Blackfoot Data Security Certification Page 1 of 2
Exhibit B
Data Security Certification
Personal Information Protection:
Only authorized employees will be allowed access to the City's data in any form. Data will be
accessed only for the purposes as identified in this contract and will be bound in writing by
confidentiality obligations sufficient to protect Personal Information and Highly Sensitive
Personal Information in accordance with the terms of this agreement.
Authorized Employee Access / Screening:
Contractor will notify the City of Kalispell of all Contractor employees, affiliates,
subcontractors, or agents anticipated to have access to the system. Contractor will conduct
background checks on any such employees and will bar any that have a criminal record from
having access to the system.
Notification of Vulnerability:
Contractor will notify the City of Kalispell if it discovers any vulnerability to the system that
could result in unauthorized personnel obtaining Highly Sensitive Personal Information or highly
sensitive information about municipal facilities.
Data Location (if offsite):
All data must be stored within the United States.
Data Ownership:
The Contractor acknowledges that the data entered into the system by City of Kalispell
representatives belong solely to the City of Kalispell and are not to be accessed or used in any
way by the Contractor or its affiliates, subcontractors, or agents without consent from the City of
Kalispell.
Definitions:
“Highly Sensitive Personal Information” means an (i) individual’s government-issued
identification number (including social security number, driver’s license number, or state-
issued identified number); (ii) financial account number, credit card number, debit card
number, credit report information, with or without any required security code, access
code, personal identification number or password, that would permit access to an
individual’s financial account; or (iii) biometric or health data.
“Personal Information” means the information provided to Contractor by or at the
direction of Customer, or to which access was provided to Contractor by or at the
direction of Customer, in the course of Contractor’s performance under this Agreement
that: (i) identifies or can be used to identify an individual (including, without limitation,
names, signatures, addresses, telephone numbers, e-mail addresses, and other unique
identifiers); or (ii) can be used to authenticate an individual (including, without
limitation, employee identification numbers, government-issued identification numbers,
passwords or PINs, financial account numbers, credit report information, biometric or
health data, answers to security questions and other personal identifiers), in case of both
Page 2 of 2
subclauses (i) and (ii), including, without limitation, all Highly Sensitive Personal
Information. Customer’s business contact information is not by itself deemed to be
Personal Information.
XXXXXXXXXXXXXXXXXX (PROVIDER):
By: ________________________________
Signature
___________________________________
Title
___________________________________
Date