Any Client that receives QS Data must comply with this PDS Annex for so long as it is in possession of or has access to such QS Data. If there is a conflict between this PDS Annex and an Agreement, this PDS Annex will prevail unless the Agreement includes a specific cross-reference to the section of the PDS Annex intended to be modified.
a) “Agreement” means an agreement between Client and QS pursuant to which QS provides QS Data to Client.
b) “Approved” and/or “Approval” means the written consent by a vice-president or senior vice president of QS (consent can be submitted via email).
c) “Authorized Employees” means Client’s employees who have a need-to-know or otherwise access QS Data.
d) “Authorized Persons” means (i) Authorized Employees; (ii) Subcontractors; and (iii) Reseller Clients.
e) “Client” means a person or entity that has entered into an Agreement with QS to purchase clicks, calls, leads, impressions, requests for quotes, policies or other end user actions.
f) “Lead Data” means Personal Information delivered by QS to Client for the express purpose of enabling Client to contact and market its products and services to the associated end user.
g) “Personal Information” means information that: (i) identifies or can be used to identify an individual (including names, addresses, telephone numbers, e-mail addresses and other unique identifiers); or (ii) can be used to authenticate an individual (including government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, health data and other personal identifiers), in case of both subclauses (i) and (ii), including all Sensitive Personal Information.
h) “Ping Data” means Personal Information delivered by QS to Client to notify Client of the availability of a lead for sale and enable Client to respond to QS with a Ping Reply. Ping Data may become Lead Data when it is posted to Client as a Lead Data.
i) “Ping Reply” means (a) a rate for QS to communicate to an end user, (b) a price that Client offers to pay for Lead Data, or (c) an indication that Client accepts for QS to post the Personal Information to Client as Lead Data.
j) “QS” means QuinStreet, Inc. and its corporate affiliates and subsidiaries.
k) “QS Data” means Lead Data, Ping Data or Superclick Data.
l) “Rejected Data” means Lead Data delivered pursuant to a cost-per-lead Agreement that Client returns, rejects or is not otherwise obligated under an Agreement to compensate QS.
m) “Reseller Client” means a third party (other than a Subcontractor) who (i) meets the requirements set forth in Section 3(b) of this PDS Annex and (ii) to whom Client resells or otherwise transfers Lead Data.
n) “Security Incident” means any security incident if there is a reason to believe QS Data has been or may have been accessed by or disclosed to an unauthorized party.
o) “Sensitive Personal Information” means an (i) end user’s government-issued identification number (including social security and driver’s license number); (ii) financial account, credit card or debit card number, (iii) credit report information; or (iv) health or medical data.
p) “Subcontractor” means a Client service provider who (i) meets the requirements set forth in Section 3(a) of this PDS Annex and (ii) to whom Client transfers QS Data for the purpose of providing services for the benefit of Client.
q) “Superclick Data” means Personal Information delivered by QS to Client for the purpose of prepopulating forms on a Client’s website.
2) USE OF QS DATA
a) Client will comply with this PDS Annex in its collection, storage, disposal, use and disclosure of QS Data.
b) Lead Data
i.Client will only use Lead Data to contact an end user with respect to the particular products or services in which the end user expressed interest.
ii.Client will not disclose or transfer Lead Data to any person other than an Authorized Person without Approval.
iii.Client is prohibited from marketing to or disclosing Rejected Data. Unless otherwise Approved, Client will delete Rejected Data from its systems within ninety (90) days of receipt from QS or such longer time as may prescribed by applicable law.
c) Ping Data
i.Client will not use Ping Data in any way other than to return a Ping Reply. Unless otherwise Approved, Client will delete Ping Data from its systems within thirty (30) days of receipt from QS unless another time period is proscribed by applicable law.
ii.Client will not disclose Ping Data (which does not become Lead Data) to any person other than to Authorized Employees and Subcontractors.
d) Superclick Data
i.Client will not use Superclick Data in any way unless the end user associated with such data is redirected to Client’s website and expressly submits the Superclick Data to Client. Client will delete any Superclick Data not submitted by the end user to Client within thirty (30) days following receipt from QS unless another time period is proscribed by applicable law.
ii.Client will not disclose Superclick Data to any person other than to Authorized Employees and Subcontractors.
e) Notwithstanding any other provision of this PDS Annex, Client shall have to right to disclose QS Data to the extent expressly required by government authorities or by applicable law, in which case Client shall use its best efforts to notify QS before such disclosure or as soon thereafter as reasonably possible.
3) SUBCONTRACTORS; RESELLERS
a) Subcontractors. Client shall not transfer QS Data to a Subcontractor unless: (i) Subcontractor is Approved, and (ii) Client has entered into a written agreement with each Subcontractor pursuant to which Subcontractor agrees to (1) establish and maintain an information security program at least as stringent as those set forth in Section 4 of this Annex, (2) not to disclose or transfer the QS Data to any third parties unless Approved, and (3) not use any QS Data other than for the benefit of Client. Each provisions of this Section 3(a) shall apply mutatis mutandis to each Approved Subcontractor.
b) Resellers. Client may transfer Lead Data to a Reseller Client provided: (i) the resale of Lead Data by Client to Reseller Clients is Approved, (ii) the Lead Data is transferred to no more than 5 Reseller Clients (or such lesser number Approved by QS); and (iii) unless otherwise Approved by QS, Client has entered into a written agreement with each Reseller Client pursuant to which Reseller Client agrees (1) not to further transfer or disclose the Lead Data to any person other than as required by law, (2) to only use the Lead Data to contact the end user with respect to the particular products or services in which the end user expressed interest, and (3) to establish and maintain an information security program at least as stringent as that set forth in Section 4 of this Annex.
4) INFORMATION SECURITY
a) Client represents and warrants that its collection, access, use, storage, disposal and disclosure of QS Data does and will comply with all applicable privacy and data protection laws, regulations and directives.
b) Client shall establish and maintain administrative, physical and technical safeguards to protect QS Data, as well as a comprehensive written information security program describing the same that is based on a recognized industry security standard against which the program can be audited (such as ISO or NIST). At a minimum, Client’s safeguards for the protection of QS Data shall include: (i) limiting access to QS Data to Authorized Persons; (ii) implementing authentication and access controls within media, applications, operating systems and equipment; (iii) implementing appropriate physical controls to prevent unauthorized physical access to information assets, IT infrastructure and equipment; (iv) encrypting Sensitive Personal Information stored by Client; (v) encrypting Sensitive Personal Information transmitted over public or wireless networks; (vi) taking reasonable measures to ensure that QS Data is not stored on any portable removable media; (vii) performing a network-level vulnerability assessment in accordance with industry best practice; (viii) removing QS Data from any media taken out of service and destroying or securely erasing such media; (ix) providing appropriate privacy and information security training to Client’s employees; and (x) maintaining a documented incident response plan.
c) If QS Data includes Sensitive Personal Information, upon QS request, Client shall promptly and accurately complete a written information security questionnaire provided by QS or regarding Client’s business practices and information technology environment in relation to the Sensitive Personal Information being provided by QS to Client pursuant to an Agreement. QS shall treat the information provided by Client in the questionnaire as Client’s Confidential Information.
d) Transfers of QS Data between Client and QS, within Client’s computing environment, and between Client and any Authorized Person, will take place using appropriate encrypted protocols (e.g., SSL). All transfers of Sensitive Personal Information must take place via secured transmissions (HTTPS) or POST method.
5. SECURITY INCIDENT PROCEDURES. Client will notify QS of a Security Incident as soon as practicable, but no later than thirty-six (36) hours after Client becomes aware of it, by e-mailing QS with a read receipt at SecurityIncident@quinstreet.com, with a copy by e-mail to Client’s primary QS business contact.
6. INDEMNIFICATION WITH RESPECT TO PDS ANNEX. Client shall defend, indemnify and hold QS harmless from and against any claim, demand, action, judgment, decree, loss, damage, liability, cost and expense (including reasonable legal fees and expenses incurred responding to or mitigating a Security Incident) (“Losses”) incurred by QS in connection with (a) the use, disclosure or access to any QS Data or (b) any act or omission of a Subcontractor or Reseller Client. The limitation of liability provisions of the Agreement shall apply to this PDS Annex.
7. INSURANCE. At all times that Client accesses, processes or stores QS Data that includes Sensitive Personal Information, Client will maintain: (a) commercial general liability insurance in an amount not less than $1,000,000 per occurrence and $2,000,000 in the aggregate, (b) professional liability insurance coverage with limits of not less than $1,000,000 per occurrence and $2,000,000 in the aggregate, and (c) privacy/network security (cyber) liability coverage providing coverage for (i) privacy breaches (including liability arising from the loss or disclosure of Personal Information), (ii) system breach, (iii) introduction, implantation, or spread of malicious software code, and (iv) unauthorized access to or use of computer systems, with limits in the amount of two million dollars ($2,000,000) per occurrence, and no exclusions for unencrypted data, devices, or media.
QuinStreet Client Privacy and Data Security Annex – Version 09-12-2016