
Sample FTC Safeguards Vendor Agreement

This Vendor Agreement (“Agreement”) is entered into as of [Insert Date] by and between [Dealership Name] (“Dealership”), located at [Insert Address], and [Vendor Name] (“Vendor”), located at [Insert Address].


1. Purpose

The purpose of this Agreement is to ensure that Vendor complies with the data security requirements established under the FTC Safeguards Rule and protects the confidentiality, integrity, and security of Non-Public Personal Information (NPI) provided by Dealership.


2. Definitions

  • Non-Public Personal Information (NPI): Any information provided by or on behalf of Dealership that identifies or relates to an individual and is not publicly available.
  • Safeguards Rule: The Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR Part 314, as amended.

3. Vendor Obligations

3.1 Compliance with Safeguards Rule

Vendor agrees to comply with all applicable provisions of the FTC Safeguards Rule and any other relevant privacy and security laws.

3.2 Data Protection Measures

Vendor shall implement and maintain an information security program that includes administrative, technical, and physical safeguards to:

  • Protect the security, confidentiality, and integrity of NPI.
  • Identify and mitigate reasonably foreseeable risks to the security of NPI.
  • Ensure the secure disposal of NPI when no longer needed, in compliance with applicable law.

3.3 Access Control

Vendor shall:

  • Restrict access to NPI to employees, agents, or subcontractors who need the information to provide services to Dealership.
  • Require such individuals to agree to confidentiality obligations consistent with this Agreement.

3.4 Security Monitoring and Incident Response

Vendor shall:

  • Monitor its systems and processes for unauthorized access, use, or disclosure of NPI.
  • Notify Dealership immediately (and no later than 24 hours) upon discovering any actual or suspected data breach or unauthorized disclosure involving NPI.
  • Cooperate with Dealership in investigating and responding to the incident, including providing information necessary for Dealership to meet its legal obligations.

4. Audits and Reporting

4.1 Right to Audit

Dealership reserves the right to audit Vendor’s compliance with this Agreement upon reasonable notice and at mutually agreeable times.

4.2 Reporting Requirements

Vendor shall provide Dealership with annual certifications of its compliance with this Agreement and any applicable data security laws or regulations.


5. Subcontractors

Vendor shall not subcontract any services involving NPI without prior written consent from Dealership. Any subcontractor must agree to terms and obligations consistent with this Agreement.


6. Termination

6.1 Termination for Cause

Dealership may terminate this Agreement immediately if Vendor fails to comply with its obligations under this Agreement or applicable laws.

6.2 Obligations upon Termination

Upon termination of this Agreement, Vendor shall:

  • Return or securely destroy all NPI in its possession, custody, or control.
  • Certify in writing that such return or destruction has been completed.

7. Confidentiality

Vendor agrees to maintain the confidentiality of all NPI and not to disclose it to any third party except as expressly authorized by Dealership or as required by law.


8. Indemnification

Vendor agrees to indemnify, defend, and hold harmless Dealership from and against any losses, damages, costs, or liabilities arising from Vendor’s breach of this Agreement or failure to comply with applicable laws.


9. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of [Insert State], without regard to its conflict of laws principles.


10. Entire Agreement

This Agreement constitutes the entire understanding between the parties regarding the subject matter herein and supersedes all prior agreements and understandings.


IN WITNESS WHEREOF, the parties have executed this Agreement as of the date first written above.

Dealership:
[Dealership Name]

By: ____________________________
Name: __________________________
Title: __________________________
Date: __________________________

Vendor:
[Vendor Name]

By: ____________________________
Name: __________________________
Title: __________________________
Date: __________________________


This sample vendor agreement aligns with the FTC Safeguards Rule and ensures vendors handling sensitive data comply with strict security and privacy obligations.