These terms set forth the additional terms and conditions that Vendor must adhere to if Vendor will be accessing any Fitbit Data, Fitbit Systems or Fitbit Facilities (as defined below) in connection with its providing Goods to Fitbit or provisioning of any Services or Software to Fitbit, and supplement the Fitbit Vendor Terms and Conditions.

ACCESS TO FITBIT SYSTEMS AND FACILITIES

Access, if any, to any Fitbit data resulting from Vendor providing Goods to Fitbit or provisioning of any Services or Software to Fitbit pursuant to this Agreement (“Fitbit Data”), as well as hardware, software or systems utilized or made available by Fitbit (“Fitbit Systems”) is granted solely to allow Vendor to provide the Goods to Fitbit or provision Services or Software to Fitbit and is limited to those specific Fitbit Systems, time periods, and personnel as are determined by Fitbit in its sole discretion from time-to-time. In connection with access to Fitbit Systems, Vendor will comply with all data security and business control and information protection policies, standards, obligations, and guidelines as may be required by Fitbit in its sole discretion from time to time. Vendor will not use Fitbit Systems during other time periods or by individuals not authorized by Fitbit. Any other use of any Fitbit System is expressly prohibited. Without limiting the foregoing, Vendor warrants that it has adequate security measures in place to comply with the above obligations and to ensure that access granted hereunder will not impair the integrity and availability of Fitbit Systems. To the extent Vendor is granted access to any Fitbit facilities (“Fitbit Facilities”), Vendor will comply with any safety, control, protection, and other policies and guidelines as Fitbit may provide from time-to-time and will be solely liable for its acts or omissions while at any site, including, without limitation, those resulting in personal injury or property damage.

PERSONAL INFORMATION

If in connection with our relationship Vendor processes any Fitbit Data that includes personal information of Fitbit customers and/or employees, then Vendor agrees to adhere to the following:

• At all times Vendor shall process personal information only for the purposes contemplated by our relationship.
• Vendor shall hold any and all personal information in strict confidence.
• Vendor shall limit access to personal information to its personnel who have a need to know the personal information for the purposes contemplated by our relationship.
• Except as required by applicable law, Vendor shall not share, transfer, disclose or otherwise provide access to any personal information to any third party, or contract any of its rights or obligations concerning personal information to a third party, unless Fitbit has authorized Vendor to do so in writing. To the extent required by applicable law or as otherwise authorised by Fitbit in writing pursuant to the foregoing, Vendor shall ensure that any such third party adheres to the requirements of applicable law and these terms.
• If any such personal information is received by Fitbit from its customers or employees within the European Union or Switzerland, then Vendor shall: (i) provide at least the same level of privacy protection for such personal information as is required by the EU – U.S. Privacy Shield framework principles; (ii) promptly notify Fitbit if at any time you cannot provide at least the same level of privacy protection for such personal information as is required by the Privacy Shield principles; and (iii) take reasonable and appropriate steps to stop and remediate, as requested by Fitbit, the processing of such personal information if at any time we notify you that you are not processing the personal information in a manner consistent with the Privacy Shield principles.
• Vendor shall develop, maintain and implement a comprehensive written information security program that complies with applicable Privacy Laws. Vendor’s information security program shall include administrative, technical and physical safeguards to protect personal information that are no less rigorous than accepted industry practices.
• Vendor shall immediately inform Fitbit in writing of any Security Incident (as defined below) of which Vendor becomes aware. Such notice shall summarize in reasonable detail the effect on Fitbit, if known, of the Security Incident and the corrective action taken or to be taken by Vendor. Vendor shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Fitbit in all reasonable and lawful efforts to prevent, mitigate or rectify such Security Incident. Vendor shall: (i) investigate such Security Incident and perform a root cause analysis thereon; (ii) remediate the effects of such Security Incident; (iii) provide Fitbit with such assurances as Fitbit shall request that such Security Incident is not likely to recur; and (iv) provide Fitbit with a root cause analysis report within twenty-four (24) hours after it becomes aware of such Security Incident. The content of any filings, communications, notices, press releases or reports related to any Security Incident must be approved by Fitbit prior to any publication or communication thereof. For purposes hereof, “Security Incident” means the attempted or successful unauthorised access, use, disclosure, modification, or destruction of Fitbit customer or employee information or interference with any of Vendor’s information system that interact with any Fitbit customer or employee information.
• Upon the occurrence of a Security Incident involving personal information of any Fitbit customers or employees in the possession, custody or control of Vendor or for which Vendor is otherwise responsible, Vendor shall reimburse Fitbit on demand for all Notification Related Costs (defined below) incurred by Fitbit arising out of, or in connection with, any such Security Incident. “Notification Related Costs” shall include Fitbit’s internal and external costs associated with investigating, addressing and responding to the Security Incident, including, without limitation: (i) preparation and mailing or other transmission of notifications or other communications to consumers, employees or others as Fitbit deems reasonably appropriate; (ii) establishment of a call centre or other communications procedures in response to such Security Incident (e.g., customer service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, consulting, forensic expert and accounting fees and expenses associated with Fitbit’s investigation of and response to such incident; and (v) costs for commercially reasonable credit reporting and monitoring services that are associated with legally required notifications or are advisable under the circumstances.
• Promptly upon the termination of our relationship or such earlier time as Fitbit requests, Vendor shall return to Fitbit, or at Fitbit’s request, securely destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Fitbit, all personal information in Vendor’s possession, custody or control resulting from Vendor providing Goods to Fitbit or provisioning of any Services or Software to Fitbit pursuant to this Agreement. In the event and during the period that applicable law does not permit Vendor to perform such delivery or destruction of certain personal information, Vendor warrants that it shall ensure the confidentiality and security of such personal information in accordance with these terms.
• Vendor shall immediately inform us in writing of any requests relating to the personal information Vendor processes on our behalf and further that Vendor shall cooperate with Fitbit in our efforts to respond to any such request.