Vendor Privacy and Security Policy

1. Purpose and Overview

The Vendor Privacy and Security Policy (this “Policy”) sets forth the confidentiality, security, and privacy requirements applicable to JBM, Inc Information Processed on behalf of JBM, Inc, and any of its subsidiaries (“JBM, INC”). All vendors are required to put this minimum set of controls in place in order to ensure that our systems are protected and comply with security and data protection requirements and standards worldwide.

2. Definitions

  1. “Agreement” means any written document, verbal agreement, or contract between Vendor and JBM, Inc under which Vendor performs services for JBM, Inc where JBM, Inc Information is provided to Vendor.

  2. “Applicable Laws” refers to any and all statutes, laws, treaties, rules, codes, ordinances, regulations, permits, interpretations, certificates, judgements, decrees, injunctions, writs, orders, subpoenas, or like action of a government authority applicable to: (i) the Agreement and/or this Policy; (ii) the performance of obligations or other activities by Vendor related to the Agreement; and (iii) a party, a party’s affiliates (if any), a party’s subcontractors (if any), or to any of their representatives. To the extent that Personal Information is being disclosed by JBM, Inc or collected or received by Vendor on behalf of JBM, Inc pursuant to the Agreement, applicable laws may include, but are not limited to, the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), the California Security Breach Notification Law, the California Online Privacy Protection Act, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the EU Directive 95/46/EC and the EU General Data Protection Regulation. To the extent that Protected Health Information is being disclosed by JBM, Inc pursuant to the Agreement, applicable laws also include: the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Privacy and Security Rule regulations of HIPAA and the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and all amendments to and further regulations of the HIPAA and HITECH Acts (collectively, “HIPAA”).

  3. “Attestation of Compliance” refers to the Payment Card Industry Data Security Standards (PCI DSS) Attestation of Compliance. If the Vendor will be receiving, storing and/or processing credit card information on behalf of JBM, Inc, Vendors must complete this declaration annually to confirm that they are in agreement with the Data Security Standards for handling credit card data electronically.

  4. “Business Associate” refers to a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information on behalf of, or provides services to, a covered entity as defined under HIPAA. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. Business associate functions and activities include: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.  Business associate services are: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial.

  5. “HIPAA Business Associate Agreement” refers to the contract between a HIPAA-covered entity and a HIPAA Business Associate required under the U.S. Health Insurance Portability and Accountability Act of 1996. This agreement protects Protected Health Information in accordance with HIPAA guidelines. According to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, any Business Associate that serves a healthcare provider or institution is now subject to audits by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) and can be held accountable for a data breach and penalized for noncompliance.

  6. “Business Continuity and Disaster Recovery” refers to the practices in which Vendor prepares for unforeseen risks to continue operations including: (i) specific steps taken to resume operations in the event of a natural disaster, national emergency, or threats to a company’s normal operations; and (ii) the processes and procedures an organization must put in place to ensure that critical functions can continue during and after one of these events.

  7. “Personal Information” means any information or data provided by JBM, Inc and its affiliates or collected or received by Vendor on behalf of JBM, Inc that identifies, or when used alone or in combination with other information, reasonably identifies an individual person, or any other data considered to be personal data as defined under Applicable Laws. Personal Information may include, but is not limited to: (i) a first or last name or initials; (ii) a home or other physical address, including street name and name of city or town; (iii) an email address or other online contact information, such as an instant messaging user identifier or a screen name that reveals an individual’s email address; (iv) a telephone number; (v) a social security number, tax ID number or other government-issued identifier; (vi) an Internet Protocol (“IP”) address or host name that identifies an individual; (vii) a persistent identifier, such as a customer number held in a “cookie” or processor serial number, that is combined with other available data that identifies an individual; (viii) birth dates or treatment dates; or (ix) coded data that is derived from Personal Information. Additionally, to the extent any other information (such as, but not necessarily limited to, case report form information, clinical trial identification codes, personal profile information, IP addresses, other unique identifiers, or biometric information) is associated, combined with or otherwise reasonably linkable to Personal Information, then such information also will be considered Personal Information.

  8. “Protected Health Information” means any information, whether oral or recorded in any form or medium, that: (i) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (ii) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. This information becomes protected when it is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. The foregoing definition aligns with the HIPAA standard of Protected Health Information, and is subject to change in the event applicable laws are put into place to modify the foregoing definition.

  9. “Processing of Personal Information (Processing)” refers to any operations which are performed upon JBM, Inc Information, including, but not limited to, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking or dispersed erasure, or destruction.

  10. “Sensitive Personal Information” means any Personal Information that requires additional privacy and security protections, which includes:
    1. All government issued identification numbers;
    2. All financial account numbers;
    3. Individual medical records and biometric information;
    4. Reports of individual background checks and all other data obtained from a U.S. consumer reporting agency and subject to the Fair Credit Reporting Act;
    5. Data elements revealing race, ethnicity, national origin, religion, philosophical beliefs, trade union membership, political orientation, sex life or sexual orientation, criminal records, histories of prosecutions or convictions, or allegations of crimes;
    6. Any information deemed to be sensitive data under Applicable Laws; and
    7. Any other information designated by JBM, Inc as Sensitive Personal Information.

  11. “JBM, Inc Information” refers to any Personal Information, Protected Health Information, Sensitive Personal Information or other confidential information provided by JBM, Inc and/or its affiliates and subsidiaries, either directly or indirectly in any form, and any data, materials, processes, or information a Vendor develops for us or receives as a result of this relationship that does not fall under Personal Information, Protected Health Information or Sensitive Personal Information.

3. Scope

  1. All JBM, Inc Information is subject to this Policy. All Vendor obligations under an Agreement are in addition to the requirements of this Policy.
  2. In the event of any conflict between this Policy and any Agreement, the conflict will be interpreted and construed in a manner which provides the broadest security and protection of JBM, Inc Information.
  3. Vendor will only use JBM, Inc Information for the purposes for which it was provided under the current Agreement and for no other purpose.

4. General Obligations

  1. Vendor will implement the appropriate administrative, technical, and physical safeguards to ensure the security, privacy, confidentiality, integrity, and availability of JBM, Inc Information. Vendor will not Process or otherwise use any JBM, Inc Information in any manner other than what is instructed by JBM, Inc in the current Agreement between the parties.
  2. In the event Vendor believes that it can no longer comply with this Policy, Vendor shall immediately notify JBM, Inc and not proceed with any act that would violate this Policy until such noncompliance is resolved to JBM, Inc’s satisfaction.
  3. Vendor will immediately inform JBM, Inc in writing of any: (i) request for access to any JBM, Inc Information received by Vendor from an individual who is (or claims to be) the subject of the data; (ii) request for access to any JBM, Inc Information received by Vendor from any government official (including any data protection agency or law enforcement agency); (iii) inquiry, claim, or complaint regarding the Processing of JBM, Inc Information received by Vendor; and (iv) other requests with respect to JBM, Inc Information received from JBM, Inc employees or other third parties, other than those set forth in an Agreement between the parties. Vendor understands that it is not authorized to respond to these requests unless explicitly authorized by the Agreement or JBM, Inc in writing, except for the request received from a governmental agency with a subpoena or similar legal document compelling disclosure by Vendor. In the case of a request received from a governmental agency, Vendor will immediately notify JBM, Inc and reasonably cooperate with JBM, Inc to eliminate or narrow any such disclosure.

5. Termination of Access

  1. Vendor’s access to any JBM, Inc Information and JBM, Inc systems is subject to Vendor’s continuing compliance with this Policy. JBM, Inc may immediately and automatically revoke Vendor’s access to part or all of the JBM, Inc Information and/or JBM, Inc systems without liability for any reason or no reason.

6. Informational Retention and Disposal

  1. Vendor must limit its collection of any JBM, Inc Information to what is necessary to perform such services as requested by JBM, Inc or to fulfill any legal requirements. All hard copy data which is no longer required must be shredded by use of a cross-cut shredder.
  2. At the end of the specified retention period, or upon the written request of JBM, Inc at any time, Vendor will return or destroy, and certify in writing that it has destroyed and returned, all JBM, Inc Information (along with all copies and all media), as directed, within forty-eight (48) hours. Nothing in this Policy will prevent Vendor from maintaining information, still subject to confidentiality obligations, as required by law or any regulatory authority to which Vendor is subject.

7. Minimum Information Security Controls

Vendor must implement and maintain the minimum information security controls as set forth below.

  1. Audit of Security Controls

    1. Vendor shall maintain all necessary documentation to show compliance with the Policy.
    2. Additionally, upon request, Vendors shall allow JBM, Inc or an independent third party to audit Vendor’s compliance with this Policy. JBM, Inc reserves the right to audit (or to engage a third party to audit) all network device configurations and administration processes at any time, including, but not limited to, inbound and outbound packets, firewalls, network peripherals and attached computer systems.
    3. If set forth in the Agreement, Vendor may be required to obtain a formal audit of the security controls conducted by an unaffiliated third party. If this is necessary, Vendor must provide JBM, Inc with written audit results. Results must be an ISO/IEC 27000/2 or other appropriate ISO/IEC certification. Vendor’s information security management program must comply with internationally recognized, generally applicable ISO/IEC standards.
    4. If any such audit reveals material gaps or weaknesses in Vendor’s security program, JBM, Inc shall be entitled to suspend transmission of JBM, Inc Information to Vendor and JBM, Inc may, at its election, terminate the Agreement without penalty. Vendor’s Processing of any of this information is to cease until such issues are resolved to JBM, Inc’s satisfaction.

  2. Security Management

Vendors must have a comprehensive written information security program, based on best practice standards for their industry. The program must contain:

    1. Written information privacy and security policies that are revised on a regular basis and regularly communicated to appropriate personnel and third-party providers; and
    2. Security training and awareness activities performed regularly and designed to enable employees and contractors to identify information privacy risks.

  3. Risk Management

Vendors must perform periodic risk assessments to evaluate risk profile regarding the collection, storage, and use of JBM, Inc Information.

    1. Risk Mitigation. Vendors must continually identify and mitigate internal and external risks that could result in the compromise of confidential information, including JBM, Inc Information.
    2. Risk Assessment. Vendors must conduct regular information privacy and security risk assessments in each area of proper operation.
    3. Media Sanitization. Vendors must ensure that media sanitization conforms to NIST SP 800-88, Media Sanitization, or any successor standard.

  4. Personnel Security/Human Resources Security

Vendor shall implement controls to enable employees, contractors, and service providers to adhere to policies and standards according to roles and access and to reduce the risk of theft, fraud, loss, and misuse of facilities or information.

    1. Vendor must ensure that employees, contractors, and third-party users understand their responsibilities and are suitable for the roles for which they are considered, including through any appropriate personnel screening.
    2. Vendor shall appoint, properly train and identify to JBM, Inc in writing an individual within Vendor’s organization who is authorized to respond to inquiries from any data protection authority, Vendor, or a data subject concerning Vendor’s collection, access, use, storage, and/or transfer of Personal Information. Vendor will deal promptly with all inquiries relating to Personal Information and provide all required information to JBM, Inc.
    3. Security roles and responsibilities of employees, contractors and third-party users must be defined and documented to incorporate JBM, Inc data protection control requirements including background checks to the extent permitted by applicable law.
    4. All employees, contractors, and third-party users must be notified of the consequences for not following this Policy in connection with the handling of JBM, Inc Information.
    5. All assets used to manage or store JBM, Inc Information must be protected against unauthorized access, disclosure, modification, destruction or interference.
    6. All employees, contractors and third-party users must be provided with education and training in privacy and security procedures and the correct information Processing requirements.
    7. If Vendor has knowledge that an agent is using or disclosing JBM, Inc Information in a manner contrary to this Policy, Vendor will take reasonable steps to prevent or stop the use or disclosure.

  5. Operations Management

    1. Vendor must provide appropriate security and protection from unauthorized access, damages and interference of assets based on classification, information sensitivity, and other factors.
    2. All software used by Vendor in providing services to JBM, Inc must be properly licensed before entering into an Agreement with JBM, Inc.
    3. Vendor is responsible for data protection, privacy compliance, and security control validation/certification of its sub-contractors.
    4. Vendor will protect against the risk of malicious code by using anti-virus products on clients and servers; using an appropriate blocking strategy on the network perimeter; filtering input to applications; and creating, implementing, and training staff in appropriate computing policies and practices.

  6. Security Breach

    1. Security Breach. Vendor must comply with the specified incident response process for JBM, Inc Information and JBM, Inc systems. Vendor shall follow documented responsibilities and procedures to respond to information security incidents quickly, effectively, and in an orderly way. “Security Breach” means any act or omission that compromises either the security, confidentiality or integrity of the JBM, Inc Information or the physical, technical, administrative or organizational safeguards put in place that relate to the security, confidentiality, or integrity of the JBM, Inc Information.

    2. Cost Allocation. Vendor shall bear all costs associated with resolving a Security Breach, including those costs associated with conducting an investigation, notifying consumers and others as required by law or the Payment Card Industry Data Security Standard, providing consumers with one year of credit monitoring, and responding to consumer, regulator and media inquiries.

    3. Reporting. Vendor shall report any Security Breach through appropriate management channels as quickly as possible. Any Security Breach involving or impacting JBM, Inc or a JBM, Inc affiliate or subsidiary must be reported to JBM, Inc. Notification must be within twenty-four (24) hours from detection if JBM, Inc Information, the JBM, Inc brand, logo or trademarks are involved or compromised.

    4. Cooperation with JBM, Inc. Vendor shall cooperate with JBM, Inc in investigations of any incidents involving JBM, Inc Information or JBM, Inc systems. Vendor shall cooperate with JBM, Inc and JBM, Inc employees, affiliates and representatives in responding to inquiries, claims, and complaints regarding the Processing of JBM, Inc Information, including, but not limited to: (a) assisting with any investigation as requested by JBM, Inc; (b) providing JBM, Inc with physical access to facilities and operations affected; (c) facilitating interviews with Vendor’s representatives and others involved in the matter; and (d) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably requested by JBM, Inc.

    5. Providing Notice to Third Parties. Vendor shall not inform any third party of any Security Breach which affects JBM, Inc, without first obtaining the prior written consent of JBM, Inc, other than to inform a complainant that the matter has been forwarded to JBM, Inc’s legal counsel. JBM, Inc shall have the sole right and authority to determine: (i) whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in JBM, Inc’s discretion; (ii) the contents of such notice; (iii) whether any remediation may be offered to affected persons; and (iv) the nature and extent of any such remediation.

  7. Encryption and Data Management Controls

    1. Cryptographic controls must be used to protect the confidentiality, integrity, and availability of JBM, Inc Information in transit and while in Vendor’s possession. Controls for the management and use of cryptographic keys must be developed, implemented, and reviewed by Vendor on a periodic basis.

    2. Vendor must encrypt: (i) laptops and all other portable devices storing JBM, Inc Information which is Personal Information; as well as (ii) files containing JBM, Inc Information on all laptops or other portable devices; (iii) all messages containing JBM, Inc Information (or files containing Personal Information) during transit over public networks; and (iv) all files containing Personal Information included in a message sent over public networks.

    3. If the Processing involves the transmission of JBM, Inc Information over a network, Vendor shall have implemented appropriate supplementary measures to protect the JBM, Inc Information against the specific risks presented by the Processing. JBM, Inc Information may only be transmitted in an encrypted format.

    4. JBM, Inc Information may not be stored on any portable computer devices or media (including laptop computers, removable hard disks or flash drives, personal digital assistants (PDAs) or computer tapes) unless the JBM, Inc Information is encrypted, or the hard drive that contains the JBM, Inc Information on the portable computer device or media is fully encrypted.

    5. Vendor should also be aware of any regulations, standards, or industry or sector specific guidelines that set forth minimum guidelines for encrypting personal data.

  8. Access Controls

Access to resources including JBM, Inc Information must be regulated through the use of information security access controls and authorization mechanisms commensurate with risk.

    1. General. Vendor will secure its computer networks using multiple layers of access controls to protect against unauthorized access. In particular, Vendor will: (i) group network servers, applications, data and users into security domains; (ii) establish appropriate access requirements within and between each security domain; and (iii) implement appropriate technological controls to meet those access requirements consistently; including (for example) firewalls.

    2. Remote Access. Vendor will secure remote access, with multi-factor authentication, to and from its systems by disabling remote communications at the operating system level if no business need exists and/or tightly controlling access through management approvals, robust controls, logging and monitoring access events and subsequent audits.

    3. Password Policy. Vendor must limit access to the minimum necessary to perform the required function. Vendor must maintain and enforce a password policy which addresses password length, composition, complexity, lockout, history and expiration.

    4. Termination of Access. Vendor must revoke access for any vendor employee, contractor, or third-party user to JBM, Inc Information, and facilities which process JBM, Inc Information, or provide access to JBM, Inc systems upon termination of their employment, contract or agreement, or adjust access upon a change of responsibility.
    5. Security Zones. Vendor will define physical security zones and implement appropriate preventative and detective controls in each zone to protect against the risks of physical penetration by malicious or unauthorized people, damage from environmental contaminants, and electronic penetration through active or passive electronic emissions.

  9. Firewalls

    1. Vendor must appropriately leverage firewall infrastructure to segregate sensitive environments and restrict the use of insecure protocols. Network segments connected to the internet must be protected by a firewall which is configured to secure all devices behind it.

  10. Business Continuity and Disaster Recovery

    Vendor must have appropriate Business Continuity and Disaster Recovery capabilities to prevent or mitigate business interruption and associated impact. Vendor must test the Business Continuity and Disaster Recovery capability regularly.
    1. Vendor must counteract interruptions to business activities and protect critical business processes from the effects of major failures of information systems or disasters and ensure their timely resumption.
    2. Vendor shall have an established disaster recovery/business continuity plan that addresses ongoing access to the JBM, Inc Information as well as security needs for backup sites and alternative communication networks.

  11. Compliance
    Information security and data protection controls and processes must comply with Applicable Law and contractual obligations, to avoid a breach and compromise of JBM, Inc Information. Vendor must comply with all changes in applicable laws of which Vendor is notified. If Vendor is unable to do so, it must notify JBM, Inc immediately and JBM, Inc may terminate the Agreement, unless the parties mutually agree in writing upon steps to be taken to enable Vendor to so comply.

    1. JBM, Inc Privacy Policy. Vendor shall only use JBM, Inc Information in accordance with the JBM, Inc Privacy Policy, as amended and updated from time to time.

    2. PCI Data Security Standards. If Vendor has access to or will create, receive, store, process, or transmit JBM, Inc cardholder information (e.g. credit, debit, stored value, or prepaid card information), Vendor, at its own expense, warrants:

      1. Vendor is, and will remain, responsible for securing cardholder information in its care, custody, possession, or control;
      2. Vendor will comply with the applicable current Payment Card Industry Data Security Standards (“PCI Standards”); and

      3. Vendor will provide JBM, Inc with an annual third-party Attestation of Compliance. If a third-party provider will have access to or will create, receive, store, process, or transmit JBM, Inc cardholder information to perform under the Agreement, Vendor warrants that it will require this of the third-party provider and will provide JBM, Inc with the third-party provider’s annual Attestation of Compliance issued by another party unaffiliated with the third-party provider.

    3. HIPAA Protected Health Information.

If Vendor has access to or will create, receive, store, process, or transmit Protected Health Information, Vendor, at its expense, warrants:

      1. Vendor is, and will remain, responsible for securing Personal Health Information in its care, custody, possession or control;
      2. Vendor will comply with HIPAA, including all applicable privacy and security standards; and
      3. Vendor will sign the JBM, Inc HIPAA Business Associate Agreement.
    4. International Law

To the extent that the scope of the Agreement between JBM, Inc and Vendor extends beyond the United States, the following applies:

      1. Vendor shall not transfer JBM, Inc Information across any national borders or permit remote access to the JBM, Inc Information by any employee, contractor, or another third party unless Vendor has the prior written consent of JBM, Inc for such transfer or access.
      2. If Vendor has access to or will create, receive, store, process, or transmit JBM, Inc Information of customers in non-US countries, Vendor represents and warrants that all Processing, storage, retention, and destruction of personal data by Vendor and third-party providers will be in compliance with all then-current applicable international, federal, provincial, state, and local laws, rules, regulations, and ordinances, including without limitation, data breach notification laws. For the purpose of clarification and without limiting the preceding, if Vendor collects, receives, processes, stores, retains, or destroys JBM, Inc Information of any citizen of Canada, Mexico or the European Union in connection with performing services for JBM, Inc, then the following provisions apply:

        1. All Processing, storage, retention and disposal of JBM, Inc Information of citizens of Canada will comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any provincial laws which may apply based on location;
        2. All Processing, storage, retention and disposal of JBM, Inc Information of citizens of the European Union will comply with the EU Directive 95/46/EC and the General Data Protection Regulation, including all implementing legislation and successor statutes, laws, rules, regulations, and directives.

8. Insurance

    1. Vendor shall, at its own cost, take out and maintain cybersecurity insurance on terms reasonably satisfactory to JBM, Inc, with a reputable insurer. Such insurance shall cover any and all losses, claims, demands, proceedings, damages or costs arising from or in connection with breach of this Policy.

Vendor shall ensure that the beneficial interest of JBM, Inc is noted on the face of the insurance policy and shall make full details of the insurance and proof of payment of the insurance premium available to JBM, Inc on request.

9. European Data Transfers

    1. If Vendor is a U.S. entity, Vendor must certify to the United States Department of Commerce and the European Commission that it adheres to the EU-US Privacy Shield Framework. The EU-US Privacy Shield provides a set of guidelines that establish an adequacy standard which governs data-sharing between the European Union and the United States. If Vendor is a non-U.S. entity, Vendor agrees to provide the same level of protection to any Personal Information Processed under this Agreement as required by the Privacy Shield Principles.

    2. For purposes of this Agreement, JBM, Inc is a data controller and Vendor is a data processor. Vendor will act strictly in accordance with the direction of JBM, Inc and will not determine on its own, the purpose(s) for which Personal Information will be accessed and/or processed.

    3. Vendor must certify that: (i) it has certain protections and procedures in place which meet EU data protection and privacy standards; and (ii) it adheres to the Privacy Shield Principles of notice, choice, security, data integrity and purpose limitation, access, accountability for the onward transfer of personal data, recourse, enforcement, and liability.

    4. Privacy Principles
      1. Notice. When Vendor collects JBM, Inc Information directly from individual members in the EU, it must inform them of the purposes for which it collects and uses their personal information, the types of third-party agents to which Vendor discloses that information, and the choices and means, if any, that Vendor offers EU members for limiting the use and disclosure of their personal information. The notice must be provided in clear and conspicuous language when members are first asked to provide Personal Information to Vendor.
      2. Use of Data. If Vendor receives Personal Information from JBM, Inc, its subsidiaries, affiliates, or other entities in the EU, it must use such information in accordance with the notices such entities provided and the choices made by members to whom such personal information relates, and in accordance with any contractual obligations between the parties.
      3. Choice. Vendor must offer EU members the opportunity to opt out as to whether their Personal Information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the EU member. Vendor must provide EU members with reasonable methods to exercise their choices.
      4. Accountability for Onward Transfer. Vendors may provide JBM, Inc Information to agents to perform tasks on behalf of and under Vendor’s instructions. Vendor obtains assurances from its agents that they will safeguard JBM, Inc Information consistently with this Policy. Such agents must agree to use such JBM, Inc Information only for the purposes for which they have been engaged by Vendor and they must either: (i) comply with the Privacy Shield Principles or other mechanisms permitted by the applicable European data protection laws for transfers and processing of JBM, Inc Information; or (ii) agree to provide adequate protections for the JBM, Inc Information that are no less protective than those set out in this Policy.

10. Amendments

    1. These provisions are subject to change by amendment. Vendor will be notified of such changes to this Policy and is responsible for complying with the most up to date version of this Policy.