Data Protection

Vendor shall implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Client data against unauthorized access, disclosure, alteration, and destruction. Vendor shall restrict access to Client data to personnel with a legitimate need to know in connection with the Services. Vendor shall notify Client without undue delay, and in any event within seventy-two (72) hours, of any confirmed unauthorized access to or disclosure of Client data.