This excerpt taken from the GPS 10-Q filed Jun 9, 2009.
10.4 Security Procedures
As more specifically required pursuant to Section 2 (Security) of Exhibit A.2 (Cross Functional Services), Supplier shall adopt security measures for itself and its employees which shall include, but not be limited to:
A. Prohibition of the disclosure of Proprietary or Confidential Information within Suppliers organization except to individuals requiring access to such information to perform Suppliers obligations or exercise its rights under this Agreement;
B. Precluding access to Proprietary and Confidential Information by any Supplier employee, representative, agent or Subcontractor until such individual has been trained with regard to the handling of the Proprietary or Confidential Information, use of security measures identified herein, and (1) with respect to Suppliers employees, has completed Suppliers applicable * (or its successors) (provided, however, for purposes of this Agreement and with respect to Suppliers employees providing Services under this Agreement, * (or its successors) shall be deemed to apply to and include all of the Gap Systems), and (2) with respect to Suppliers representatives, agents, or Subcontractors, Supplier has included provisions comparable to *;
C. Requiring all (1) new employees to complete Suppliers applicable * (or its successors) (provided, however, for purposes of this Agreement and with respect to Suppliers employees providing Services under this Agreement, * (or its successors) shall be deemed to apply to and include all of the Gap Systems), and (2) representatives, agents, or Subcontractors, to execute Subcontractor, agent, or other agreements with provisions comparable to *;
D. Providing each individual authorized to electronically access Proprietary or Confidential Information with a unique access code and notifying such individual that disclosure of any password, access code, or security device shall result in disciplinary action, including termination;
E. Promptly canceling any password or security access code when an individual is terminated, transferred, or on a leave of absence and providing prompt notice of such event to Gap as agreed in the Gap Policies and Procedures and consistent with Gap System security requirements;
F. In the event employment is terminated involuntarily, ensuring that the individuals access to Proprietary or Confidential Information is blocked prior to notifying the individual of the involuntary termination;
G. Requiring that Gap procedures (provided in writing to Supplier or generally posted at the Gap Service Locations) are followed by Supplier Personnel to physically safeguard all telecommunication switches, computer rooms, and tape libraries, as well as restricting access to such sites to authorized personnel through card access system (CAS) badges where such systems are utilized;
H. Requiring that audit trails are established and maintained with regard to Trusted Identifications created by Supplier and provide such audit trails to Gap upon Gaps request.
Gap Confidential and Proprietary Information
Without limitation, *; and
I. Requiring, to the extent consistent with Gap Polices and Procedures (Exhibit D.1), that the Equipment and the Gap IT Environment have the firewalls, segmentation, encryption, or other safeguards designed to (1) protect the transmission of Gap Data and Proprietary or Confidential Information, (2) properly authenticate users, and (3) prohibit the unauthorized access to Gap Data or Confidential or Proprietary Information or the Gap IT Environment, all as set forth in Section 2 (Security) of Exhibit A.2 (Cross Functional Services).