Subcontractor Information Security Policy

PURPOSE AND SCOPE

PK, Inc. (“PK” or “Company”) is committed to protecting our confidential and proprietary information and the confidential and proprietary information of our customers. In order to protect such information, our vendors and subcontractors must follow these policies and procedures. From time to time, PK customers may require subcontractors to agree to additional terms or policies and procedures. In such cases, those terms, policies or procedures supersede this Information Security Policy for (“Information Security Policy”)

Subcontractors may report violations of the Onsite Policy through PK’s anonymous reporting hotline, hosted by third-party EthicsPoint (for more information on EthicsPoint, please read the FAQ available through the link below).

Web reporting: PK.ethicspoint.com

US Domestic Toll-free Hotline Number: 844-467-8516

PK INFORMATION SECURITY STANDARDS FOR SUBCONTRACTORS

In providing Services to PK, subcontractors and vendors (“Contractor”) will have access to Sensitive Data and Systems (as defined below). Contractor will comply with this Information Security Policy with respect to their access to Sensitive Data and Systems. Contractor is responsible for the actions and omissions of its employees, agents or subcontractors with respect to Sensitive Data and Systems.

Sensitive Data and Systems are the Confidential Information of PK. Contractor agrees that Contractor will: (i) keep and maintain all Sensitive Data and Systems in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, or disclosure; (ii) not create, collect, receive, access, or use Sensitive Data and Systems in violation of law; (iii) use Sensitive Data and Systems solely and exclusively for the purposes for which the Sensitive Data and Systems, or access to it, is provided, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Sensitive Data and Systems or otherwise use Sensitive Data and Systems for Contractor’s own purposes or for the benefit of anyone other than PK or PK’s customer; and (iv) not, directly or indirectly, disclose Sensitive Data and Systems to any person other than Authorized Persons, unless and to the extent required by governmental order, in which case, Contractor will, to the extent permitted by applicable law, notify PK before disclosure.

At a minimum, Contractor’s safeguards for the protection of Sensitive Data and Systems will include: (i) limiting access of Sensitive Data and Systems to Authorized Persons; (ii) securing business facilities, paper files, servers, backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (iii) implementing network, application, database, and platform security; (iv) securing information transmission, storage, and disposal; (v) implementing authentication and access controls within media, applications, operating systems, and equipment; (vi) encrypting Sensitive Data stored on any media; (vii) encrypting Sensitive Data transmitted over public or wireless networks; (viii) conducting risk assessments; (x) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; and (xi) providing appropriate privacy and information security training to Contractor’s employees.

During the term of each Authorized Person’s employment by Contractor, Contractor will at all times cause such Authorized Persons to abide strictly by Contractor’s obligations to PK. Contractor further agrees that it will maintain a disciplinary process to address any unauthorized access, use, or disclosure of Sensitive Data and Systems by any of Contractor’s employees, agents, or contractors.

Contractor will notify PK of a Security Incident as soon as practicable, but no later than twenty-four (24) hours after Contractor becomes aware of it. The notification must include all relevant details regarding the Security Incident. In addition, Contractor agrees:

Upon PK’s request, Contractor will, and will instruct all Authorized Persons to, promptly return to PK all copies, whether in written, electronic, or other form or media, of Sensitive Data and Systems in its possession or the possession of such Authorized Persons, or if directed by PK, securely dispose of all such copies in accordance with NIST data destruction controls, and certify in writing to PK that such Sensitive Data and Systems has been returned to PK or disposed of securely. Contractor will comply with all reasonable directions provided by PK with respect to the return or disposal of Sensitive Data and Systems.