Exhibit 4.a(7) Agreement No. 53258.A.012
CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THE EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) IS THE TYPE THAT THE REGISTRANT TREATS AS PRIVATE OR CONFIDENTIAL
Amendment 12
To
Agreement No. 53258.C
between
AT&T Services, Inc.
and
Amdocs Development Limited
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
1
Agreement No. 53258.A.012
AMENDMENT NO.12
TO
AGREEMENT NO. 53258.C
This Amendment No. 12, effective as of the last date signed by a Party (“Effective Date”) and amending Restated and Amended Master Services and Software License Agreement Number 53258.C, is by and between Amdocs Development Limited, a Cyprus corporation (hereinafter referred to as “Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (hereinafter referred to as “AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties.”
WITNESSETH
WHEREAS, Supplier and AT&T are parties to the Master Services Agreement No. 53258.C entered into with an effective date of February 28, 2017 (as previously restated and amended, the “Agreement”); and
WHEREAS, Supplier and AT&T now desire to amend the Agreement as hereinafter set forth.
NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree as follows:
1. Section 1., AT&T Supplier Information Security Requirements (SISR) – v6.5, January 2020 of Appendix D – Security and Offshore Requirements is hereby deleted in its entirety and replaced with the following Section 1., AT&T Supplier Information Security Requirements (SISR) – v7.0, June 2023:
1. AT&T Supplier Information Security Requirements (SISR) – v7.0, June 2023
1.0. Introduction
The following AT&T Supplier Information Security Requirements (“Security Requirements”) apply to Supplier Entities’ Information Resources used when performing any action, activity, or work under this Agreement where any of the following occur (hereinafter referred to as “In-Scope Work”):
1. The collection, processing, storage, handling, backup, disposal, and/or access to In-Scope Information;
2. Providing or supporting AT&T-branded applications and/or services using non-AT&T Information Resources;
3. Access to AT&T’s Information Resources;
4. The development or customization, outside of mere configuration changes, of any software for AT&T; or
5. Website hosting and/or development for AT&T.
These Security Requirements do not (i) apply to commercial off the shelf products or materials acquired from a Supplier Entity unless Supplier performs In-Scope Work, or (ii) limit more stringent obligations, if any, such as privacy or security patching as set forth elsewhere in the Agreement.
1.2. Evidence of Compliance
1.2.1. Supplier must provide to AT&T or its delegate, in a time and manner as reasonably requested by AT&T:
a. Evidence of compliance with these Security Requirements, which includes copies of policies, procedures, reports, and other documentation supporting such compliance; and
b. A high-level network data flow diagram depicting cloud/non-cloud Information Resources and encrypted/non-encrypted data flows where In-Scope Information is in transit or at rest.
2.0. Security Domain
Supplier Entity must:
2.1. Corporate Policy Compliance
2.1.1. Maintain and adhere to documented Cybersecurity and Cybersecurity awareness program(s).
2.1.2. Maintain and adhere to documented policies for:
a. Any business continuity plan and/or disaster recovery plan requirements under the Agreement;
b. Any retention, return, and/or destruction requirements for In-Scope Information under the Agreement; and
c. Ensuring that In-Scope Information is only used for the performance of In-Scope Work.
2.2. Asset Management Security
2.2.1. Harden Information Resources by using a minimum-security baseline configuration based upon industry best practices to reduce potential ways of attack, including:
a. Changing default passwords, prohibiting weak passwords and exact matches to the UserID, removing unnecessary software, UserIDs, usernames, or logins, and disabling or removing unnecessary services (this requirement is not intended to apply to software that is part of a standard software configuration). Such hardening is to prevent exploits that attack flaws in the underlying code and must be applied to Information Resources in Supplier Entities’ networks, as well as those networks hosted by Cloud Service Providers; and
b. Not using Information Resources to perform In-Scope Work past the date when:
i. They will no longer be supported by issued security updates, which includes whenever a Supplier Entity ceases to obtain and/or implement such security updates (for example, if a Supplier Entity ceases to purchase and/or extend the maintenance services under which such security updates are provided); or
ii. Any extended security patching support ends.
2.2.2. Have and use documented policies to:
a. Install and run a current industry-standard antivirus solution to scan for and promptly remove or quarantine viruses and other malware; and
b. Configure end user devices to ensure end users are restricted from the ability to install unauthorized software or to disable required software.
2.2.3. Maintain and use documented policies, standards, and procedures for Portable Devices and laptop computers used to access and/or store In-Scope Information that include the following requirements:
a. All users must be authorized for such access and their identity authenticated;
b. Portable Devices and laptop computers must be physically secured and/or in the physical possession of authorized individuals;
c. Where technically feasible, use a remote wipe capability on Portable Devices to delete promptly and securely In-Scope Information when such devices are not in the physical possession of authorized individuals or otherwise physically secured; and
d. Jailbroken or rooted Portable Devices cannot be used to perform In-Scope Work.
2.2.4. Maintain and use a documented policy that prohibits the use of any:
a. Supplier Entity-issued Portable Devices and laptop computers to access and/or store In-Scope Information unless the device is administered and/or managed by a Supplier Entity; and
b. Non-Supplier Entity-issued Portable Devices and laptop computers to access and/or store In-Scope Information unless the device is segregated and protected by using a Supplier Entity-administered and/or -managed secure container-based and/or sandbox solution.
2.3.1. Use Strong Encryption when storing In-Scope Information:
a. On all computing devices located in areas accessible by the public and physically secure such devices;
b. On Portable Devices and laptop computers;
c. Within a Cloud Service; and
2.3.2. Use Strong Encryption when transmitting or remotely accessing In-Scope Information:
a. Via any network that is not controlled by AT&T or Supplier Entities, regardless of the technology;
b. Via network-aware Portable Devices and laptop computers. Examples of such access include use of browsers and email;
c. Via all networks to, from, and within a Cloud Service;
d. Using radio frequency (RF) based wireless networking technologies (e.g., Bluetooth and Wi-Fi) except for the use of RF-based wireless headsets, keyboards, microphones, and pointing devices, such as mice, touch pads, and digital drawing tablets. Encryption must use key lengths greater than or equal to 256 bits for symmetric encryption and 2048 bits for asymmetric encryption; and
e. That is classified as AT&T’s SPI or AT&T’s SCD, regardless of the technology, over all other networks, including Supplier Entity networks.
2.3.3. Use encryption algorithms with the minimum key lengths of 128-bits for symmetric algorithms and 2048-bits for asymmetric algorithms and:
a. Rotate encryption keys for storage at least every two years; and
b. Renew digital certificates for transmission at least annually.
2.4. Identity and Access Management
2.4.1. Use Identity and access management that includes:
a. Enforcement of the rule of least privilege by requiring application, database, network, and system administrators to restrict access of all users to only the commands, In-Scope Information, and Information Resources necessary for them to perform authorized functions.
b. Controls that are in place to limit, protect, monitor, detect and respond to all Administrative User activities. Examples of such controls that must be enforced include:
ii. Individual accountability; and
iii. Authorization and approval.
2.4.2. Restrict access to security logs to authorized individuals and protect security logs from unauthorized modification.
2.4.3. Assign unique UserIDs to authorized individual users, Administrative Users, and Service Accounts. Assign individual ownership to Service Accounts. If Service Accounts are shared among users, individual accountability must be maintained at all times.
2.4.4. Maintain a documented UserID lifecycle change management policy for all Information Resources across all environments that includes:
a. Manual and/or automated processes for approved account creation and/or modification;
b. Account disabling within three (3) business days of user termination or the occurrence of any other condition rendering the account as no longer needed, followed by removal of the account within ninety (90) days;
c. Disabling and/or removing inactive accounts assigned to individuals after no more than ninety (90) days of inactivity except in cases where the account is assigned to a customer of AT&T or used by a current or retired employee of AT&T to process their own information; and
d. Initiating processes to review, no less than annually, access privileges and account validity for all users including Administrative Users.
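The timers in Section 2.4.4(b) and (c) are the kind of control a Supplier Entity would verify with an automated sweep of its account inventory. The script below is an added illustration written for this editorial review; it is not part of the Agreement and not AT&T or Amdocs tooling. The `Account` record and its field names are hypothetical, the sample inventory is constructed, and two simplifications are labelled in the code: "business days" are counted Monday to Friday with no holiday calendar, and the ninety-day removal window is read as calendar days.

```python
"""Account lifecycle audit against the SISR 2.4.4 timers (added example, not part of the Agreement)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timers taken from Section 2.4.4(b) and (c).
DISABLE_WITHIN_BUSINESS_DAYS = 3   # disable within three business days of termination
REMOVE_WITHIN_DAYS = 90            # then remove within ninety days (read as calendar days: assumption)
INACTIVITY_LIMIT_DAYS = 90         # disable/remove after ninety days of inactivity


@dataclass
class Account:
    """One row of a constructed account inventory (hypothetical fields, not a real schema)."""
    user_id: str
    last_login: Optional[date]
    terminated_on: Optional[date] = None   # user left, or the account otherwise stopped being needed
    disabled_on: Optional[date] = None
    removed_on: Optional[date] = None
    inactivity_exempt: bool = False        # 2.4.4(c) carve-out: AT&T customer or employee self-service account


def add_business_days(start: date, days: int) -> date:
    """Date `days` Monday-to-Friday days after `start` (holidays ignored: a simplification)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def audit_account(acct: Account, as_of: date) -> list[str]:
    """Finding codes for one account; an empty list means compliant as of `as_of`."""
    findings: list[str] = []

    if acct.terminated_on is not None:
        # 2.4.4(b): disabled within three business days of termination ...
        disable_deadline = add_business_days(acct.terminated_on, DISABLE_WITHIN_BUSINESS_DAYS)
        disabled = acct.disabled_on or acct.removed_on  # a removed account is necessarily disabled
        if disabled is None:
            if as_of > disable_deadline:
                findings.append("DISABLE_OVERDUE")
        elif disabled > disable_deadline:
            findings.append("DISABLE_LATE")

        # ... followed by removal within ninety days.
        remove_deadline = acct.terminated_on + timedelta(days=REMOVE_WITHIN_DAYS)
        if acct.removed_on is None:
            if as_of > remove_deadline:
                findings.append("REMOVE_OVERDUE")
        elif acct.removed_on > remove_deadline:
            findings.append("REMOVE_LATE")
        return findings

    # 2.4.4(c): live accounts idle for more than ninety days must be disabled or removed,
    # unless they fall under the customer / employee self-service exception.
    if acct.disabled_on is None and not acct.inactivity_exempt:
        idle_days = (as_of - acct.last_login).days if acct.last_login else None
        if idle_days is None or idle_days > INACTIVITY_LIMIT_DAYS:
            findings.append("INACTIVE")
    return findings


def run_audit(accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Audit every account and report only those with findings."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            report[acct.user_id] = findings
    return report


# Constructed sample inventory; the dates are chosen so that each 2.4.4 timer is exercised.
AS_OF = date(2024, 6, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 2, 28), terminated_on=date(2024, 3, 1), disabled_on=date(2024, 3, 4)),
    Account("bob", date(2024, 5, 1), terminated_on=date(2024, 5, 2), disabled_on=date(2024, 5, 9)),
    Account("carol", date(2024, 1, 10)),
    Account("dave", date(2024, 5, 1)),
    Account("erin", date(2023, 1, 1), inactivity_exempt=True),
]

if __name__ == "__main__":
    for user, codes in run_audit(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{user}: {', '.join(codes)}")
```

In the constructed data, alice was disabled in time but never removed, bob was disabled two business days past the deadline, carol has been idle since January, and erin is an exempt customer account, so the report names alice, bob and carol only. A real sweep would also emit the 2.4.4(d) annual access review evidence, which needs the authorization records rather than the inventory alone.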
2.4.5. Limit failed login attempts to no more than six (6) consecutive attempts by locking the user account. Access to the user account can be reactivated through the use of a manual process requiring verification of the user’s identity or, where such capability exists, can be automatically reactivated after at least three (3) minutes from the last failed login attempt.
2.4.6. Terminate interactive sessions on an end user’s device, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes. On all other Information Resources terminate inactive interactive sessions after a period not to exceed thirty (30) minutes.
2.4.7. Use Strong Encryption and/or one-way hashing based upon Strong Cryptography whenever authentication credentials are stored. This requirement applies to all classifications of users.
2.4.8. Use Password and authentication credentials that must:
b. Be complex and meet the following password construction requirements:
i. Be a minimum of eight (8) characters in length;
ii. Include characters from at least two (2) of these groupings: alpha, numeric, and special characters;
iii. Not be the same as the UserID with which they are associated; and
iv. Expire at regular intervals not to exceed ninety (90) calendar days with the exception of Service Accounts which must expire at least annually.
c. Require a password reset at first login whenever a temporary credential is used. When providing a user with a new or reset password, or other authentication credentials, use a secure method to provide this information; and
d. Not be embedded (e.g., hardcoded passwords and SSH keys).
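Sections 2.4.5 and 2.4.8(b) together specify an authentication policy precisely enough to be coded: the lockout threshold and reactivation window, and the construction and expiry rules for a candidate password. The module below is an added example for this review, not text or code from the Agreement or either Party. The `LoginThrottle` class and every function name are hypothetical; the only deliberate departure from the literal text is labelled in a comment (the UserID comparison is made case-insensitive, which is stricter than "the same as the UserID"). Both demo sequences are constructed.

```python
"""Password construction and lockout checks for SISR 2.4.5 / 2.4.8 (added example, not from the Agreement)."""
from __future__ import annotations

import re
from datetime import date, datetime, timedelta
from typing import Optional

# Parameters taken from Sections 2.4.5 and 2.4.8(b).
MIN_PASSWORD_LENGTH = 8
MIN_CHARACTER_GROUPS = 2                  # of: alpha, numeric, special
MAX_PASSWORD_AGE_DAYS = 90                # user credentials
MAX_SERVICE_PASSWORD_AGE_DAYS = 365       # Service Accounts: "at least annually"
MAX_FAILED_ATTEMPTS = 6
AUTO_UNLOCK_AFTER = timedelta(minutes=3)  # measured from the last failed attempt

_GROUPS = (re.compile(r"[A-Za-z]"), re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))


def check_password_construction(password: str, user_id: str) -> list[str]:
    """Return the 2.4.8(b) construction rules a candidate password violates (empty list = acceptable)."""
    problems: list[str] = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("TOO_SHORT")
    if sum(1 for pattern in _GROUPS if pattern.search(password)) < MIN_CHARACTER_GROUPS:
        problems.append("TOO_FEW_GROUPS")
    if password.lower() == user_id.lower():  # case-insensitive: an assumption stricter than the text
        problems.append("MATCHES_USERID")
    return problems


def password_expired(set_on: date, as_of: date, service_account: bool = False) -> bool:
    """2.4.8(b)(iv): ninety-day expiry for users, annual expiry for Service Accounts."""
    limit = MAX_SERVICE_PASSWORD_AGE_DAYS if service_account else MAX_PASSWORD_AGE_DAYS
    return (as_of - set_on).days > limit


class LoginThrottle:
    """Per-account lockout state implementing 2.4.5 (hypothetical class, not a real product API).

    auto_unlock=True models the optional automatic reactivation after at least three minutes
    from the last failed attempt; with auto_unlock=False only manual_unlock() reopens the account.
    """

    def __init__(self, auto_unlock: bool = True) -> None:
        self.auto_unlock = auto_unlock
        self.consecutive_failures = 0
        self.last_failure: Optional[datetime] = None
        self.locked = False

    def is_locked(self, now: datetime) -> bool:
        if (self.locked and self.auto_unlock and self.last_failure is not None
                and now - self.last_failure >= AUTO_UNLOCK_AFTER):
            self._unlock()
        return self.locked

    def attempt(self, now: datetime, credential_ok: bool) -> str:
        """Process one login attempt; returns 'granted', 'denied' or 'locked'."""
        if self.is_locked(now):
            return "locked"               # a correct credential is refused while locked
        if credential_ok:
            self.consecutive_failures = 0
            return "granted"
        self.consecutive_failures += 1
        self.last_failure = now
        if self.consecutive_failures >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "denied"

    def manual_unlock(self, identity_verified: bool) -> bool:
        """Help-desk path: reactivate only after the user's identity has been verified."""
        if identity_verified:
            self._unlock()
        return not self.locked

    def _unlock(self) -> None:
        self.locked = False
        self.consecutive_failures = 0


SAMPLE_AS_OF = date(2024, 6, 15)  # constructed reference date for expiry checks


def lockout_demo() -> list[str]:
    """Constructed sequence: six bad passwords, a correct one too soon, then one after the wait."""
    throttle = LoginThrottle()
    t0 = datetime(2024, 6, 15, 9, 0, 0)
    results = [throttle.attempt(t0 + timedelta(seconds=i), False) for i in range(MAX_FAILED_ATTEMPTS)]
    results.append(throttle.attempt(t0 + timedelta(seconds=10), True))
    results.append(throttle.attempt(t0 + timedelta(seconds=5) + AUTO_UNLOCK_AFTER, True))
    return results


def manual_path_demo() -> tuple[str, bool, bool, str]:
    """Constructed sequence for the manual-reactivation path (auto_unlock=False)."""
    throttle = LoginThrottle(auto_unlock=False)
    t0 = datetime(2024, 6, 15, 9, 0, 0)
    for i in range(MAX_FAILED_ATTEMPTS):
        throttle.attempt(t0 + timedelta(seconds=i), False)
    still_locked = throttle.attempt(t0 + timedelta(minutes=10), True)  # no automatic reactivation
    unverified = throttle.manual_unlock(identity_verified=False)        # stays locked
    verified = throttle.manual_unlock(identity_verified=True)           # reopens the account
    return still_locked, unverified, verified, throttle.attempt(t0 + timedelta(minutes=11), True)
```

The lockout counter resets on a successful login, so the threshold applies to consecutive failures as 2.4.5 requires; it does not reset merely because time has passed, only when the account is reactivated. Section 2.4.7 still governs how the credential being checked is stored, which this module deliberately does not touch.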
2.4.9. Require and enforce Multi-Factor Authentication:
a. For any remote access use of Information Resources;
b. For all Administrative Users of Cloud Services; and
c. For administrative and/or management access to Security Gateways, including any access for the purpose of reviewing log files.
2.4.10. For SaaS providers:
a. Authenticate all identities used by AT&T users with AT&T-approved identity management solutions (e.g., SAML); and
b. Provide or make available to AT&T, access and/or authorization logs upon request.
2.5.1. Install and use Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS) that monitor all traffic entering and leaving Information Resources in connection with In-Scope Work. Both Network and Host IDS/IPS are acceptable solutions. At a Supplier Entity’s discretion, this requirement is optional for implementations of Host Intrusion Detection Systems (HIDS) and/or Host Intrusion Prevention Systems (HIPS) on mobile devices.
2.5.2. Ensure that Supplier Entities’ Information Resources, when providing Internet-accessible services to AT&T, have Denial of Service (DoS/DDoS) and Security Gateway protections in place. Web servers must reside in a DMZ and Information Resources persistently storing In-Scope Information (such as application and database servers) must reside in an internal network.
2.5.3. Ensure that each Security Gateway rule:
a. Is properly authorized and is traceable to a specific business request, at least annually; and
b. Explicitly or implicitly ends with a “DENY ALL” statement for each set.
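Section 2.5.3 lends itself to a rule-set review that can run against an exported firewall or proxy policy before the annual attestation. The script below is an added example written for this review; it is not part of the Agreement and does not use any vendor's real rule syntax. The `Rule` record, its fields and the finding codes are hypothetical, and the sample rule sets are constructed. Beyond the two clauses of 2.5.3 it also flags rules placed after a DENY ALL, since those can never match and usually indicate an editing error.

```python
"""Security Gateway rule-set review for SISR 2.5.3 (added example, not from the Agreement)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)  # 2.5.3(a): authorized and traceable "at least annually"
ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One gateway rule in a vendor-neutral, constructed shape (not any product's real syntax)."""
    name: str
    action: str                       # "ALLOW" or "DENY"
    source: str
    destination: str
    service: str                      # e.g. "tcp/443"
    business_request: Optional[str]   # ticket or change record that justifies the rule
    last_reviewed: Optional[date]


def is_deny_all(rule: Rule) -> bool:
    return (rule.action == "DENY" and rule.source == ANY
            and rule.destination == ANY and rule.service == ANY)


def audit_ruleset(rules: list[Rule], as_of: date) -> list[tuple[str, str]]:
    """Return (rule name, finding code) pairs; the name '*' marks a finding about the whole set."""
    findings: list[tuple[str, str]] = []

    # 2.5.3(b): the set must end with DENY ALL.
    if not rules or not is_deny_all(rules[-1]):
        findings.append(("*", "NO_FINAL_DENY_ALL"))

    deny_seen = False
    for rule in rules:
        # Anything after the first DENY ALL is dead configuration worth flagging.
        if deny_seen:
            findings.append((rule.name, "UNREACHABLE_AFTER_DENY_ALL"))
        if is_deny_all(rule):
            deny_seen = True

        # 2.5.3(a): every rule traceable to a business request and reviewed within the year.
        if not rule.business_request:
            findings.append((rule.name, "NO_BUSINESS_REQUEST"))
        if rule.last_reviewed is None or as_of - rule.last_reviewed > REVIEW_INTERVAL:
            findings.append((rule.name, "REVIEW_OVERDUE"))
    return findings


# Constructed sample policy: one undocumented rule, one stale rule, a correct trailing DENY ALL.
AS_OF = date(2024, 6, 15)
SAMPLE_RULES = [
    Rule("web-in", "ALLOW", ANY, "dmz-web", "tcp/443", "CHG-0001", date(2024, 1, 15)),
    Rule("app-to-db", "ALLOW", "dmz-web", "int-db", "tcp/5432", None, date(2024, 3, 1)),
    Rule("legacy-ftp", "ALLOW", ANY, "int-files", "tcp/21", "CHG-0042", date(2022, 11, 3)),
    Rule("default-deny", "DENY", ANY, ANY, ANY, "BASELINE", date(2024, 1, 15)),
]

if __name__ == "__main__":
    for name, code in audit_ruleset(SAMPLE_RULES, AS_OF):
        print(f"{name}: {code}")
```

The check treats an explicit trailing deny as the evidence of 2.5.3(b); a gateway whose default action is already deny satisfies the clause implicitly, and a reviewer would document that default rather than rely on this finding. Re-ordering the constructed set so the deny comes first produces both the missing-final-deny and the unreachable-rule findings.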
2.5.4. In the event that a Supplier Entity has, or will be provided, access to AT&T’s or AT&T’s customers’ Information Resources in connection with In-Scope Work, then the Supplier Entity must not establish additional interconnections to AT&T’s and AT&T’s customers’ Information Resources without the prior consent of AT&T and must:
a. Use only the mutually agreed-upon facilities and connection methodologies to interconnect AT&T’s and AT&T’s customers’ Information Resources with Supplier’s Information Resources;
b. Limit access of AT&T’s and AT&T’s customers’ Information Resources to only Supplier Entity personnel who are designated and authorized to perform In-Scope Work; and
c. Disclose the intended use of and, upon AT&T’s request, allow AT&T or its delegate to scan portable external storage devices (e.g., USB drive) prior to physically attaching them to Information Resources used for In-Scope Work.
2.6. Supplier Entity Security Compliance
2.6.1. For all Supplier Entities performing In-Scope Work, Supplier must:
a. Ensure compliance with these Security Requirements, or requirements that are no less stringent;
b. Maintain and adhere to a documented program by which compliance to these Security Requirements is evaluated and all corrective actions are documented and implemented within no more than ninety (90) days; and
c. Provide documentation and/or evidence to substantiate such compliance, upon request.
2.7. Information Resource Lifecycle
2.7.1. Segregate In-Scope Information from any other customer’s and Supplier Entities’ own information, either by using logical access controls and/or physical access controls to provide protection from unauthorized access.
2.7.2. Separate non-production Information Resources from production Information Resources and separate In-Scope Information from non-production Information Resources.
2.7.3. Maintain a documented change control policy including back-out procedures for all production environments.
2.8. Security Information and Event Management
2.8.1. Maintain documented policies and controls to:
a. Detect and terminate unauthorized attempts to access and/or change In-Scope Information, and/or system or application configuration files;
b. Log all successful and unsuccessful login attempts;
d. Monitor and investigate unauthorized activity and remediate any successful unauthorized activity;
e. Maintain logs of all sessions accessing AT&T’s Information Resources, if the agreed-upon connectivity methodology requires that Supplier Entity implement a Security Gateway. Such session logs must include origination IP address, destination IP address, ports/service protocols used, durations of access, and sufficiently detailed information to support a security incident or a forensic investigation (e.g., identification of the end user or application accessing AT&T); and
f. For any remote access use of Information Resources, continually log, detect, and:
i. Terminate unauthorized remote access attempts (e.g., anonymous VPN and known bad actors); and
ii. Investigate for potential termination of connection any Supplier Entity user or system performing In-Scope Work from countries other than those specifically allowed under the Agreement.
2.8.2. For applications which use a database that allows modifications to In-Scope Information, create logs:
a. By enabling database transaction logging features where transaction logging is supported; or
b. By implementing another mechanism that logs all modifications to In-Scope Information stored within the database, including timestamp, UserID, and information modified, where transaction logging is not supported.
2.8.3. Review, on no less than a weekly basis, Administrative User activities and all anomalies from security and security-related audit logs and document and resolve logged security problems in a timely manner. Automated processes may promptly issue alarms and/or alerts that cause prompt investigation and review by responsible individuals and, if automated processes successfully resolve a logged security problem, no further action by responsible individuals is required.
2.8.4. Retain all logs for a minimum of six (6) months either on-line or on backup media.
2.8.5. For threats, vulnerabilities, and non-compliances:
a. When presented with evidence by AT&T of a threat to AT&T’s or AT&T’s customers’ Information Resources originating from the Supplier Entities’ networks (e.g., worm, virus or other malware, bot infection, Advanced Persistent Threat (APT), DoS/DDoS attack, etc.), promptly cooperate and cause any other Supplier Entities to promptly cooperate with AT&T and take all reasonable and necessary steps to isolate, mitigate, terminate, and/or remediate all known or suspected threats;
b. When a Supplier Entity learns of or discovers a known threat/vulnerability impacting AT&T or AT&T’s customers (including notifications received from security researchers, industry resources, or bug bounty programs), promptly notify and cooperate with AT&T, and take all reasonable and necessary steps to isolate, mitigate, and/or remediate such known threat/vulnerability; and
c. In the event a Supplier Entity discovers that it is non-compliant, or AT&T finds a Supplier Entity to be non-compliant with these Security Requirements, implement corrective action promptly, but within no more than ninety (90) days after the Supplier Entity’s initial discovery or AT&T’s initial notification to the Supplier.
2.8.6. Maintain a documented procedure that must be followed in the event of a suspected attack upon, intrusion upon, unauthorized access to, loss, including theft of, or other security breach involving In-Scope Information and/or Supplier Entity-owned, -managed, or -used Portable Devices and/or laptop computers containing In-Scope Information in which Supplier must promptly:
a. Investigate or cause Supplier Entities to investigate in order to determine if such an attack has occurred; and
b. Notify AT&T if a confirmed attack including unauthorized access of In-Scope Information has occurred by contacting:
i. Asset Protection by telephone at 1-800-807-4205 from within the US and at 1-908-658-0380 from elsewhere; and
ii. Supplier’s contact within AT&T for service-related issues.
2.8.7. Provide AT&T with regular status updates whenever there is a successful attack upon, intrusion upon, unauthorized access to, loss of, including theft of, or other breach of In-Scope Information and/or Supplier Entity-owned, -managed or -used Portable Devices and/or laptop computers containing In-Scope Information. These status updates must include the actions taken to resolve the incident and must be provided at mutually agreed upon intervals for the duration of the incident. Within seven (7) calendar days of the closure of the incident, provide AT&T with a written report describing the incident, actions taken by the Supplier Entity during its response, and Supplier Entity’s plans for future actions to prevent a similar incident from occurring.
2.9. Vulnerability Management
2.9.1. Maintain and adhere to a documented vulnerability management policy for all Information Resources to:
a. Monitor industry resources (e.g., www.cert.org, the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), pertinent software vendor mailing lists and websites, and information from subscriptions to automated notifications) for timely notification and current statuses of all applicable security alerts and vulnerability reports that pertain to Information Resources;
i. At least [***], host-based or network-based scans;
ii. For all software developed or customized, outside of mere configuration changes, for AT&T and intended to run on AT&T’s Information Resources under the Agreement:
1. Static Analysis Security Testing (SAST) including Software Composition Analysis (SCA) must be performed prior to initial deployment, upon code changes, and at least [***];
2. Dynamic Analysis Security Testing (DAST) must be performed for all web applications prior to initial deployment, upon code changes, and at least every [***] months;
3. Penetration testing at least [***]; and
4. Upon request, make scan results and remediation plans available to AT&T.
iii. For all other software used to perform and/or support In-Scope Work, review and scan such software prior to initial deployment, upon code changes, and at least [***]; and
iv. For all internet-accessible applications used to support In-Scope Work, perform penetration testing at least [***].
c. Apply appropriate security patches or otherwise render the vulnerability not exploitable for all security vulnerabilities with a risk or severity rating of critical, high, or medium identified on Supplier Entities’ Information Resources, within the following risk-based timeframe:
i. Critical – within [***] days, unless the risk requires an accelerated schedule
ii. High – within [***] days
iii. Medium – within [***] days
d. Promptly provide a patch that renders the vulnerability non-exploitable upon discovery or notification of an exploitable vulnerability of software developed or customized, outside of mere configuration changes, for AT&T and installed on AT&T Information Resources, within the following risk-based timeframe:
i. Critical – within [***] days, unless the risk requires an accelerated schedule
ii. High – within [***] days
iii. Medium – within [***] days
iv. Low – within an agreed-upon timeframe
2.10.1. Ensure all Information Resources intended for use by multiple users and any areas where In-Scope Information is accessible are located in secure physical facilities with access restricted to authorized individuals only. For audit purposes, monitor and record access to such areas.
3.0. Definitions
Capitalized terms used within these Security Requirements but not defined herein shall have the meaning set forth in the Agreement.
“Administrative User” means a user with super user or elevated/enhanced security rights and permission for configuring, controlling, installing, or managing Information Resources, regardless of the types of devices and environments managed, including within any Supplier Entity’s facilities, such as within Cloud Service Provider (CSP) cloud environments.
“Cloud Service” means a service delivered via an “as a Service” cloud service model (e.g., Software as a Service (SaaS), Storage as a Service (STaaS), Database as a Service (DBaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS)).
“Cloud Service Provider” or “CSP” means a Supplier Entity providing cloud-based computing services.
“Cybersecurity” means the protection of Information Resources and In-Scope Information from attacks, data theft, breaches, unauthorized access, social engineering, credential sharing, and other similar security threats.
“Demilitarized Zone” or “DMZ” means a physical or logical network or sub-network that separates an internal network from an outside network, such as the public Internet.
“In-Scope Information” means AT&T’s confidential and proprietary data, including AT&T Customer Information, which Supplier Entities collect, process, store, handle, or access in any manner while fulfilling their obligations under this Agreement, irrespective of the format and means of transmission.
“Information Resource(s)” means systems, applications, websites, networks, network elements, and other computing and information storage devices, along with the underlying technologies and delivery methods (e.g., social networks, mobile technologies, laptop computers, Portable Devices, Cloud Services, data analytics, call and voice/video recording, and Application Program Interfaces (APIs)).
“Multi-Factor Authentication” (also known as “MFA,” “Two-Factor Authentication,” and “Strong Authentication”) means the use of at least two of the following three types of authentication factors:
• A physical or logical credential the user has, such as an electronically readable badge, a token card, or a digital certificate;
• A knowledge-based credential, such as a password or PIN; and
• A biometric credential, such as a fingerprint or retina image.
“Portable Devices” means media and systems, with the exception of laptop computers, capable of being easily carried, moved, transported, or conveyed that are used in connection with In-Scope Work. Examples of such devices include tablets, USB hard drives, USB memory sticks, Personal Digital Assistants (PDAs), and mobile phones (e.g., smartphones).
“Security Gateway” means a set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers. Examples include firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.
“SCD” or “Sensitive Customer Data” means customer data that has been assessed as requiring a higher level of protection. SCD refers to the data elements listed in Table 2 - AT&T SCD Data Elements located at the end of these Security Requirements. All data elements in Table 2 are considered In-Scope Information.
“SPI” or “Sensitive Personal Information” means private, personal information that, if compromised or exposed, could present a risk to individuals and would legally require AT&T to disclose the exposure. SPI refers to the data elements listed in Table 1 - AT&T SPI Data Elements located at the end of these Security Requirements. All data elements in Table 1 are considered In-Scope Information.
“Service Account” means a UserID used for installing, executing, or administering an application or system. Service Accounts manage the local events/processes of an application or system.
“Strong Cryptography” means the use of cryptography based on industry-tested, accepted, and uncompromised algorithms and proper key management practices which incorporate a documented policy for the management of the encryption keys, and associated processes adequate to protect the confidentiality and privacy of the keys and credentials used as inputs to the cryptographic algorithm.
“Strong Encryption” means the use of encryption technologies based upon Strong Cryptography.
“Supplier Entity” or “Supplier Entities” means the Supplier, its affiliates, and their respective Subcontractors (including Cloud Service Providers).
4.0. Table 1 - AT&T SPI Data Elements
Data elements in the following tables must be treated as SPI when used in their entirety, unless explicitly stated otherwise. This applies to all data formats including scanned images, screen captures and recordings, PDFs, JPGs and any other unified communication, and collaboration tools/content.
4.1. Individual Identification and Familial Information
Data Element | Description
Government Issued Identification Number | Includes: 1. Driver’s License Number; 2. Taxpayer Identification Number, in an individual’s name (excludes those in a company name); 3. U.S. Social Security Number; 4. National/State/Region issued identity number; 5. Government Identity Card; 6. Government identifiers for professionals; 7. Government-sponsored health or food plan identifier; 9. Alien Registration Number; 10. Birth Certificate Number; 11. Other government issued identification number. Excludes: 1. Customer Application Identification Number (Application ID); 2. Representative Accountability Database (RAD) ID; and 3. Any such numbers that are issued on the understanding that they must be a matter of public record, e.g., U.S. FCC Radio License.
Date of Birth (DOB) | An individual’s full and complete date of birth (DOB), i.e., including month, day, and year. Excludes partial DOB.
Data Element | Description |
Payment Card Number | Primary Account Number (PAN) for all types of payment cards. Includes: 1. AT&T corporate payment card number 2. Consumer payment card number |
Payment Card Security Data | The security data used in association with a payment card (corporate, personal, etc.) to confirm legitimate use. Includes: 1. Card Security Codes (CSC) 2. Personal Identification Numbers (PINs) used with payment cards but excludes PINs used to authenticate access to AT&T systems (see “Customer Authentication Credentials” data element). |
Financial Institution Account Number | Includes: All types of financial institution accounts (savings, checking, investments, pensions, etc.) both personal and business in an individual’s name. Excludes: Bank routing number. |
4.3. Computer Identification and Authentication
Data Element | Description |
Biometric Data | Measures of human physical and behavioral characteristics used for authentication purposes, for example DNA, fingerprint, voiceprint, retina, or iris image. Includes: Full biometric data. Excludes: 1. Templates (e.g., “vector” equivalents) that contain discrete data points derived from biometric data (i.e., templates that do not hold the complete biometric image, where the template cannot be reverse engineered back to the original biometric image), and genetic test information. |
Customer Authentication Credentials (Applies to Customers only) | Values used by customers to authenticate and permit access to: 1. The customer’s personal information, including Customer Proprietary Network Information (CPNI) and AT&T Proprietary Information (SPI) — or — 2. An application enabling the customer to subscribe to, or unsubscribe from, AT&T services — or — 3. An AT&T service to which the customer is subscribed. Includes: 1. Personal Identification Numbers (PINs), passwords, and passcodes 2. Templates (e.g., “vector” equivalents) of biometrics, photographs, or signatures. Excludes: 1. Card Security Codes (CSCs) and PINs used in association with payment cards. |
Customer Authentication Credential Hints (Applies to Customers only) | Answers to questions used to retrieve customer authentication credentials. |
Work Vehicle Location | Information that identifies the current or past location of an AT&T work vehicle that is directly associated with a personal identifier for an AT&T Employee or Non-Payroll Worker (NPW) which allows for Location-Based Information tracking of such individual. The work vehicle’s location (e.g., a map address, or latitude and longitude together with altitude where known) may be determined because it is a connected vehicle or has some other Satellite Navigation (SatNav) capable device assigned to that vehicle, or by some other means such as network connectivity. |
Location-Based Information (LBI) | Information that identifies the current or past location of a specific individual’s mobile device. A mobile device’s location (e.g., a map address, or latitude and longitude together with altitude where known) derived from the mobile device through activities such as GPS or network connectivity rather than as a result of user action (e.g., revealing location in the content of an email or SMS). |
4.4. Background and Other Related Data
Data Element | Description |
Criminal History | Information about an individual’s criminal history, e.g., criminal check portion of a background check. |
Background Checks | Third party (non-AT&T) checks including credit history, employment history, and driving records. Excludes criminal history (see Criminal History). |
Racial or Ethnic Origin Subject to non-U.S. Jurisdiction* | Data specifying and/or confirming an individual’s racial or ethnic origin. |
Trade Union Membership Subject to non-U.S. Jurisdiction* | Data specifying and/or confirming that an individual is a member of a trade union. |
Information Related to an Individual’s Political Affiliation or Religious Belief | Data specifying and/or confirming an individual’s political affiliation or religious or similar beliefs. |
Information Related to an Individual’s Sexual Orientation Subject to non-U.S. Jurisdiction* | Data specifying and/or confirming an individual’s sexual life or orientation. |
Data Element | Description |
U.S. Protected Health Information (PHI) | Includes: 1. Any U.S. health information used in AT&T’s Group Health Care plans or belonging to AT&T’s customers that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individuals that includes information about: • The individual’s past, present, or future physical or mental health or condition; • The provision of health care to the individual; — or — • The past, present, or future payment for the provision of health care to the individual. 2. Health information of retirees, employees, or employee beneficiaries used by AT&T for purposes other than a group health plan is not PHI. For medical and health information not related to AT&T’s Group Health Care plans, see "Medical and Health Information." |
Medical and Health Information | Any information concerning physical or mental health conditions or disabilities. Includes: 2. Health plan beneficiary number 3. Medical device identifiers and serial numbers 4. Prescription (Rx) number 5. Health insurance identification or account number 6. Medical treatment – Information about the management and care of a patient or the combating of disease or disorder. 9. Medical payment information 11. Medical images and metadata 12. Drugs, therapies, or medical products or equipment used 13. Family health or morbidity history - an account of all medical events and problems experienced by members of the individual’s family 14. Other medical and health information |
Genetic Information | Includes: Information about an individual’s genetic tests. Excludes: Full DNA (see Biometric Data). |
Data Element | Description |
Customer Web Browsing and Search History | Includes: 1. Information about what searches AT&T customers perform 2. Web sites AT&T customers visit 3. Web pages AT&T customers view 4. Applications AT&T customers use on an AT&T Network (wireline and wireless including Wi-Fi) Excludes: 1. Searching, browsing, and activities associated with customers’ use of official AT&T corporate web sites (e.g., any web sites that resolve directly to, or redirect to, *att.com, *cricketwireless.com). Note: Exclusion from this row does not preclude potential pre-classification in another data element (e.g., customer viewing history). 2. History captured at the network level prior to processing (e.g., raw data streams not associated with a customer). |
Customer Viewing History | Information about programs watched or recorded, games and applications used, etc. |
Customer Web Communications Payload - AT&T Use | When captured as part of service analysis, e.g., Deep Packet Inspection (DPI) data. |
*Footnotes:
Where a data element has the term “Subject to non-U.S. jurisdiction” associated with it, that data element is to be classified as AT&T Proprietary (SPI) when applied to data elements subject to the non-U.S. jurisdiction, irrespective of whether the data is created, handled, processed, destroyed, or sanitized inside or outside of the United States.
5.0. Table 2 - AT&T SCD Data Elements
Data elements in the following table must be treated as SCD when used in their entirety, unless explicitly stated otherwise. This applies to all data formats including scanned images, screen captures and recordings, PDFs, JPGs and any other unified communication, and collaboration tools/content.
5.1. SCD (Customer Privacy) – Involving Personally Identifiable Information
Data Element | Description |
Customer “messaging” content | Includes: Email, text messages, conference call recordings, and voice mail call recordings. Excludes: “Messaging” between customers and AT&T. |
Customer Telemetry Data (Customer Use) | Automated communications for monitoring by the customer (rather than AT&T). Including all data that is generated by AT&T’s customers’ use of the Digital Life® service or any other Internet of Things (IOT) service that is used by the customer to monitor or control the service. For example, video files. |
2. Table 3.24.g is hereby deleted and replaced with the following Table 3.24.g to add additional approved locations:
Table 3.24.g
Countries where services are authorized by AT&T to be performed (physical location address is also required if the Services involve Information Technology-related work or if a “virtual” or “work-from-home” address is authorized) | Cities where services will be performed for AT&T | Services to be performed at approved Physical Location | Name of Supplier / Supplier Affiliate, and/or Subcontractor performing the services |
[***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Monitoring & Alerting, Security and Compliance Support, Infrastructure and Stability Support, Program Status & Governance, Development, Testing, Operations Support | Amdocs |
[***] | [***] | [***] | Solution Design Creation: process description, APIs description, deployment diagrams, Development, Testing, Operations Support | Amdocs |
Original signatures transmitted and received via facsimile or other electronic transmission of a scanned document, (e.g., .pdf or similar format) are true and valid signatures for all purposes hereunder and shall bind the Parties to the same extent as that of an original signature. This Amendment may be executed in multiple counterparts, each of which shall be deemed to constitute an original but all of which together shall constitute only one document.
IN WITNESS WHEREOF, the Parties have caused this Amendment to Agreement No. 53258.C to be executed, as of the date the last Party signs.
Amdocs Development Limited | AT&T Services, Inc. |
By: | By: |
Name: | Name: Steve Wehde |
Title: | Title: Principal Technical Sourcing Management |
Date: | Date: 3/28/2024 |