to protect, indemnify, defend and hold harmless the Hotel, Hilton Worldwide, Inc. and the Hotel’s Owner, and their respective owners, managers, partners, subsidiaries, affiliates, officers, directors, employees and agents (collectively, the “Hotel Indemnified Parties”), from and against any and all claims, losses or damages to persons or property, governmental charges or fines, penalties, and costs (including reasonable attorney’s fees) (collectively, “Claim(s)”), in any way arising out of or relating to the Event that is the subject of this Agreement but only to the extent any such Claim(s) arise out of (i) the negligence, gross negligence or intentional misconduct of Group’s employees, agents, contractors, or attendees, or (ii) a violation or breach of any of the terms and conditions of this Agreement by Group including but not limited to the obligation of compliance with applicable laws or regulations. Nothing in this indemnification shall require Group to indemnify the Hotel Indemnified Parties for that portion of any Claim arising out of the negligence, gross negligence or intentional misconduct of the Hotel Indemnified Parties.
To the fullest extent permitted by law, Hotel agrees to protect, indemnify, defend and hold harmless Group, Group’s owners, managers, partners, subsidiaries, affiliates, officers, directors, employees and agents (collectively, the “Group Indemnified Parties”), from and against any and all Claims (as such term is defined above) arising out of or relating to the Event that is the subject of this Agreement but only to the extent any such Claim(s) arise out of (i) the negligence, gross negligence or intentional misconduct of Hotel’s employees, agents, or contractors, or (ii) a violation or breach of any of the terms and conditions of this Agreement by Hotel or any related act or failure to act by Hotel including, but not limited to, the obligation of compliance with applicable laws or regulations and the obligation not to disclose GE Confidential Information. Nothing in this indemnification shall require Hotel to indemnify any of the Group Indemnified Parties for that portion of any Claim arising out of the negligence, gross negligence or intentional misconduct of the Group Indemnified Parties.
The party found to be at fault or responsible for any Claim will be required to indemnify the other party as provided in this section. To the fullest extent permitted by law, the parties agree that a comparative negligence standard will apply to any Claims and each party will be responsible for paying for the portion of the total Claims attributable to its fault. In the event of a settlement of any Claim, expenses will be allocated proportionately based upon the amount paid by each party.
This section shall not waive any statutory limitations of liability available to either party, including innkeeper’s limitation of liability laws, nor shall it waive any defenses a party may have with respect to any Claim. This section shall survive any termination or expiration of this Agreement.
- INSURANCE: Group agrees to maintain insurance or self-insurance reasonably commensurate with all activities arising from or connected with your Event, including, but not limited to, general liability insurance, with limits not less than $2,000,000 per occurrence, covering personal injury, property damage, and other liability arising from your Event pursuant to the terms of this Agreement. Hotel agrees to maintain general liability insurance with limits not less than $2,000,000 per occurrence, covering liability for personal injury, property damage, liquor liability, and automobile liability, as well as Workers Compensation insurance per applicable laws and Employers Liability insurance. Upon written request, each party shall make evidence of coverage available to the other party. For hotels that participate in Hilton Worldwide’s general liability insurance program, proof of Hotel’s insurance coverage is satisfied by a Memorandum of Insurance available at: http://www.marsh.com/moi?client=0291. The Hotel can confirm whether they participate.
- GOVERNING LAW: The parties acknowledge that Hilton Worldwide and Group are based in the United States, and both Hilton Worldwide and Group need certainty in enforcement of agreements and that, therefore, to the maximum extent possible, this Agreement shall be governed by and construed in accordance with the laws of the State of New York, USA, excluding any laws regarding the choice or conflict of laws.
- DISPUTE RESOLUTION; ATTORNEY’S FEES: Except with respect to any request for equitable relief or other interim or conservatory measures of protection, the parties will use their commercially reasonable efforts to informally and timely resolve any dispute concerning any matter related to this Agreement by presenting the dispute to senior representatives of Hotel and Group for their discussion and possible resolution in the order set forth herein. All negotiations pursuant to this section are confidential and shall be treated as compromise and settlement negotiations for purposes of applicable rules of evidence. If within a period of thirty (30) calendar days after submission of a disputed matter in accordance with this clause, the respective senior representatives are unable to agree upon a resolution of such dispute, then the dispute will be resolved by arbitration using one arbitrator before JAMS or the American Arbitration Association in New York City, New York. The parties further agree that in any arbitration proceeding, they may conduct reasonable discovery pursuant to the arbitration rules, and any arbitration award will be enforceable in State or Federal court in New York. The parties agree that the prevailing party in any arbitration or court proceeding arising out of or related to this Agreement will be entitled to recover an award of its reasonable attorney’s fees and expert witness fees and costs.
- DISPUTES INVOLVING CREDIT CARD PAYMENTS: As a condition of Hotel agreeing to accept your credit card as an approved form of payment for all Master Account charges, you agree that any dispute that you may raise with respect to any Master Account charges must be addressed directly between you and us and to work in good faith to resolve any such disputed invoices in a timely manner. Any dispute that cannot be timely resolved to the mutual satisfaction of the parties shall be resolved in accordance with the dispute resolution provisions as contained in this Agreement.
- SUCCESSORS AND ASSIGNS: Neither party shall sell, assign, delegate, or otherwise transfer any of its rights or obligations hereunder without the prior written consent of the other party, which consent shall not be unreasonably withheld, conditioned or delayed, and any attempt to do so in contravention of the foregoing is hereby deemed null, void and with no effect, except that GE may assign any of its rights and obligations under this Agreement to any GE affiliate (for purposes of the foregoing, the term “affiliate” shall mean a business entity now or hereafter controlled by, controlling or under common control with GE, where control exists when an entity owns or controls directly or indirectly 25% or more of the outstanding equity representing the right to vote for the election of directors or other managing authority of another entity). Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the parties, their respective successors and assigns. In the event that Group assigns, sells, conveys, pledges or otherwise disposes of all or substantially all of its assets (collectively referred to as “assignment”), by operation of law or otherwise, this Agreement and the obligations herein must also be assigned to and assumed by the successor organization. Group may not otherwise assign this Agreement or any rights hereunder. You may not re-sell reservations. If we become aware of any violation of this section, we may immediately terminate the Agreement without incurring any liability to you for contracted rooms or rates and you will be responsible for any damages resulting from the cancellation as set forth herein.
- SEVERABILITY; NON-WAIVER: Any provision in this Agreement that is held to be illegal or unenforceable in any jurisdiction shall be ineffective to the extent of such illegality or unenforceability without invalidating the remaining provisions and any such illegal or unenforceable provision shall be deemed to be restated to reflect as nearly as possible the original intentions of the parties in accordance with applicable law. Either party’s failure to enforce any term or condition of this Agreement does not waive that party’s right to enforce that or any other term or condition at any time.
- AMENDMENTS/CHANGES: Any amendments or changes to the arrangements described in this Agreement must be made in writing, signed by both you and us; provided, however, that this Agreement includes all signed or unsigned Event Orders for which services have been accepted by Group (and the terms and conditions contained therein and attached thereto) issued by us for this and related functions/events and that your final guarantee of attendance may be made by phone. For purposes of this Agreement and any amendment or modification thereto, or for any other notice or communication between the parties, signatures sent or received by email with a scanned document with signature attached or by facsimile transmission will be considered as enforceable and valid as an original signature by the party signing. The effective date of communications between the parties will be determined as follows: (i) communications sent via U.S. Mail (or local equivalent) or private mail delivery service (e.g., FedEx) or email will be effective as of the date sent; and (ii) communications sent via facsimile will be considered effective as of the date and time on the facsimile confirmation sheet retained by the sender. For the avoidance of doubt, emails, including emails that bear an electronic “signature block” identifying the sender, do not constitute signed writings for purposes of this Agreement.
- LIMITATION OF LIABILITY: EXCEPT IN CONNECTION WITH THE INDEMNIFICATION OBLIGATIONS CONTAINED IN THE AGREEMENT, AND EXCEPT FOR PERSONAL INJURY OR PROPERTY DAMAGES, AND EXCEPT FOR DAMAGES CAUSED BY A PARTY’S NEGLIGENCE OR INTENTIONAL MISCONDUCT OR FRAUD OR A BREACH OF EITHER PARTY’S PRIVACY OBLIGATIONS, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF INCOME OR OPPORTUNITY, EVEN IF THE OTHER PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES PRIOR TO THEIR OCCURRENCE. FOR THE AVOIDANCE OF DOUBT, THE PREVIOUS SENTENCE SHALL NOT BE CONSTRUED SO AS TO LIMIT OR OTHERWISE NEGATE GROUP’S OBLIGATION TO PAY CANCELLATION DAMAGES OR PERFORMANCE DAMAGES (SOMETIMES REFERRED TO AS ATTRITION FEES), IF ANY, ACCORDING TO THE TERMS AND CONDITIONS SET FORTH IN THE AGREEMENT, GIVEN THAT IN SOME JURISDICTIONS, CANCELLATION OR PERFORMANCE DAMAGES MAY BE CONSIDERED TO BE A FORM OF SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES.
WITH RESPECT TO PERSONAL INJURY OR PROPERTY DAMAGES ONLY, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY AMOUNTS IN EXCESS OF USD $2,000,000.00. NOTHING IN THE FOREGOING SENTENCE IS INTENDED, NOR SHALL IT BE CONSTRUED, AS AN ATTEMPT BY ANY PARTY TO EXCLUDE OR LIMIT ITS LIABILITY FOR ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW, INCLUDING WITHOUT LIMITATION, ITS LIABILITY FOR DEATH OR PERSONAL INJURY CAUSED BY ITS NEGLIGENCE OR FOR ITS FRAUD OR MISREPRESENTATION OR FROM A BREACH OF THE CONFIDENTIALITY OR PRIVACY OBLIGATIONS HEREIN.
- CONFIDENTIALITY: In the event that a party may need to receive certain information or materials from the other party that are confidential (“Confidential Information”) including (1) personal information of employees (“Personal Information”) and (2) information related to the business of Group to which Hotel may have access in a closed meeting room reserved by Group provided that Group informs Hotel at least twenty-four hours prior to their Event that confidential information is being disseminated in that meeting room pursuant to the Closed Meeting Room Procedures described below, then each party agrees to keep the Confidential Information confidential and not use or disclose it to any third party, except as required by law. The foregoing confidentiality obligations shall not apply to Confidential Information that (i) is in the public domain without breach of this Agreement; (ii) is independently developed by the receiving party without use of or reference to the other party’s Confidential Information; (iii) was lawfully in the possession of the receiving party prior to its receipt from the other party; (iv) becomes known by the receiving party from a third party independently and not subject to an obligation of confidentiality; or (v) the disclosing party has a good faith belief it is required to disclose to comply with legal mandatory regulations, a judicial or official order or decree (provided that, to the extent permitted by law, the disclosing party first gives the other party immediate written notice of such order or rule and sufficient time to enable the other party to have the opportunity to quash or limit the scope of said order or rule).
Hotel will not be responsible for (a) Confidential Information that is disclosed in any manner by Group’s attendees to third parties while on Hotel premises; or (b) Hotel’s failure to return all written materials that are left by Group’s attendees at any place within or on Hotel premises, even if such materials are marked as being “Confidential.”
For purposes of this section, “Closed Meeting Room Procedures” are as follows:
- (a) In order for Hotel and Group to establish appropriate safeguards to maintain the privacy of a contracted meeting room, both Hotel and Group (or its designee) agree to meet at least 24 hours in advance of such closed meeting in order to discuss concerns and procedures to be implemented, taking into consideration the specific characteristics of the contracted meeting room (including, but not limited to, the location of the closed meeting room within the Hotel and the number of entrances to such room).
- (b) Except as otherwise agreed upon by the parties, Hotel agrees to alert its appropriate Hotel staff that Group’s assigned meeting room should remain locked and off limits to Hotel personnel during the duration of Group’s meeting.
- (c) Under no circumstances will Hotel or any of its personnel be responsible or liable for safeguarding or collecting any Group materials or property left behind in the meeting room(s), including materials that Group deems to be confidential or proprietary, even if such materials are identified as being “Confidential.”
- (d) Group shall be solely responsible for ensuring that Group’s materials are safeguarded before, during and following the conclusion of the meeting. Group shall be solely responsible for ensuring that all Group materials left in the meeting room(s) are properly collected and returned to Group or otherwise shredded or disposed (at Group’s option and sole cost).
- (e) Hotel will, upon Group’s request, furnish Group with the names of available local businesses that Group can contact to obtain third party services such as shredding services or security services.
- (f) Depending upon the scope of the mutually agreeable privacy safeguards for the meeting, Hotel reserves the right to assess, and Group agrees to pay, additional reasonable charges Hotel incurs to accommodate Group’s privacy safeguard requests.
- (g) If directed in writing by Group, Hotel shall not display Group’s name on any and all reader boards, public postings or signage. Instead, reader boards, public postings or signage shall refer to Group as follows: Business Meeting (or some other designation as identified by Group).
- Group Confidential Information is, and will remain, the property of Group. This Agreement does not grant, or otherwise give, Hotel ownership in, or other rights to, Group Confidential Information or any other Group intellectual property or proprietary materials. All rights in and related to Group Confidential Information, including, without limitation, copyrights, trademarks, trade secrets, patents, and all other intellectual property rights or proprietary rights, are hereby exclusively reserved by Group.
- PROTECTION OF GUEST PRIVACY: The Hotel handles Personal Information as such term is described in Hilton Worldwide’s Global Privacy Statement (http://www1.hilton.com/en_US/hi/customersupport/privacy-policy.do) and in accordance with applicable law. Hotel will comply with GE’s Privacy and Data Protection policy attached hereto and made a part hereof. Hotel understands and acknowledges that certain of its activities are subject to the Payment Card Industry Data Security Standards (PCI DSS) for the protection of cardholder data.
- HOTEL PERSONAL INFORMATION: Hotel understands and agrees that GE may require Hotel to provide certain personal information such as the name, address, telephone number, and e-mail address of Hotel’s representatives in transactions to facilitate the performance of the Agreement, and that GE and its contractors may store such data in databases located and accessible globally by their personnel and use it for necessary purposes in connection with the performance of the Agreement, including but not limited to Hotel payment administration. GE will be the data controller of this data for legal purposes, and agrees to use reasonable technical and organizational measures to ensure that Hotel personal information is processed in conformity with applicable data protection laws. Hotel may obtain a copy of the Hotel personal information by written request, or submit updates and corrections by written notice to GE.
- GE POLICIES; CODE OF CONDUCT: Each party acknowledges that it is in their mutual interest to ensure ethical behavior. Each party shall be responsible for ensuring that its employees comply at all times with its then current policies regarding conduct of employees. From time to time and upon reasonable request by the other party, each party shall discuss with the other party its then current policies regarding conduct of employees and impact upon its contractual obligations. Hotel acknowledges that it has read and understands the GE Integrity Guide for Suppliers, Contractors and Consultants, which may be updated or modified by you from time to time (the “Guide”) located at the following Internet address http://www.gesupplier.com/html/SuppliersIntegrityGuide.htm. Hotel agrees to fully comply with all relevant requirements of the Guide with regard to provision of the Services. For instance, the following requirement in the Guide shall not pertain to the Hotel and the Hotel’s provision of services in support of the Event: “(iv) to adopt policies and establish systems to procure tantalum, tin, tungsten, and gold from sources that have been verified as conflict free, and to provide supporting data on your supply chain for tantalum, tin, tungsten, and gold to GE when requested, on a platform to be designated by you.” The Hilton Worldwide Code of Conduct policy, which may be viewed at http://ir.hiltonworldwide.com/files/doc_downloads/HW.Code%20Of%20Conduct-NOV2013-L17.pdf, is applicable to those hotels that are managed or operated by Hilton Worldwide, Inc. or one of its affiliates.
- INDEPENDENT CONTRACTORS: The relationship of the parties hereunder is that of independent contractors. Nothing in this Agreement will be deemed to create a partnership, joint venture, agency, trust or similar relationship between the parties, and neither party will be deemed to be an agent of the other party. Without limitation to the foregoing, neither party has any right, power, or authority to act or to create any obligation, express or implied, on behalf of the other. Nothing in this Agreement shall be interpreted or construed as creating or establishing the relationship of employer and employee between GE and either Hotel or Hotel personnel.
- AUDIT RIGHTS: At Group’s written request, Hotel will allow Group (directly and/or through third parties) to audit and inspect only those Hotel books and records that specifically pertain to the Event that is the subject of this Agreement. Each of the parties will bear their own respective costs and expenses associated with any of the foregoing. Adjustments in favor of Group arising from any such audit shall be recognized as an adjustment of any future payment due Hotel or, if no future payment is due Hotel, Hotel shall promptly pay the amount of any such adjustment to you. Hotel shall cooperate fully with Group, or its designees, in connection with audit functions, in such a manner not to unduly interfere with Hotel’s operations.
APPENDIX: PRIVACY AND DATA PROTECTION
This Appendix governs whenever a Supplier Processes GE Data, including Personal Data, Sensitive Personal Data, or GE Restricted Data, or has access to a GE Information System in connection with the relevant Contract Document (as those terms are defined below). In the event of any inconsistency or conflict between this Appendix and the Contract Document with respect to a subject covered by this Appendix, the provision requiring the higher level of protection for GE Data shall prevail. The requirements in this Appendix are in addition to any confidentiality obligations between GE and the Supplier under the Contract Document.
Part A: Definitions
(i) Affiliate, if not defined in the Contract Document, with respect to either party, shall mean any entity (including but not limited to, joint ventures, corporations, limited liability companies, partnerships, limited partnerships, business trusts or other entities, subsidiaries, businesses, operating divisions, units thereof) that is directly or indirectly in control of, controlled by, or under common control with such party whether now existing, or subsequently created or acquired during the Term of the Contract Document.
(ii) Contract Document, as used in this Appendix, means the relevant contract, agreement, statement of work, task order or purchase order governing the provision of services by Supplier to GE.
(iii) Controlled Data is technical information with distribution and/or handling requirements prescribed by law or regulation, including but not limited to sensitive but unclassified government data and license-required export controlled data. Controlled Data shall be subject to the same controls specified below for GE Restricted Data.
(iv) GE means the General Electric Company, a General Electric Company operating unit, or a General Electric Company Affiliate signing the Contract Document with Supplier.
(v) GE Data is any GE or its Affiliate’s Confidential Information, as defined in the Contract Document, that is Processed in connection with performance of the Contract Document. For clarity, Personal Data, Sensitive Personal Data, Controlled Data and GE Restricted Data that GE provides to Supplier are GE Data.
(vi) GE Information System(s) means any systems and/or computers managed by GE, which includes laptops and network devices.
(vii) GE Restricted Data is information that GE or its Affiliate identifies as ‘restricted data’ in the Contract Document, or at the time of disclosure that GE identifies as “Restricted,” “Highly Confidential,” or similar in connection with performance of the Contract Document. GE Restricted Data includes, but is not limited to:
- Critical business information, including details of mergers, acquisitions or dispositions; financial results prior to public reporting; and security vulnerability information relating to GE Information Systems and/or products, and
- Critical technical information, including computer source code; non-public invention disclosure and/or patent data.
(viii) Highly Privileged Accounts, or HPAs, are accounts with system level administrative or super-user access to devices, applications or databases, administration of accounts and passwords on a system, or ability to override system or application controls.
(ix) Mobile Devices means tablets and smartphones running mobile operating systems (e.g., iOS, Blackberry OS, Android, or Windows Mobile operating systems). Laptops are not considered to be Mobile Devices.
(x) Personal Data is a category of GE Data that includes any information that relates to an identified or identifiable natural person (Data Subject), as such relation is defined under applicable law or regulation, that GE provides to Supplier. Legal entities are Data Subjects where required by law or regulation.
(xi) Process or Processing means to perform any operation or set of operations upon GE Data, whether or not by automatic means, including but not limited to, collecting, recording, organizing, storing, adapting or altering, retrieving, accessing, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, blocking, erasing, or destroying.
(xii) Security Incident is any actual or suspected event in which GE Data is or may have been lost, stolen, improperly altered, improperly destroyed, used for a purpose not permitted under the Contract Document or this Appendix, or accessed by any person other than Supplier Personnel pursuant to the Contract Document or this Appendix.
(xiii) Security Notices are any written communications, notices, filings, press releases, or reports related to any Security Incident.
(xiv) Sensitive Personal Data is a category of Personal Data considered to be especially sensitive and includes medical records and other personal health information, including protected health information (PHI) subject to the U.S. Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated under that Act (collectively, HIPAA), and/or any medical, demographic, visual or descriptive information that can be used to identify a particular patient/individual under HIPAA or other similar laws and regulations; personal bank account and payment card information and other financial account information; customer bank account and payment card information; national identifiers; and special categories of data under applicable data protection law (such as race, nationality, political opinions, trade union membership, home life, and sexual orientation). Sensitive Personal Data shall be subject to the same controls specified below for GE Restricted Data.
(xv) Supplier is the entity that is a party to the Contract Document.
(xvi) Supplier Information System(s) means any Supplier systems and/or computers used to Process GE Data pursuant to the Contract Document, which includes laptops and network devices.
(xvii) Supplier Personnel means Supplier’s employees, as well as its permitted affiliates, suppliers, subcontractors, and agents and their respective employees.
Parts B-E and I-K apply to all Suppliers that Process any GE Data.
Part B: Collecting, Processing and Sharing GE Data
Supplier shall implement appropriate organizational, technical, and physical measures and controls to protect and maintain the security and confidentiality of GE Data to prevent accidental, unauthorized or unlawful destruction, alteration, unauthorized disclosure or access, modification or loss of GE Data; misuse of GE Data; and unlawful Processing of GE Data. Supplier is responsible for compliance with all terms of the Contract Document and this Appendix by Supplier Personnel and for following GE or the applicable GE Affiliate’s instructions concerning the Processing of GE Data.
Organizational security controls shall include the following at a minimum:
- Supplier and Supplier Personnel shall Process GE Data, and access and use GE Information Systems, only on a need-to-know basis and only to the extent necessary to perform services under the Contract Document or as otherwise instructed by GE or the applicable GE Affiliate in writing.
- Prior to providing access to any GE Data to any Supplier Personnel, Supplier must obligate them to comply with the level of security required in the Contract Document and this Appendix and verify such compliance through an appropriate due diligence process. Unless otherwise agreed upon in the Contract Document, Supplier must obtain GE’s prior written approval to provide access to any GE Data to any of its own suppliers or subcontractors or agents that were not pre-qualified by or otherwise disclosed to GE in writing prior to Supplier’s performance of services under the Contract Document. Supplier shall take reasonable steps to maintain continuing compliance by such Supplier Personnel with this Appendix and shall remain responsible at all times for their compliance.
- Supplier must maintain formal written policies and procedures for the administration of information security throughout its organization consistent with the requirements of this Appendix.
- Supplier Personnel with access to GE Data must participate in appropriate information security awareness training provided by the Supplier prior to obtaining access to GE Data and thereafter on at least an annual basis while such personnel have access to GE Data.
- Supplier shall maintain a current inventory of Supplier Information Systems.
- Supplier must ensure each account (including GE assigned accounts) through which GE Data may be accessed is attributable to a single individual with a unique ID (not shared) and each account must require authentication (e.g., password) prior to accessing GE Data.
- Supplier shall undertake reasonable measures to terminate Supplier Personnel access to GE Data, whether physical or logical, no later than the date of personnel separation or personnel transfer to a role no longer requiring access to GE Data; where Supplier Personnel have been assigned GE SSO credentials, Supplier must notify GE of any such separation or transfer no later than the day of that event.
- GE Data shall not be Processed on personal accounts (e.g., individual email or cloud services accounts (e.g., Gmail, Yahoo, Dropbox, Google Drive)) or on personally-owned computers, devices or media.
- Unless prohibited by applicable law or regulation, Supplier shall notify GE promptly and act only upon GE’s instruction concerning any request by a third party, including without limitation law enforcement, governmental authority, or in connection with litigation or other court process for disclosure of GE Data or for information concerning the Processing of GE Data in connection with the Contract Document or this Appendix, as well as any request received from an individual concerning his/her Personal Data.
Technical security controls on Supplier Information Systems shall include the following at a minimum:
- Supplier must use strong passwords consistent with technology industry practices, including minimum password length, lockout, expiration period, complexity, encryption, changing of default passwords, and usage of temporary passwords. User account credentials (e.g., login ID, password) must not be shared.
- Supplier must implement and maintain controls to detect and prevent unauthorized access, intrusions and computer viruses and other malware. At a minimum such controls must include network layer security devices (e.g. firewalls and intrusion detection/prevention systems), client and server-side antivirus programs that include up-to-date antivirus definitions, and installation into production of all critical patches or security updates as soon as possible, but not later than thirty (30) days from the release of any such updates or patches.
- Supplier must maintain documented change management procedures that provide a consistent approach for controlling, implementing and documenting changes (including emergency changes) for Supplier Information Systems that includes appropriate segregation of duties.
- Unless otherwise expressly agreed in the Contract Document, development and testing environments must be physically and/or logically separated from production environments and must not contain GE Data unless specified in the Contract Document. Production changes must be approved by the Supplier’s appropriate system owner, as such person is designated in the Contract Document, and such changes must not be made by any Supplier developers.
- Any back-up media containing GE Data stored at Supplier’s site must be kept in a secure location (e.g., locked office or locked file cabinet) and be encrypted to a standard consistent with industry practice. If off-site media storage is used, Supplier must have a media check-in/check-out process with locked storage for transportation. Back-up information must be given the same level of physical and environmental protection as the level of control applied at the main site.
- Workstations must not be left authenticated when unattended and must be password or PIN protected when not in use. An inactivity lock must be implemented on workstations.
- Network layer security devices must allow only authorized connections and rule sets must be reviewed at minimum semi-annually.
- Mobile Devices used to Process GE Data (including emails) must have strong mobile device security controls, including required passcode, minimum passcode length, inactivity lock, and a process in place to immediately remotely wipe lost or stolen devices.
Physical security controls shall include the following at a minimum on all Supplier facilities where GE Data may be Processed:
- Physically secure perimeters and external entry points must be suitably protected against unauthorized access (e.g. barriers such as walls, card controlled entry gates). Access to all locations must be limited to Supplier Personnel and authorized visitors only. Reception areas must be manned or have other means to control physical access.
- Visitors must be required to sign a visitors register (maintained for at least one year) and be escorted or observed at all times, upon each entry to and exit from the premises.
- A clear desk policy must be enforced throughout the Supplier facilities. Documents that contain GE Data must be kept secured (e.g. locked office or file cabinet) when not in use.
Part C: Security Incidents
- Security Incidents on Supplier Information Systems must be logged, reviewed on a periodic basis (minimum quarterly), secured, and maintained for a minimum of twelve (12) months.
- Supplier must develop and maintain an up-to-date incident management plan designed to promptly identify, prevent, investigate, and mitigate any Security Incidents and perform any required recovery actions to remedy the impact.
- If, in the course of investigating a Security Incident, Supplier recognizes that GE Data has been compromised, Supplier will notify GE at or around the time that Supplier sends any legally-required notifications of the Security Incident to the affected individuals and where it could result in substantial harm or substantial inconvenience to the affected individuals; provided, however, that GE acknowledges that Supplier’s response to any such Security Incident will take priority over any discussions with GE related to the Security Incident. Supplier shall report any Security Incidents to GE’s Cyber Incident Response Team at email@example.com or 1-800-4GE-CIRT, or at such contact information communicated to Supplier from time to time. Supplier shall reasonably cooperate with GE in its investigation of a Security Incident, whether discovered by Supplier, GE, or a third party, which shall include providing GE a detailed description of the Security Incident, the type of data that was the subject of the Security Incident, the identity of each affected person, and any other information GE reasonably may request concerning such affected persons and the details of the Security Incident, as soon as such information can be collected or otherwise becomes available. Supplier shall designate an individual responsible for management of the Security Incident, and shall identify such individual to GE promptly.
- If requested by GE, and at GE’s direction, Supplier shall send Security Notices regarding a Security Incident. Unless prohibited by applicable law or regulation, Supplier shall provide GE with reasonable notice of, and the opportunity to comment on and approve, the content of such Security Notices prior to any publication or communication thereof to any third party, except GE shall not have the right to reject any content in a Security Notice that must be included in order to comply with applicable law or regulation. Should GE elect to send a Security Notice regarding a Security Incident, Supplier shall provide all reasonable and timely information relating to the content and distribution of that Security Notice as permitted by applicable law or regulation pursuant to the Security Notice.
- Other than approved Security Notices, or to law enforcement or as otherwise required by law or regulation, Supplier may not make or permit any public statements concerning GE’s involvement with any such Security Incident to any third-party without the explicit written authorization of GE’s Legal Department.
Part D: Audits
- Supplier shall monitor the effectiveness of its security program by conducting self-audits and risk assessments of Supplier Information Systems against the requirements of written policies and procedures maintained as required by this Appendix no less frequently than every twelve (12) months. Supplier shall be responsible for ensuring consistency of its security operations, including proactive monitoring and mitigation of all vulnerabilities across all of its sites.
- Intentionally deleted.
- Supplier must use commercially reasonable efforts to remediate any items rated as high or critical (or similar rating indicating similar risk) in any audits or assessments of Supplier Information Systems.
GE audit rights:
- Upon request, with reasonable advance notice and conducted in such a manner not to unduly interfere with Supplier’s operations, GE reserves the right to conduct an audit of Supplier’s compliance with the requirements in this Appendix relating to GE Data including but not limited to: (i) a review of Supplier’s applicable policies, processes, and procedures, (ii) a review of the results of Supplier’s most recent vulnerability assessment (e.g., application vulnerability scanning, penetration testing, and similar testing results) and accompanying remediation plans, and (iii) on-site assessments of Supplier’s physical security arrangements and Supplier Information Systems during Supplier’s regular working hours that will not unreasonably interfere with Supplier’s operations, pursuant to a mutually agreeable audit plan. GE reserves the right to conduct an onsite audit of Supplier on thirty (30) days prior written notice during regular business hours. This right shall survive termination or expiration of the Contract Document so long as Supplier Processes GE Data provided under the Contract Document. Supplier agrees to cooperate fully with GE or its designee during such audits and shall provide access to facilities, appropriate resources, provide applicable supporting documentation to GE, and complete security assessment questionnaires that may be requested.
- GE acknowledges and agrees that nothing in Section D4 above shall oblige Supplier to divulge any information relating to its other customers to GE in such a manner that may put Supplier in breach of its obligations of confidentiality to such customers or any other legal requirements.
- Subject to the confidentiality provisions of the Contract Document, GE or its representative may review, audit, monitor, intercept, access and, disclose any information provided by Supplier that is Processed or stored on GE Information Systems or on GE Mobile Devices accessing the GE network.
Part E: Regulatory Requirements
In the event Supplier Processes GE Data that is subject to additional regulatory requirements, or in a manner subject to additional regulatory requirements, Supplier agrees to cooperate with GE to comply with such requirements. Such cooperation may include, without limitation:
- Execution of additional agreements required by applicable law (e.g., EU Standard Contractual Clauses available at http://www.gesupplier.com/html/GEPolicies.htm ) or regulation.
- Implementation of additional security controls required by applicable law (e.g. Department of Defense FAR Supplement (cross referencing NIST), U.S. Federal Information Security Management Act (FISMA), HIPAA, US Sarbanes-Oxley Act, U.S. Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) Section 501(b) Standards for Securing Customer Information, Payment Card Industry Data Security Standards (PCI DSS) security requirements, Federal Financial Institutions Examination Council (FFIEC) guidance).
- Completion of regulatory filings applicable to Supplier (e.g. EU data protection authority filings).
- Completion of required regulatory audits (e.g., U.S. Food and Drug Administration (FDA), central banks such as the U.S. Federal Reserve).
Part F applies to any Supplier that Processes Personal Data (including Sensitive Personal Data)
Part F: Personal Data
- Unless and except to the extent expressly provided in the Contract Document, Supplier must, in each case, seek and obtain GE’s prior written approval regarding the scope of any Personal Data provided by GE to Supplier, as well as any notices to be provided and any consent language to be used when collecting such information from a Data Subject. In the case of Personal Data collected directly from Data Subjects by Supplier, Supplier shall comply with applicable data privacy laws and regulations, including those concerning notice, consent, access and correction/deletion. For further clarity, as a global hospitality provider, Hilton Worldwide, Inc. (“Hilton Worldwide”) collects, uses, processes and shares personal information of Hilton Worldwide’s HHonors members, guests and team members in accordance with Hilton’s relevant privacy policies. So that GE does not unintentionally interfere with such individuals’ choices regarding their personal information, Hilton Worldwide will continue to be deemed the data controller for such personal information where notice and consent has been provided and obtained pursuant to Hilton Worldwide’s privacy policies. Accordingly, and for the avoidance of doubt, nothing in this Appendix shall be construed to restrict Hilton Worldwide/Supplier from lawfully using or disclosing Personal Data of a Data Subject acquired as a result of the Data Subject’s reservation or stay at the Supplier’s hotel, received as part of Hilton Worldwide’s HHonors loyalty program, provided in the Data Subject’s personal capacity as a customer of Hilton Worldwide or the Supplier, or available to Hilton Worldwide / Supplier from another source without breach of any agreement or violation of law.
- Supplier acknowledges and understands that certain GE businesses (including but not limited to GE Healthcare) and business processes are certified to the US-EU and US-Swiss Safe Harbor Frameworks (Safe Harbor). Supplier also acknowledges and understands that, as Safe Harbor-certified entities, the relevant GE businesses are obligated to require Supplier to provide at least the same level of privacy protection for Personal Data as is required by the relevant Safe Harbor principles. This Appendix is designed and intended to satisfy this requirement of the Safe Harbor and, therefore, Supplier agrees to comply with this Appendix in its entirety.
- Supplier warrants and represents that it shall comply with all applicable laws and regulations applicable to Supplier’s activities concerning Personal Data governed by this Appendix, including those concerning notice and consent, onward transfer to a third party, and international transfer, and shall act only on GE’s written instruction concerning any such transfers. Supplier must receive approval from GE prior to (i) moving Personal Data from its GE-approved hosting jurisdiction to a different hosting jurisdiction; or (ii) provisioning remote access to such Personal Data from any location other than the hosting jurisdiction or other GE-approved jurisdiction.
- Encryption must be implemented in any of the following instances: (i) any computers, devices or media (e.g., laptop computers, phones/PDAs, USB drives, back-up tapes) containing Personal Data must be encrypted at rest; and/or (ii) transferring Personal Data over public networks (such as the Internet). In either case, Supplier must maintain cryptographic and hashing algorithm types, strength, and key management processes consistent with industry practices.
- In the event Supplier Processes Personal Data that is subject to additional regulatory requirements, or in a manner subject to additional regulatory requirements, Supplier agrees to cooperate with GE to comply with such requirements. Such cooperation may include, without limitation: a) Entry into U.S. Protected Health Information Agreement, available at http://www.gesupplier.com/html/GEPolicies.htm, where Supplier will Process any PHI. b) Where applicable, certification that the Supplier meets the requirements of the US-EU or US-Swiss Safe Harbor and is properly listed on the US Department of Commerce Safe Harbor list with respect to the data accessed and services provided under the relevant Contract Documents. If Supplier’s Safe Harbor certification lapses for any reason during the term, Supplier shall promptly notify GE and shall timely agree with GE upon alternative means of satisfying the associated legal requirements concerning adequacy of international data transfers.
Part G applies to Suppliers that Process Sensitive Personal Data, Controlled Data, and/or GE Restricted Data. The requirements of this Part G are in addition to all other applicable requirements of Parts A through F above. References to GE Restricted Data in this Part G shall be deemed to also refer to Sensitive Personal Data and/or Controlled Data as the context requires.
Part G: Protecting GE Restricted Data, Controlled Data, and Sensitive Personal Data
- Supplier must have an IT security organization with clearly defined information security roles, responsibilities and accountability.
- Supplier must perform vulnerability assessments on Supplier Information Systems at least annually. For Supplier Information Systems that are internet facing, Supplier must engage an independent external party to perform the vulnerability assessment and shall remediate as required in Part D.3.
- Supplier Information Systems consisting of networks used to access or store GE Restricted Data must have security controls that can detect and prevent attacks by use of network layer firewalls and intrusion detection/prevention systems (IDS/IPS) in a risk based manner (e.g., between the Internet and DMZ, and between DMZ and internal servers containing GE Restricted Data). IDS/IPS high and critical priority alerts must be continuously monitored and responded to as soon as reasonably practicable.
- Any Supplier Personnel accessing Supplier’s internal network remotely must be authenticated using a minimum two-factor authentication method and such transmissions must be encrypted at a level consistent with industry standards.
- Supplier must have or implement hardening and configuration requirements consistent with industry practices.
- Supplier must have or implement appropriate data loss prevention (DLP) controls (e.g., disabling of USB ports, DLP software, URL/Web filtering) to detect and prevent unauthorized removal of GE Restricted Data from Supplier Information Systems.
- Supplier must implement processes to support the secure creation, modification, and deletion of accounts and any HPAs. Supplier must review and update access rights at least annually, and at least quarterly for HPAs. HPA usage must be reviewed at minimum weekly. All HPA access must be established using encrypted mechanisms (e.g., secure shell).
- Supplier must use an auditable process (e.g., certification of destruction) to remove GE Restricted Data from Supplier Information Systems prior to disposal or re-use in a manner that ensures that the GE Restricted Data may not be accessed or readable.
- Encryption must be implemented in any of the following instances: (i) any computers, devices or media (e.g., laptop computers, phones/PDAs, USB drives, back-up tapes) containing GE Restricted Data must be encrypted at rest; (ii) where technically feasible, GE Restricted Data must be stored in encrypted form, except where encryption is mandatory in such cases as set forth above; and/or (iii) transferring GE Restricted Data over public networks (such as the Internet).
- Where encryption is required, Supplier must maintain cryptographic and hashing algorithm types, strength, and key management processes consistent with industry practices.
- Supplier Information Systems consisting of servers and/or network equipment used to store or access GE Restricted Data must be kept in a secure room containing additional access control mechanisms, located on the interior of the building with no windows unless safeguards are in place to prevent shattering and unauthorized entry. Telecommunications equipment, cabling and relays receiving data or supporting services must be protected from interception or damage.
- Physical access must be monitored, recorded and controlled with physical access rights reviewed at minimum annually. Physical access logs detailing access must be stored for a period of one (1) year unless prohibited by local law. If not staffed 24×7, alarms and entry point security cameras must be installed for off-hours access monitoring with recordings retained for at least thirty (30) days.
- Supplier must receive approval from GE prior to moving GE Restricted Data from its GE-approved physical location or jurisdiction to a different physical location or jurisdiction.
Part H: Disaster Recovery
Unless otherwise provided for in the Contract Document, Part H applies to any Supplier Information System(s) (i) that Processes GE Restricted Data, Controlled Data, and/or Sensitive Personal Data, and/or (ii) where an outage of the Supplier Information System(s), as identified in the Contract Document, is likely to significantly adversely impact GE or overall GE operations, financial position, regulatory compliance, and/or reputation.
Unless a disaster recovery (DR) program is otherwise set forth in more detail elsewhere in the Contract Document, Supplier must maintain a DR program for all Supplier Information Systems and facilities used to provide services under the Contract Document to GE. The DR program must be designed to ensure that Supplier has a methodology by which a system can continue to function through an operational interruption or disaster. At a minimum, the DR program should include the following elements:
- Supplier’s operational procedures must verify the successful completion of backups and the backup media must be tested regularly (at minimum quarterly) to ensure that it will operate in the event of an emergency.
- For rooms containing Supplier Information Systems consisting of servers and/or network equipment used to provide services to GE, controls must be implemented to mitigate the risk of power failures (e.g., surge protectors, uninterruptible power supplies, and generators), and environmental conditions (e.g., temperature and humidity).
- Supplier must maintain inventories that list all critical Supplier Information Systems. The inventories must be updated at minimum annually.
- DR plans must be developed for all Supplier Information Systems and facilities that are used to provide services to GE and reviewed/approved at minimum annually.
- Supplier must conduct full-scale DR tests annually against DR plans (unless otherwise agreed with GE) for Supplier Information Systems that Supplier reasonably believes are critical for providing services to GE to ensure that such Supplier Information Systems can be recovered in a manner that meets the contractual service levels specified in the Contract Document. DR results must be documented and provided to GE upon request.
Part I: Termination
- Subject to Part I.2 below and to any provision of the Contract Document to the contrary, Supplier shall within 30 (thirty) days of termination of the Contract Document, or if requested during the term of the Contract Document, cease all Processing of GE Data and shall return to GE all hard copies and reproductions of such GE Data. In lieu of returning hard copies and reproductions, GE may, at its sole discretion, require Supplier to destroy, using agreed upon methods to ensure such GE Data is not recoverable, all copies and reproductions of GE Data provided to, developed by, or used by Supplier in the performance of services under the Contract Document and certify to such destruction.
- GE acknowledges that due to its standard back-up procedures and/or a requirement of certain laws/regulations to which Supplier is subject, Supplier may be required to maintain copies and/or back-up copies of GE Data (including as part of records, documents or broader data sets) beyond the period described in Part I.1. In such cases, notwithstanding the requirements of Part I.1, GE agrees that Supplier may continue to retain such GE Data in copies and/or back-up copies beyond the period prescribed in Part I.1 provided that (i) Supplier has a documented retention period and secure deletion procedure for such copies and back-up copies, with back-up copies retained no longer than 6 (six) years from the date on which they were captured, and business or legally required copies retained only to the end of their business or legally required retention period; (ii) such copies and back-up copies shall be deleted in accordance with such documented procedure; (iii) Supplier shall perform no Processing of GE Data other than that necessitated by retaining or deleting the relevant copies and back-up copies; and (iv) Supplier shall continue to comply with all the requirements of this Appendix in relation to any such retained GE Data until the same is securely deleted.
- Termination or expiration of the Contract Document, for any reason, shall not relieve the Supplier from obligations to continue to protect GE Data against the impermissible disclosure in accordance with the terms of the Contract Document and this Appendix.
Part J: Material Breach
- Notwithstanding anything to the contrary herein or in the Contract Document, Supplier’s (including Supplier Personnel) failure to comply with the material obligations set forth in this Appendix also constitutes a material breach of the Contract Document, with such rights and remedies set forth therein or under applicable law and regulation.
- GE or the applicable GE Affiliate owning any of the GE Data being accessed pursuant to the Contract Document may enforce the terms of this Appendix as permitted or required by applicable law and regulation.
- Supplier shall pay for or reimburse GE or the applicable GE Affiliate for all costs, losses and expenses relating to any Security Incident that was proximately caused by Supplier, including without limitation, costs of forensic assessments, Security Notices, credit monitoring or other fraud alert services, and all other remedies either required by applicable law and regulation or which are customary in the industry or required under GE’s then-current policies or contractual commitments.