Data Processing Agreement

This data processing agreement forms part of the Agreement, as defined below, and applies where an L.E.K. Consulting (“L.E.K.”) entity acts as a processor, service provider, or comparable term when Processing Personal Information on behalf of the counterparty to the Agreement (“Client”).

  1. Background
    The services that L.E.K. agreed to perform for Client may require L.E.K. to Process Personal Information, as defined below, on Client’s behalf and subject to Client’s reasonable instructions.

    This data processing agreement sets out the additional terms and conditions that govern L.E.K.’s Processing of Personal Information that Client makes available to L.E.K. or directs L.E.K. to acquire as part of L.E.K.’s performance of services.
  2. Definitions

    “Agreement” – the contract for services between L.E.K. and Client that describes the scope of work that L.E.K. has agreed to perform.

    “Data Subject” – an individual whose data are governed by this DPA.

    “DPA” – this data processing agreement.

    “Personal Information” – any information that directly or indirectly identifies or describes a known or identifiable individual, which Client has directed L.E.K. to acquire or otherwise made available to L.E.K. for use in the performance of services as defined in the Agreement. Where defined by an applicable privacy or data protection law, Personal Information will also have that meaning. In case of a conflict between applicable law and this DPA, the definition provided by law will control.

    “Process” – any activity involving Personal Information including but not limited to acquisition, use, storage, retention, disclosure to a third party, alteration, and destruction. Processing can be manual or automated. Processing will also have the meaning established in an applicable privacy or data protection law, which will control over any conflict with this DPA.

    “Personal Information Breach” – any incident that: (1) violates the confidentiality, integrity, or availability of Personal Information; or (2) results in illegal or unauthorized Processing of Personal Information. Where defined by an applicable privacy or data protection law, Personal Information Breach will also have that meaning. In case of a conflict between applicable law and this DPA, the definition provided by law will control.

  3. Client’s Obligations
    When directing L.E.K. to acquire Personal Information or when making Personal Information available to L.E.K. for Processing in connection with the services, Client will:
    1. Comply with applicable laws when identifying the nature and scope of Personal Information Processing L.E.K. will conduct on Client’s behalf.
    2. Decide upon and communicate to L.E.K. the nature and scope of L.E.K.’s Processing of Personal Information through written instructions incorporated into the Agreement including but not limited to incorporating instructions in one or more Engagement Letters, Statements of Work, or equivalent documents, and change orders to the same.
    3. Provide Data Subjects with appropriate notices about the nature of L.E.K.’s Processing as required by applicable law.
    4. Conduct necessary risk assessments and obtain necessary consents from Data Subjects to enable L.E.K. to Process Personal Information in connection with its services.
    5. Provide Data Subjects with a mechanism to exercise their legal rights, ask questions, and raise complaints about the Processing of their Personal Information.
    6. Instruct L.E.K. on how to support Client’s decisions regarding Data Subjects’ and other third parties’ inquiries, complaints, and rights requests.
    7. Take commercially reasonable steps to ensure that its instructions regarding L.E.K.’s Processing of Personal Information, as incorporated into the Agreement in a Statement of Work or other similar writing, are consistent with applicable law.
  4. L.E.K.’s Obligations

    When Processing Personal Information on Client’s behalf, L.E.K. will:

    1. Process Personal Information only within the scope of its direct business relationship with Client: (1) to perform its services, (2) where necessary to exercise its rights and perform its obligations under the Agreement, (3) to follow Client’s instructions as incorporated into the Agreement, and / or (4) where permitted or required by applicable law.
    2. Certify that it understands these restrictions and will comply with them.
    3. Inform Client if it reasonably believes that an instruction violates applicable law.
    4. Implement safeguards to protect the confidentiality, integrity, and availability of Personal Information in its custody and prevent unauthorized Processing of Personal Information subject to this DPA. Safeguards must comply with well-known, generally accepted standards for information security and privacy management.
    5. Take appropriate steps to demonstrate the ongoing effectiveness of the safeguards applicable to Personal Information subject to this DPA and make this information available to Client upon request not more than once per calendar year.
    6. Perform the services using only personnel who are under an obligation to maintain the confidentiality of Personal Information; who have received appropriate training on how to adequately protect against Personal Information Breaches; and who have, where permitted by law, successfully completed a background check.
    7. Not subcontract any services to third parties that require Processing of Personal Information without: (1) informing Client in advance; (2) obtaining Client’s permission to subcontract services, which permission Client will not unreasonably withhold or delay; and (3) requiring subcontractors to agree to data protection requirements that are substantially similar to those contained in this DPA. Notwithstanding anything in this section to the contrary, Exhibit B – Approved Subcontractors identifies those entities that Client authorizes L.E.K. to subcontract services to, subject to the terms of this DPA.
    8. Provide commercially reasonable assistance to Client in meeting Client’s compliance obligations related to the Processing of Personal Information such as by providing information to support privacy risk assessments, regulatory filings, and stakeholder consultations, and other obligations that Client may have as a result of its engagement of L.E.K. to perform the services identified in the Agreement.
    9. Treat Personal Information it Processes under this DPA as Client’s Confidential Information subject to all applicable requirements provided in the Agreement.
    10. Keep records of its Processing of Client’s Personal Information that are sufficient to enable Client to verify that L.E.K.’s Processing activities are consistent with the requirements of this DPA.
    11. Securely and permanently destroy Client’s Personal Information at the conclusion of L.E.K.’s services upon Client’s instructions or pursuant to L.E.K.’s internal retention schedules, whichever occurs first. Notwithstanding anything in this section to the contrary, L.E.K. may retain Client’s Personal Information where required by law or applicable professional standards and / or to exercise its contractual rights or fulfill contractual obligations. In such circumstances, L.E.K. will not Process the Personal Information for any purpose other than required retention and will continue to protect the Personal Information as described in section 5 of this DPA.
    12. On request, provide Client with commercially reasonable information necessary to enable Client to verify L.E.K.’s compliance with this DPA, including providing documents demonstrating that L.E.K. has successfully completed independent, external audits against widely known, generally accepted standards for information security and privacy management and, where additional information is necessary, permitting Client to audit its data protection practices for compliance with this DPA.
    13. Engage an independent, external assessor to audit L.E.K.’s information security and privacy management systems against well-known, generally accepted standards and certify that its practices are effective. L.E.K. will maintain these certifications and make proof of them available to Client upon request.
  5. Security
    L.E.K. will maintain reasonable and appropriate administrative, physical, and technical safeguards against accidental, unauthorized or unlawful Processing including but not limited to access, copying, modification, reproduction, display or distribution of Personal Information, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Information as described in Exhibit A – Information Security Measures, which is incorporated into this DPA and the Agreement by this reference.

    L.E.K. will notify Client of any Personal Information Breach affecting Personal Information that it Processes under this DPA without undue delay. This notice will include a description of the categories of Personal Information affected, the approximate number of Data Subjects and records impacted, and the measures taken or proposed to remediate the Personal Information Breach.

    If L.E.K. suffers a Personal Information Breach, it will provide commercially reasonable assistance proportionate to its responsibility for the Personal Information Breach to Client in: (a) providing information about the root cause, nature, and extent of the Personal Information Breach and the remedial measures that L.E.K. has implemented or will implement to prevent the Personal Information Breach from occurring again; (b) mitigating the effects of the Personal Information Breach; (c) making notifications to affected Data Subjects and regulators where Client determines they are required by applicable law; and (d) providing remedies to affected Data Subjects.
  6. Cross Border Transfers of Personal Information
    L.E.K. will not transfer Personal Information it Processes under this DPA outside the jurisdiction where it will perform services under the Agreement unless: (a) Client provides its consent to the transfer; and (b) L.E.K. ensures that the transfer is consistent with applicable law by, including but not limited to, conducting legally required risk assessments of the recipient and executing appropriate data transfer agreements.
  7. Third Parties
    With respect to third parties, L.E.K. will:
    1. Not sell (as defined by applicable law) Personal Information Processed under this DPA to any third party.
    2. Remain primarily responsible for its Client-approved subcontractors’ protection of Personal Information and primarily liable to Client for its subcontractors’ Processing of Personal Information.
    3. Exercise commercially reasonable supervision over its subcontractors’ Processing of Personal Information to ensure that subcontractors comply with their contractual and legal obligations.
    4. Terminate the services of any subcontractor who is unable to protect Client’s Personal Information to a level substantially similar to what L.E.K. provides under this DPA.
    5. Upon termination of any subcontractor’s services, require the subcontractor to return or securely destroy any Client Personal Information the subcontractor Processes on L.E.K.’s behalf.
  8. Complaints, Data Subject Requests, and Third-Party Rights

    L.E.K. will provide commercially reasonable assistance to Client in the handling of:

    1. Requests from Data Subjects to enforce rights they may have over the Processing of their Personal Information under applicable law or Client’s applicable privacy policies.
    2. Requests for information or to audit Processing of Client’s Personal Information by a regulator with jurisdiction over the Processing.


    L.E.K. will not handle requests, inquiries, complaints, or other communications from Data Subjects, regulators, or other third parties related to Processing of Personal Information that arises out of its performance of services under the Agreement. If it receives such communications, L.E.K. will first attempt to refer the third party directly to Client. If the third party refuses to engage Client directly, L.E.K. will notify Client of the communication and provide Client with commercially reasonable assistance in its handling unless prevented from doing so by law.


    If a request, inquiry, complaint, or other communication from a third party legally prohibits L.E.K. from referring the matter to Client, informing Client of the communication, or otherwise prevents L.E.K. from notifying Client of the matter, L.E.K. will respond to the minimum extent necessary to conclude the matter.

  9. Term and Termination

    This DPA will remain in effect until: (a) L.E.K. ceases to provide services under the Agreement; or (b) L.E.K. no longer retains any Client Personal Information it Processes under this DPA, whichever occurs later.


    If a change in applicable law prevents either party to this DPA from fulfilling any of its obligations under the DPA, the parties may agree to suspend the Processing of Personal Information until they are able to comply with the new requirements. If the parties are unable to bring the Processing into compliance within a mutually agreed upon time frame, either party may terminate services upon 30 days’ written notice to the other party.

Exhibit A – Information Security Measures

L.E.K. represents and warrants that it will operate, maintain, and continuously improve information security and privacy safeguards that fall within the following domains:

  1. Policy and Management

    A comprehensive information security policy, risk assessment program, and privacy program with administrative, technical, and physical safeguards for the protection of client confidential information that has been documented, approved by management, communicated to appropriate constituents and has an owner to maintain and review the policy on at least an annual basis.


    Performing background screening to assess work and criminal history prior to allowing employee, contractor, or other third-party access to Client data.


    An IT Security Incident Management and Breach Response program.


    An internal audit, risk management, or compliance function that identifies and tracks the resolution of outstanding information security and privacy management issues.


    An internal compliance & ethics reporting mechanism and training program for employees to report compliance issues.


    Formal information security and privacy awareness training, for employees, contractors, agents (and other parties as appropriate) to ensure confidentiality and privacy of client data.

  2. Third Party Management

    A supplier management program in which all of the following are in place:

    1. Due diligence performed initially and on an ongoing basis.
    2. Legally binding confidentiality and/or non-disclosure agreements (NDA).
    3. Legally binding contractual requirements to adhere to at least the same level of information security controls and requirements as Vendor’s own.
  3. Physical and Infrastructure Security

    Physical and environmental security controls that apply to Client data that are consistent with industry best practices in order to prevent unauthorized access, use, disclosure, or loss.

    Controls for visitors permitted inside offices and data centers that contain or process Client data that include, at a minimum:

    1. Visitors must sign in and out.
    2. Visitors must provide a government-issued ID.
    3. Visitors must be escorted through secure areas.
    4. Visitors must wear a badge distinguishing them from employees.
    5. Visitor logs are maintained for at least 90 days.


    Anti-virus installed on all workstations, servers, and appliances (where applicable), and security patches kept up to date.
    Firewalls in use for both internal and external connections.
    Network devices configured to prevent communications from unapproved networks.
    Critical network segments isolated.
    Unauthorized devices prevented from connecting to the network (both physically and wirelessly).
    Intrusion Detection and/or Prevention Systems (IDS/IPS) deployed at ingress points in all network zones.
    All wireless networks password protected and encrypted using strong encryption (WPA2 or higher).
    Unused services turned off on all servers and appliances (server hardening).

  4. Data, Transmission, and Retention
    Removable media policy or program (CDs, DVDs, tapes, disk drives, all other portable storage devices) that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy.
    All media and devices containing Client data are disposed of securely to prevent recovery, including wiping or overwriting assets prior to reuse.
    Encryption in transit while outside the network, regardless of media or transmission method, including but not limited to tape and electronic transmission.
    All data stored on portable data storage devices encrypted, including USB storage, disk drives, laptops, etc.
    Locked, tamper evident transport containers, with tracking devices, are used to protect against physical damage while physical media is in transit.
    All copies of Client data, including backups, can be permanently and irretrievably deleted upon request.
    Data Loss Prevention (DLP) technology is used to detect and block the exfiltration of sensitive data through channels such as email, http, or ftp.
    Secure email used and configured to automatically encrypt emails containing sensitive data (such as SSNs, banking/credit card numbers, or PHI).
  5. Access Control

    An access control policy that has been approved by management, communicated to appropriate constituents and has an owner to maintain and review the policy.
    Users are required to authenticate to all applications (including at least, but not limited to, all business applications, FTP, and web applications) with at least a unique username and a strong password of at least 10 characters, with password changes required at a regular interval.


    Access control on all applications, operating systems, databases, and network devices ensures users have least privilege.


    A termination and/or change of status process in place to immediately revoke or modify access when an employee (or contractor) is terminated or transferred.


    System, vendor, and service accounts disallowed for normal operations and monitored for usage.


    A remote access policy for systems transmitting, accessing, processing and storing L.E.K. systems or data that has been approved by management and communicated to appropriate constituents.


    Controls to prevent remote users from copying sensitive data to unauthorized devices and printing to unauthorized printers.


    Encrypted communications are required for all remote connections.


    Multi-factor authentication required for remote access.

  6. Information Systems Acquisition, Development, and Maintenance


    If application development is performed, development, test, and staging environments are separate from the production environment.


    Systems and applications are patched on a periodic and consistent basis.


    External web application components (web server, application, database) are physically separated and placed across an n-Tier DMZ.


    Vulnerability scans and penetration tests are performed on all externally facing applications at least annually, and results are tracked, remediated, and reported to management.


    Data segmentation and separation between Client data and the data of other clients is provided.


    Event logging is implemented and configured within all applications to support incident investigation.

  7. Business Continuity and Disaster Recovery

    A documented policy for business continuity and disaster recovery that factors in loss of workspace, loss of critical systems, critical third parties, and loss of critical workforce which has been approved by management, communicated to appropriate constituents and has an owner to maintain and review the policy.


    Business Continuity and Disaster Recovery tests are performed at least annually.


Exhibit B – Approved Subcontractors

    Recipient    Purpose for Disclosure
    Alteryx      Data analytics
    Microsoft    Cloud storage, collaboration, communication, and office applications
    OpenAI       Enterprise generative AI solutions, including supporting custom GPTs used to process data