22 November 2022
12:00 AM
PST
|
APAC
TERMS AND CONDITIONS OF PURCHASE (“Terms”)
NOVEMBER 2022
- CONTRACT: (a) The purchase PO (“PO”) to which these terms and conditions of purchase (“Terms”) are attached and these Terms constitute the entire contract between the parties for any dealings with the Buyer (“the Contract”). (b) The acceptance of the PO by the Seller implies ipso facto acceptance of these Terms which are an integral part thereof and which govern the contractual relations between the parties, subject to the provisions of the specific terms of the PO, with the Seller definitively waiving its own General Terms of Sale. Acceptance is limited to the terms hereof and no revision of this these Terms, nor any additions thereto, shall be effective (whether or not in Seller's acknowledgement or other form) unless agreed to in writing by Buyer's authorized representative. Shipment of any materials ordered hereunder constitutes acceptance of the Terms whether or not Seller has acknowledged the Terms. (c) In the event of any inconsistency between these Terms and the PO or any supplemental conditions attached hereto, the PO or such supplemental conditions shall prevail, (d) Buyer shall have the right to make changes within the general scope of these Terms, but no additional charge will be allowed unless authorized in writing by Buyer, if such changes affect the delivery schedule or the amount to be paid by Buyer, Seller shall notify Buyer immediately and negotiate an adjustment.
- DEFINITIONS: "Materials" as used in this PO means supplied products, equipment and any other articles covered by this PO, whether tangible or intangible. To the extent possible, these Terms shall likewise apply to services contracted (“Services”), notwithstanding the reference to Materials which shall be deemed to include services, and/or a combination of services and goods, products, equipment.
- PRICE: (a) Unless otherwise provided in the PO, the prices mentioned in the PO are firm and non-revisable and are understood as being carriage paid and inclusive of packaging expenses. This PO shall not be filled at higher prices than specified herein. If price is omitted, the materials shall be billed at price last quoted or paid, or at the prevailing market price, whichever is lower. (b) Terms of Payment: In the absence of provisions to the contrary in the PO, payments are made by Bank Transfer at ninety (90) days net from the end of the month of delivery / acceptance, on the 10th of the following month. Debit notes issued by Buyer shall be automatically deducted from payments subject to Buyer having received the corresponding invoice.
- DELIVERY: If any shipment or delivery or performance of Services is made which is not in all respects in accord with this Contract (including time of shipment or delivery as time shall be of essence), Buyer reserves the right to reject such delivery and, if Buyer so elects, Buyer may treat this Contract as repudiated by Seller and cancel any outstanding deliveries hereunder, without prejudice to Buyer's rights to claim damages or to enforce any other remedy provided by law. All expenses of transportation and storage, if any, resulting the reform shall be for the Seller's account. In case the contracted Service is not performed in accordance with the Specifications, the Buyer reserves the right to elect to have the Seller redo it if practicable or have a third-party perform the Service the expenses of either of which shall be for the account of the Seller without prejudice to Buyer's rights to claim damages or to enforce any other remedy provided by law.
- SPECIFICATIONS: Buyer shall have the right to inspect at Seller's plant or upon receipt, as its election, any and all Materials and to reject those which do not conform to Buyer's specifications, or if not so specified, which do not conform to standard specifications. In case of Services, the Buyer reserves the right to inspect the works or Services being performed and to reject the whole or any portion thereof which, in the opinion of the Buyer is defective and/or does not comply with the specifications of the Services. All costs incurred and damages sustained by Buyer as a result of rejections made under the provisions hereof shall be for Seller's account and Buyer may return such Materials at Seller's expense. Materials are subject to Buyer's inspection and approval notwithstanding prior payment to obtain discount.
- WARRANTIES: Seller hereby represents and warrants to Buyer that it has established standard operating procedures (“SOP”) for the manufacturing and/or supplying of Materials and such SOP contains operating standards or procedures consistent with prevailing industry and/or GMP standards. Seller represents and warrants that all Materials shall be manufactured, packaged, labeled, supplied and delivered hereunder: (i) in a professional, clean, safe and sanitary manner, with all reasonable care and skill; (ii) in accordance with the specifications established by Buyer; (iii) in accordance with Seller’s SOP as established by Seller; and (iv) free from defect, contamination, adulteration or misbranding. Seller further represents and warrants that all Materials will be merchantable by Buyer and fit for the intended use by purchasers of Materials from Buyer. Seller agrees to take such reasonable measures as may be required by Buyer to ensure the physical integrity and security of all shipments to Buyer against the unauthorized introduction of harmful or dangerous materials, drugs, contraband, weapons of mass destruction or the introduction of unauthorized personnel in transportation conveyances or containers. Such measures may include, but are not limited to, physical security of manufacturing, packing and shipping areas, restrictions on access of unauthorized personnel to such areas, personnel screening to the maximum limits of law and regulation in Seller’s or manufacturer’s country and development, implementation and maintenance of procedures to protect the security and integrity of all shipments. Seller further agrees to indemnify, defend and hold Buyer and retailers of Buyer's products harmless against any and all claims, losses, damages and liabilities arising out of an assertion that any product Seller sells to Buyer is adulterated, misbranded, defective or unsafe. Buyer agrees to give Seller prompt notice of claims and to cooperate with Seller in defending Buyer.
- PACKING: The products are delivered with the packaging required for due and proper preservation. Unless otherwise provided for, the packaging is not subject to a deposit but, if this were the case, it shall be returned at Seller’s expense. Buyer is not responsible for any charges in respect of packing, boxing, storage or cartage unless otherwise agreed by the parties.
- EXCUSABLE DELAY: (a) Neither party shall be liable for any delay or failure of performance due solely to strikes, fires or other causes beyond its control and without its fault or negligence, provided that the party subject to such delay shall have given written notice to the other of any such cause for delay or anticipated delay promptly following the commencement thereof. If Seller should be unable, due to such cause, to meet all of its delivery commitments for Materials ordered herein as they become due, Seller shall not discriminate against Buyer or in favor of any other customer in making deliveries of such Materials. Seller shall use its best efforts to make deliveries as expeditiously as possible taking such cause for delay into account. However, if Buyer believes that the delay or anticipated delay in Seller's deliveries may impair its ability to meet its production schedules or may otherwise interfere with its operations, Buyer may at its option, and without liability to Seller, cancel outstanding deliveries hereunder wholly or in part. (b) Lead-times – Liquidated Damages In the event of delays in delivery or acceptance, which are not attributable to an event of force majeure or to Buyer’s negligence, the Seller shall owe penalties for delay calculated on the total amount of the PO at a rate of 1% per calendar week of delay up to a maximum of 5% of this amount. Over and above this maximum limit, Buyer reserves the right:
• to claim its actual loss from the Seller and
• to unilaterally announce, at any time and as of right, total or partial termination of the PO for breach of the Seller (without prejudice to any damages), with, in this case, the extent of the delay being considered as caused directly by the default of the Seller.
- TITLE: Title to, and risk of loss of, Materials purchased under this PO shall rest upon Seller until such Materials are delivered at F.O.B. (“Free On Board”) point specified in this PO, or, if no such point is given, then when they are delivered to public carrier consigned to Buyer, or are delivered to Buyer, whichever delivery shall occur first. However, if Materials purchased are of an explosive, inflammable, toxic or otherwise dangerous nature, Seller shall hold Buyer harmless against any claims asserted against Buyer on account of any personal and property damages caused by such Materials, or by the transportation thereof, prior to the completion of unloading at Buyer's plant or warehouse. In case of Services, title to, and risk of loss of the works, progress, supplies or materials shall rest upon the Seller until the Services are accepted by the Buyer to its reasonable satisfaction.
- INSURANCE OF MATERIALS: Seller shall insure the items under this PO in accordance with the terms on Clause 15 herein. The foregoing provisions shall apply to the performance or rendering of Services, mutatis mutandis.
- INFRINGEMENT: It is anticipated that Materials to which this PO relate will be possessed, used and/or sold by the Buyer and/or its customers. If by reason of any of these acts a suit is brought or threatened for infringement of any patent on Materials, their manufacture or use, or for infringement of any trademark, trade name or copyright, Seller shall at its expense defend such suit and indemnify Buyer and its customers against all loss and expense including lawyer's fees in connection with such suit or threatened suit, and including court-awarded damages and costs.
- LABOR: If this PO covers the performance of labor on Buyer's premises, Seller agrees to indemnify and protect Buyer against all claims and liabilities for injury or damage to any person or property arising out of the performance of this PO, Seller also agrees to furnish Buyer upon request, with a certificate of Seller's insurance carriers showing that it carries adequate Workmen's Compensation, public liability, and property damage insurance, and showing the amount of coverage, number of policy and date of expiration. The Seller shall comply with the provisions of applicable labor laws, rules and regulations, most especially the payment of wages. The Seller hereby undertakes that its workers assigned to perform the Services for the Buyer shall be entitled to wages and benefits legally due to them, to all labor and occupational safety and health standards, to social and welfare benefits, and other legally mandated contributions. The Seller hereby agrees to indemnify and hold the Buyer free and clear from any and all claims which may arise on account of the Seller’s non-payment or late payment of wages or benefits or violation of applicable labor laws. There shall be no employer-employee relationship between the Buyer and workers assigned by the Seller to perform the Services for the Buyer. Instructions given by the Buyer to said workers shall be construed simply in accordance with the desire of the Buyer to ensure efficient services result. The Seller shall retain and exercise the sole, exclusive and absolute right as the employer to select, direct, and discipline over the said workers. The determination of wages, salaries or compensation of the said workers shall be within the sole and full control of the Seller.
- TAXES: Unless otherwise provided herein, prices shown on this PO are deemed to include all taxes not expressly imposed by law on the Buyer of Materials ordered hereunder. Further, unless otherwise specified, all prices are deemed to be inclusive Value-Added Tax (“VAT”), and shall be subject to withholding tax if required by law and/or regulations.
- GUARANTEE OF COMPLIANCE OF LAW: Seller shall comply, and shall ensure that all Subcontract Sellers, if any, comply, fully with any and all laws, regulations, rules and agreements (including without limitation those of the Ministry of Health, Customs Department, and the Ministry of Agriculture) in any and all jurisdictions applicable to or affecting Seller’s obligation hereunder (collectively, “Laws”), and shall ensure that all Subcontract Sellers, if any, make, such adjustments as may be necessary to effect and maintain such compliance throughout the Term. Any costs, including but not limited to, fines, penalties, interest, storage, transportation charges, loss of product resulting from Seller or their Subcontract Seller issuing incorrect shipping documentation, failing to issue all necessary shipping documentation, loading incorrect product or incorrectly marked product shall be payable by the Seller. Without limiting the generality of the foregoing, (i) Seller’s facilities shall comply with all product safety, sanitation and environmental Laws, and (ii) all Materials shall be clearly and accurately labeled and packaged in the manner requested by Buyer and otherwise as required by all Laws. Upon request by Buyer, Seller shall furnish Buyer with a copy of any and all documentation of any kind demonstrating that Seller is in compliance with, and has complied with, all Laws.
Additionally, under the Foreign Corrupt Practices Act (“FCPA”), it is a criminal offense for certain persons and entities to make a payment, offer or promise to pay, or authorize a payment, promise or offer of money or anything of value (such as some gifts, entertainment, and the payment of pleasure travel expenses), directly or indirectly, to any Foreign Government Agent for the purpose of influencing an official act or decision or securing any improper advantage in order to obtain, retain or direct business or otherwise to obtain a business benefit. Foreign Government Agent is defined as any officer, agent or employee of a foreign government (which includes foreign Customs Agents) or any department, agency or instrumentality thereof (including government-owned or controlled commercial enterprises), any foreign political party or official thereof, any candidate for foreign political office, or any officer or employee of a public international organization. The accounting provisions of the FCPA require Companies to maintain reasonably complete and accurate books and records and to devise and maintain reasonably sufficient systems of internal accounting controls. It is the policy of the Seller to comply fully with the requirements of the FCPA, to conduct its worldwide business in accordance with the laws and commercial customs prevailing in each country in which it conducts business, to reflect a high standard of ethics in all its business transactions and to avoid any intervention in the political affairs of any foreign country. At no time shall Seller or its Agents engage, directly or indirectly in any way, in making any payment or in offering or promising to make any payment that potentially could be deemed a violation of the FCPA. Any violation of the FCPA by the Seller or its Agents is ground for immediate cancellation of this PO without any liability to the Buyer whatsoever. - INDEMNIFICATION: Seller shall indemnify and hold Buyer harmless, its subsidiaries, affiliates, and controlling companies, and all of their respective directors, officers, agents and employees, and Buyer's customers, from and against any and all liability, actions, claims, demands, liens, suits, losses, costs, damages, judgments and expense, including reasonable attorney's fees, incurred or to be incurred as follows: (a) those arising out of death of or injury to any person or damage of property which resulted or is alleged to have resulted from the furnishing, use or operation of the Materials supplied by the Seller; (b) those arising in connection with the failure or alleged failure of Seller or Materials to fully comply with all warranties and guarantees of Seller otherwise with respect thereto; or (c) those arising out of Seller’s negligence or willful misconduct, (d) any and all other breaches including but not limited to breach of intellectual property rights, confidentiality clauses, privacy laws and/or any other terms pursuant to this PO; Seller shall be responsible for the defense of all such actions, claims, demands and suits, and pay all costs and charges resulting therefrom; provided that Buyer may, at its option, participate in the judgment, order or decree against Buyer without Seller's consent. Buyer may, with Seller's consent, settle any such actions, claims demands and suits. Seller shall keep Buyer fully informed at all times with respect to material developments in all actions, claims, demands and suits being defended by Seller in accordance herewith, including written status reports on a quarterly basis. Seller represents and warrants that it has and will maintain, at Seller's expense, product liability insurance, in such company or companies as shall be satisfactory to Buyer with coverage in amounts that are reasonable under the circumstances or as may be specified by Buyer. All such policies shall provide that coverage thereunder shall not be terminated or changed without at least fifteen (15) days prior written notice to Buyer and Buyer shall be furnished certificates of insurance and evidence of renewals, on request. The purchase of such insurance and furnishing of such certificates shall not be in satisfaction of Seller's obligations hereunder of Seller's indemnification PO herein.
- DESIGN, TOOLS, DIES, ETC.: (a) If the Materials hereunder are to be produced by Seller in accordance with designs, drawings or blueprints furnished, by Buyer, Seller shall return the same to Buyer at latter's request upon completion or cancellation of this PO, and shall not be used by Seller in the production of Materials for any third party without Buyer's written consent; (b) Unless otherwise agreed herein Seller at its cost shall supply all material, equipment, tools and facilities required to perform this PO. Any items manufactured specifically in the context of performing this PO becomes the exclusive property of Buyer as soon as it is created and may only be used by the Seller in order to meet orders placed by Buyer. Any material, equipment, tools or other property furnished by Buyer or specifically paid for by it, shall be Buyer's property. Any such property shall be used only in filling orders from Buyer and may on demand be removed by Buyer without charge. Seller shall maintain such property at its own risk and shall be responsible for all loss of or damage to the same while in Seller's custody. Seller shall at its cost and expense, store and maintain such property in good condition and repair. Buyer makes no warranties of any nature with respect to any property it may furnished.
- ASSIGNMENT: No assignment of this PO or of monies due or to become due hereunder shall be made without prior written consent of Buyer.
- INSOLVENCY: Buyer may cancel this PO if Seller files a voluntary petition under the applicable law and regulations pertaining to insolvency and bankruptcy, or is adjudicated a bankrupt, or if Seller becomes insolvent or commits an act of bankruptcy.
- GRAPHICS ARTS AND MATERIALS: All film, negatives, engravings, electros, dies, etc. and all copies or duplicates thereof made by Seller or to Seller's PO for the production of the Material on this PO are to become the property of the Buyer and are to be surrendered upon request. After completion or termination of this contract, Seller shall not make, use or duplicate for Seller or any other customer of Seller, any label, trademark or trade name of Buyer, or any printed materials supplied to Seller by Buyer or made by Seller for Buyer in carrying.
- CONFIDENTIALITY: For purposes of this PO, “Confidential Information” means any non-public information or material, whether written, oral, or in any other form, received or obtained at any time, whether before, on or after the date hereof, that is described as (or provided under circumstances indicating it is) confidential or proprietary. Confidential Information includes, but is not limited to, knowhow, product prices, marketing surveys and plans, flow charts, technical documentation, formulas, ingredients, weight control concepts, and information concerning the design, specifications and methods for the development, manufacture, packaging, supply, marketing, distribution and sale of products, in addition to the terms and conditions of this PO. Moreover, Confidential Information includes not only the information itself, but any document, sketch, design, video tape, reproduction, chart, graph, written application, or other writing or other form of communication or documentation (whether visual, audio, or otherwise) of that information. Confidential Information does not include information that a party can demonstrate with competent written proof is: (i) already lawfully known by that party at the time of first receipt from the other party and is not subject to any other nondisclosure agreement between the parties; (ii) now, or which later becomes, generally known to the industry through no fault of that party, or which is later published or generally disclosed to the public by the other party; (iii) otherwise lawfully and independently developed by that party (other than the Product Rights in the case of development by Seller), or lawfully acquired from a third party without any obligation of confidentiality; or (iv) required by any governmental authority having jurisdiction over that party asserting a right to obtain such information, including without limitation where disclosure is required to be made for the purpose of Buyer obtaining Approvals in any jurisdiction; provided however, that prior to any such disclosure pursuant to this clause (v) (except where such disclosure is required to be made to a governmental authority in agreement for Buyer to obtain Approvals in any jurisdiction) the party concerned shall promptly advise the other party in the event of any request by a governmental authority for the Confidential Information and shall cooperate with the other party to assert any right of objection to such request or to seek a protective agreement or to take other appropriate action to protect the Confidential Information.
Without limiting the generality of the foregoing, Seller acknowledges and agrees that any and all of the Product Rights (including without limitation for proposed New Products), Buyer’s intellectual property and trade secrets, and information relating to any and all aspects of developing, manufacturing, distributing or multi-level marketing of Buyer’s products are the Confidential Information of Buyer.
Each party agrees to hold in confidence and not to disclose or reveal to any person or entity any Confidential Information of the other party disclosed hereunder without the clear and express prior written consent of a duly authorized representative of the other party, except to those persons and entities who (i) are required to have the Confidential Information in agreement for the party receiving the information hereunder to exercise its rights or perform its obligations under this PO or for testing, evaluating or sampling proposed products for inclusion in this PO, and (ii) are bound by an obligation of confidentiality no less stringent than that set forth in this PO. Each party further agrees not to use or disclose any Confidential Information of the other party for any purpose at any time, other than for the limited purpose(s) referred to in this PO. In the event that a party is directed to disclose any portion of any Confidential Information of the other party or any other materials proprietary to the other party in conjunction with a judicial proceeding or arbitration, the disclosing party shall immediately notify the other party both orally and in writing and shall provide the other party with reasonable cooperation and assistance in obtaining a suitable protective agreement and in taking any other steps to preserve confidentiality. - PRIVACY AND CYBER SECURITY To the extent that any of the data/information extended to Seller by Buyer and/or collected/processed by Seller on behalf of Buyer, pursuant to this PO, consists of “Personal Data” or “Buyer Data” as defined in the relevant data privacy and data protection laws, regulations and EXHIBIT 1 and 2, the Seller shall:-
(I) at all times comply with EXHIBIT 1: DATA PROTECTION AND PRIVACY and EXHIBIT 2: CYBER SECURITY;
(ii) not conduct itself, and shall procure that its employees and sub-contractors shall not conduct themselves, in such a manner so as to cause Buyer to be in breach of its obligations (as a “data user”) as stated in applicable data privacy and data protection laws;
(iii) implement the necessary technological and organisational security measures, and shall provide details of the same to Buyer if requested, in PO to protect the personal data from loss, misuse, modification, unauthorised or accidental access of disclosure, alteration or destruction; and
(iv) indemnify Buyer against all losses, costs, expenses, damages, liabilities, demands, claims, actions and proceedings that may be incurred by Buyer as consequence of a breach of this clause.
- LAWS These Terms shall be governed by and construed in accordance with the laws of Singapore without reference to any conflict of law rules which may apply the laws of another jurisdiction. Any dispute or difference of any kind whatsoever which may arise between Buyer and Seller under, out of, or in connection with this PO or with the carrying out of the Service (whether during the progress of the Services or after their completion, and whether before or after the termination, abandonment or breach of this PO) shall be referred to the senior management of both parties with a view to settling such dispute or difference amicably and in good faith failing which it shall be adjudicated under the jurisdiction of the courts of Singapore. Should either party commence any legal action or proceeding in order to enforce or interpret any term or provision of this PO, the prevailing party shall recover its reasonable costs and lawyer’s fees.
EXHIBIT 1: DATA PROTECTION AND PRIVACY
A. To the extent the Services involve the processing of personally identifiable information on behalf of Herbalife (“Personal Data”), Seller agrees at all times:
(I) To process Personal Data solely to fulfill its obligations to Herbalife under this PO, and on Herbalife’s behalf, and for no other purposes, unless required to do otherwise by data privacy laws to which Seller is subject. In such case, Seller will inform Herbalife of that legal requirement before processing, unless that law prohibits Seller from providing such information on important grounds of public interest within the meaning of data privacy laws;
(ii) To process Personal Data solely in accordance with Herbalife’s instructions as set forth herein and as communicated in writing from time to time, and to respond promptly to all enquiries by Herbalife regarding the processing of the Personal Data;
(iii) To immediately inform Herbalife if, in Seller’s opinion, an instruction from Herbalife infringes data privacy laws;
(iv) Not to process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Seller will not process Personal Data outside of the direct business relationship between Herbalife and Seller;
(v) Not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Herbalife;
(vi) Not to disclose or transfer Personal Data to any third party, including subcontractors, without Herbalife’s prior written permission except where such disclosure or transfer is required by any applicable law, regulation, or governmental authority in which case Seller will promptly notify Herbalife in writing prior to complying with any such request for disclosure and shall comply with Herbalife’s reasonable directions with respect to such disclosure or transfer;
(vii) Where Seller sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Seller will (i) take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with data privacy laws; and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on Seller under this Exhibit I.
(viii) Not to sell Personal Data. For purposes of this paragraph, “sell” shall have the meaning set forth in the California Consumer Privacy Act (CCPA), Cal. Civil Code § 1798.140(t);
(ix) Where processing credit card data, to process such data in a manner fully compliant with the applicable rules and regulations of the payment card clearing networks and the requirements of the Payment Card Industry Data Security Standard (PCI-DSS), as updated or amended, or its successor;
(x) Not to transfer Personal Data to any other country outside the country in which the data originated without Herbalife’s prior written permission;
(xi) To provide assistance to Herbalife as reasonably required to ensure that Personal Data is accurate and, where necessary, kept up to date and to use best efforts to ensure that Personal Data which are inaccurate or incomplete are erased or rectified;
(xii) To ensure that Herbalife is promptly notified of any communication received from any individual relating to that individual’s rights to access, modify, delete or correct the Personal Data and to comply with all Herbalife’s reasonable instructions in responding to such communications;
(xiii) To provide reasonable assistance to and cooperation with Herbalife for Herbalife’s consultation with regulatory authorities in relation to the processing or proposed processing of Personal Data, including complying with any obligation applicable to Seller under data privacy laws to consult with a regulatory authority in relation to Seller’s processing or proposed processing of Personal Data;
(xiv) To ensure that technical and organizational measures are adopted to protect Personal Data against accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access and against all other unauthorized or unlawful forms of processing or required by any applicable data protection law; and provide a description of such technical and organization measures at Herbalife’s request; and maintain the confidentiality of such technical and organizational measures;
(xv) To inform Herbalife in writing within 24 hours of discovery of any suspected accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access to the Personal Data (“Security Incident”) by contacting our vendor security incident emergency line at 310-216-6055; and
(xvi) To train staff responsible for processing the Personal Data regarding the obligations set forth in this Agreement and to ensure such staff have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
B. Seller agrees that Herbalife may inspect, with reasonable notice, its processing of Personal Data, and that Seller will furnish Herbalife with all materials necessary for Herbalife to confirm that Seller has complied with the obligations set forth in this Agreement. Herbalife reserves the right to audit Seller. At Herbalife’s request, Seller shall cooperate with any requests for inspection from a supervisory authority with respect to Personal Data processed by Seller pursuant to this Agreement.
C. Seller represents and warrants that nothing in any applicable data protection legislation (or any other applicable laws or regulations) prevents it from fulfilling its obligations under this Agreement and undertakes and agrees that, in the event of a change in any such laws that is likely to have a material adverse effect on Seller’s compliance with this Agreement or in the event Seller otherwise cannot comply with this Agreement for whatever reason(s), Seller shall notify Herbalife within fifteen (15) days.
D. In the event of the termination of this Agreement in part or in whole, Seller shall, within fifteen (15) days of Herbalife’s request, send Herbalife all Personal Data held by Seller on behalf of Herbalife, together with all copies in any media of such data or destroy the same, unless Seller is required, by any applicable law, regulation or governmental authority, to retain such data or a part thereof. In the event Herbalife requests Personal Data to be destroyed, Seller agrees to take reasonable measures to ensure no data is recoverable to the maximum extent feasible and shall provide Herbalife with a certificate of destruction.
E. Seller represents and warrants that it will comply with applicable privacy and data protection legislation in its collection, use and processing of Personal Data in performance of the Services hereunder. Seller hereby certifies that it understands its restrictions and obligations set forth herein and will comply with them.
F. In the event of a Security Incident, at Herbalife’s request and pursuant to Herbalife’s instructions, Seller shall assist with and/or perform all remediation efforts that are required by applicable law or by any governmental authority in similar circumstances, regardless of whether applicable law explicitly imposes such remediation obligations on Seller or Herbalife or both. Such remediation efforts may include without limitation, investigation and resolution of the causes and impacts of the Security Breach; development and delivery of notices to affected individuals; provision of free credit reports, credit monitoring and repair, and identity restoration products for affected individuals, and/or such other measures that Herbalife determines are reasonable and commensurate with the nature and level of severity of the Security Incident (collectively, “Remediation Measures”). Seller shall be solely responsible for the costs and expenses of all Remediation Measures, whether undertaken by Seller or Herbalife. Notwithstanding anything to the contrary contained this Agreement, there shall be no limitation of liability applicable to the above referenced Remediation Measures.
G. Notwithstanding anything to the contrary contained this Agreement, Seller agrees to indemnify, defend and hold harmless Herbalife, its affiliates and their respective agents, officers and employees from and against any and all demands, losses, costs, expenses, obligations, liabilities, damages, recoveries and deficiencies, including interest, penalties, reasonable attorneys’ fees, cost of investigation and legal or other expenses or costs arising out of or relating to a Security Incident or breach of this Exhibit I by Seller, its officers, agents, servants, employees, designees, assignees or permittees. Notwithstanding anything to the contrary contained this Agreement, there shall be no limitation of liability applicable to the above referenced indemnity obligation.
H. Herbalife shall have the right to terminate this PO immediately in the event of a material breach of this Exhibit I.
EXHIBIT 2: CYBER SECURITY
PURPOSE: The purpose of these requirements (“Requirements”) is to establish minimum data security standards and data privacy requirements for any person or entity that performs services for Buyer (“Seller”) and has access to Buyer’s networks, any information system(s) owned or operated by or on behalf of Buyer, or Buyer Data. Seller shall comply with these Requirements as well as in accordance with any contractual agreement between such Seller and Buyer that also addresses privacy or security.
Defined terms used herein are found in Section 2 (Definitions) below.
SECTION 1: SECURITY REQUIREMENTS
1.1. Use of Buyer Data:
Seller shall not access, use, disclose or otherwise process Buyer Data unless necessary to perform its obligations under this Agreement and as communicated in writing from time to time.
1.2. Ownership of Buyer Data:
Buyer shall retain all right, title, and interest in and to Buyer Data. Nothing herein shall be interpreted or construed to grant Seller any license or other right under any patent, copyright, trademark, trade secret, or other proprietary right to Buyer Data. Seller shall not create or maintain data which are derivative of Buyer Data, except for the purpose of performing its obligations under this Agreement with Buyer or as explicitly authorized by Buyer in writing. Any derivative of Buyer Data, regardless of how created, shall be deemed Buyer Data.
1.3. Compliance:
Seller is expected to be aware of and shall comply with all applicable privacy and security laws to which it is subject, including country/location specific requirements, and shall not by act or omission place Buyer in violation of any applicable privacy or security law, including, but not limited to, HIPAA, GLBA, GDPR, PCI DSS, SOX, the Massachusetts Data Security Regulations, 201 C.M.R. 17.00 et. seq., the Nevada encryption statute, N.R.S. § 603A, and the California data security law, Cal. Civil Code § 1798.80 et. seq. Seller policies and practices shall comply with all applicable laws, regulations, and contractual obligations under its agreements with Buyer. Where local laws appear to prevent compliance with these Requirements, Seller is responsible for immediately notifying Buyer to determine appropriate compensating controls. Seller represents that it is presently in compliance, and will remain in compliance with the applicable laws and agrees to provide notice to Buyer within fifteen (15) days, wherever applicable, in the event of a change in any such laws that is likely to have a material adverse effect on Seller’s compliance with this Agreement or in the event Seller otherwise cannot comply with this Agreement for whatever reason(s).
1.4. Breach Notification:
Seller shall notify Buyer immediately but in no event later than 24 hours from the date/time of discovery of any Data Security Breach by contacting our Seller security incident emergency line at +1 310-216-6055. In the event of a Data Security Breach, at Buyer’s request and pursuant to Buyer’s instructions, Seller shall assist with and/or perform all remediation efforts that are required (a) by applicable law, or (b) by any governmental authority, regardless of whether applicable law explicitly imposes such remediation obligations on Seller or Buyer or both. Such remediation efforts may include without limitation, investigation and resolution of the causes and impacts of the Security Breach; development and delivery of notices to affected individuals; provision of free credit reports, credit monitoring and repair, and identity restoration products for affected individuals, and/or such other measures that Buyer determines are reasonable and commensurate with the nature and level of severity of the Security Incident (collectively, “Remediation Measures”). Seller shall be solely responsible for the costs and expenses of all Remediation Measures, whether undertaken by Seller or Buyer, and Seller shall cooperate in good faith with Buyer so that Buyer may take any action or other steps that it reasonably determines to be necessary or appropriate in light of the Data Security Breach. Buyer shall retain the right to aid in the investigation of the Data Security Breach. Seller must provide updates as requested by Buyer regarding any Seller-led investigation into the Security Breach. Seller shall be solely responsible for the costs and expenses of all Remediation Measures, whether undertaken by Seller or Buyer.
Seller agrees that it will not inform any third party of a Data Security Breach without first obtaining Buyer’s prior written consent, other than, to the extent required by applicable law, to inform affected individuals that the matter has been forwarded to Buyer. If such disclosure is, in the opinion of legal counsel, required by applicable law, the Parties agree to work with each other regarding the content of such disclosure so as to minimize any potential adverse impact upon the Parties and the affected individuals.
Notwithstanding anything in the Agreement to the contrary, Seller shall indemnify, hold harmless and defend Buyer (including its affiliates and their respective agents, officers and employees) from and against any and all suits, claims, demands, proceedings and other actions brought by a third party, and reimburse Buyer for all associated expenses and costs (including but not limited to, assessments, fines, losses, penalties, settlements, costs of complying with statutory notice obligations, costs of providing identity protection assistance and other services procured for data subjects, technical consultant fees, and attorneys’ fees), arising out of or related to a Data Security Breach caused by the acts or omissions of the Seller, its officers, agents, servants, employees, designees, assignees or permittees. This Section shall not be subject to the Limitation of Liability in the Agreement.
1.5. Data Protection:
Seller shall not disclose Buyer Data to any third party (including, without limitation, Seller’s subsidiaries and affiliates and any person or entity acting on behalf of Seller) without Buyer’s Authorized Representative’s prior written permission, except where such disclosure or transfer is required by any applicable law, regulation, or governmental authority in which case Seller will promptly notify Buyer in writing prior to complying with any such request for disclosure and shall comply with Buyer’s reasonable directions with respect to such disclosure or transfer.
Prior to the disposal, reuse, or repurposing of systems, devices, or media used to store or process Buyer Data, such systems, devices, and media shall be securely erased or purged in accordance with data security standards and best practices. Data that cannot be securely erased shall be physically destroyed using industry standard techniques. Seller shall ensure that Buyer Data stored/available with its Sellers (including, but not limited to Seller’s subsidiaries and affiliates and any person or entity acting on behalf of Seller) has been destroyed in accordance with Buyer guidelines.
1.6. Remote Access Control:
Seller shall use a Buyer-approved method to connect to Buyer’s networks or any information systems owned or operated by or on behalf of Buyer, which may include multi-factor authentication and encrypted sessions. Buyer reserves the right to monitor all systems and measures used to connect to Buyer networks or any information systems owned or operated by or on behalf of Buyer.
Seller shall not install technology that provides remote access to any Buyer networks or any information systems owned or operated by or on behalf of Buyer, including, without limitation, wireless access points, modems, Virtual Private Networks, and remote access software.
Seller shall require all remote network and system access to its own networks and information systems to use multi-factor authentication and encrypted sessions.
1.7. Background and Screening Checks:
The Seller shall perform commercially-reasonable background checks in compliance with applicable law on any personnel that will have access to Buyer networks, information systems owned or operated by or on behalf of Buyer, or Buyer Data, and ensure that any such personnel do not have a criminal history involving offenses related to theft, fraud, bribery, securities laws violations, or similar crimes.
1.8. Security Awareness and Education:
Seller shall implement and maintain a program to provide staff (including but not limited to employees and contractors) with access to Buyer networks, information systems owned or operated by or on behalf of Buyer, or Buyer Data a periodic data security awareness training. The training shall cover the obligations set forth in this Agreement and Seller’s security policies and standards for the secure handling of Buyer Data. If Seller’s services include software development, Seller shall train on secure application development to ensure developers program in accordance with secure coding techniques and principles.
1.9. Right to Audit:
Upon request, Seller shall submit to a reasonable data security and privacy audit of its systems, policies and procedures by Buyer or, at Buyer’s request, by an independent third party, to verify Seller’s compliance with this Cyber Security Exhibit. If any deficiencies or irregularities are discovered pursuant to such audit, Seller shall promptly remediate the identified deficiencies and irregularities.
Upon request of Buyer, Seller shall provide Buyer with a copy of its most current third-party information security audit report and/or certification, if any, including but not limited to ISO 27001/27002 certifications, PCI-DSS AOCs, and SOC 1/SOC 2 reports.
1.10. Technical and Organizational Security Measures:
Seller shall implement and maintain appropriate and reasonable technical and organizational security measures to protect Buyer networks, information systems owned or operated by or on behalf of Buyer, and Buyer Data stored or processed by Seller from a Data Security Breach. Seller shall create and maintain policies and procedures to implement the requirements discussed herein for the protection of Buyer Data. Information Security roles and responsibilities shall be clearly defined and implemented.
1.11. Cryptographic Controls:
Seller shall employ appropriate encryption when transmitting Buyer Data across public or wireless networks. Seller shall encrypt during storage any and all Highly Sensitive Personal Data and other Buyer Data deemed highly sensitive by Buyer, such as authentication credentials and cryptographic keys.
1.12. Access Control:
Seller shall limit access to Buyer networks, information systems owned or operated by or on behalf of Buyer, and Buyer Data to employees and contractors that require access to perform the Seller’s obligations under the Agreement consistent with the concept of least privilege. Seller shall implement and maintain a formal and documented process for granting, periodically reviewing, and revoking access to all systems that process or store Buyer Data. Individuals’ access rights shall be strictly limited to a need-to-know basis and shall be based on a unique User ID. The access shall be revoked or modified as appropriate within 24 hours, if a valid need does not exist.
1.13. Network, Operating System, and Application Control:
Seller shall maintain appropriate network security measures, including but not limited to firewalls to segregate Seller’s internal networks from the internet, risk-based network segmentation, and intrusion prevention or detection systems to alert Seller to suspicious network activity.
Seller shall securely operate IT infrastructure and applications that process, store, or transmit Buyer Data by deploying key operational management controls, including, without limitation, the maintenance of system and network documentation, employment of a secure change management process, the implementation of an incident management process, and ensuring that local logging has been enabled on all systems and networking devices to capture detailed information such as event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
1.14. Malware Protection:
Where technically feasible, Seller shall deploy anti-malware software on all IT systems that access, store, or process Buyer Data, Buyer networks, or information systems owned or operated by or on behalf of Buyer. Seller shall ensure that all such anti-malware software has the latest signatures and definition files. Sellers shall also deploy adequate mechanisms to detect and issue alerts about potential unauthorized activity and respond appropriately to protect all systems that process, store, or transmit Buyer Data.
1.15. Physical Security:
Seller shall implement appropriate safeguards and controls that restrict unauthorized physical access to facilities containing information systems, devices, and other equipment used to access or otherwise process Buyer Data, Buyer networks, or information systems owned or operated by or on behalf of Buyer. Seller shall implement clear desk procedures to secure Buyer Data in any printed/media form from unauthorized access within Seller facilities.
1.16. Data Security Risk Management:
Seller shall have an established process that periodically assesses risk within the organization with respect to the possession, transmission and processing of Buyer Data and take necessary risk response measures to appropriately manage identified risks.
1.17. Password Management and Authentication Controls:
Seller shall ensure that systems which process Buyer Data or access Buyer networks or information systems owned or operated by or on behalf of Buyer employ strong password complexity rules, and shall employ the following additional safeguards: Passwords shall be configured to expire every 90 days or less, systems shall lockout after three failed login attempts, and systems shall enable O/S screen saver locks after a period of 15 minutes of inactivity. Seller shall encrypt or use appropriate hashing with a salt for authentication credentials during storage and transmission. Seller shall prohibit its users from sharing passwords. Seller shall change all default passwords before deploying any new hardware or software asset.
1.18. System Security:
Seller shall establish and maintain secure configuration standards consistent with industry standards on all network devices and hosts that store, process, or transmit Buyer Data or access Buyer networks or information systems owned or operated by or on behalf of Buyer. Seller shall remove or disable non-essential functionality (i.e., hardening each system) such as scripts, drivers, features, subsystems, or file systems (e.g., unnecessary web servers, default, or sample files, etc.).
Seller shall ensure that all software used in its information systems and infrastructure maintains up-to-date security patches and upgrades. Seller shall be responsible for identifying and timely remediating any vulnerabilities identified in its networks, devices, and information systems.
1.19. Software Development Life Cycle (SDLC):
Seller shall adhere to industry accepted Software Development Lifecycle (SDLC) principles and secure coding practices with respect to the development and maintenance of application(s) used to store, process, or transmit Buyer Data. Seller shall ensure that all such applications are designed and maintained so as to meet availability requirements specified in the Agreement.
1.20. Business Continuity Planning:
Seller shall maintain a reasonable business continuity plan and a disaster recovery program to ensure the availability of applications/systems at an agreed level. The plan and programs must be designed to ensure that Seller can continue to function through operational interruption and continue to provide services, as specified in the Agreement.
Alternative sites where Buyer Data is stored in the form of backups shall have same level of security as mentioned in these Requirements, and any such backups shall be encrypted at rest.
1.21. Subcontractor Selection:
Seller shall select and retain only those third party providers capable of implementing appropriate safeguards for Buyer Data and information systems as determined through security assessments and other due diligence.
1.22. Return of Buyer Data:
Seller shall return, delete, or destroy (at Buyer’s sole discretion), or arrange for the return, deletion, or destruction of, all Buyer Data including all originals and copies of such Buyer Data in any medium and any materials derived from or incorporating such Buyer Data, upon the expiration or earlier termination of the Agreement between Buyer and Seller, or when there is no longer any legitimate business need (as determined by Buyer) to retain such Buyer Data, or otherwise upon the written instruction of Buyer, in all cases no later than ten (10) days from the date of Buyer’s instruction pursuant to this Section. Seller shall provide a certificate of destruction, if requested by Buyer.
If applicable law prevents or precludes the return or destruction of any Buyer Data, Seller shall notify Buyer of such reason for not returning or destroying such Buyer Data and shall not Process such Buyer Data thereafter without Buyer’s express prior written consent. Seller’s obligations under these Requirements to protect the security of Buyer Data shall survive termination of its business relationship with Buyer.
SECTION 2: DEFINITIONS
For purposes of these Requirements, the following definitions shall apply:
“Data Security Breach” means: (a) the loss or misuse (by any means) of Buyer Data, including, without limitation any unauthorized access by or disclosure to unauthorized individuals; (b) the inadvertent, unauthorized and/or unlawful processing, corruption, modification, transfer, sale or rental of Buyer Data; or (c) any other incident that compromises the security, confidentiality, or integrity of Buyer Data, Buyer networks, or information systems owned or operated by or on behalf of Buyer.
“Highly Sensitive Personal Data” refers to Personal Data the unauthorized access to or disclosure of which could reasonably result in adverse consequences for the data subject, including increased risk of identity theft. Highly Sensitive Personal Data includes but is not limited to (a) Social Security number, passport number, driver’s license number, or similar national identifier; (b) financial or medical account authentication data, such as passwords or PINs; and (c) Cardholder Data, including credit card numbers and CVV codes.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder.
“PCI-DSS” means the current version of the Payment Card Industry (PCI) Data Security Standard (DSS), its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“SOX” means the Sarbanes - Oxley Act of 2002 and regulations promulgated thereunder.
“Personal Data” means any information relating to an identified or identifiable Individual; an identifiable Individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, genetic, physiological, mental, economic, cultural or social identity. Examples of Personal Information are first and last name, mailing address, telephone number, email address, credit card information, and banking information.
“Buyer Data” means all information processed by Seller for or on behalf of Buyer or otherwise received by Seller from Buyer pursuant to the Agreement, including any information derived from such information. Buyer Data includes without limitation: (i) Personal Data of employees, contractors, customers, or leads of Buyer; and (ii) information the unauthorized disclosure of which could cause significant harm to Buyer or the individual to whom the data pertains.
“GLBA” means the Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act of 1999, and the regulations promulgated within.
“GDPR” means the General Data Protection Regulation of the European Union (EU) and the regulations promulgated within.
“AOC” means Attestation of Compliance which must be completed by a Qualified Security Assessor (QSA) or merchant (if merchant internal audit performs validation) as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard (PCI-DSS).
“SOC 1” & “SOC 2” means System and Organization Controls Report(s), which is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting as defined by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). See the report type 1 and type 2 definitions below:
The type 1 (SOC1) report reflects the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
The type 2 (SOC2) report reflects the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.