EBSCO License Agreement

LAST UPDATED: October 2023

By using the services available at this site or by making the services available to Authorized Users, the Authorized Users and the Licensee agree to comply with the following terms and conditions (the "Agreement"). For purposes of this Agreement, "EBSCO" is EBSCO Publishing, Inc.; the "Licensee" is the entity or institution that makes available databases and services offered by EBSCO; the "Sites" are the Internet websites offered or operated by Licensee from which Authorized Users can obtain access to EBSCO's Databases and Services; and the "Authorized User(s)" are employees, students, registered patrons, walk-in patrons, or other persons affiliated with Licensee or otherwise permitted to use Licensee's facilities and authorized by Licensee to access Databases or Services. "Authorized User(s)" do not include alumni of the Licensee. "Services" shall mean EBSCOhost, EBSCO Discovery Service, EBSCO eBooks, Flipster and related products to which Licensee has purchased access or a subscription. "Services" shall also include eBooks to which a Licensee has purchased access or a subscription and periodicals to which Licensee has purchased a subscription. "Databases" shall mean the products made available by EBSCO. EBSCO disclaims any liability for the accuracy, completeness or functionality of any material contained herein, referred to, or linked to. Publication of the servicing information in this content does not imply approval of the manufacturers of the products covered. EBSCO assumes no responsibility for errors or omissions nor any liability for damages from use of the information contained herein. Persons engaging in the procedures included herein do so entirely at their own risk.

I. LICENSE

A. EBSCO hereby grants to the Licensee a nontransferable and non-exclusive right to use the Databases and Services made available by EBSCO according to the terms and conditions of this Agreement. The Databases and Services made available to Authorized Users are the subject of copyright protection, and the original copyright owner (EBSCO or its licensors) retains the ownership of the Databases and Services and all portions thereof. EBSCO does not transfer any ownership, and the Licensee and Sites may not reproduce, distribute, display, modify, transfer or transmit, in any form, or by any means, any Database or Service or any portion thereof without the prior written consent of EBSCO, except as specifically authorized in this Agreement.

B. The Licensee is authorized to provide on-site access through the Sites to the Databases and Services to any Authorized User. The Licensee may not post passwords to the Databases or Services on any publicly indexed websites. The Licensee and Sites are authorized to provide remote access to the Databases and Services only to their patrons as long as security procedures are undertaken that will prevent remote access by institutions, employees at non-subscribing institutions or individuals, that are not parties to this Agreement who are not expressly and specifically granted access by EBSCO. For the avoidance of doubt, if Licensee provides remote access to individuals on a broader scale than was contemplated at the inception of this Agreement then EBSCO may hold the Licensee in breach and suspend access to the Database(s) or Services. Remote access to the Databases or Services is permitted to patrons of subscribing institutions accessing from remote locations for personal, non-commercial use. However, remote access to the Databases or Services from non-subscribing institutions is not allowed if the purpose of the use is for commercial gain through cost reduction or avoidance for a non-subscribing institution.

C. Licensee and Authorized Users agree to abide by the Copyright Act of 1976 as well as by any contractual restrictions, copyright restrictions, or other restrictions provided by publishers and specified in the Databases or Services. Pursuant to these terms and conditions, the Licensee and Authorized Users may download or print limited copies of citations, abstracts, full text or portions thereof, provided the information is used solely in accordance with copyright law. Licensee and Authorized Users may not publish the information. Licensee and Authorized Users shall not use the Database or Services as a component of or the basis of any other publication prepared for sale and will neither duplicate nor alter the Databases or Services or any of the content therein in any manner, nor use same for sale or distribution. Licensee and Authorized Users may not use artificial intelligence tools or machine learning technologies with any of the content included in the Databases or Services for any purpose. Licensee and Authorized Users may create printouts of materials retrieved through the Databases or Services online printing, offline printing, facsimile or electronic mail. All reproduction and distribution of such printouts, and all downloading and electronic storage of materials retrieved through the Databases or Services shall be for internal or personal use. Downloading all or parts of the Databases or Services in a systematic or regular manner so as to create a collection of materials comprising all or part of the Databases or Services is strictly prohibited whether or not such collection is in electronic or print form. Notwithstanding the above restrictions, this paragraph shall not restrict the use of the materials under the doctrine of "fair use" as defined under the laws of the United States. Publishers may impose their own conditions of use applicable only to their content. Such conditions of use shall be displayed on the computer screen displays associated with such content. The Licensee shall take all reasonable precautions to limit the usage of the Databases or Services to those specifically authorized by this Agreement.

D. Authorized Sites may be added or deleted from this Agreement as mutually agreed upon by EBSCO and Licensee.

E. Licensee agrees to comply with the Copyright Act of 1976, and agrees to indemnify EBSCO against any actions by Licensee that are not consistent with the Copyright Act of 1976.

F. The computer software utilized via EBSCO's Databases and Service(s) is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this software, or any portion of it, is not allowed. User shall not reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the software, or create derivative works from the software.

G. The Databases are not intended to replace Licensee's existing subscriptions to content available in the Databases.

H. Licensee agrees not to include any advertising in the Databases or Services.

II. LIMITED WARRANTY AND LIMITATION OF LIABILITY

A. EBSCO and its licensors disclaim all warranties, express or implied, including, but not limited to, warranties of merchantability, noninfringement, or fitness for a particular purpose. Neither EBSCO nor its licensors assume or authorize any other person to assume for EBSCO or its licensors any other liability in connection with the licensing of the Databases or the Services under this Agreement and/or its use thereof by the Licensee and Sites or Authorized Users.

B. THE MAXIMUM LIABILITY OF EBSCO AND ITS LICENSORS, IF ANY, UNDER THIS AGREEMENT, OR ARISING OUT OF ANY CLAIM RELATED TO THE PRODUCTS, FOR DIRECT DAMAGES, WHETHER IN CONTRACT, TORT OR OTHERWISE SHALL BE LIMITED TO THE TOTAL AMOUNT OF FEES RECEIVED BY EBSCO FROM LICENSEE HEREUNDER UP TO THE TIME THE CAUSE OF ACTION GIVING RISE TO SUCH LIABILITY OCCURRED. IN NO EVENT SHALL EBSCO OR ITS LICENSORS BE LIABLE TO LICENSEE OR ANY AUTHORIZED USER FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR SPECIAL DAMAGES RELATED TO THE USE OF THE DATABASES OR SERVICES OR TO THESE TERMS AND CONDITIONS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

C. Licensee is responsible for maintaining a valid license to the third-party resources configured to be used via the Services (if applicable). EBSCO disclaims any responsibility or liability for a Licensee accessing the third-party resources without proper authorization.

D. EBSCO is not responsible if the third-party resources accessible via the Services fail to operate properly or if the third-party resources accessible via the Services cause issues for the Licensee. While EBSCO will make best efforts to help troubleshoot problems, Licensee acknowledges that certain aspects of functionality may be dependent on third party resource providers who may need to be contacted directly for resolution.

III. PRICE AND PAYMENT

A. License fees have been agreed upon by EBSCO and the Licensee, and include all retrospective issues of the Product(s) as well as updates furnished during the term of this Agreement. The Licensee's obligations of payment shall be to EBSCO or its assignee. Payments are due upon receipt of invoice(s) and will be deemed delinquent if not received within thirty (30) days. Delinquent invoices are subject to interest charges of 12% per annum on the unpaid balance (or the maximum rate allowed by law if such rate is less than 12%). The Licensee will be liable for all costs of collection. Failure or delay in rendering payments due EBSCO under this Agreement will, at EBSCO's option, constitute material breach of this Agreement. If changes are made resulting in amendments to the listing of authorized Sites, Databases, Services and pricing identified in this Agreement, pro rata adjustments of the contracted price will be calculated by EBSCO and invoiced to the Licensee and/or Sites accordingly as of the date of any such changes. Payment will be due upon receipt of any additional pro rata invoices and will be deemed delinquent if not received within thirty (30) days of the invoice dates.

B. Taxes, if any, are not included in the agreed upon price and may be invoiced separately. Any taxes applicable to the Database(s) under this Agreement, whether or not such taxes are invoiced by EBSCO, will be the exclusive responsibility of the Licensee and/or Sites.

IV. TERMINATION

A. In the event of a breach of any of its obligations under this Agreement, Licensee shall have the right to remedy the breach within thirty (30) days upon receipt of written notice from EBSCO. Within the period of such notice, Licensee shall make every reasonable effort and document said effort to remedy such a breach and shall institute any reasonable procedures to prevent future occurrences of such breaches. If the Licensee fails to remedy such a breach within the period of thirty (30) days, EBSCO may (at its option) terminate this Agreement upon written notice to the Licensee.

B. If EBSCO becomes aware of a material breach of Licensee's obligations under this Agreement or a breach by Licensee or Authorized Users of the rights of EBSCO or its licensors or an infringement on the rights of EBSCO or its licensors, then EBSCO will notify the Licensee immediately in writing and shall have the right to temporarily suspend the Licensee's access to the Databases or Services. Licensee shall be given the opportunity to remedy the breach or infringement within thirty (30) days following receipt of written notice from EBSCO. Once the breach or infringement has been remedied or the offending activity halted, EBSCO shall reinstate access to the Databases or Services. If the Licensee does not satisfactorily remedy the offending activity within thirty (30) days, EBSCO may terminate this Agreement upon written notice to the Licensee.

C. The provisions set forth in Sections I, II and V of this Agreement shall survive the term of this Agreement and shall continue in force into perpetuity.

V. NOTICES OF CLAIMED COPYRIGHT INFRINGEMENT

EBSCO has appointed an agent to receive notifications of claims of copyright infringement regarding materials available or accessible on, through, or in connection with our services. Any person authorized to act for a copyright owner may notify us of such claims by contacting the following agent: Kim Stam, EBSCO Publishing, 10 Estes Street, Ipswich, MA 01938; phone: 978-356-6500, fax: 978-356-5191; email: [email protected]. In contacting this agent, the contacting person must provide all relevant information, including the elements of notification set forth in 17 U.S.C. 512.

VI. GENERAL

A. Neither EBSCO nor its licensors will be liable or deemed to be in default for any delays or failure in performance resulting directly or indirectly from any cause or circumstance beyond its reasonable control, including but not limited to acts of God, war, riot, embargoes, acts of civil or military authority, rain, fire, flood, accidents, earthquake(s), strikes or labor shortages, transportation facilities shortages or failures of equipment, or failures of the Internet.

B. This Agreement and the license granted herein may not be assigned by the Licensee to any third party without written consent of EBSCO.

C. If any term or condition of this Agreement is found by a court of competent jurisdiction or administrative agency to be invalid or unenforceable, the remaining terms and conditions thereof shall remain in full force and effect so long as a valid Agreement is in effect.

D. If the Licensee and/or Sites use purchase orders in conjunction with this Agreement, then the Licensee and/or Sites agree that the following statement is hereby automatically made part of such purchase orders: "The terms and conditions set forth in the EBSCO License Agreement are made part of this purchase order and are in lieu of all terms and conditions, express or implied, in this purchase order, including any renewals hereof."

E. This Agreement and our Privacy Policy represent the entire agreement and understanding of the parties with respect to the subject matter hereof and supersede any and all prior agreements and understandings, written and/or oral. There are no representations, warranties, promises, covenants or undertakings, except as described in this Agreement and our Privacy Policy.

F. EBSCO grants to the Licensee a non-transferable right to utilize any IP addresses provided by EBSCO to Licensee to be used with the Services. EBSCO does not transfer any ownership of the IP addresses it provides to Licensee. In the event of termination of the Licensee's license to the Services, the Licensee's right to utilize such IP addresses will cease.

G. All information that EBSCO collects when Licensee accesses, uses, or provides access to, the Databases and Services is subject to EBSCO’s Privacy Policy, which is incorporated herein by reference. By accessing or using the Databases and/or Services, you consent to all actions taken by EBSCO with respect to your information in compliance with the Privacy Policy.



DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “Addendum”) supplements the EBSCO License Agreement (the “Agreement”) between the Customer (“Customer”) and EBSCO Publishing, Inc. (“EBSCO”).

  1. Definitions
    1. For the purpose of this Addendum the terms, “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” Processing,” “Subprocessor,” and “Supervisory Authority” shall have the same meanings as in applicable Data Protection Legislation, and their related terms shall be construed accordingly.
    2. Appropriate technical and organizational measures" shall be interpreted in accordance with applicable Data Protection Legislation.
    3. Customer Personal Data” means the Personal Data that is provided by Customer to EBSCO or that is processed by EBSCO on Customer’s behalf in connection with the Agreement.
    4. Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time where EBSCO does business, including the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC), the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et seq. (the “CCPA”), and all other applicable laws and regulations relating to the Processing of Personal Data, including any legislation that implements or supplements, replaces, repeals and/or supersedes any of the foregoing.
    5. International Data Transfer” means the transfer (either directly or via onward transfer) of Personal Data from within the European Economic Area/United Kingdom (as applicable) to a country not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the GDPR).
    6. User Personal Data” means the Personal Data provided directly by Customer’s end users to EBSCO through the products and services purchased by Customer.
  2. Data Processing: EBSCO as Processor for Customer
    1. Where Customer Personal Data is processed by EBSCO, EBSCO will act as the Processor and the Customer will act as the Controller.
      1. Subject Matter. The subject matter of the Processing is the Customer Personal Data.
      2. Duration. The Processing will be carried out for the duration set forth in the Agreement.
      3. Nature and Purpose. The purpose of the Processing is the provision of products and services to the Customer purchased by the Customer from time to time.
      4. Type of Customer Personal Data and Data Subjects. Customer Personal Data consists of the following categories of information relevant to the following categories of Data Subjects:
        1. Representatives of Customer: name, address; email address; billing information; login credentials; geolocation data; and professional affiliation.
        2. Customer’s end users of the EBSCO products and services purchased by Customer (where personalized account information is provided to EBSCO by Customer): name; address; and email address.
    2. EBSCO shall not Process Customer Personal Data other than on the Customer’s documented instructions (as set forth in this Addendum or the Agreement or as otherwise directed by Customer in writing). EBSCO will not Process Customer Personal Data for any purpose, including for any commercial purpose, other than for the specific purpose of performing the services specified in the Agreement. If Processing of Customer Personal Data inconsistent with the foregoing provisions of this section is ever required by applicable Data Protection Legislation to which EBSCO is subject, EBSCO shall, to the extent permitted by applicable Data Protection Legislation, inform the Customer of that legal requirement before proceeding with the relevant Processing of that Customer Personal Data.
    3. EBSCO will notify Customer promptly if, in EBSCO’s opinion, an instruction for the Processing of Customer Personal Data infringes applicable Data Protection Legislation.
    4. EBSCO shall ensure that all personnel who have access to and/or Process the Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
    5. EBSCO shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to protect against unauthorized or unlawful Processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data. When considering what measure is appropriate, each party shall have regard to the state of good practice, technical development and the cost of implementing any measures to ensure a level of security appropriate to the harm that might result from such unauthorized or unlawful Processing or accidental loss or destruction, and to the nature of the data to be protected.
    6. EBSCO shall assist Customer, taking into account the nature of the Processing, (A) by appropriate technical and organizational measures and where possible, in fulfilling Customer’s obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Legislation; (B) in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to EBSCO; and (C) by making available to Customer all information reasonably requested by Customer for the purpose of demonstrating that Customer’s obligations relating to the appointment of processors as set out in Article 28 of the GDPR have been met.
    7. EBSCO shall promptly notify Customer upon becoming aware of any confirmed Personal Data Breach affecting the Customer Personal Data.
    8. Upon termination of the Agreement, EBSCO shall, at Customer’s election, securely delete or return Customer Personal Data and destroy existing copies unless preservation or retention of such Customer Personal Data is required by any applicable law to which EBSCO is subject.
    9. EBSCO shall allow Customer and Customer’s authorized representatives to access and review up-to-date attestations, reports, or extracts thereof from independent bodies (e.g. external auditors, data protection auditors) or suitable certifications, or to conduct audits or inspections to ensure compliance with the terms of this Addendum. Any audit or inspection must be conducted during EBSCO’s regular business hours, with reasonable advance notice to EBSCO and subject to reasonable confidentiality procedures. In addition, audits or inspections shall be limited to once per year.
      EBSCO shall, in the event of third-party subprocessing that is subject to Data Protection Legislation, (A) inform Customer and obtain its prior written consent (execution of this Addendum shall be deemed as Customer’s prior written consent to such third-party subprocessing); (B) provide a list of third-party Subprocessors upon Customer’s request; and (C) inform Customer of any intended changes to third-party Subprocessors, and give Customer a reasonable opportunity to object to such changes. If EBSCO provides Personal Data to third-party Subprocessors, EBSCO will include in its agreement with any such third-party Subprocessor terms which offer at least the same level of protection for the Customer Personal Data as those contained herein and as are required by applicable Data Protection Legislation.
  3. Data Processing: EBSCO as Joint Controller With Customer
    1. EBSCO and Customer shall act as joint Controllers with respect to User Personal Data.
    2. EBSCO shall be responsible for providing Customer’s end user Data Subjects with the information required under GDPR Articles 13 and 14 (including by identifying a contact point for Data Subjects) before processing User Personal Data, and with informing Customer’s end users of the essence of EBSCO’s arrangement with Customer.
    3. EBSCO shall provide Customer’s end user Data Subjects with the ability to exercise their individual rights with respect to User Personal Data within a self-service portal.
  4. International Data Transfers
    1. To the extent that any Customer Personal Data is subject to any International Data Transfer, the parties agree to be bound by, and all terms and provisions of the Controller to Processor Standard Contractual Clauses adopted by the European Commission (“Processor Model Clauses”) shall be incorporated by reference to this Addendum with the same force and effect as though fully set forth in this Addendum, wherein:
      1. Customer is the “data exporter” and EBSCO International, Inc. is the “data importer;” an
      2. The provisions of Module Two are incorporated; the provisions under Modules One, Three, and Four, the footnotes, and Clauses 9, 11(a) Option and 17 Option 1 are omitted; the clauses shall be governed by the law of Ireland; and the competent supervisory authority is Ireland.
    2. To the extent that any User Personal Data is subject to any International Data Transfer, the parties agree to be bound by, and all terms and provisions of the Controller to Controller Standard Contractual Clauses adopted by the European Commission (“Controller Model Clauses”) shall be incorporated by reference to this Addendum with the same force and effect as though fully set forth in this Addendum, wherein:
      1. Customer is the “data exporter” and EBSCO is the “data importer;” and
      2. The provisions of Module One are incorporated; the provisions under Modules Two, Three and Four, the footnotes, and Clauses 9, 11(a) Option and 17 Option 1 are omitted; the clauses shall be governed by the law of Ireland; and the competent supervisory authority is Ireland.
    3. The Processor Model Clauses and Controller Model Clauses shall be collectively, the “Standard Contractual Clauses.” The applicable version of the Standard Contractual Clauses is those which were approved by the European Commission on June 4, 2021. In the event that the Standard Contractual Clauses are updated, replaced, amended or re-issued by the European Commission (with the updated Standard Contractual Clauses being the “New Contractual Clauses”) during the term of this Addendum, the New Contractual Clauses shall be deemed to replace the Standard Contractual Clauses and the parties undertake to be bound by the terms of the New Contractual Clauses effective as of the date of the update (unless either party objects to such change) and the parties shall execute a form of the New Contractual Clauses.
    4. The descriptions required by the Annexes of the Standard Contractual Clauses are replaced by the information in Schedule 1, Schedule 2, and Schedule 3 of this Addendum.
    5. To the extent that the UK Information Commissioner’s Office issues any standard contractual clauses for the purpose of making lawful International Data Transfers during the term of this Addendum that will impact the transfers of Customer Personal Data or User Personal Data (with such clauses being the “UK Standard Contractual Clauses”), to the extent possible, the UK Standard Contractual Clauses shall be deemed to be incorporated into this Addendum and the parties undertake to be bound by the terms of the UK Standard Contractual Clauses effective as of the date of their issuance (unless either party objects to such change) and the parties shall execute a form of the UK Standard Contractual Clauses.

SCHEDULE I: List of Parties and Description of Data Transfers

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

  1. Name:
    Address:
    Contact person’s name, position and contact details:
    Activities relevant to the data transferred under these Clauses:
    Signature and date:
    Role (controller/processor):
    Controller and Joint Controller

  2. Additional Information: EBSCO and Customer shall act as Joint Controllers with respect to User Personal Data (as defined in the Agreement). The Joint Controllers shall perform the following responsibilities accordingly:

Customer EBSCO

Personalization: Customer decides whether to enable features of personalized accounts in product

Authorize the processing of end user data by EBSCO via the Agreement between parties

  • Provide legal basis for processing end user data
  • Establish the purposes and scope of processing

Implementation of technical and organizational measures to ensure security of network

  • Access controls – provide guidelines to EBSCO for authorizing who may access the product under the customer’s subscription

Data Subject Access Requests

  • As needed, provides details of requests to EBSCO if request is received by Customer from end users (in the event that an end user submits a request through Customer rather than through EBSCO)

Implementation of organizational and technical measures

  • See Annex II and Security Whitepaper for details

Maintenance and support of product

  • Security patches
  • Feature updates
  • Technical support
  • Availability and up-time

Data storage, including backups

Establish the purposes and scope of processing via the Agreement between Parties

Data Subject Access Requests

  • Receives and processes Data Subject Access Requests and honors the data subject rights of information, access, rectification, erasure, restricted processing, data portability, right to object, and the right to avoid automated decision-making
  • Manages the contact form, email address, and phone number for intake of privacy requests
  • Upon request, notifies customer of data subject request

Provide legal basis for processing end user data

  • Agreement between parties establishes contract to provide services
  • Collection of individual consent and acceptance of terms of use, privacy policy, etc. from end users

Incident response

  • Implementation of process
  • Notification of customer

Subprocessors - vetting and notifying customer of new subprocessors

Privacy Risk Assessments – conduct PRA/DPIA as needed for vendors, features, products, etc. which process personal information

Data importer(s):
For Customer Personal Data:

  1. Name: EBSCO Publishing, Inc.
    Address: 10 Estes Street, Ipswich, MA 01938
    Contact person’s name, position and contact details:
    Activities relevant to the data transferred under these Clauses:
    Academic and scholastic research, creation and customization of user profiles
    Signature and date:
    Role (controller/processor):
    Joint Controller, Processor

  2. Additional Information: Customer will act as the Controller of Customer Personal Data where Customer Personal Data is processed by EBSCO. EBSCO will act as the Processor of Customer Personal Data.
    Customer Personal Data” means the Personal Data that is provided by Customer to EBSCO or that is processed by EBSCO on Customer’s behalf in connection with the Agreement.

For User Personal Data:

  1. Name: EBSCO International, Inc.
    Address: 10 Estes Street, Ipswich, MA 01938
    Contact person’s name, position and contact details:
    Activities relevant to the data transferred under these Clauses: Academic and scholastic research, creation and creation of user profiles
    Signature and date:
    Role (controller/processor): Joint Controller and Processor
  2. Additional Information: Customer will act as the Controller of User Personal Data where User Personal Data is processed by EBSCO. EBSCO will act as the Joint Controller of User Personal Data.

    User Personal Data” means the Personal Data provided directly by Customer’s end users to EBSCO through the products and services purchased by Customer.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Entity information required for handling the subscription and users of applications, including but not limited to students, teachers, employees, authors

Categories of personal data transferred: First name, last name, email address, authentication information, search information, research notes

Sensitive Data transferred (if applicable), and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: Not Applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous

Nature of the processing: Providing access to EBSCO databases; storing user information in customized profiles; facilitating the retrieval of user search history;

Purpose(s) of the data transfer and further processing: To perform the obligations between the parties, per the Agreement, to provide research tools, to personalize the experience and to prevent harvesting. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As long as reasonably necessary, some personalization information will be held until deletion is requested by a customer or user.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority, in accordance with Clause 13, is the Supervisory Authority of Ireland.


SCHEDULE II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of Data

EBSCO shall maintain and use appropriate safeguards to prevent the unauthorized access to or use of Customer Personal Data and to implement administrative, physical and technical safeguards to protect Customer Personal Data. Such safeguards shall include:

  1. Network and Application Security and Vulnerability Management:
    1. Measures of pseudonymization and encryption of personal data: Personal data is encrypted at rest using the 256-bit Advanced Encryption Standard (AES-256), and in transit using Transport Layer Security (TLS) encryption. Cryptographic key management is in place as outlined in National Institute of Science and Technology (NIST) standard 800-57.
    2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: EBSCO has an ongoing commitment to certification against relevant International Organization for Standardization (ISO) standards, including ISO standards 27001, 27017, 27018 and 27701 both on-premise and at Amazon Web Services (AWS) managed data centers. EBSCO is hosted both within the Amazon Web Services platform and within legacy on premise data centers in Ipswich, MA and Boston, MA. Applications and data are distributed for purposes of high availability and resilience. Features such as automatic recovery and automatic scaling have been implemented. Applications together with their container configuration can be redeployed within minutes, if necessary.
    3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: All applications and data are distributed across multiple nodes and the nodes are distributed across multiple availability zones within Amazon Web Services to ensure high availability of the service. The use of a container-based architecture further helps to ensure high availability of the service. For example, applications automatically restart if they encounter issues and if a specific node fails, it is removed from service and traffic is directed to the remaining ‘healthy’ nodes. Where appropriate, nodes are set to automatically scale to handle unexpected spikes in traffic. Regular service management meetings review the performance and future capacity needs of the service. The infrastructure enables horizontal and vertical scaling to be implemented with significantly reduced lead times compared to a physical infrastructure.

      For our legacy on premise, EIS employs two concurrent data centers with failover capabilities in the event that one of the sites experiences an outage. EBSCO’s on-premise data centers are protected with uninterruptable power supplies, fire suppression systems and limited access only to personnel necessary for the ongoing operation of the data centers.

      EBSCO continuously monitors service availability. The current status can be found here: https://status.ebsco.com/

    4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: EBSCO contracts third party penetration testing on an annual basis. In addition, vulnerability scans are conducted through an automated code deployment pipeline. Our production environment is scanned continuously. We employ a managed 24/7 security operations team to continuously monitor our environment. EBSCO regularly applies security updates to our environment following our comprehensive vulnerability management process. These updates are done on a rolling basis using a Scaled Agile Framework for Enterprises (SAFe).

      Organizational measures are reviewed twice annually, through an internal audit as well as an external audit conducted on an annual basis by accredited third party auditors. In addition, regular access reviews to sensitive data and systems are conducted on a regular basis.

      EBSCO continually evaluates the security of its network and associated Services to determine whether additional or different security measures are required to respond to security risks or findings generated by periodic reviews.

    5. Measures for the protection of data during transmission: All data is encrypted in transit using TLS, both from the users’ browser to the applications as well as data in transit between EBSCO systems and subprocessors.
    6. Measures for the protection of data during storage: Personal Data is encrypted at rest using the 256-bit Advanced Encryption Standard (AES-256). All data storage is isolated from the public internet by a dedicated firewall to ensure only EBSCO personnel can access the database.
    7. Measures for ensuring system configuration, including default configuration: Standardized system configurations are enforced through automated code deployment pipelines where appropriate.
    8. Measures for internal IT and IT security governance and management: EBSCO’s Governance Risk and Compliance (GRC) Team maintains the EBSCO Information Security and Privacy Management system (ISPMS). The ISPMS is continuously monitored and improved to conform to or exceed the standards required by ISO 27001, ISO 27701, ISO 27017, and ISO 27108. The EBSCO ISPMS is comprised of the ISMS-Information Security Management System and PIMS-Privacy Information Management System. External and internal audits of the ISPMS are performed on an annual basis. Security logs are monitored continuously.
    9. Measures for certification/assurance of processes and products: In addition to the measures for internal IT management and IT security governance above, regular, mandatory training is delivered through an online learning platform to ensure all staff are familiar with their responsibilities and up to date with policies and procedures. Clear processes are in place to manage security related incidents and to liaise with law enforcement if required.
    10. Measures for ensuring data minimization: EBSCO follows best practices for minimizing data attributes to only those needed to perform required functions and allow its customers and user patrons the ability to extend the minimum default data set if required.
    11. Measures for ensuring data quality: Institutions and end users have the ability to review and update their information through a self-service module, or through contacting EBSCO according to the Privacy Policy. Where applicable, data validation controls are implemented in our environment.
  2. Logical access controls:
    1. Measures for user identification and authorization: A small number of the EBSCO Team with responsibilities for administering and supporting the system have access to the production environment and databases. This is strictly controlled by role and requires two-factor authentication to gain access.

      Customer Administrator access to end user data is only possible through using an EBSCOadmin administrator account. Only personnel designated by the customer and a small number of EBSCO’s privileged users have access to this information.

      Customers have the ability to set up different authentication options. Options include, but are not limited to, integration through Single Sign On (SSO) using SAML 2.0, username and password, IP whitelist authentication, patron ID, Google Campus Activated Subscriber Access (CASA), Universal CASA and Cookies.

  3. Secure media disposal controls:
    1. Measures for ensuring limited data retention: It is vital that personal data stored within EBSCO’s systems meets the requirements for data privacy and protection and part of that is ensuring personal data is not retained beyond what is necessary for the defined purpose.

      In many cases, EBSCO allows the ability for customers to anonymize end user data by pseudonymized SSO configuration or removing the option for User Patrons to personalize.
    2. Measures for allowing data portability and ensuring erasure: Upon request or through the self-service module, EBSCO customers can extract Database Usage Reports, Interface Usage Reports, Link Activity Reports, Login Usage Report and Title Usage Reports. This data can also be obtained upon request at contract termination, or at any time through EBSCOadmin.
  4. Logging Controls:
    1. Measures for ensuring events logging: EBSCO allows customers to view database usage reports, interface usage reports, link activity reports, login usage reports and title usage reports through EBSCOadmin.

      EBSCO employs Security Information and Event Management (SIEM) logs across our resources. These logs are monitored internally by our information security team and 24/7 managed security operations center (SOC). No customer action is required, and customers do not have access to these internal logs.

  5. Personnel Controls: Contracts for new staff and the onboarding process emphasize individual responsibilities for information security and the potential penalties for misuse. Staff resignations trigger an automated process to ensure access rights to EBSCO’s systems are revoked in a timely fashion.

    The IT Acceptable Use Agreement covers the acceptable use of EBSCO’s information assets. It is issued to both permanent and contract staff and forms part of the induction for new starters.

    Security awareness training is delivered through EBSCO’s online training platform. It is delivered at least annually and is mandatory for all employees.

  6. Physical security and environmental controls:
    1. Measures for ensuring physical security of locations at which personal data are processed: EBSCO is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. EBSCO has a comprehensive set of physical security controls which ensure that its data centers and offices are sufficiently protected. Access to data centers is limited only to necessary personnel, and all access is logged and reviewed for abnormalities

      EBSCO also contracts with AWS for the processing of customer data. AWS provides world class security within their hosted data centers. For more information on physical security in AWS hosted environments see: https://aws.amazon.com/compliance/data-center/controls/.

SCHEDULE III: List of Subprocessors

MODULE TWO: Transfer controller to processor

The controller has been notified of the use of the following subprocessors that may be utilized at the time of contract execution.