(Vendor)
to set forth terms and conditions under which data, products, information systems, equipment, and other
information resources within or controlled remotely from Thysse are accessed, handled, used, or disclosed by the
VENDOR on behalf of Thysse.
2.1 THYSSE MANUFACTURES, SHIPS, PROCESSES, AND TRANSMITS SECURED DATA AND
PRODUCTS CONTAINING PII, CPII, AND/OR PHI INFORMATION.
2.2 THYSSE OUTSOURCES, PROCESSES, AND HOSTS AUTHORIZED PRODUCTS AND DATA CONTAINING
PII INFORMATION WITH VENDORS.
2.3 THYSSE DOES NOT ON THE BEHALF OF ITS CUSTOMERS OUTSOURCE, PROCESS, HOST, COLLECT,
OR OTHERWISE MAKE ACCESSIBLE TO ANY THIRD-PARTY VENDOR, SECURED PRODUCTS OR
DATA CONTAINING SPII AND/OR PHI INFORMATION.
2.4 VENDOR DOES NOT HAVE DIRECT ACCESS TO THYSSE-SECURED PRODUCTS OR DATA.
2.S VENDOR DISTRIBUTES SEALED PACKAGES WITH SECURED PRODUCTS CONTAINING PII, SPII, AND/OR
PHI INFORMATION THROUGH VENDORS, SUCH AS USPS, UPS, FEDEX, ETC.
3.1 THE VENDOR Will COMPLY WITH All APPLICABLE OBLIGATIONS AND ACTIVITIES WITHIN THIS
AGREEMENT INCLUDING, BUT NOT LIMITED TO, SAFETY, SECURITY, AND CONFIDENTIALITY.
4.1 The VENDOR will comply with safety measures as instructed by the main contact and posted
within the Thysse facility.
4.2 The VENDOR will comply with all facility, equipment, and product security measures as outlined in
this Agreement, as instructed by the main contact, and as posted within the Thysse facility.
4.3 The VENDOR will comply with all data access and data security measures as outlined in this
Agreement, as instructed by the main contact, and as posted within the Thysse facility.
4.4 Incidental exposures to Pl/, SPII, PHI and/or any other information within the Thysse facility will
not be used for the VENDOR'S own purpose or be divulged to others. The VENDOR must keep any
exposure to information from data or products during the course of conducting business with Thysse
confidential.
4.5 The VENDOR will not remove products or obtain product information from the Thysse facility or
from shipments in transit, unless doing so during the course of conducting business with Thysse, in
which case the VENDOR will take reasonable precautions to keep products and other information
secure.
4.6 The VENDOR will not remove copy, reproduce or transmit any data, or obtain data information from
the Thysse facility or from data hosted outside the facility, unless doing so during the course of
conducting business with Thysse, in which case the VENDOR will take reasonable precautions to
keep data or other information secure.
4.7 The nondisclosure provisions of this agreement shall survive termination of this agreement and
VENDOR'S duty to hold confidential information in confidence shall remain in effect until the
confidential information no longer qualifies as trade secret or until Thysse sends VENDOR
written notice releasing VENDOR from its agreement, whichever occurs first.
5.1 VENDOR personnel making pickups and deliveries will check-in with the shipping department located at
the shipping and receiving entrance of the Thysse facility. VENDORS under a signed Thysse Vendor
Access and Confidentiality Agreement are allowed access into the shipping and receiving areas of the
facility without the need of a badge by using the doorbell located at the shipping entrance. VENDOR
personnel must: a) identify themselves to the shipping department b) be wearing an identifying
uniform or insignia, c) be driving a vehicle identifiable as the VENDOR'S, and d) remain in the
shipping or receiving areas as directed by signage.
5.1.1 VENDORS will keep records of all pickup and delivery times and dates, items picked up or
delivered, and the identities of personnel making the pickups or deliveries for a period
not less than 90 days. VENDORS will make these records available to Thysse upon request
for auditing purposes within 10 days of notification.
5.2 VENDOR temporary personnel will register at the front entrance of the Thysse facility with their shift
supervisor 7:00AM - 4:00PM Monday- Friday. All temporary production personnel must wear a
''Temp" ID badge while in the facility, returning the badge to their supervisor at the end of the shift.
5.3 VENDOR temp-for-hire personnel will undergo the same conditions of employment and employee
credential processes as a Thysse employee. Temp-for-hire personnel may or may not be initially
issued a keycard to gain access into the facility. Until a keycard is issued, temp-for-hire personnel must
register in the main office. ID badges are not required.
5.4 All other VENDOR personnel will register directly in the main office of the Thysse facility,
8:00AM - 5:00PM Monday - Friday, where they will be assigned escorts.
5.5 VENDOR personnel, when accessing Authorized Secured, or Restricted data during the course of
conducting business with Thysse, will be issued login credentials by the IT administrator that are
commensurate with their access clearance. This includes remote access to servers located within the
Thysse facility or Thysse servers and accounts hosted online. The VENDOR will adhere to Thysse
strong password policy, and duration of access will be limited to process the required task.
5.6 VENDOR personnel, when transmitting Authorized data containing Pl/ information (i.e., mailing lists)
or transmitting Secured data (i.e., medical information), or transmitting Restricted data (i.e., system
files) during the course of conducting business with Thysse will do so via secure server
transfer or by other methods as dictated by governmental, legal, financial, or medical institutions and
agencies, provided that a secure method of transmission {encryption, authentication, etc.) is applied
and approved by Thysse’s IT administrator. Wireless transmission containing Authorized dot, Secured
data, or restricted data is not permitted.
5.7 The physical transfer or exposure of data via digital storage devices, digital media, printouts, or
electronic transmission of Restricted data may only take place between Thysse employees and
VENDOR personnel with a Restricted access clearance.
5.8 VENDORS will inform Thysse of any changes in process, procedure, or personnel that affect the
proper execution of this Agreement.
5.9 VENDOR activities may be logged and under 24/7 video surveillance. Thysse reserves the right to
photograph, record, and retain any activity logs within the Thysse facility.
5.10 VENDOR personnel bags, luggage, and vehicle cargo areas are subject to a search, at the discretion of
Thysse, upon entering and exiting the Thysse facility.
5.11 VENDOR personnel will abide by the "Thysse Acceptable Use Policy." The inappropriate use of
electronic and communication systems include, but are not limited to, participation in illegal activities,
gambling, outside commercial activities, accessing sexually explicit or violent material, using the
systems to harass or disable other systems, creation or distribution of viruses or destructive programs,
distributing pirated software or stolen data, or any other activity that causes injury.
5.12 VENDOR will notify Thysse within 24 hours of the discovery of a breach caused by the VENDOR,
by Thysse, or by any other entity. A breach is defined as any impermissible use or disclosure of data
or product information containing Pl/, SP/I, PHI, or other information identified as Secured
confidential material that poses a risk of financial, reputational, or other harm to the affected
individuals or entities associated with the information.
5.12.1 Regardless of breach responsibility, Thysse will be responsible for notifying: a) the
individual whose information was breached, b) the entity that provided the breached
information to Thysse, and c) any other entity or regulatory agency as directed by
law.
5.13 Violation of this Agreement may result in: a) disciplinary action, which may include the termination
of VENDOR business relations in part or in whole, b) the loss of VENDOR personnel access to
Thysse products, data, and facility, and c) if so warranted legal action.
5.14 Upon termination of this Agreements, all security and confidentiality obligations remain in force.
5.15 Within 24 hours of terminating this Agreement, or at the general request of Thysse, the VENDOR will return
all data, products, printouts, and related information, and/or provide written certification of destruction.