Policy and Practices

Yellow Privacy Policy  

Last updated: September 1, 2021

Statement of Commitment

Information is one of the most powerful and valuable assets in business today. Yellow Corporation and our family of companies promise to safeguard the information you share with us as if it were our own. This privacy policy applies to www.myyellow.com.

This privacy notice does not apply to products or services provided, or information obtained, other than through the Website.  We may change this notice from time to time so please check back often.  If we significantly change our collection, use, or disclosure practices, we will try to send you a notice via email if you have provided us with an email address.  Please keep in mind that some of the services mentioned specifically in this notice may not be available on the site at this time.  

What Information Do We Collect?

The information we receive from you is voluntary.

Please note that data protection laws in the United States differ from those in Canada. By providing us your personal information, you consent to the collection, transfer and processing of your personal information to and from both the United States and Canada and agree that your personal information may be subject to access requests from governments, courts or law enforcement in the United States according to the laws of the United States.

As part of providing products and services to you, we may collect information, including personal information, about you or your business.  Personal information is data that can be used to identify you.  The information includes but is not limited to:

·         Name

·         Email address

·         Phone number

·         Company

·         Title

·         Other information you disclose when you ask us a question about our Website or our products and services.

·         Technical information about your use of our site including IP address, device identifier, and viewing information

·         Geo-location information telling us from where you are accessing the Website


Direct Collection

We collect much of the information listed above directly from you when you submit it on our Website.  This includes information you share on the Contact Us page of our Website


Indirect Collection – Cookies and Other Technology

As part of offering and providing customizable services, we use cookies and other online tracking technologies to store and sometimes track information about you.  We may use these technologies to:

·         Provide you with personalized content based on your use of our Website

·         Enable you to more easily use our site by remembering and using contact information, purchasing information, and registration information

·         Evaluate, monitor and analyze the use of our site and its traffic patterns to help improve our Website and services

·         Assist us with ad reporting functions such as to learn which ads are bringing users to our Website


The types of technologies we use include:


Cookies.  A cookie is a small amount of data that is sent to your browser from a Web server and stored on your computer’s hard drive.  Cookies enable us to identify your browser as a unique user.  Cookies may involve the transmission of information from us to you and from you to us.  Cookies may also be used by another party on our behalf to transfer information to us in accordance with their privacy statement.  Some cookies are “persistent cookies.”  They are used by us each time you access our Website.  Other cookies are called “session cookies.”  Session cookies are used only during a specific browsing session.  We may use a session cookie, for example, to remember that you have already navigated through a particular menu, or that you have entered your registration information for Yellow Corporation.  We may also use “analytics cookies” that allow web analytics services to recognize your browser or device and, for example, identify whether you have visited our Website before, what you have previously viewed or clicked on, and how you found us.  This information is provided anonymously for statistical analysis only.  Analytics cookies are usually persistent cookies.

Web Beacons. We may also employ a software technology called a clear GIF (Graphics Interchange Format), also known as a pixel tag or Web beacon. A clear GIF is a line of code that we place on our Websites or in e-mails which allows us to analyze our advertising and the general usage patterns of visitors to our Websites. These help us better manage content on our site by informing us what content or promotions are effective. Unless you consent, we do not collect personally identifiable information from you through the use of web beacons. You may not disable Web beacons.

Log Files. Like most standard website servers, we use log files. Log files track Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, platform type, date/time stamp and number of clicks. We utilize this information to analyze trends, administer the site, prevent fraud, track website navigation in the aggregate and gather broad demographic information for aggregate use.


SalesForce.  We use the SalesForce Customer 360 tool to help us better understand and communicate with our customer base.  SalesForce Customer 360 collects contact information such as name, mailing address, email address, phone number, age, etc. and couples that with product purchasing information on behalf of your business.

How Do We Use Your Information?

The general information you provide helps us build a better website in terms of functionality and content. With your permission, we may occasionally notify you of news at Yellow Corporation that may be of interest to you.

We use your registration information to provide you with access to Yellow Corporation to receive quotes, tracking and other information about shipping services from Yellow Corporation. The information that we collect in Yellow Corporation directly relates to the application or task that you have asked us to perform, such as a pickup request. As with the general information, we’ll use what you have provided to continue to build better service and business overall.


Distribution of Information in Yellow Corporation


The general and specific information that we collect will be shared in our organization to perform the activities you’ve asked us to do. In addition, individual data will be aggregated and analyzed to understand customer trends and requirements, so that we can continue to provide a service that is reliable, responsive and efficient.

Third-Party Distribution of Information 

Except as specified in this Privacy Policy or otherwise with your consent, Yellow Corporation will not sell, rent, trade or otherwise distribute your information to any other organization unless compelled by law or legal process. We may, however, disclose contact information to our agents for the purpose of performing services on behalf of Yellow Corporation such as website development and operation, preparing marketing materials, sending postal mail or email, analyzing website use, job applications, processing payments and processing data. To protect our customers’ privacy, we work only with companies that agree to maintain strong confidentiality protections and prohibit them from using the information we provide for any other purpose. 


We do not permit these companies to sell or otherwise distribute the information we give them to any other third party.


We may disclose “blinded” aggregated data and user statistics to prospective partners and other third parties.  Blinded data is data that does not identify an individual person.


We’ll ask for your consent before using your information for a purpose that extends beyond what you may reasonably expect from a freight company and that has a more significant privacy impact.


We also may disclose your information in special cases. For example, when we believe that we must disclose information to identify, contact or bring legal action against someone who may be violating our online terms, or may be causing injury to or interference with our rights or property, other website users or clients, or anyone else who may be harmed by such activities. We may disclose visitor information when subpoenaed, if ordered or otherwise required by a court of law, arbitrator or other similar proceeding or the rules governing such a proceeding, for government investigations, with government agencies if required by law and when we otherwise believe in good faith that any applicable law requires it.


We may engage in mergers, acquisitions or other such transactions with other companies. In such transactions, confidential client information generally is one of the transferred business assets. In the event of such a transaction client and site visitor information may be one of the transferred assets and may be disclosed in connection with negotiations relating to a proposed transaction. In such cases, the transferred information may become subject to a different privacy policy.

Choice and Consent

Direct Collection. The more we know about you, the better our ability to serve you and provide products and services that are of real value. Our Website is a voluntary information channel that is open to you at all times. You always have a choice regarding the tools that you use and the information that you provide. We don’t ask questions for the sake of asking questions, but do so because it is pertinent to our ability to serve and know you better. You always have the right to access your personal information and to modify or delete it as you wish.


Cookies. You may disable browser cookies in your browser or set your browser to warn you when a cookie is being sent. You may lose some features or functionality when you disable cookies.  Remember, also, that disabling cookies is browser specific. If you log on using Google Chrome, IE, Firefox or Microsoft Edge, you must also disable cookies in Safari if you use that browser at a different time.


Google Analytics. Google Analytics is a web analysis service provided by Google Inc. Google utilizes user data such as browser and computer settings like screen resolution, operating system and cookies that track whether a user is a returning visitor to track and examine the use of this website, to prepare reports on the user’s activities and share them with other Google services. Google may use the data collected to contextualize and personalize the ads of its own advertising network. The data collected by Google Analytics does not contain any information that personally identifies you. Click here to review the Google privacy policy.

You can also learn more about this technology and how to opt-out of this feature by installing the Google Analytics Opt-out Browser Add-on.


Web Beacons.  It is not possible to disable Web beacons.


Log Files.  It is not possible to disable log files.


How can I control my personal information?

You may contact us privacy@myyellow.com if you wish to view, edit, or delete your personal information from our database, and we will use commercially reasonable efforts to accommodate your request. 

If you believe that any inaccurate or inappropriate information has been obtained or provided to others through your use of this Website, you should contact a representative at privacy@myyellow.com.


How do we protect your information?

Financial Information

We do not currently collect financial information on the Website.

Other Information

Because information sent through the Internet travels from computer to computer throughout the world, when you give us information, that information may be sent electronically to servers outside of the country where you originally entered the information.  Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure.  Except as specifically stated, this site does not use security encryption measures.  Information that you disclose by use of this site (as with any site that is non-secure), by posting a message or using e-mail, potentially could be collected and used by others.  This may result in unsolicited messages from third parties or use of such information by third parties for their own purposes, legal or illegal.  As a result, while we strive to protect your personal information, we cannot ensure or warrant the security of any information you transmit to us or from our services, and you do so at your own risk.  Once we receive your transmission, we use commercially reasonable efforts to ensure its security on our systems.


Users From Outside the United States


The data protection and related laws of the United States may be different than those of your own country, including the European Union’s General Data Protection Regulation. This Website is not intended for use by persons located in the European Union. This Website is also not intended to be used by those under the age of 18.


Users in California

California Civil Code Section 1798.83 permits our website visitors who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@myyellow.com.


Please make sure to state that you are a California Resident.


Do Not Track


Do Not Track (DNT) is a privacy preference that users can set in their web browsers. While the United States Federal Trade Commission has endorsed DNT, our Website does not support DNT codes. However, except in the case of analytics cookies, remarketing and other features of Google Display Advertising described above, our Website limits tracking to the internal uses described above. Except in the case of analytics cookies our Website does not track your use across multiple websites; however, other websites to which we link may.  


Please review their privacy policies to understand how you may be tracked.


Scope of Notice

This notice applies to personal information we collect about California residents both online and offline. It applies to California residents who are users of our Website; our customers; individuals inquiring about our products; and all other California residents from whom we collect personal information.

As defined in the CCPA, personal information includes any information that identifies, relates to, or could reasonably be linked to a California resident or household.  It includes, but is not limited to: identifiers, characteristics of protected classes, commercial information, biometrics, internet or electronic information, geolocation data, audio/visual or similar information, employment and educational information, and inferences drawn from any identifiable information. Personal information does not include publicly available information from a public government record. 

This notice does not apply to information that is exempt from CCPA disclosure requirements. This includes personal information of individuals acting in their capacity as representatives of our clients, prospect clients, vendors, and other businesses that we conduct business with to the extent the information is collective with respect to a business-to-business transaction or business relationship. This disclosure also does not apply to individuals who are not California residents, any personal information exempted under Cal. Civ. Code Section 1798.145, or any other personal information not contemplated in the CCPA.

California Consumer Privacy Act

This Privacy Notice for California Residents supplements the information contained in above in our general privacy policy and applies solely to all visitors, users and others who reside in the State of California.

Your Rights

The California Consumer Privacy Act ("CCPA") grants State of California residents the following rights, to:

  • Know what personal information is being collected about them;
  • Know whether their personal information is sold or disclosed and to whom;
  • Say no to the sale of their personal information;
  • Access their personal information;
  • Have their personal information deleted; and
  • Have the right to equal service and price, even if they exercise their privacy rights under this law.
Categories of Personal Information We Collect

We collect information that identifies you, your household or your device or is reasonably capable of being connected with or linked to you, your household, or your device ("Personal Information"). Personal information does not include public information available from government records, de-identified or aggregated information or information that is protected by certain laws such as HIPAA for health-related information and the Gramm-Leach Bliley Act (GLBA) for certain financial information.

We collect the following categories of Personal Information:

  • Identifiers
    • First and last name
    • Email address
    • Mailing address
    • Phone number
    • Company name
    • Title
    • Internet Protocol (IP) Address
  • Personal Information Listed in the California Customer Records Statute
    • The above identifiers
  •  Financial, medical, or health information

                   o   Not collected

  • Characteristics of Protected Classifications

                   o   Not collected

  •  Commercial Information

                   o   Not collected

  • Biometric Information
    • Not collected
  • Commercial Information:
    • Bills of lading
    • Shipping information for freight and rate quotes
    • Overcharge claim information
    • Cargo claim information
  • Internet or Other Electronic Network Activity Information
    • Cookies
    • Domain name
    • Browser type
    • Operating system
    • Usage data
  • Geolocation Data
    • Information that tells us from where you access our Website
  • Sensory Data
    • Not collected
  • Professional or Employment-Related Information
    • Not collected
  • Non-public Education Information
    • Not collected
  • Inferences Drawn from Other Personal Information
    • Not collected


Categories of Sources of Personal Information

We collect information from the following categories of sources:

  •          Directly from you.  For example, when you register for Yellow Corporation or login as a guest.
  •          Indirectly. we use cookies and other online tracking technologies to store and sometimes track information about you.


 How We Share Your Personal Information

We share information in each of the above categories as follows:

  • All Categories of Information
    • We will share information in all of the above categories if our company is sold or we engage in a merger or other such transaction.
    • We will share information in all of the above categories of information in connection with a law enforcement request that is compliant with the California Electronic Communications Privacy Act.
  • Identifiers
    • We share identifiers with service providers who use that information only to provide services to us such as website development and operating, sending postal mail or email, analyzing website use, job applications, processing payments and processing data.
  • Internet or Other Electronic Network Activity Information
    • We share this information with our data analytics providers
How We Use Your Information

See "How Do We Use Your Information" above to learn how we use your information. We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated or incompatible purposes without providing you notice.


Exceptions to our Disclosure Limitations

We also may disclose your information in special cases related to our legal obligations and to protect from the misuse of our websites. We may share your personal information in regard to legal proceedings if stemming from a violation of our Terms of Use and Sale or causing injury to us, our property, our website, our clients or others. We may disclose visitor information when subpoenaed, if ordered or otherwise required by a court of law, arbitrator, or other similar proceeding, for government investigations, with government agencies if required by law, and when we otherwise believe in good faith that any applicable law requires it.

How We Retain and Store Your Personal Information

We retain your personal information for as long as necessary to fulfill the purpose(s) for which we collected it and to comply with applicable laws.  We use reasonable security precautions to protect your information while in storage.

Requests to Know

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you
  • The categories of sources for the personal information we collected about you
  • Our business or commercial purpose for collecting or selling that personal information
  • The categories of third parties with whom we share that personal information
  • The specific pieces of personal information we collected about you (also called a data portability request)

If we sold or disclosed your personal information for a business purpose, two separate lists disclosing: sales, identifying the personal information categories that each category of recipient purchased; and disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained

Requests to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.


We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you. This includes fulfilling a shipping transaction or request, processing an overcharge claim and processing a cargo claim.
  • Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for such activities.
  • Debug online services to identify and repair errors that impair existing intended functionality.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
How To Submit a Request to Know or a Request to Delete

To request this information please submit a verifiable consumer request to us by either:

  • Calling us at 1.800.610.6500 or
  • Emailing us at privacy@myyellow.com and asking for a Consumer Request Form


Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. To designate an authorized agent, email us at privacy@myyellow.com and we will provide you with a form to make a designated agent request.


You may only make a verifiable consumer request for access or data portability twice within a 12-month period. To make a request, you must:


Complete and submit the CCPA Consumer Request (if a form is not available when you log onto the site, email us and we will provide you with a form).

Describe your request with sufficient detail that allows us to understand, evaluate and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.


We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.


We will try to respond to your request within forty-five (45) days of when we receive it. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another without hindrance, specifically by electronic mail communication.


We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.


We do not process privacy requests sent to us using third-party services.  This is because such services often request that we click on hyperlinks which we will not do for data security reasons.  These services are also susceptible to spoofing and other phishing attacks.  One of our highest priorities is to treat your information safely and securely.  If you live in a state that permits you to make a privacy request using a third-party agent, please have them contact us using the information above and we will take steps to identify them and ensure that they are your agent.


An amendment to the CCPA provides an exemption to the Right to Know and Right to Delete for personal information between a business and a person who is acting as an employee, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government where the information is used in the context of a business transaction. This exemption is currently set to expire on January 1, 2023. Until that date, we will not respond to requests to know or delete that meet this exemption. 

How to Submit an Opt-Out Request

We do not and will not sell your personal information to third parties. If we change that practice in the future, we will update our privacy policy and provide an opt-out link pursuant to the CCPA. We will treat any information that we collected prior to such a change as though you opted-out of the sale of your personal information.


Unless permitted by the CCPA, we will not:

  • Deny you goods or services
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
  • Provide you a different level or quality of goods or services
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services


However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information's value and contain written terms that describe the program's material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.

Your Nevada Privacy Rights

Nevada law (SB 220) permits customers in Nevada to opt-out of the sale of certain kinds of personal information. A sale under Nevada law is the transfer of this personal information to third parties for monetary consideration so these third parties can then resell or license the sold information. We do not sell your personal information to third parties as defined in Nevada law. If you are a Nevada resident and wish to opt-out of the sale of your personal information should we change our practices in the future, you must send a request by email to privacy@myyellow.com. Please make sure to state that you are a Nevada resident.   

How to Contact Yellow Corporation

By phone or by email, we’re always available to you:

Yellow Corporation

10990 Roe Ave.

Overland Park, KS 66211


Email: privacy@myyellow.com

Other Policies and Practices

Check out the links below to view our various corporate policy documents.

Vendor Supply Policy

Yellow believes in a supplier program that recognizes the diversity and beneficial contribution of our partners. This program reinforces our leadership role in those communities with which we share our livelihood and success.


We also believe this program has the potential of creating better partners, stronger customers, and economic growth for our community members.


We owe respect, dignity, and fair treatment to all. Our commitment is to provide fair and reasonable access to business opportunities without regard to business status, structure or ownership.

For more information, click here

Conducting Business with Yellow and Yellow Affiliates

Yellow actively partners with diverse suppliers that focus on providing high quality products and services. Business is awarded to suppliers through a competitive sourcing process and is focused on "best value". Best value is determined by evaluation of suppliers' proposals and selection of those offering the best combination of low cost, quality & technology. Our goal is to contract with the right suppliers for the right goods and services.

View PDF

Procurement Terms and Conditions

1. Definitions

“Affiliated Companies” means, collectively or individually, (1) all business units and divisions of YRC Enterprise Services, Inc. or its parents and (2) any entity controlled by, controlling, or under common control with Yellow Corporation. Such an entity shall be deemed to be an “Affiliated Company” only so long as such control exists.

A.   “Company” means YRC Enterprise Services, Inc. and/or any of its Affiliated Companies.

B.   “Delivery” means the point in time when the Supplier has delivered the goods or provided the services specified in the Purchase Order.

C.   “Master Agreement” means a master agreement for goods and/or services executed by Company and Supplier.

D.   “Order” means the purchase order issued by Company to Supplier which Supplier then invoices against for the goods or services provided to the Company by the Supplier.

E.   “Supplier” means the party providing goods or services to Company.

F.   “Purchases” means collectively or individually, the products or services purchased, or software licensed, pursuant to an Order.

G.   “Terms” means these Procurement Terms and Conditions.


2. Application. These Terms apply if: (a) Supplier ships or provides goods or services to Company; and (b) no executed master agreement is in effect between Company and Supplier. If a Master Agreement is in effect between the parties, the Master Agreement applies to the Order in lieu of these Terms. Except for terms expressly agreed to in writing and signed by a Company representative, any terms that conflict with or are not consistent with the Terms are not valid.


3. Conflicts. If a conflict exists between these Terms, the Order, and any other documents related to the purchases, the order of precedence is: (1) these Terms; (2) the Order; and (3) other documents attached to the Order. Any other forms or terms related to the Order, including any terms on Supplier’s website, product schedule, “shrink-wrap” or “click wrap” agreement or other pre-printed or boilerplate terms will have no force or effect.

4. Acceptance. Unless otherwise specified in an Order, Company will give notice of rejection or be deemed to accept: (a) services within 45 days after Supplier’s notice of completion, (b) products and software within 60 days after Supplier’s notice of (i) installation, if Supplier performs the installation, or (ii) delivery, if Supplier does not perform the installation. Supplier will, at its expense, repair, re-perform or replace the Purchases, as applicable until Company accepts or finally rejects the Purchases. If Company accepts any Purchases that contain a defect or nonconformity not apparent on examination, Company may revoke acceptance. If Company finally rejects or revokes acceptance, Supplier will refund all amounts paid by Company for the Purchases. Company may test or inspect all Purchases delivered, but Company’s inspection, testing or payment (or lack of inspection, testing or payment) is not deemed acceptance of Purchases or a waiver of any right or warranty and does not preclude Company from rejecting defective Purchases that do not meet Company’s specifications.


5. Representations and Warranties. Supplier represents and warrants that: (a) Supplier has all requisite ownership, rights and licenses to perform fully its obligations arising in connection with the Order and to grant to Company all rights to the Purchases, including good and marketable title for tangible products, free and clear from any and all liens, adverse claims, encumbrances and interests of any third party; (b) Purchases will: (i) conform with all specifications; and (ii) be free from deficiencies and defects in materials, workmanship, design and performance; (c) Purchases that involve services will be performed in a professional and workmanlike manner; (d) Purchases, and use of the Purchases, as permitted under the Order, will not infringe, violate, or misappropriate any intellectual property or proprietary right of any third party; (e) Supplier will, at its expense, promptly correct replace or refund all amounts paid by Company for non-conforming Purchases; and (f) the software or data included in the Purchases will not contain any software viruses or other malicious computer instructions designed to damage, disable or shut down a computer system or any component of a computer system, including security features or data.

6. Confidential Information. Supplier may use and copy the Company Confidential Information only for the purpose of performing its obligations under the Order. “Company Confidential Information” means all information relating to the Order and any information that is clearly identified in writing at the time of disclosure as confidential as well as any information that, based on the circumstances under which it was disclosed, a reasonable person would believe to be confidential. Confidential Information shall include, but not be limited to, formulas, methods, know how, processes, designs, new products, developmental work, marketing requirements, marketing plans, customer names, prospective customer names, and the terms and pricing under this Agreement, regardless of whether such information is identified as confidential.


Confidential Information includes all information received from third parties that either party is obligated to treat as confidential and oral information that is identified by either party as confidential. Company Confidential Information does not include information that is: (i) rightfully known by Supplier before negotiations leading to the Order; (ii) independently developed by Supplier without use of the Company Confidential Information; (iii) part of the public domain or (iv) is lawfully obtained by Supplier from a third party without any confidentiality violation. Copies Supplier makes of Company Confidential Information must contain the same confidential or proprietary notices or legends as the original. Supplier will not disclose Company Confidential Information to any third party without Company’s prior written consent. Supplier will protect Company Confidential Information with the same degree of care as it uses to protect its own information of like importance, but not less than reasonable care. Upon cessation of work, or upon request, Supplier agrees to promptly return all documents and other materials that contain or relate to Company Confidential Information.

7. Licenses. For software, documentation, and intellectual property provided under an Order but not specifically made for Company or owned by Company as work made for hire, Supplier hereby grants to Company a fully paid-up, worldwide, perpetual license to (a) install, display, perform, use, modify, reproduce, execute, distribute and create derivative works of the software, on any one or more machines and at any one or more locations, and in any number of production and nonproduction instances; and (b) use all intellectual property rights necessary to use the software as authorized in subparagraph (a). This license grant applies to and includes, without limitation, Company’s third-party contractors and agents. These Terms apply to all software provided by Supplier regardless of the form of delivery and supersede all click wrap, shrink wrap, and other license terms included with the software or in any Supplier forms or documentation. Supplier will promptly deliver any enhancements, including modifications, revisions, corrections, updates to any software that Supplier generally makes available to its customers, including all related documentation.


8. Breach. Company may terminate the Order by written notice to Supplier if Supplier breaches the Order and fails to cure such breach to Company’s satisfaction within 10 days of written notice specifying the breach.

9. Payment Terms. All payments hereunder shall be payable net sixty (60) days following Company’s receipt of Supplier’s invoice. Supplier will invoice Company after Delivery to Company. Supplier will submit invoices via electronic file submission through the Coupa Supplier Portal or by other electronic means as determined by Company. Supplier will not (a) issue an invoice to Company more than 90 days after the first date it is permitted to issue an invoice under the Agreement (“Late Invoice”) or (b) initially raise a claim for payment of a previously issued invoice more than 120 days after the invoice date (“Late Claim”). Company is not obligated to pay Late Invoices or Late Claims and Company waives all rights and remedies related to Late Invoices and Late Claims. Any amount in dispute shall not be payable until resolution of such dispute. If Supplier is required to pay (i) sales, use, property, value-added, withholding or other taxes, (ii) any customs or other duties, or (iii) any import, warehouse or other fees, associated with the importation or delivery, then such taxes, duties or fees shall be billed to and paid by Company. If Company is permitted to declare any such taxes, Company shall declare and pay such taxes and Supplier shall not be required to invoice Company.


10. Relationship of Parties. All personnel furnished by Supplier shall be employees of Supplier and Supplier shall pay all salaries and expenses of such employees and shall be solely responsible for all Federal Social Security Taxes, Federal and State Withholding Taxes and unemployment Taxes and Workmen’s Compensation insurance relating to such employees. The work shall be performed by the Supplier as an independent contractor. The Supplier shall have full power and authority to work without detailed control or direction by Company. The Supplier will receive directions from Company and Company’s representative as to the end results to be accomplished, and the Supplier shall be responsible for determining the manner and means of accomplishing the work to be performed hereunder pursuant to good and workmanlike practices.


Compliance by the Supplier with safety practices or orders issued by Company or Company’s representative shall not affect the Supplier’s status as an independent contractor and shall not relieve the Supplier of its obligations under these Terms or an Order.

11. Limitation of Liability. IN NO EVENT SHALL COMPANY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, DATA OR USE, INCURRED BY EITHER PARTY OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The aggregate and cumulative liability of Company for direct and proven damages hereunder shall in no event exceed the amount of fees paid by Company under this Agreement or $10,000, whichever is lesser.

12. Indemnification. The Supplier assumes all liability for and agrees to defend, indemnify and hold Company, its employees, agents and subsidiaries (collectively, the “Company Indemnitees”), harmless from and against all demands and any liability sought to be imposed upon Company Indemnitees, of whatsoever character, whether direct or indirect, provided that the liability arises from Supplier's or its employees' negligence or misconduct. Supplier further assumes all loss, damage, costs, and expense, including all attorney's fees, incurred by Company Indemnitees arising from or in any way connected with the Supplier's or its employees' negligence or misconduct hereunder, including without limitation, bodily injury, sickness and/or disease, including death at any time resulting from such bodily injury, sickness and/or disease sustained by any person while in, on or about Company's premises, if or where such injury, sickness, disease and/or death arose out of or was in any way connected with the negligence or misconduct of Supplier or its employees; and damage to property of the Company, Supplier, or others arising out of or incident to Supplier's or its employees' negligence or misconduct. Supplier shall defend, indemnify, release and hold harmless the Company Indemnitees from and against any loss, damage, injury, liability, demands and claims, and pay any settlements and judgments against the Company Indemnitees, arising out of alleged or actual infringement (whether or not the alleged infringement is joint or indirect) of patent rights, trademark, copyrights or alleged misuse of trade secret information, by the whole or any portion of the Purchases.

13. Insurance.

A.       Supplier will procure and maintain, at its sole cost and expense, the following types of insurance and amounts of insurance:

i.   Commercial automobile liability insurance: (including owned, non-owned and hired vehicles) with minimum limits of not less than $1,000,000.00 per occurrence combined single limit for personal injury and property damage.

ii.   Commercial general liability insurance: including blanket contractual liability and coverage for products and completed operations with minimum limits of liability of not less than $1,000,000 per occurrence.

iii.   Workers compensation and Employers Liability Insurance: in accordance with statutory requirements of jurisdiction where work is being performed with Employers’ Liability Limits not less than $1,000,000.

iv.   Professional liability where applicable in an amount not less than $1,000,000 per claim.

B.       Company shall be included as additional insured with respect to General Liability, Product Liability, and Automobile Liability and all policies including Workers’ Compensation shall be endorsed with a waiver of subrogation in favor of Company. Policies shall be issued by insurance companies that are qualified to do business in the state where work is performed and shall have an A.M. Best rating of at least A. Supplier shall provide certificate of insurance to Company evidencing the required insurance prior to the commencement of any services. It is specifically agreed that the types and amounts of insurance required herein shall not limit or otherwise affect Supplier’s liability or obligation to indemnify and hold Company harmless as provided by the indemnification provisions of these Terms.

14. Compliance with Law. The Supplier shall obtain all necessary permits and licenses, with the exception of permits and licenses that are required to be in Company’s name. The Supplier shall pay all fees and taxes required by law and shall comply with all applicable laws, ordinances, governmental rules and regulations.


15. Job Safety. The Supplier shall abide by all applicable safety and health rules, including compliance with the Occupational Safety and Health Act.


16. Assignment and Sub-Contracting. The Supplier shall not assign or sub-contract any part of this contract without the written consent of Company, nor shall the Supplier assign any monies due or to become due to it hereunder without the written consent of Company. This contract shall not be transferable by operation of law.


17. Non-Exclusivity/Volume Commitments. There are no commitments by Company to Supplier of exclusivity in dealing, preferred vendor status, revenue generation, volume usage, purchase quantities or otherwise.


18. Equal Employment Opportunity. To the extent required by law and during the performance of this Agreement, the Supplier agrees to comply with Executive Order 11246 and agrees that it will not discriminate against any employee or applicant for employment because of race, color, religion, sex, or national origin.


19. Federal Contractor/Subcontractor. Company is a federal contractor/subcontractor which complies with Executive Order 11246, as amended, and the applicable regulations contained in 41 CFR Parts 60-1 through 60-60 and 29 CFR Part 471, Appendix A. Company and its covered subcontractors shall abide by the requirements of 41 CFR 60-1.4(a), 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against all individuals based on their race, color, religion, sex, sexual orientation, gender identity, or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status or disability.

20. Section 889 of the 2019 National Defense Authorization Act. In accordance Section 889 of the 2019 National Defense Authorization Act (the “Act”), Supplier represents that it (1) has reviewed manufacturers of the telecommunications or video surveillance equipment or services it will use or provide under this contract, (2) it will not provide any Covered Telecommunications Equipment or Services (as defined in the Act) to Company in the performance of this contract; (3) the equipment, systems, and/or services it will provide to Company under this contract do not contain or use Covered Telecommunications Equipment or Services, or any equipment, system, or service that contains or uses Covered Telecommunications Equipment, and (4) in the event Supplier identifies Covered Telecommunications Equipment or Services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance, or is notified of such by a subcontractor at any tier or by any other source, it shall report the information in FAR 52.204-25(d)(2) to Company within the time frames established therein.


21. Employee Notice Clause. Where applicable, the Supplier agrees to comply with the provisions of 29 CFR part 471 and agrees that it will inform its employees of certain rights related to union membership and the use of union dues and fees under federal law.


22. Governing Law/Jurisdiction. The Terms and all matters arising out of or relating to the Purchases shall be governed by the laws of the State of Kansas, excluding its conflict of law provisions. Any dispute regarding the Terms shall be subject to the exclusive jurisdiction of the applicable court in Johnson County, Kansas and each party submits to the jurisdiction of such courts.


23. Changes to Terms of Service. These Terms are subject to occasional revision, and if Company makes any material changes it will post notice of the changes [insert location of notice]. These changes will be effective immediately. Continued fulfillment of Purchases and/or Orders following notice of such changes shall indicate Supplier’s acknowledgement of such changes and agreement to be bound by any revision of these Terms.


24. Entire Agreement. These Terms constitute the entire agreement between Supplier and Company regarding Company’s Purchases and Orders from Supplier. Company’s failure to exercise or enforce any right or provision of these Terms shall not operate as a waiver of such right or provision. The section titles of the Terms are for convenience only and have no legal or contractual effect. The word “including” means including without limitation. If any provision of these Terms is deemed to be illegal or unenforceable, the remainder of the Terms shall be unaffected and shall continue to be fully valid, binding, and enforceable.

Yellow Security and Privacy Policy for Vendors and Suppliers

This Information Security and Privacy Policy for Vendors and Suppliers (“Policy”) governs whenever a Supplier is granted physical or logical access to Yellow Information Systems, is Processing Confidential Information or where

Supplier Information Systems interact with Yellow Information Systems, as part of their contract(s). If any terms in this Policy conflict with the terms contained in any Agreement between Supplier and Yellow, the provisions providing the greatest protections to Confidential Information prevail and control.


1. Definitions


1.1. “Affiliate” means (1) all business units and divisions of a party or its parents and (2) any entity controlled by, controlling, or under common control with such party. Such entity shall be deemed to be an “Affiliate” only so long as such control exists.


1.2. “Agreement” means a contract, agreement, statement of work, task order, or purchase order governing the services and/or deliverables provided by Supplier to Yellow.


1.3. “Back-up Media” means a physical device or other physical storage media that contains Confidential Information. Back-up Media may include but is not limited to disks, drives, tapes, and hard copy.


1.4. “Confidential Information” means Yellow Critical Infrastructure Information, Customer Proprietary Network Information, Personally Identifiable Information, information defined as confidential in an Agreement, Sensitive Confidential Information, and any other sensitive, private, proprietary or legally-protected data that is owned, controlled, or processed by Yellow or a third party.


1.5. “Critical Infrastructure Information” or “CII” means information regarding Yellow's network architecture and key network assets, including but not limited to, the location and capability of central offices, network points of presence and other critical network sites, network elements and equipment within them, and any other information Yellow designates as critical infrastructure information.


1.6. “Device(s)” means a piece of mechanical or electronic equipment used for computing or storing data and information, including Mobile Devices.

1.7. “Encryption” or “Encrypted” means protecting information or data by converting it into a code using strong cryptographic protocol and hashing algorithm types and key management processes consistent with the highest-level industry practice.


1.8. “Location” means the location where Confidential Information resides or can be accessed, including but not limited to, a Device, physical location, hosting jurisdiction, or other jurisdiction.


1.9. “Location Move” means (a) moving Confidential Information from one hosting jurisdiction to a different hosting jurisdiction; (b) provisioning remote access to Confidential Information from a location other than the Yellow-approved hosting jurisdiction or other Yellow-approved jurisdiction; or (c) moving Confidential Information from a physical location or jurisdiction to a different physical location or jurisdiction.


1.10. “Mobile Device(s)” means portable computing and storage devices such as laptops, personal digital assistants, cell phones, tablets, and smartphones running mobile operating systems (e.g., iOS, Blackberry OS, Android, or Windows Mobile operating systems).


1.11. “Personally Identifiable Information” or “PII” means any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

1.12. “Privileged Account(s)” or (“PA”) means accounts with (a) system-level administrative or super-user access to devices, applications or databases; (b) administration access to accounts and passwords on a system; or (c) ability to override system or application controls.


1.13. “Process” or “Processing” means the performance of any operation or set of operations upon data (including, but not limited to, Confidential Information), whether or not by automatic means, including, but not limited to, collecting, recording, organizing, storing, adapting. altering, retrieving, accessing, consulting, using, disclosing by transmission, disseminating, making available, aligning, combining, blocking, erasing, or destroying data.


1.14. “Security Incident” means any actual or suspected event in which Confidential Information is or may have been lost, stolen, improperly altered, improperly destroyed, improperly disclosed, used for a purpose not permitted under an Agreement or this Policy, or accessed by any unauthorized person.


1.15. “Security Notice” means any written communication, notice, filing, press release, or report related to a Security Incident.


1.16. “Security Standards” means commercially reasonable security features in all material hardware, software, systems, and platforms that Supplier uses to access, Process and/or store Confidential Information.


1.17. “Sensitive Confidential Information” means Confidential Information that involves racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health and financial matters, sexual preferences, Social Security Numbers, credit cards and any other account numbers, customer data, or other Confidential Information which Yellow identifies as Sensitive Confidential Information, whether the information pertains to consumer, business, or employment activities.

1.18. “Services” means the services, materials, products, deliverables Yellow engaged Supplier to produce or perform which necessitate the Processing of Confidential Information.


1.19. “Supplier” means the entity and any Affiliate of such entity that provides Services to Yellow that Processes or has access to Confidential Information or has access to Yellow Information Systems or data.


1.20. “Supplier Information System(s)” means any Supplier systems, applications, computers, network equipment, hardware and Mobile Devices used to Process Yellow Confidential Information pursuant to the Agreement and/or as part of the Services, which includes laptops and network connected devices.


1.21. “Supplier Personnel” means Supplier’s employees, as well as its Affiliates, suppliers, subcontractors, and agents, and their respective employees.


1.22. “Yellow” means Yellow Corporation and its Affiliates.


1.23. “Yellow Information System(s)” means any networks, databases, applications, computers, hardware and/or Mobile Devices managed by Yellow, including laptops and network connected devices.

2. Minimum Periodic Review Requirements

2.1. Annual Review

2.1.1. Vulnerability and Penetration assessments (See Section 5)

2.1.2. Supplier Personnel Training (See Section 4)

2.1.3. Security Standards Audit (See Section 10)

2.2. Semi-Annual Review

2.2.1. Authorized connections and rule sets (See Section 6)

2.3. Quarterly Review

2.3.1. Physical access rights (See Section 5)

2.3.2. Privileged Account access rights (See Section 5)

2.3.3. Security Incidents (See Section 9)


3. Minimum Retention Requirements

3.1. Security Camera Recordings: 30 days

3.2. Physical access logs: 1 year

3.3. Security Incident logs: 1 year


4. Security Requirements

4.1. Supplier must review this Policy before accepting or Processing any Confidential Information. Supplier must protect Confidential Information from unauthorized Processing, disclosure, or loss. At all times that Supplier Processes Confidential Information, Supplier must:

4.1.1. Meet all Security Standards, as applicable, of this Policy.

4.1.2. Meet the terms of the Security Requirements section, and Additional Security Requirements Section, as applicable, of this Policy.

4.1.3. Maintain written physical and technological safety and data security procedures (“Safety Procedures”) to safeguard against the destruction, loss, unauthorized access, or alteration of Confidential Information, reflecting best practices for information security.

4.1.4. Maintain and follow written Security Standards and Safety Procedures, including any requirements specified in the Agreement, regarding backup and recovery of data to prevent loss of data in the case of a systems outage or Security Incident.

4.1.5. Require that all Supplier Personnel review and sign an attestation to follow and comply with the Safety Procedures.

4.1.6. Conduct Safety Procedures training for all Supplier Personnel at least annually.

4.1.7. Create and implement a tailored and appropriate due diligence process to continually verify Supplier and Supplier Personnel compliance with this Policy, the Safety Procedures, and additional security requirements contained in any applicable Agreement.

4.1.8. Assume ultimate responsibility and liability for Supplier Personnel compliance with this Policy and any additional security requirements contained in an applicable Agreement.

4.1.9. Maintain a privacy policy on Supplier’s website.

4.1.10. Cooperate in good faith to modify its business practices to accommodate any future changes in the parties’ hardware, software, or services, or in legal or industry standards regarding the

treatment of Confidential Information that may affect the reasonableness or effectiveness of the protections under this Policy.

4.2. In the event of separation, termination, or transfer of Supplier Personnel, Supplier shall undertake prompt and reasonable measures to:

4.2.1. Terminate Supplier Personnel access to Confidential Information, whether physical or logical, no later than the date of personnel separation or personnel transfer.

4.2.2. Where Supplier Personnel have been assigned Yellow sign-on credentials, Supplier must notify Yellow of any such separation or transfer immediately, but no later than the day of that event.


4.3. Unless prohibited by applicable law or regulation, Supplier shall notify Yellow promptly and act only upon Yellow’s instruction, upon any request by a third party, including without limitation law enforcement, governmental authority, or in connection with litigation or other court process for disclosure of Confidential Information or for information concerning the Processing of Confidential Information.


4.4. Supplier and Supplier Personnel are expressly prohibited and not authorized to Process Confidential Information on personal accounts (e.g., individual email or cloud services accounts such as Gmail, Yahoo, Dropbox, Google Drive, etc.) or on personally owned Devices.


4.5. Supplier is authorized only to Process Confidential Information on Supplier Information Systems to the extent necessary to perform the Services. Processing Confidential Information on Supplier Information Systems beyond the extent necessary to perform the Services is expressly prohibited.


4.6. Yellow prior approval is required for all Locations and Location Moves.


4.7. Supplier is prohibited from Processing any Confidential Information at any location outside the United States or through entities that are not incorporated or organized in the United States. Any exceptions require prior written consent from Yellow.


4.8. Encryption is required for the following instances:

4.8.1. At rest for any Device containing Confidential Information.

4.8.2. When electronically transferring Confidential Information over public networks (such as the Internet) or across non-U.S. territory.


4.9. Supplier Information Systems must have security controls that can detect and prevent attacks and must be continuously monitored. For example, network layer firewalls and intrusion detection/prevention Systems (IDS/IPS) between the Internet and DMZ, and between DMZ and internal servers containing Confidential Information. IDS/IPS high and critical priority alerts must be responded to as soon as reasonably practicable but in no case more than 24 hours.


4.10. Any Supplier Personnel remotely accessing Supplier Information Systems must be authenticated using at least a two-factor authentication method and such transmissions must be secured using Encryption.

4.11. Supplier agrees that all Yellow data residing on Supplier Information Systems is the property of Yellow. Supplier must return to Yellow all Yellow data upon dissolution of the Agreement or business relationship between Yellow and Supplier, regardless of cause.


4.12. Supplier must remove Confidential Information from Supplier Information Systems prior to disposal or reuse in a manner that ensures that the Confidential Information may not be accessed or readable. Supplier’s removal process must be an auditable process (e.g., certification of destruction).


4.13. Upon dissolution of the Agreement or business relationship between Yellow and Supplier, and after returning Yellow data to Yellow, Supplier must remove Confidential Information from Supplier Information Systems in a manner that ensure the Confidential Information may not be accessed or readable. Supplier’s removal process must be an auditable process (e.g., certification of destruction).


4.14. Yellow reserves the right to audit Supplier and Supplier Personnel for compliance with this Policy.


5. Additional Security Requirements for Sensitive Confidential Information In addition to the above Security Requirements, the following additional measures and controls are required with respect to Sensitive Confidential Information, Supplier shall:


5.1. Perform vulnerability and penetration assessments on Supplier Information Systems. For Supplier Information Systems that are internet facing, Supplier must engage an independent external party to perform a vulnerability and penetration assessment at least annually and shall remediate as required and

identified by Audits.


5.2. Have or implement hardening and configuration requirements consistent with highest level industry practices.


5.3. Implement and maintain appropriate data loss prevention (“DLP”) controls consistent with highest level

industry practices (e.g., disabling of USB ports, DLP software, URL/Web filtering) to detect and prevent unauthorized exfiltration of Confidential Information from Supplier Information Systems.


5.4. Support the secure creation, modification, and deletion PAs.

5.4.1. Supplier must review and update PA access rights at least quarterly.

5.4.2. Supplier shall continually review PA usage logs.

5.4.3. Supplier shall use Encrypted mechanisms (e.g., secure shell) to establish PA access.


5.5. Monitor, record, and control all physical access with physical access rights.

5.5.1. Limit physical access to Supplier Information Systems to approved, authorized Supplier Personnel

5.5.2. Unless prohibited by applicable law, Supplier must create physical access logs detailing access.

5.5.3. If Supplier is not staffed with physical security 24 hours per day, it must install and maintain alarms and entry point security cameras for off-hours access monitoring.


6. Technical Controls on Supplier Information Systems


6.1. Unless otherwise expressly agreed in the Agreement, development and testing environments must not contain Confidential Information and shall only go “live” upon Yellow Information Security’s review and approval, as appropriate.


6.2. Back-up Media stored at Supplier’s site must be kept in a secure location (e.g., locked office or locked file cabinet) and be Encrypted to a standard consistent with industry practice. Off-site Back-up Media storage must employ a check-in/check-out process with locked storage for transportation. Back-up Media must be given the same level of physical and environmental protection as the level of protection applied to “live” Confidential Information.


6.3. Supplier must implement network layer security devices to allow only authorized connections and rule sets.


6.4. Use of Mobile Devices to Process Confidential Information is authorized only in compliance with this Policy and only as needed to provide the Services. If so needed, Confidential Information contained on or processed through Mobile Devices must be Encrypted. Supplier must ensure that Mobile Devices used to Process Confidential Information (including emails) must have strong mobile device security controls, including required passcode, minimum passcode length, inactivity lock, and a process in place to immediately remotely wipe lost or stolen devices.


7. Compliance


7.1. Supplier represents and warrants that it shall comply with all laws and regulations applicable to Supplier’s activities concerning Confidential Information.


8. Data Collection


8.1. Unless and except to the extent expressly provided in the Agreement, Supplier must, in each case, seek and obtain Yellow’s prior written approval regarding the scope of any PII to be collected by Supplier, as well as any notices to be provided and any consent language to be used when collecting such information from or about an individual. In the case of PII collected directly from individuals by Supplier, Supplier shall comply with applicable data privacy laws and regulations, including those concerning notice, consent, access, correction, and deletion.

9. Security Incident


9.1. Supplier must develop and maintain an up-to-date incident management plan designed to promptly identify, prevent, investigate, and mitigate any Security Incidents and perform any required recovery actions to remedy the impact.


9.2. Security Incidents on Suppliers Information Systems must be logged, reviewed on a periodic basis, and securely maintained.


9.3. Supplier will promptly provide notification of Security Incidents (but in no event later than 24 hours after discovery) to Yellow in writing. Supplier shall report Security Incidents to Yellow’s Information Security Manager at Security.Management@yrcw.com, or by calling Yellow’s Network Operations Console (NOC) at 913.344.3106 and asking to be connected with the current Information Security Manager. In any such instance, Supplier will give specific information on what Confidential Information was accessed and any

other information Yellow reasonably may request concerning the details of the Security Incident, as soon as such information can be collected or otherwise becomes available. Supplier will also disclose any remediation efforts undertaken, to the extent known and will thereafter provide regular and timely updates throughout the ongoing investigation and remediation. Supplier shall work to secure the return of any Confidential Information removed or copied. Upon reasonable request of Yellow, Supplier may be required to hire an independent, third party forensic or security firm to assist with investigation or remediation efforts. Yellow reserves the right, and is entitled, to receive the final results of the investigation, whether conducted by Supplier or a third party.


9.4. Notwithstanding and excluded from any limitations in the Agreement, Supplier shall pay for or reimburse Yellow for all costs incurred by Yellow as a result of a Security Incident, including repeated and related losses and expenses relating to any Security Incident experienced by Supplier, including without limitation, costs of forensic assessments, Security Notices, credit monitoring or other fraud alert services, and all other remedies either required by applicable law and regulation or which are required to remediate the Security Incident and prevent similar Security Incidents in the future.

9.5. If requested by Yellow, and at Yellow’s direction, Supplier shall send Security Notices regarding a Security Incident.

9.5.1. Unless prohibited by applicable law or regulation, Supplier shall provide Yellow with reasonable notice of, and the opportunity to comment on and approve, the content of such Security Notices prior to any publication or communication thereof to any third party, except Yellow shall not have the right to reject any content in a Security Notice that is specifically required to comply with applicable law or regulation.

9.5.2. Should Yellow elect to send a Security Notice regarding a Security Incident, Supplier shall provide all reasonable and timely information relating to the content and distribution of that Security Notice as permitted by applicable law or regulation pursuant to the Security Notice.


9.6. Supplier may not make or permit any public statements or disclosure to any third party concerning any Yellow connection to any Security Incident without the explicit written authorization of the Yellow Legal Department.


10. Audits


10.1. Supplier shall monitor the effectiveness of its Security Standards by conducting or engaging a third party to conduct audits and risk assessments of Supplier Information Systems against the requirements of this

Policy. Supplier shall be responsible for ensuring consistency of its Security Standards, including proactive monitoring and mitigation of all vulnerabilities across any Supplier Information Systems used to access or Process Confidential Information or Yellow Information Systems.


10.2. Upon Yellow request, Supplier will provide information to Yellow to enable Yellow to determine compliance with the applicable security requirements. Yellow may require Supplier to, without limitation, answer security questionnaires or conduct scans of servers, databases and other network hardware, and submit an attestation by an officer of Supplier with knowledge of Supplier’s compliance.


10.3. Upon request, Supplier must provide to Yellow reports of any audits and assessments conducted on Supplier Information Systems, which reports shall include, at a minimum, the scope of the audit and/or assessment and any vulnerabilities, issues, findings, concerns, and/or recommendations in so far as they impact Confidential Information. Such reports provided by Supplier to Yellow shall be treated as confidential.


10.4. Supplier must remediate within thirty (30) days, or as soon as reasonably practicable thereafter, any items rated as high or critical (or similar rating indicating similar risk) in any audits or assessments of Supplier Information Systems. Yellow reserves the right to request remediation to be completed in less than 30 days or suspension of further activity where necessary to adequately protect Confidential Information. Where necessary to protect Confidential Information, Yellow may instruct Supplier to immediately suspend the Services without liability under any applicable Agreement.

10.5. Yellow reserves the right to conduct an onsite audit of Supplier on thirty (30) days prior written notice during regular business hours. This right shall survive termination or expiration of the Agreement so long as Supplier Processes Yellow Confidential Information provided under the Agreement. Supplier agrees to cooperate fully with Yellow or its designee during such audits and shall provide access to facilities, appropriate resources, provide applicable supporting documentation to Yellow, and complete security assessment questionnaires that may be requested.


10.6. If Yellow has a reasonable basis to believe that Supplier has breached or is likely to breach the terms of this Policy, Yellow may, upon 5 days’ notice, perform a vulnerability assessment, which assessment will be in addition to any assessment in the ordinary course. At Yellow’s reasonable request, Supplier will promptly cooperate with Yellow to develop a plan to protect Confidential Information from any applicable  failures or attacks, which plan will include prioritization of recovery efforts, identification of and implementation plans for alternative data centers or other storage sites and backup capabilities.


11. Material Breach


11.1. Notwithstanding anything to the contrary herein or in the Agreement, Supplier’s (including Supplier Personnel) failure to comply with the obligations set forth in this Policy also constitutes a material breach of the Agreement, with such rights and remedies set forth therein or under applicable law and regulation.


11.2. Yellow and/or any Yellow Affiliate may enforce the terms of this Policy with respect to Confidential Information.

Ethics Reporting

To report violations of the Code of Business Conduct, the law, or company policies, click here.