Clarifire DATA SECURITY RESPONSIBILITIES ADDENDUM (DRSA)
This Addendum (“DSRA”) becomes part of the agreement between Clarifire and the Client (each may be referred to individually as Party and jointly as Parties) upon execution of any agreement for Clarifire products or services (“Agreement”) unless excluded as specified herein. It is understood by both Parties that this DSRA sets forth the Party’s respective obligations in connection with the sharing, storing, processing and securing of data pursuant to the Agreement.
In order to continually enhance and streamline data security, this DSRA may be modified from time to time by Clarifire and the modified versions will supersede any prior version upon notice to the Client. Clients will be notified of any modifications by email sent to the Client’s designated point of contact. Notification will be deemed effective upon receipt by the point of contact in their inbox. The current and any earlier versions of this DSRA can be found at https://www.eclarifire.com/DRSA.
1. Scope. This DSRA applies to all Agreements except those that expressly exclude it and are governed by specific data security terms in a Statement of Work or other applicable policy or provisions. Further, these DSRA terms only apply to processes and environments controlled by Clarifire (“Clarifire Systems”), including all data transferred to Clarifire Systems, not to any data or processes that remain and/or reside with Clients or third-party systems selected by Clients.
1.1. Exclusions. This DSRA is not applicable to any demonstration sites or functions (“Demos”) that are utilized to market Clarifire’s products and services. Demos involve only fictitious data and no data that requires security is to be utilized. This DSRA is also not directly applicable to any agreement in which the Party contracting with Clarifire is a law firm or lawyer (“Law Firm”) that has been retained by a Party to an Agreement with Clarifire and which Law Firm will be granted access to Clarifire Systems by authorization of the Party. In such situations, the Parties agree and understand that the Client granting access to a Law Firm will reference this DSRA in any agreement it has with the Law Firm or provide notice of this DSRA to the Law Firm as necessary for its understanding of its responsibilities.
1.2. Operation of Addendum with Agreements. This DSRA will prevail if there are any conflicts between the terms of an Agreement (including but not limited to any provisions referenced in an Agreement such as a privacy policy and website terms of use) and the terms of this DSRA. Further, this DSRA is deemed to be incorporated into all Agreements, including those that pre-existed this DSRA or do not expressly reference this DSRA, unless expressly excluded in this DSRA. Therefore, except as excluded, Clarifire’s obligations as stated herein are binding upon Clarifire with respect to all Clients who are Parties to an Agreement with Clarifire, and Clarifire has provided notice of this Addendum to all Parties to pre-existing Agreements.
2. Ownership and Use of Data. Subject to any other provisions of this Addendum, Clarifire agrees not to retain, use, or disclose data submitted to Clarifire Systems by Client (“Client Data”) for any purpose other than those expressly set forth in the Agreement. Clarifire shall not sell to or share Client data with third parties, nor derive any products, services, or benefits from Client data, unless specifically permitted by the terms of an Agreement. Data resulting from Clarifire’s services is referred to as “Services Data.” Client retains and/or acquires the rights in and to Client Data and Services Data as specified in an Agreement, and Clarifire acquires no rights other than all rights necessary to perform the services under an Agreement and/or as further set forth in the Agreement. Client acquires no rights or interest in and to Clarifire products and services, other than the limited rights necessary for Client to utilize the products and services pursuant to the Agreement.
3. Data Accuracy. Client is solely responsible for ensuring that all Client Data transferred into Clarifire Systems for processing is current, relevant, accurate, and complete. Client agrees that Clarifire has no liability for any errors and/or inaccuracies in Clarifire Systems outputs (Services Data) that are the result of faulty Client Data. Client further agrees to indemnify and defend Clarifire against any third-party actions resulting from faulty Client Data.
4. Data Security and Privacy. Client acknowledges that Clarifire restricts access to the Clarifire Systems exclusively to Authorized Users located within the United States, but Clarifire does not impose geographical limitations within the United States from which Client’s Authorized Users may access Client Data within the Clarifire Systems. For an additional fee, Clarifire provides the service of IP address white-listing to enhance security, and Client acknowledges that it is aware of this offering. Should Clients choose not to subscribe to this white-listing service, Client is solely responsible for any and all liability for any security breaches or incidents resulting from Client’s Authorized Users accessing the Clarifire Systems from unauthorized or unverified locations, such as personal mobile devices and computers. Further, Client is solely responsible for implementing the technical and procedural controls within its organizations and processes to safeguard the confidentiality and integrity of Client Data including (by way of example but not limited to) privacy screens for monitors, Group Policy Objects (GPOs) such as lock screens and other security settings, user access provisioning, separation of duties, and other controls that are warranted for security and privacy protection under the circumstances and to comply with security and privacy regulations. Clarifire shall implement technical and procedural measures to safeguard the confidentiality, integrity, availability, and privacy of Client Data within the Clarifire Systems.
4.1. Identity Access Management. Client shall manage its Clarifire Systems user accounts, permissions, and access controls to ensure that only authorized individuals will have access to sensitive data and functionalities, including, but not limited to, strict prohibitions against the sharing of user accounts. Client is solely responsible for the selection of personnel who will be granted access to Clarifire Systems and Clarifire shall have no responsibility or liability for Client’s selection of Authorized Users and/or monitoring of such Users.
4.2. Security Monitoring and Reporting. Client shall conduct vigilant oversight of its workforce to detect unauthorized access to the Clarifire Systems and to address promptly any occurrences of erroneous, inappropriate, or malicious utilization of Client Data within Clarifire Systems. The Client shall promptly notify Clarifire if assistance is needed to rectify any issues with the Clarifire Systems or Client Data as a result of a security event. Clarifire shall conduct ongoing monitoring and analysis of the Clarifire Systems to identify potential threats, detect vulnerabilities, and mitigate against potential attacks. Clarifire shall promptly notify Client of any security breaches in accordance with contractual and regulatory obligations.
4.3. Incident Management. Client shall respond promptly to security incidents pertaining to its use of Clarifire Systems. Clarifire shall promptly address security incidents associated with the operation of the Clarifire Systems, with the aim of mitigating adverse effects on service operations and restoring normal functionality expeditiously.
5. Disaster Recovery. Client shall employ disaster recovery plans and procedures that include its integration with Clarifire Systems. Clarifire shall deploy backup and recovery mechanisms aimed at safeguarding Client Data and Service Data against loss or corruption, thereby facilitating data preservation and retrieval in the event of emergencies.
6. Communication and Collaboration. Clarifire shall furnish various communication and collaboration avenues, comprising the RESCUE Application, telephone, and electronic mail. Client shall utilize the foregoing communication and collaboration channels provided by Clarifire. Clarifire is not responsible for receiving and responding to any communications outside of the channels provided by Clarifire.
7. Training and Education. Clarifire shall provide the initial CLARIFIRE Application training to Client users. Client shall furnish the requisite training and educational resources to users concerning Client’s internal protocols for utilization of the CLARIFIRE Application, including compliance with the Client’s internal security standards and practices.
8. Performance Monitoring. Clarifire shall conduct ongoing monitoring and analysis of the performance of the CLARIFIRE Application, promptly addressing any issues or bottlenecks that may impede its functionality. Client shall promptly notify Clarifire of any performance discrepancies that have the potential to impact the CLARIFIRE Application and Clarifire’s obligations under the Agreement.
9. Clarifire Infrastructure Management. Clarifire shall maintain and manage the underlying hardware and software infrastructure essential for the delivery of the Clarifire Services.
10. Clarifire Platform Security. Clarifire shall implement and sustain security measures designed to safeguard the Clarifire Services against unauthorized access, data breaches, and other security threats.
11. System Availability and Reliability. Clarifire shall guarantee the availability and reliability of the Clarifire Services in accordance with the Agreement, including any SLAs referenced therein, with the objective of minimizing downtime and disruptions.
12. Industry Standards and Regulations. The Clarifire Services shall adhere to pertinent industry regulations and standards, including, but not limited to CCPA, HIPAA, and SOC 2, contingent upon the nature of the service provided and the specifications of Client in the Agreement.
13. Change Management. Clarifire shall institute change management protocols for the Clarifire Services, aimed at mitigating security risks, adapting to emerging cyber threats, and facilitating the seamless execution of cybersecurity initiatives.
14. Fraud Detection. Client is solely responsible for fraud detection analysis to detect any fraud in consumer supplied data or any other data before it becomes part of the Client Data transferred to the Clarifire Systems. Client understands that the Clarifire Systems do not include processes to detect fraudulent mortgage applications or any other suspicious or fraudulent data or information and Clarifire has no contractual obligation to provide such detection. Client further agrees that Clarifire bears no liability for any Services Data or operations that are faulty as a result of such fraudulent or suspicious data.
15. Compliance with Terms of Service. Client is solely responsible for its compliance with all applicable Terms of Service and Acceptable Use policies including, but not limited to, safeguards to prevent unauthorized access to the Clarifire Systems, the sharing of credentials, and/or any other misuse or negligent use of the Clarifire Systems by Client and/or any persons gaining access through Client.
16. Integration of Systems. Client is solely responsible for incorporating the Clarifire Systems into Client’s security frameworks and business processes (“Clients Systems”). Client agrees that unless expressly set forth in an Agreement, integration of systems is not part of the Clarifire services, and Clarifire has no responsibility to modify its systems and/or assist in efforts to integrate the Parties’ respective systems.
17. Termination. Upon contract termination, Clarifire shall decommission Client's CLARIFIRE Application instance, dispose of the data in accordance with NIST SP 800-88 guidelines, and furnish Client with a destruction certificate.