Security Policy




1.1.         General.  Consultant shall comply (and shall ensure that its employees and subcontractors comply) with (i) iDirect’s security and privacy policies (including without limitation its information security standards and any obligations related to handling personal information and data of iDirect’s clients); (ii) iDirect’s work place policies and procedures in effect for any facility of iDirect or an Affiliate where the Services are performed; and (iii) policies, procedures and guidelines promulgated by iDirect or an Affiliate that are designed to adhere to applicable laws, regulations or regulatory guidance or designed to address regulatory issues.  In the event of any conflict between the obligations of Consultant under this Agreement or under any iDirect or its Affiliate policy and procedure, Consultant shall comply with the more restrictive obligation(s).  In addition, Consultant shall ensure that all Services are performed in a manner that shall minimize any interference with iDirect’s or an Affiliate’s normal business operations.

1.1.         Equipment and Network Security.  If access to iDirect’s or an Affiliate’s computer systems, other equipment or personal property (“iDirect’s Systems”) is required in order for Consultant to fulfill its services obligations to iDirect, then iDirect shall determine the nature and extent of such access. If iDirect or an Affiliate provides Consultant with remote access to iDirect’s Systems, then any and all information relating to such remote access shall be considered iDirect’s Confidential Information and shall be subject to the obligations of confidentiality set forth in the Agreement. Consultant shall not download, install or access any software application on iDirect’s Systems without iDirect’s written permission (which written permission can take the form of an email from the iDirect project manager designated on the applicable SOW).  In addition, any and all access to iDirect’s Systems shall be subject to the following:

(a)           iDirect’s Systems shall be used solely to perform services for iDirect, and shall not be used for any purpose other than the legitimate business purposes of iDirect.

(b)          Access to iDirect’s Systems shall be restricted to Consultant’s personnel who need access in order for Consultant to fulfill its obligations under this Agreement; and no access rights shall be transferred to any other individuals without the prior written consent of iDirect.

(c)           Consultant shall ensure that its personnel do not attempt to break, bypass or circumvent iDirect’s or an Affiliate’s security systems, or attempt to obtain access to any hardware, programs or data beyond the scope of the access granted by iDirect in writing.

(d)          Without limiting any of its other rights, iDirect reserves (for itself and its Affiliates) the rights to restrict and monitor the use of iDirect’s Systems, and to access, seize, copy and disclose any information, data or files developed, processed, transmitted, displayed, reproduced or otherwise accessed in conjunction with such use. iDirect or an Affiliate may exercise its rights reserved hereunder: (i) to verify the performance of services; (ii) to assure compliance by Consultant’s personnel with iDirect’s or the Affiliate’s policies and procedures; (iii) to investigate conduct that may be illegal or may adversely affect iDirect, an Affiliate or its or their employees; or (iv) to prevent inappropriate or excessive personal use of iDirect’s Systems. Consultant shall advise its personnel concerning iDirect’s rights hereunder.

1.3.         Compliance Reviews.  Consultant shall permit representatives of iDirect, upon prior notice and at reasonable times, to examine and verify compliance with Consultant’s obligations under this Agreement with respect (a) to the safeguarding and use of iDirect’s Confidential Information, and (b) the detection, prevention, and mitigation of an actual or attempted theft or misappropriation of personal information of clients of iDirect or an Affiliate. Such examination and verification activities may include conducting information security assessments (“ISA”) of Consultant and of Consultant’s practices and procedures.   Should the findings of an ISA disclose or indicate security problems or concerns, iDirect shall detail such findings in a notice to Consultant, and work with Consultant to identify means for correcting the problems and addressing the concerns to iDirect’s reasonable satisfaction.  Consultant’s failure to correct the problems or adequately address the concerns expeditiously shall constitute a material breach of this Agreement.  iDirect acknowledges that the findings of any ISA shall be deemed to be Consultant’s Confidential Information.  Notwithstanding the foregoing, Consultant grants iDirect the right to distribute and use the findings of any ISA with any Affiliate, auditor or regulator as may be necessary to transact business with Consultant or to fulfill any compliance or information security process or policy of iDirect or its Affiliates.

1.4.         Security Incident Reporting Process.  Consultant shall develop, implement, document and maintain an information security incident reporting process (hereinafter a “SIRP”), copy of which Consultant shall provide to iDirect within thirty (30) days after executing the Agreement, in order to (a) ensure that both Parties have the immediate ability to address, contain and mitigate any possible risk stemming from any actual, alleged or potential unauthorized disclosure, compromise or theft of iDirect’s Confidential Information (including but not limited to, the unauthorized use of iDirect’s Systems or data, improper handling or disposal of data, theft of information or technology assets, and/or the inadvertent or intentional disclosure of iDirect’s Confidential Information); and (b) ensure a consistent process for identifying, reporting, investigating and closing information security incidents.  Such SIRP shall (i) provide an accurate and up-to-date list of Consultant and iDirect personnel to be contacted in the event of an actual or suspected information security incident, (ii) detail incident severity definitions consistent with iDirect’s policies, standards and processes, and (iii) set specific escalation procedures and timeframes for same based upon the breach severity level of the actual or suspected information security incident.  At a minimum, Consultant shall (iv) mandate that all Consultant personnel notify their management in the event that any Consultant personnel become aware of any action which indicates that there has been or may be an information security incident; and (v) notify an officer of iDirect immediately, or at minimum within twenty-four (24) hours, in the event of any actual or likely disclosure of iDirect Confidential Information. In the event of an actual or suspected information security incident, Consultant will cooperate with iDirect to mitigate any harm and will take all steps reasonably necessary to investigate and remediate the effects of such occurrence, ensure the protection of those individuals that are affected or likely to be affected by such occurrence, prevent the re-occurrence, and comply with applicable laws.  iDirect shall be responsible for determining whether any notification of individuals is necessary in response to an information security incident, and shall make any such required notifications to individuals.  Consultant shall not inform any third party of any information security incident, except as may be strictly required by applicable law, without first obtaining iDirect’s prior written consent.   Notwithstanding any limitations of liability in the Agreement, Consultant will promptly and fully reimburse iDirect for all reasonable and documented costs actually incurred by iDirect in addressing and responding to an information security incident.


2.1          Subcontractors.  Consultant may not subcontract the performance of any portion of this Agreement, any Statement of Work, Services or deliverables without iDirect’s prior written consent.  In cases in which iDirect consents to such subcontracting, the following terms and conditions shall apply (in addition to such other terms and conditions as may be agreed upon by the parties in writing):

(a)           In all events, Consultant shall ensure in advance of any subcontractor performing any Services, that any subcontractor agrees contractually to be bound by the terms and conditions of this Agreement and, further, that iDirect, its affiliates, successors or assigns, as the case may be, shall have direct recourse against such subcontractors.  In no event shall Consultant be relieved of any of the provisions of this Agreement by virtue of any subcontract or assignment hereof.

(b)          Consultant shall be responsible for the performance of all of its subcontractors and shall monitor and manage such subcontractors. Consultant shall remain directly responsible for the performance of Services and provision of deliverables subcontracted by Consultant.

(c)           Even if an inadequacy in a subcontractor’s performance does not amount to a breach of this Agreement, if iDirect notifies Consultant that it is dissatisfied with the performance of any subcontractor, Consultant shall use its best efforts to address iDirect’s concern regarding such subcontractor, and if iDirect so requests, for any reason that is not unlawful, Consultant shall immediately remove that individual from the iDirect engagement and replace the individual with other qualified personnel approved in advance by iDirect. Further, iDirect shall have the right to reject any personnel of subcontractor whose qualifications, in iDirect’s reasonable judgment, do not meet the standards considered by iDirect as necessary for the performance of the Services.

(d)          Consultant shall be responsible for the payment of all its subcontractors.

2.2          Background Checks.  iDirect reserves the right to request any prospective Consultant (and its employees or subcontractors) that is required to be present at iDirect’s premises, to submit to criminal background checks at iDirect’s expense.  Failure to pass a background check may exclude the individual from activity, assignment to or access to all of iDirect’s locations or systems.  

2.3          Conduct at iDirect’s Facilities.  When using, or having access to, iDirect’s facilities, Consultant (and its Personnel) shall (a) observe and comply with iDirect’s security procedures, rules, regulations, policies, working hours and holiday schedules; (b) use their best efforts to minimize any disruption to iDirect’s business operations; and (c) keep such facilities in good order, not commit or permit waste or damage to such facilities, and not use such facilities for any unlawful purpose or act.

2.4          Consultant’s personnel.  Consultant shall provide qualified personnel, and such personnel shall perform the Services in a timely, professional and workmanlike manner in accordance with applicable industry standards.  For purposes of the Agreement, “personnel” means and includes Consultant’s directors, officers, employees, agents, auditors, consultants and subcontractors.  Consultant, and not iDirect, shall have the sole authority to hire, fire, direct, control, discipline, reward, evaluate, schedule, supervise, promote, suspend and/or terminate Consultant’s personnel.  In addition, Consultant shall be solely responsible for the acts of its personnel, whether of commission or omission, and for all other charges and liabilities arising out of the employer-employee relationship or other contractual relationship with Consultant’s personnel. 

2.5          Removal of personnel.  iDirect shall have the right to reject any personnel of Consultant whose qualifications, in iDirect’s reasonable judgment, do not meet the standards considered by iDirect as necessary for the performance of the Services.  In addition, if iDirect becomes dissatisfied with any of Consultant’s personnel providing the Services for any reason that is not unlawful, iDirect may notify Consultant of the details of such dissatisfaction, and if iDirect requests, Consultant shall immediately remove that individual from the iDirect engagement and replace the individual with other qualified personnel in accordance with the requirements of this Agreement.  Consultant agrees that if any of Consultant’s personnel fails to comply with any applicable laws, ordinances, regulations, codes, or with iDirect’s security or work place policies and procedures (whether or not specified herein), or fails (in iDirect’s sole determination) to perform assignments in a professional and competent manner, then Consultant shall bar such individual from performing any services for iDirect immediately upon receiving a request from iDirect. 

2.6          Replacement personnel.  Consultant shall use its best efforts to ensure the continuity of its personnel assigned to perform the Services.  If, for any reason (including pursuant to iDirect’s request), Consultant replaces personnel who have been providing the Services with other personnel, Consultant shall ensure that (i) the skills of the replacement either equal or exceed those of the replaced personnel, and (ii) fees for the Services provided by the replacement personnel shall be no higher than the rates charged for the Services provided by the personnel they replace.  Further, iDirect shall not be obligated to pay for any time replacement personnel spend working on an engagement until such time as they have reached the level of proficiency required to effectively perform their required roles as mutually agreed upon by the Parties.