Unless otherwise defined herein, capitalized terms have the meanings ascribed to such terms in the Master Services Agreement (MSA).
A. Customer Responsibilities
- Customer may request that Olo make Customer Data available to Customer Third Party Providers in accordance with the process set forth in the Master Services Agreement. If Olo receives a request from a Customer Third Party Provider to share certain Customer Data with such Customer Third Party Provider, Olo will notify the Customer representative, as designated in the Order Form. Upon authorization, Olo will provide Customer Third Party Provider with access to such Customer Data.
- Customer will not, will not attempt to, and will not assist or knowingly permit any third party to: (i) except as otherwise expressly permitted by Olo, copy, reproduce, distribute, republish, download, display, modify, disassemble, decompile, reverse engineer, or create derivative works of any Licensed Application (or portion thereof); (ii) breach, break, decrypt, disable, interfere with, or develop or use any workaround for, or otherwise misuse or damage, any Licensed Application; (iii) copy, distribute, sell, resell, or exploit for any commercial purposes any portion of the Licensed Applications; (iv) use any manual or automated software, devices or other processes, including, without limitation, spiders, robots, scrapers, data mining tools, and the like, to “scrape” or download data from any web pages contained in the Licensed Applications; or (v) use your access to the Licensed Applications to assist you or a third party, including, but not limited to, a Customer Third Party Provider, in building a competing or similar website, application or service.
B. Olo Responsibilities
- Olo will collect, use, disclose and otherwise process End User PII to provide the Services.
- Olo has in place a comprehensive, written information security program designed to protect the information under its custody, management or control, including all PII, from unauthorized access, use, disclosure, loss and theft, using industry standard security practices and technologies. Olo's information security program includes the following safeguards: (a) secure business facilities, data centers, servers, and back-up systems and disaster recovery; (b) network, device, application, database and platform security; (c) secure transmission, storage and disposal; (d) encryption of PII placed on any electronic notebook, portable hard drive or removable electronic media with information storage capability, such as compact discs, USB drives, flash drives, and tapes; (e) encryption of PII in transit over public networks; (f) segregating PII from information of other clients of Olo; and (g) personnel security and integrity including, but not limited to, background checks consistent with applicable law and the requirements of this Agreement.
- Olo will regularly, but in no event less than annually, evaluate the effectiveness of its information security program and shall promptly adjust and/or update such programs as reasonably warranted by the results of such evaluation.
- All Olo personnel with access to PII are provided appropriate information security and privacy training regarding Olo's obligations and restrictions under this Agreement and compliance with applicable laws and Olo's information security program.
C. Breaches of Security
- “Breach of Security” means any loss, misuse, disclosure of, or unauthorized access to PII under Olo’s custody, management or control that materially compromises the privacy, security, integrity or availability of the PII.
- Olo will promptly notify Customer of any Breach of Security by email to the Customer designee listed in the Order Form. The notification will include an explanation of any actions Olo determines it must take in response to a Breach of Security.
- Customer shall promptly notify Olo by email at Security@olo.com of any suspicious activity in connection with the Services, which Customer detects or of which Customer becomes aware, that may indicate an actual or suspected Breach of Security is occurring or has occurred. The notification should include an explanation of any actions Customer determines it must take in response to such actual or suspected Breach of Security.
- Olo will reasonably cooperate with Customer to mitigate any harm caused by a Breach of Security, and will take all steps that Olo determines are reasonably necessary or appropriate to isolate, investigate, and remediate the effects of such occurrence, ensure the protection of those End Users that are affected or likely to be affected by such occurrence, prevent the recurrence of any such Breach of Security, and comply with applicable laws.
- Olo may determine that responding to a Breach of Security requires Olo to suspend the Services. When this occurs, Olo will notify Customer of such suspension as soon as reasonably practicable. Any suspension under this Section 5 shall not be considered Downtime as defined under the Digital Ordering Terms & Conditions Addendum, if applicable to Customer’s use of the Services.
- Olo may determine that responding to a Breach of Security requires Olo to communicate directly with End Users by email, in-app or in-site messages, or other means, regarding actions that End Users must take to enable Olo to respond to a Breach of Security, including without limitation, resetting End Users’ login credentials. Olo will undertake such actions in its sole discretion.
- Except in the event a Breach of Security is directly caused by Olo’s action or omission, Olo will provide reasonable additional assistance under this Section 7 as reasonably requested by Customer, at Customer’s expense.
- Customer shall be responsible for determining whether any notification to End Users, regulators, law enforcement authorities, or other third parties is required in response to any Breach of Security, and for providing any such notifications. Customer may request that Olo notify affected End Users of a Breach of Security, in which case Olo will provide such notice to End Users solely using the contact information which End Users have provided in connection with the Services.
- To the extent a Breach of Security results directly from Olo’s action or omission, Olo will promptly reimburse Customer for all reasonable and documented costs actually incurred by Customer in notifying affected End Users and providing credit monitoring to End Users to the extent that notification and/or credit monitoring are required by applicable law or the parties agree in good faith that notification and/or credit monitoring is appropriate under the circumstances. The parties agree that credit monitoring is not appropriate unless the Breach of Security has materially compromised End Users’ government-issued identification numbers or financial account numbers.
D. PCI DSS Compliance
- At all times during the duration of the Agreement, Olo shall be fully compliant with the Payment Card Industry Data Security Standard ("PCI DSS").
- At all times during the duration of the Agreement, Olo shall comply with all applicable rules and guidelines regarding service providers, third-party agents and processors as issued by the Card Associations (the "Card Rules”), as updated from time to time, and including Card Rules applicable to U.S. credit card transactions. The term “Card Associations” means MasterCard, VISA, American Express, Discover, or any other credit card brand or payment card network for or through which Olo processes payment card transactions on behalf of Customer.
- Olo shall validate its PCI DSS compliance as required by the applicable Card Rules. As of the date set forth below, Olo has complied with all applicable requirements to be considered compliant with PCI DSS, and has performed all necessary steps to validate its compliance with PCI DSS. Without limiting the foregoing, Olo represents and warrants that it (i) undergoes yearly On-Site PCI Data Security Assessments ("Annual Assessment") by a qualified security assessor (“QSA”) and, pursuant to its most recent Annual Assessment, is currently certified as compliant with the current version of PCI DSS by the QSA; and (ii) undergoes a quarterly network scan ("Scan") by an approved scanning vendor and has passed its most recent Scan.
- Olo shall notify Customer within seven (7) days if it (i) receives a non-compliant Annual Assessment from a QSA, (ii) fails to complete any Annual Assessment prior to the expiration of the previous year's Annual Assessment, or (iii) is no longer in compliance with PCI DSS; provided that Olo shall first have a remediation period of thirty (30) days (the “Cure Period”) to come into compliance with PCI DSS after determining it is noncompliant, and if Olo cures such noncompliance within the Cure Period, Olo shall not be required to notify Customer hereunder.
- Olo agrees to supply evidence of its most recent Annual Assessment prior to or upon execution of this Agreement. Thereafter, Olo, upon Customer’s reasonable request, shall supply to Customer evidence of Olo's successful completion of its Annual Assessment.
- For the avoidance of doubt, and notwithstanding the foregoing, Customer shall be solely responsible for ensuring compliance with PCI DSS (a) of its custom built front end websites, mobile applications, or other web properties, or (b) to the extent Customer has incorporated any custom, non-standard software code into Olo’s standard white label front end website offering. Olo shall have no obligation to monitor such custom web properties for compliance with PCI DSS or to notify Customer of any noncompliance.
E. Security Vulnerabilities
If you believe you have found a security vulnerability in one of our products or our services, or if you have found sensitive Olo data outside of our systems, you may reach the Olo security team at email@example.com. The Olo security team can provide various methods to encrypt sensitive communications.
Updated September 8, 2020