This excerpt taken from the GPS 10-Q filed Jun 9, 2009.
3.20 Data Protection and Privacy
Supplier shall comply with Gaps Data Protection and Privacy Procedures as set forth in the Exhibit D.1 (Gap Policies and Procedures). In addition, subject to mandatory compliance with applicable law, Supplier shall perform a reference and criminal background investigation on all Supplier Personnel with access to Gap Data and/or the Gap IT Environment. Notwithstanding the foregoing, *. Within five (5) days of any investigation, Supplier shall notify Gap of adverse results of any such reference and criminal background investigation to the extent permitted by law. Supplier shall not permit any Supplier Personnel who Supplier knows has been convicted of a crime of dishonesty, breach of trust, or money laundering to provide Services under this Agreement, or to have access to any Gap Proprietary or Confidential Information or Gap Data.