Data Security Policy

The purpose of the Community Data Security Policy (“Policy”) is to protect the confidentiality, security and availability of Data. As a condition to providing goods and/or performing services for Community (“Services”), you must comply with this Policy, as updated from time to time.

Definitions

  •  “Applicable Data Protection Laws” means any applicable data protection or privacy laws, regulations, statutes and guidelines, including, but not limited to, Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, the California Consumer Protection Act (“CCPA”), GDPR and other similar laws and regulations.
  •  “Community” means Community Coffee Company, L.L.C. and parent affiliates.
  •  “Data” means Community and its customers’ and agents’ financial information, proprietary information, confidential information and Personal Information.
  •  “Incident” means any account breach and/or a compromised account or systems.
  •  “Personal Information” means any information provided to you by Community or obtained by you in fulfillment of Services for Community relating to an identified or identifiable person and that, either by itself or in combination with other pieces of information, identifies, or can be used to identify, an individual. Examples of Personal Information include, but are not limited to, names, phone numbers, addresses, credit and/or other payment card information, national identification numbers, and/or account or financial information of any Community affiliate’s employees, franchisees, sales associates, brokers, or customers (which, for the avoidance of doubt, includes loyalty program members).

General Security Requirements

  •  You shall maintain an information security program that contains technical, physical and organizational measures to protect the security, confidentiality and integrity of Data, including, as appropriate, a process for regularly testing, assessing and evaluating the effectiveness of the foregoing.
  •  You shall require multiple-factor authentication for connections to your systems where possible.
  •  You shall maintain a procedure for managing, changing and resetting passwords and for assigning logins and passwords.
  •  You shall ensure all transfers of Data are secure using SSL, IPsec VPN, HTTP / HTTPS, SFTP or other secure method.
  •  You shall maintain border protection devices to detect and prevent unauthorized access to your network and the Data, its backups or mirrors.
  •  You shall perform regular internal or external security assessments of your computing environment.
  •  If you use an application in performing the Services, you shall use multiple security levels and define security parameters from an individual level to a global level.
  •  You shall perform regular cybersecurity training for all employees with system access.
  •  You shall comply with industry best practices related to privacy and Data security.

Physical Security Requirements

  •  You shall maintain physical controls to prevent and detect unauthorized access to your data center, if applicable, and to prevent unauthorized WLAN access or interception of Data.
  •  You shall maintain processes to screen employees and contractors who will have access to systems related to Data and those used in providing Services.

Operational Security Requirements

  •  You shall maintain, and provide to Community upon request, documented policies and processes for host security that define authorized Services, change management procedures and platform configuration. At a minimum, intrusion detection/prevention, evaluation of OS and application vendor security alerts, and installation of security patches (“hot fixes”) and service packs shall be included.
  •  You shall maintain security configuration baselines for each of the applications, operating systems, security devices and network devices used in performing the Services.
  •  At least once every four (4) months, you shall perform or have performed a Vulnerability Threat Assessment (“VTA”) against your production systems/servers and provide the result of the assessment to Community upon request.

Incident Response

  •  You shall maintain a documented process to respond to an Incident that includes, among other things, prompt (not more than 12 hours from discovery) notification to Community if you have reason to believe that there has been an Incident.
  •  If the Incident is a security breach, that process shall include a procedure to identify the extent of the breach.
  •  You shall fully cooperate with Community to limit the unauthorized access, disclosure or use of Data; to seek the return of Data; to provide or assist in providing notice relating to the Incident to third parties if requested by Community; and, notwithstanding any liability caps contained hereunder, to pay the full cost of providing such notices or other remedies as required by law or regulatory authority.
  •  You shall assist and support Community in any investigation of an Incident if and to the extent that such investigation relates to Data handled by you on behalf of Community.

Legal, Compliance and Audit Requirements

  •  You shall comply with Applicable Data Protection Laws and this Policy. You shall not cause Community to be in noncompliance with any of the foregoing.
  •  You shall make available to Community all information and support necessary for Community to comply with and demonstrate compliance with its obligations under Applicable Data Protection Laws.
  •  Upon request by Community, you shall promptly return or destroy all Data in accordance with Community’s instructions.
  •  You acknowledge that Community may monitor your activities while you are in Community systems and/or may audit your compliance with this Policy and Applicable Data Protection Laws both inside and outside of Community’s systems, including inspections at your premises. You shall be responsible for notifying employees and agents that such monitoring may take place if you deem necessary.
  •  You acknowledge that Community may audit your compliance hereunder. In such audit, you shall cooperate with Community and its authorized representatives and provide them with access to your relevant records and facilities.

Acknowledgements

  •  You acknowledge that at no time will you acquire any ownership, license, rights, title or other interest in or to the Data. You shall only use Data for the sole purpose of providing the Services.
  •  You acknowledge that in the event you are unable to comply with the obligations in this Policy, you will promptly notify Community in writing. Community shall then be entitled (at its option) to suspend the transfer of Data to you, require you to cease using or handling Data and/or immediately terminate any Agreement with you and/or an applicable Appendix, Exhibit or Schedule thereto.
  •  You acknowledge that this Policy does not supersede the terms of any confidentiality agreement(s) entered into between you and Community.
  •  You acknowledge that the obligations in this Policy shall remain in force notwithstanding termination or expiration of any Agreement between you and Community.

Effective: February 1, 2022