Vendor Privacy and Security Policy
1. Purpose and Overview
The Vendor Privacy and Security Policy (this “Policy”) sets forth the confidentiality, security, and privacy requirements applicable to JBM, Inc Information Processed on behalf of JBM, Inc, and any of its subsidiaries (“JBM, INC”). All vendors are required to put this minimum set of controls in place in order to ensure that our systems are protected and comply with security and data protection requirements and standards worldwide.
- “Agreement” means any written document, verbal
agreement, or contract between Vendor and JBM, Inc under which Vendor
performs services for JBM, Inc where JBM, Inc Information is provided to
- “Applicable Laws” refers to any and all statutes,
laws, treaties, rules, codes, ordinances, regulations, permits,
interpretations, certificates, judgements, decrees, injunctions, writs,
orders, subpoenas, or like action of a government authority applicable to:
(i) the Agreement and/or this Policy; (ii) the performance of obligations
or other activities by Vendor related to the Agreement; and (iii) a party,
a party’s affiliates (if any), a party’s subcontractors (if any), or to
any of their representatives. To the extent that Personal Information is
being disclosed by JBM, Inc or collected or received by Vendor on behalf
of JBM, Inc pursuant to the Agreement, applicable laws may include, but
are not limited to, the Fair Credit Reporting Act (FCRA), the Children’s
Online Privacy Protection Act (COPPA), the California Security Breach
Notification Law, the California Online Privacy Protection Act, Canada’s
law on Personal Information Protection and Electronic Documents Act
(PIPEDA), the EU Directive 95/46/EC and the EU General Data Protection
Regulation. To the extent that Protected Health Information is being
disclosed by JBM, Inc pursuant to the Agreement, applicable laws also
include: the Health Insurance Portability and Accountability Act of 1996,
the Health Information Technology for Economic and Clinical Health
(HITECH) Act, and the Privacy and Security Rule regulations of HIPAA and
the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
Notification Rules under the HITECH Act and all amendments to and further
regulations of the HIPAA and HITECH Acts (collectively, “HIPAA”).
- “Attestation of Compliance” refers to the Payment Card
Industry Data Security Standards (PCI DSS) Attestation of Compliance. If
the Vendor will be receiving, storing and/or processing credit card information
on behalf of JBM, Inc, Vendors must complete this declaration annually to
confirm that they are in agreement with the Data Security Standards for
handling credit card data electronically.
- “Business Associate” refers to a person or entity that performs
certain functions or activities that involve the use or disclosure of
Protected Health Information on behalf of, or provides services to, a
covered entity as defined under HIPAA. A member of the covered
entity’s workforce is not a business associate. A covered health care
provider, health plan, or health care clearinghouse can be a business
associate of another covered entity. Business associate functions and
activities include: claims processing or administration, data analysis,
processing or administration, utilization review, quality assurance,
billing, benefit management, practice management, and repricing.
Business associate services are: legal, actuarial, accounting,
consulting, data aggregation, management, administrative, accreditation,
- “HIPAA Business Associate Agreement”
refers to the contract between a HIPAA-covered entity and a HIPAA Business
Associate required under the U.S. Health Insurance Portability and
Accountability Act of 1996. This agreement protects Protected Health
Information related to health by HIPAA guidelines. According to the Health
Information Technology for Economic and Clinical Health (HITECH) Act of
2009, any Business Associate that serves a healthcare provider or
institution is now subject to audits by the Office for Civil Rights (OCR)
within the U.S. Department of Health and Human Services (HHS) and can be
held accountable for a data breach and penalized for noncompliance.
- “Business Continuity and Disaster Recovery”
refers to the practices in which Vendor prepares for unforeseen risks to
continue operations including: (i) specific steps taken to resume
operations in the event of a natural disaster, national emergency, or
threats to a company’s normal operations; and (ii) the processes and
procedures an organization must put in place to ensure that critical
functions can continue during and after one of these events.
- “Personal Information” means any information or data
provided by JBM, Inc and its affiliates or collected or received by Vendor
on behalf of JBM, Inc that identifies, or when used alone or in
combination with other information, reasonably identifies an individual
person, or any other data considered to be personal data as defined under
Applicable Laws. Personal Information may include, but is not limited to:
(i) a first or last name or initials; (ii) a home or other physical
address, including street name and name of city or town; (iii) an email
address or other online contact information, such as an instant messaging
user identifier or a screen name that reveals an individual’s email
address; (iv) a telephone number; (v) a social security number, tax ID
number or other government-issued identifier; (vi) an Internet Protocol
(“IP”) address or host name that identifies an individual; (vii) a
persistent identifier, such as a customer number held in a “cookie” or
processor serial number, that is combined with other available data that
identifies an individual; (viii) birth dates or treatment dates; or (ix)
coded data that is derived from Personal Information. Additionally, to the
extent any other information (such as, but not necessarily limited to,
case report form information, clinical trial identification codes,
personal profile information, IP addresses, other unique identifiers, or
biometric information) is associated, combined with or otherwise
reasonably linkable to Personal Information, then such information also
will be considered Personal Information.
- “Protected Health Information” means any information, whether
oral or recorded in any form or medium, that: (i) is created or received
by a health care provider, health plan, public health authority, employer,
life insurer, school or university, or health care clearinghouse; and (ii)
relates to the past, present, or future physical or mental health or
condition of any individual, the provision of health care to an
individual, or the past, present, or future payment for the provision of
health care to an individual. This information becomes protected when it
is: (i) transmitted by electronic media; (ii) maintained in electronic
media; or (iii) transmitted or maintained in any other form or medium. The
foregoing definition aligns with the HIPAA standard of Protected Health
Information, and is subject to change in the event applicable laws are put
into place to modify the foregoing definition.
- “Processing of Personal Information”
refers to any operations which are performed upon JBM, Inc Information,
including, but not limited to, collection, recording, organization,
storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, blocking or dispersed erasure, or destruction.
- “Sensitive Personal Information” means any Personal Information that requires additional privacy and security protections, which includes:
- All government issued identification numbers;
- All financial account numbers;
- Individual medical records and biometric information;
- Reports of individual background checks and all other data obtained from a U.S. consumer reporting agency and subject to the Fair Credit Reporting Act;
- Data elements revealing race, ethnicity, national origin, religion, philosophical beliefs, trade union membership, political orientation, sex life or sexual orientation, criminal records, histories of prosecutions or convictions, or allegations of crimes;
- Any information deemed to be sensitive data under Applicable Laws; and
- Any other information designated by JBM, Inc as Sensitive Personal Information.
- “JBM, Inc Information” refers to any Personal Information, Protected Health Information, Sensitive Personal Information or other confidential information provided by JBM, Inc and/or its affiliates and subsidiaries, either directly or indirectly in any form, and any data, materials, processes, or information a Vendor develops for us or receives as a result of this relationship that does not fall under Personal Information, Protected Health Information or Sensitive Personal Information.
- All JBM, Inc Information is subject to this Policy. All Vendor obligations under an Agreement are in addition to the requirements of this Policy.
- In the event of any conflict between this Policy and any Agreement, the conflict will be interpreted and construed in a manner which provides the broadest security and protection of JBM, Inc Information.
- Vendor will only use JBM, Inc Information for the
purposes for which it was provided under the current Agreement and for no
4. General Obligations
- Vendor will implement the appropriate administrative, technical, and physical safeguards to ensure the security, privacy, confidentiality, integrity, and availability of JBM, Inc Information. Vendor will not Process or otherwise use any JBM, Inc Information in any manner other than what is instructed by JBM, Inc in the current Agreement between the parties.
- In the event Vendor believes that it can no longer comply with this Policy, Vendor shall immediately notify JBM, Inc and not proceed with any act that would violate this Policy until such noncompliance is resolved to JBM, Inc’s satisfaction.
- Vendor will immediately inform JBM, Inc in writing of any: (i) request for access to any JBM, Inc Information received by Vendor from an individual who is (or claims to be) the subject of the data; (ii) request for access to any JBM, Inc Information received by Vendor from any government official (including any data protection agency or law enforcement agency); (iii) inquiry, claim, or complaint regarding the Processing of JBM, Inc Information received by Vendor; and (iv) other requests with respect to JBM, Inc Information received from JBM, Inc employees or other third parties, other than those set forth in an Agreement between the parties. Vendor understands that it is not authorized to respond to these requests unless explicitly authorized by the Agreement or JBM, Inc in writing, except for the request received from a governmental agency with a subpoena or similar legal document compelling disclosure by Vendor. In the case of a request received from a governmental agency, Vendor will immediately notify JBM, Inc and reasonably cooperate with JBM, Inc to eliminate or narrow any such disclosure.
5. Termination of Access
- Vendor’s access to any JBM, Inc Information and JBM, Inc systems is subject to Vendor’s continuing compliance with this Policy. JBM, Inc may immediately and automatically revoke Vendor’s access to a part or all JBM, Inc Information and/or JBM, Inc systems without liability for any reason or no reason.
6. Informational Retention and Disposal
- Vendor must limit its collection of any JBM, Inc Information to what is necessary to perform such services as requested by JBM, Inc or to fulfill any legal requirements. All hard copy data which is no longer required must be shredded by use of a cross-cut shredder.
- At the end of the specified retention period, or upon the written request of JBM, Inc at any time, Vendor will return or destroy, and certify in writing that it has destroyed and returned, all JBM, Inc Information (along with all copies and all media), as directed, within forty-eight (48) hours. Nothing in this Policy will prevent Vendor from maintaining information, still subject to confidentiality obligations, as required by law or any regulatory authority to which Vendor is subject.
7. Minimum Information Security Controls
Vendor must implement and maintain the minimum information security controls as set forth below.
- Audit of Security Controls
- Vendor shall maintain all necessary documentation to show compliance with the Policy.
- Additionally, upon request, Vendors shall allow JBM, Inc or an independent third party to audit Vendor’s compliance with this Policy. JBM, Inc reserves the right to audit (or to engage a third party to audit) all network device configurations and administration processes at any time, including, but not limited to, inbound and outbound packets, firewalls, network peripherals and attached computer systems.
- If set forth in the Agreement, Vendor may be required to obtain a formal audit of the security controls conducted by an unaffiliated third party. If this is necessary, Vendor must provide JBM, Inc with written audit results. Results must be an ISO/IEC 27000/2 or other appropriate ISO/IEC certification. Vendor’s information security management program must comply with internationally recognized, generally applicable ISO/IEC standards.
- If any such audit reveals material gaps or weaknesses in Vendor’s security program, JBM, Inc shall be entitled to suspend transmission of JBM, Inc Information to Vendor and JBM, Inc may, at its election, terminate the Agreement without penalty. Vendor’s Processing of any of this information is to cease until such issues are resolved to JBM, Inc’s satisfaction.
- Security Management
Vendors must have a comprehensive written information security program, based on best practice standards for their industry. The program must contain:
- Written information privacy and security policies that are revised on a regular basis and regularly communicated to appropriate personnel and third-party providers; and
- Security training and awareness
activities performed regularly and designed to enable employees and
contractors to identify information privacy risks.
- Risk Management
Vendors must perform periodic risk assessments to evaluate their risk profile regarding the collection, storage, and use of JBM, Inc Information.
- Risk Mitigation. Vendors must continually identify and mitigate internal and external risks that could result in the compromise of confidential information, including JBM, Inc Information.
- Risk Assessment. Vendors must conduct regular information privacy and security risk assessments in each area of proper operation.
- Media Sanitization. Vendors must ensure that media
sanitization conforms to NIST SP 800-88, Media Sanitization, or any
- Personnel Security / Human Resources Security
Vendor shall implement controls to enable employees, contractors, and service providers to adhere to policies and standards according to roles and access and to reduce the risk of theft, fraud, loss, and misuse of facilities or information.
- Vendor must ensure that employees, contractors, and third-party users understand their responsibilities and are suitable for the roles for which they are considered, including through any appropriate personnel screening.
- Vendor shall appoint, properly train and identify to JBM, Inc in writing an individual within Vendor’s organization who is authorized to respond to inquiries from any data protection authority, Vendor, or a data subject concerning Vendor’s collection, access, use, storage, and/or transfer of Personal Information. Vendor will deal promptly with all inquiries relating to Personal Information and provide all required information to JBM, Inc.
- Security roles and responsibilities of employees, contractors and third-party users must be defined and documented to incorporate JBM, Inc data protection control requirements including background checks to the extent permitted by applicable law.
- All employees, contractors, and third-party users must be notified of the consequences for not following this Policy in connection with the handling of JBM, Inc Information.
- All assets used to manage or store JBM, Inc Information must be protected against unauthorized access, disclosure, modification, destruction or interference.
- All employees, contractors and third-party users must be provided with education and training in privacy and security procedures and the correct information Processing requirements.
- If Vendor has knowledge that an
agent is using or disclosing JBM, Inc Information in a manner contrary to
this Policy, Vendor will take reasonable steps to prevent or stop the use
- Operations Management
- Vendor must provide appropriate security and protection from unauthorized access, damages and interference of assets based on classification, information sensitivity, and other factors.
- All software used by Vendor in providing services to JBM, Inc must be properly licensed before entering into an Agreement with JBM, Inc.
- Vendor is responsible for data protection, privacy compliance, and security control validation/certification of its sub-contractors.
- Vendor will protect against the risk of malicious code by using anti-virus products on clients and servers; using an appropriate blocking strategy on the network perimeter; filtering input to applications; and creating, implementing and training staff in appropriate computing policies and practices.
- Security Breach
- Security Breach. Vendor must comply with the specified incident response process for JBM, Inc Information and JBM, Inc systems. Vendor shall follow documented responsibilities and procedures to respond to information security incidents quickly, effectively, and in an orderly way. “Security Breach” means any act or omission that compromises either the security, confidentiality or integrity of the JBM, Inc Information or the physical, technical, administrative or organizational safeguards put in place that relate to the security, confidentiality, or integrity of the JBM, Inc Information.
- Cost Allocation. Vendor shall bear all costs
associated with resolving a Security Breach, including those costs
associated with conducting an investigation, notifying consumers and
others as required by law or the Payment Card Industry Data Security
Standard, providing consumers with one year of credit monitoring, and
responding to consumer, regulator and media inquiries.
- Reporting. Vendor shall report any Security
Breach through appropriate management channels as quickly as possible.
Any Security Breach involving or impacting JBM, Inc or a JBM, Inc affiliate
or subsidiary must be reported to JBM, Inc. Notification must be within
twenty-four (24) hours from detection if JBM, Inc Information, the JBM,
Inc brand, logo or trademarks are involved or compromised.
- Cooperation with JBM, Inc. Vendor shall cooperate with JBM, Inc in investigations of any incidents involving JBM, Inc Information or JBM, Inc systems. Vendor shall cooperate with JBM, Inc and JBM, Inc employees, affiliates and representatives in responding to inquiries, claims, and complaints regarding the Processing of JBM, Inc Information, including, but not limited to: (a) assisting with any investigation as requested by JBM, Inc; (b) providing JBM, Inc with physical access to facilities and operations affected; (c) facilitating interviews with Vendor’s representatives and others involved in the matter; and (d) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably requested by JBM, Inc.
- Providing Notice to Third Parties. Vendor shall not inform any third party of any Security Breach which affects JBM, Inc, without first obtaining the prior written consent of JBM, Inc, other than to inform a complainant that the matter has been forwarded to JBM, Inc’s legal counsel. JBM, Inc shall have the sole right and authority to determine: (i) whether notice of the Security Breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in JBM, Inc’s discretion; (ii) the contents of such notice; (iii) whether any remediation may be offered to affected persons; and (iv) the nature and extent of any such remediation.
- Encryption and Data Management
- Cryptographic controls must be
used to protect the confidentiality, integrity, and availability of JBM,
Inc Information in transit and while in Vendor’s possession. Controls for
the management and use of cryptographic keys must be developed,
implemented, and reviewed by Vendor on a periodic basis.
- Vendor must encrypt: (i) laptops
and all other portable devices storing JBM, Inc Information which is
Personal Information; as well as (ii) files containing JBM, Inc Information
on all laptops or other portable devices; (iii) all messages containing JBM,
Inc Information (or files containing Personal Information) during transit
over public networks; and (iv) all files containing Personal Information
included in a message sent over public networks.
- If the Processing involves the
transmission of JBM, Inc Information over a network, Vendor shall have
implemented appropriate supplementary measures to protect the JBM, Inc Information
against the specific risks presented by the Processing. JBM, Inc Information
may only be transmitted in an encrypted format.
- JBM, Inc Information may not be
stored on any portable computer devices or media (including laptop
computers, removable hard disks or flash drives, personal digital
assistants (PDAs) or computer tapes) unless the JBM, Inc Information is
encrypted, or the hard drive that contains the JBM, Inc Information on
the portable computer device or media is fully encrypted.
- Vendor should also be aware of any
regulations, standards, or industry or sector specific guidelines that
set forth minimum guidelines for encrypting personal data.
- Access Controls
Access to resources including JBM, Inc Information must be regulated through the use of information security access controls and authorization mechanisms commensurate with risk.
- General. Vendor will secure its computer
networks using multiple layers of access controls to protect against
unauthorized access. In particular, Vendor will: (i) group network
servers, applications, data and users into security domains; (ii)
establish appropriate access requirements within and between each
security domain; and (iii) implement appropriate technological controls
to meet those access requirements consistently; including (for example)
- Remote Access. Vendor will secure remote access,
with multi-factor authentication, to and from its systems by disabling
remote communications at the operating system level if no business need
exists and/or tightly controlling access through management approvals,
robust controls, logging and monitoring access events and subsequent
- Password Policy. Vendor must limit access to the
minimum necessary to perform the required function. Vendor must maintain
and enforce a password policy which addresses password length,
composition, complexity, lockout, history and expiration.
- Termination of Access. Vendor must revoke access for any vendor employee, contractor, or third-party user to JBM, Inc Information, and facilities which process JBM, Inc Information, or provide access to JBM, Inc systems upon termination of their employment, contract or agreement, or adjust access upon a change of responsibility.
- Security Zones. Vendor will define physical security
zones and implement appropriate preventative and detective controls in
each zone to protect against the risks of physical penetration by
malicious or unauthorized people, damage from environmental contaminants,
and electronic penetration through active or passive electronic
- Vendor must appropriately leverage firewall
infrastructure to segregate sensitive environments and restrict the use of
insecure protocols. Network segments connected to the internet must be
protected by a firewall which is configured to secure all devices behind
- Business Continuity and Disaster Recovery
Vendor must have appropriate Business Continuity and Disaster Recovery capabilities to prevent or mitigate business interruption and associated impact. Vendor must test the Business Continuity and Disaster Recovery capability regularly.
- Vendor must counteract interruptions to business activities and protect critical business processes from the effects of major failures of information systems or disasters and ensure their timely resumption.
- Vendor shall have an established
disaster recovery/business continuity plan that addresses ongoing access
to the JBM, Inc Information as well as security needs for backup sites
and alternative communication networks.
Information security and data protection controls and processes must comply with Applicable Law and contractual obligations, to avoid a breach and compromise of JBM, Inc Information. Vendor must comply with all changes in applicable laws of which Vendor is notified. If Vendor is unable to do so, it must notify JBM, Inc immediately and JBM, Inc may terminate the Agreement, unless the parties mutually agree in writing upon steps to be taken to enable Vendor to so comply.
from time to time.
- PCI Data Security Standards. If Vendor has access to or will
create, receive, store, process, or transmit JBM, Inc cardholder
information (e.g. credit, debit, stored value, or prepaid card information),
Vendor, at its own expense, warrants:
- Vendor is, and will remain, responsible for securing cardholder information in its care, custody, possession, or control;
- Vendor will comply with the
applicable current Payment Card Industry Data Security Standards (“PCI Standards”);
- Vendor will provide JBM, Inc with
an annual third-party Attestation of Compliance. If a third-party
provider will have access to or will create, receive, store, process, or
transmit JBM, Inc cardholder information to perform under the Agreement,
Vendor warrants that it will require this of the third-party provider
and will provide JBM, Inc with the third-party provider’s annual
Attestation of Compliance issued by another party unaffiliated with the third-party
- HIPAA Protected Health Information.
If Vendor has access to or will create, receive, store, process, or transmit Protected Health Information, Vendor, at its expense, warrants:
- Vendor is, and will remain, responsible for securing Personal Health Information in its care, custody, possession or control;
- Vendor will comply with HIPAA, including all applicable privacy and security standards; and
- Vendor will sign the JBM, Inc HIPAA Business Associate Agreement.
- International Law
To the extent that the scope of the Agreement between JBM, Inc and Vendor extends beyond the United States, the following applies:
- Vendor shall not transfer JBM, Inc Information across any national borders or permit remote access to the JBM, Inc Information by any employee, contractor, or another third party unless Vendor has the prior written consent of JBM, Inc for such transfer or access.
- If Vendor has access to or will create, receive, store, process, or
transmit JBM, Inc Information of customers in non-US countries, Vendor
represents and warrants that all Processing, storage, retention, and
destruction of personal data by Vendor and third-party providers will be
in compliance with all then-current applicable international, federal,
provincial, state, and local laws, rules, regulations, and ordinances,
including without limitation, data breach notification laws. For the
purpose of clarification and without limiting the preceding, if Vendor
collects, receives, processes, stores, retains, or destroys JBM, Inc Information
of any citizen of Canada, Mexico or the European Union in connection
with performing services for JBM, Inc, then the following provisions
- All Processing, storage, retention and disposal of JBM, Inc Information of citizens of Canada will comply with Canada’s law on Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any provincial laws which may apply based on location;
- All Processing, storage, retention and disposal of JBM, Inc Information of citizens of the European Union will comply with the EU Directive 95/46/EC and the General Data Protection Regulation, including all implementing legislation and successor statutes, laws, rules, regulations, and directives.
- Vendor shall, at its own cost, take out and maintain cybersecurity insurance on terms reasonably satisfactory to JBM, Inc, with a reputable insurer. Such insurance shall cover any and all losses, claims, demands, proceedings, damages or costs arising from or in connection with breach of this Policy.
Vendor shall ensure that the beneficial interest of JBM, Inc is noted on the face of the insurance policy and shall make full details of the insurance and proof of payment of the insurance premium available to JBM, Inc on request.
9. European Data Transfers
If Vendor is a U.S. entity, Vendor must certify to the United States
Department of Commerce and the European Commission that it adheres to the
EU-US Privacy Shield Framework. The EU-US Privacy Shield provides a set
of guidelines that establish an adequacy standard which governs
data-sharing between the European Union and the United States. If Vendor
is a non-U.S. entity, Vendor agrees to provide the same level of
protection to any Personal Information Processed under this Agreement as
required by the Privacy Shield Principles.
For purposes of this Agreement, JBM, Inc is a data controller and Vendor is a
data processor. Vendor will act strictly in accordance with the direction
of JBM, Inc and will not determine on its own, the purpose(s) for which
Personal Information will be accessed and/or processed.
Vendor must certify that: (i) it has certain protections and procedures in place
which meet EU data protection and privacy standards; and (ii) it adheres
to the Privacy Shield Principles of notice, choice, security, data
integration and purpose limitation, access, accountability for the onward
transfer of personal data, recourse, enforcement, and liability.
- Privacy Principles
- Notice. When Vendor collects JBM, Inc Information directly from individual members in the EU, it must inform them of the purposes for which it collects and uses their personal information, the types of third-party agents to which Vendor discloses that information, and the choices and means, if any, that Vendor offers EU members for limiting the use and disclosure of their personal information. The notice must be provided in clear and conspicuous language when members are first asked to provide Personal Information to Vendor.
- Use of Data. If Vendor receives Personal Information from JBM, Inc, its subsidiaries, affiliates, or other entities in the EU, it must use such information in accordance with the notices such entities provided and the choices made by members to whom such personal information relates, and in accordance with any contractual obligations between the parties.
- Choice. Vendor must offer EU members the opportunity to opt out as to whether their Personal Information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the EU member. Vendor must provide EU members with reasonable methods to exercise their choices.
- Accountability for Onward Transfer.
Vendors may provide JBM, Inc Information to agents to perform tasks on
behalf of and under Vendor’s instructions. Vendor obtains assurances
from its agents that they will safeguard JBM, Inc Information consistently
with this Policy. Such agents must agree to use such JBM, Inc Information
only for the purposes for which they have been engaged by Vendor and
they must either: (i) comply with the Privacy Shield Principles or other
mechanisms permitted by the applicable European data protection laws for
transfers and processing of JBM, Inc Information; or (ii) agree to
provide adequate protections for the JBM, Inc Information that are no
less protective than those set out in this Policy.
- These provisions are subject to change by amendment. Vendor will be notified of such changes to this Policy and is responsible for complying with the most up to date version of this Policy.