By using the website, apps, and services of Micro Benefits Limited (“Provider”), you, the Customer (“Customer”), acknowledge and agree that the Customer is and will remain the exclusive owner of all data provided to Provider (“Customer Data”) under this Data Security Policy (“Data Security Policy”). Provider will access, use, or otherwise handle Customer Data to perform the Services (“Hosted Services”) under the applicable SaaS Subscription Order Form (“SaaS Order Form”) or to perform other obligations expressly authorized under the Software as a Service Agreement (“SaaS Agreement”) and, in the case of users of the Provider’s apps, the End User License Agreement (“EULA”). Except as expressly authorized under the SaaS Agreement and/or EULA, Provider will not collect, use, store or transmit any Customer Data unless Customer Data is encrypted, aggregated, anonymized, pseudonymized, or sanitized so that third parties viewing said data sets cannot ascribe the Customer Data to the Customer or individuals. Provider will keep and maintain Customer Data using such degree of care as is appropriate to avoid unauthorized use or disclosure of Customer Data. Provider will implement and maintain reasonable administrative, technical and physical safeguards to protect Customer Data, as appropriate to the nature and scope of Provider’s activities and Services.
Provider will, on an ongoing basis, ensure that its information security program and safeguards are designed, maintained, updated and adjusted, as necessary, to protect against reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Customer Data. Provider will only allow authorized persons with a need to handle Customer Data to perform Services or other obligations under this Agreement to access or handle Customer Data, and Provider will remain responsible for any handling of Customer Data within its custody or control by its Representatives. If Provider becomes aware, or reasonably believes, that Customer Data may have been accessed or acquired by an unauthorized party, Provider will promptly notify the Customer via the Customer’s primary business email contact(s).