Article 11 – Indemnification

11.1 Mutual Indemnities.

Each Party agrees to indemnify, defend and hold harmless the other Party and its respective officers, directors, employees, agents, successors, and assigns, from any Losses related to, arising from, or in connection with any Third Party Claims alleging: (a) personal injury, wrongful death, or property damage proximately caused by the negligence or willful misconduct of the indemnitor, its employees, agents or subcontractors; (b) an act or omission of the indemnitor in its capacity as employer of a person; and (c) any breach by the indemnitor of its obligation with respect to Confidential Information under this Agreement.

11.2 Indemnity by Vendor.
Vendor agrees to indemnify, defend and hold harmless Subscriber and their respective officers, directors, employees, agents, successors, and permitted assigns, from any Losses related to, arising from, or
in connection with any Third Party Claims alleging: (a) the infringement by Vendor of a third party’s Intellectual Property Rights; (b) Vendor’s gross negligence or willful misconduct; (c) any violation by Vendor of applicable laws, rules, regulations, ordinances, orders, and directions of federal, state, provincial, county, and municipal governments,
all as they may be amended from time to time; and (d) Vendor’s abandonment or termination of the Services without cause. In the event of Vendor’s breach of its obligations with respect to Personal Data under this Agreement that results in unauthorized use or disclosure of Personal Data and in addition to Vendor’s other obligations under this
Section, Vendor shall reimburse Subscriber and Subscriber Entity for any and all costs and expenses related to notification of effected individuals and procurement of credit protection services for such individuals for a defined period The foregoing obligations of Vendor do not apply (i) to the extent that the allegedly infringing Services or portions or components thereof or modifications thereto result from any change made by Subscriber or any third party for the Subscriber without Vendor’s approval, (ii) to the extent that an infringement claim is based upon Subscriber Materials or (iii) to the extent that an infringement claim is based upon the combination of the Services with any third
party product, software or services except as expressly instructed by Vendor,, provided the infringement would not have occurred in the absence of such combination.

11.3 Indemnity by Subscriber.
To the extend Vendor processes Personal Data on behalf of Subscriber, Subscriber agrees to indemnify, defend and hold harmless Vendor and its officers, directors, employees, agents, successors, and assigns, from any Losses related to, arising from, or in connection with any Third Party Claims alleging such Personal Data and Vendor’s use thereof received directly from or at the direction of Subscriber. 

11.4 Infringement.
If a Service provided under this Agreement, or any part thereof, becomes, or in Vendor’s reasonable opinion is likely to become, the subject of an infringement or misappropriation claim or proceeding, and as a result of such claim or proceeding, Subscriber’s use of the Services, or any part thereof, may be enjoined or interfered with in any manner, then Vendor shall, in the following order of priority and in addition to indemnifying Subscriber as provided in this Agreement and to the other rights Subscriber may have, promptly (which, in the event Subscriber’s use of the Service, or any part thereof, is enjoined or interfered with in any manner, shall not exceed thirty (30) calendar days following such enjoinment or interference) at Vendor’s expense: (a) obtain a license for Subscriber to continue to use
the Service; (b) modify the Service to avoid the infringement but in a manner that still permits the Service to perform as promised under this Agreement; or (c) replace the Service with a compatible, functionally equivalent, and noninfringing deliverable or service. Vendor shall accomplish the remedies under subsections (a), (b) and (c) in a manner that minimizes the disruption to Subscriber’s business operations. If Vendor is not able to accomplish the remedies under subsections (a), (b) and (c) within a commercially reasonable time frame (which, in the event Subscriber’s use of the Service, or any part thereof, is enjoined or interfered with in any manner, shall not exceed thirty (30) calendar days following such enjoinment or interference), upon the discontinued use of the Services, Vendor may, at its option, terminate the Agreement without penalty, and Vendor shall promptly refund any pre-paid amounts applicable to any Services not performed as of the termination date. Sections 11.2 and this Section 11.4 set forth Vendor’s sole and exclusive liability and Subscriber’s sole remedy for any intellectual property infringement or misappropriation claim or proceeding.

11.5 Indemnification Procedures.
The Parties shall follow the following indemnification procedures: Promptly after receipt by the indemnitee of notice of a Third Party Claim, the indemnitee shall notify the indemnitor of such Third Party Claim in writing. No failure to provide indemnitor such notification shall relieve the indemnitor of its obligations under this Agreement except to the extent that the indemnitor can demonstrate prejudice attributable to such failure.
Within fifteen (15) days following receipt of written notice from the indemnitee relating to any Third Party Claim, but no later than ten (10) days before the date on which any response to a complaint or summons is due (“Election Notice Period”), the indemnitor shall notify the indemnitee in writing if the indemnitor elects to assume control of the defense
and settlement of that Third Party Claim (“Election Notice”). If the indemnitor delivers an Election Notice relating to any Third Party Claim within the required Election Notice Period, the indemnitor shall be entitled to have sole control over the defense and settlement of such claim; provided that: (a) the indemnitor’s successful defense or settlement of such claim is reasonably likely to result in the indemnified Party’s release of all liability relating to such claim; (b) the indemnitee may participate in the defense and employ counsel at its own expense to assist with such Third Party Claim; and (c) the indemnitor shall obtain the prior written approval of the indemnitee before entering into any settlement of such Third Party Claim that purports to bind the indemnitee. After the indemnitor has delivered an Election Notice, the indemnitor shall not be liable to the indemnitee for any legal expenses incurred by the indemnitee in connection with the defense of that Third Party Claim. In addition, the indemnitor shall not be required to indemnify the indemnitee for any amount paid or payable by the indemnitee in the settlement of any Third Party Claim for which the indemnitor has delivered a timely Election Notice if such amount was agreed to without the written consent of the indemnitor. If the indemnitor does not deliver an Election Notice relating to any Third Party Claim within the required Election Notice Period, the indemnitee shall have the right to defend the Third Party Claim in such manner as it may deem appropriate, at the sole cost and expense of the indemnitor. The indemnitor shall promptly reimburse the indemnitee for all such costs and expenses.

Article 12 – Limitation of Liability

12.1 Limitation of Liability. Neither Party shall be liable to the other for special, indirect, incidental, consequential, exemplary or punitive damages of the other or for any form of damages (even if advised of the possibility thereof) other than direct damages arising out of, or in connection with this Agreement or the subject matter hereof. The
aggregate liability to a Party for direct damages shall not exceed the greater of (i) three (3) times the fees paid or payable under the Agreement in the prior twelve (12) month period preceding the vent giving rise to a claim or (ii) $2,000,000 (two million) dollars. Notwithstanding the foregoing, the limitations of liability in this Agreement shall not
apply to limit: (a) a Party’s defense and indemnification obligations under this Agreement; (b) either Party’s liability to the other Party for Losses incurred by such other Party arising from fraud, gross negligence or willful misconduct, or violation of any applicable laws, rules or regulations of the liable Party; or (c) either Party’s breach of its obligations with respect to Personal Data or Confidential Information under this Agreement.

Article 13 – Term and Termination

13.1 Term of Agreement.
This Agreement shall commence on the Effective Date and remain in effect for three (3) years (“Term of Agreement”); provided that if an Order Form is active at the expiration of this Agreement, the terms and conditions hereof will remain in effect for such active Order Form until its completion. For clarity, an Order Form may not be executed nor renewed by the Parties following the (i) expiration or termination of this Agreement or (ii) the expiration or termination of the Master Agreement.

13.2 Order Form Initial Term and Renewal.
Each Order Form executed by the Parties, shall set forth a term for the Services provided thereunder. At the expiration of the Initial Term, the Order Form shall renew for the same period (“Renewal Term”) unless Subscriber elects not to renew the Services by notifying Vendor of such election in writing thirty (30) days prior to the expiration of the applicable term. Subject to Section 13.1 above, the Order Form shall continue to renew in a similar manner at the expiration of each subsequent Renewal Term.

13.3 Termination by Subscriber for Convenience. Subscriber may terminate this Agreement or Order Form at any time without cause on thirty (30) days’ prior written notice without liability to Vendor, except for payment by Subscriber on a pro rata basis for work completed or Services provided in accordance with the terms of this Agreement prior to such termination notice. Except as otherwise instructed by Subscriber immediately upon receipt of such termination notice by Vendor, Vendor shall cease all Services being performed hereunder. With respect to Services performed during the notice period, Subscriber will pay only for Services actually provided in accordance with Subscriber’s instructions.

13.4 Termination by Either Party for Cause.
Either Party may terminate this Agreement on thirty (30) days’ prior written notice if the other Party: (a) has committed a material breach of this Agreement and has failed to cure such material breach within such thirty (30) day notice period; or (b) should become insolvent, file a voluntary petition in bankruptcy, be adjudicated a bankrupt, have a receiver appointed for the operation of its business, or make a material liquidation of assets. Vendor may suspend Subscriber’s access and use of the Services (i) upon ten (10) days’ written notice to Subscriber in the event Subscriber is in breach of this Agreement, or (ii) if, and so long as, in Vendor’s reasonable business judgment, there is a security risk created by Subscriber that may interfere with the proper continued provision of the Services or the operation of Vendor’s network or systems.

13.5 Effect of Termination.
Upon termination of this Agreement for any reason, each Party shall: (a) return any
Confidential Information of the other Party in its possession in a form reasonably requested by the other Party and delete all copies of such Confidential Information from all systems, records, and backups; and (b) Vendor shall immediately cease using Subscriber Materials, and Subscriber shall immediately cease use of the Services. Additionally, Vendor shall refund to Subscriber any prepaid amounts applicable to Services not performed as of the termination date, and Subscriber shall pay any outstanding fees owed to Vendor. Termination of this Agreement shall not affect any rights that any Party may have (whether at law or in equity), with respect to any breach of this Agreement occurring prior to or following such termination.

Article 14 – Resolution of Disputes

14.1 Resolution of Disputes.
Prior to the initiation of litigation, the Parties shall first attempt to resolve their dispute on an informal basis in accordance with this Section. All communications made in connection with informal dispute resolution hereunder shall be deemed confidential and privileged settlement communications pursuant to the applicable rules of evidence and shall not be admissible in any legal proceedings.
(a) The Party believing itself aggrieved (the “Invoking Party”) shall call for management involvement in the dispute negotiation by written notice to the other Party. The Parties shall use their best efforts to arrange personal meetings and/or telephone conferences as needed, at mutually convenient times and places, between negotiators for the Parties set forth below:
Subscriber Vendor
As indicated on the signed Property
Order Form Director of Operations
The negotiators shall have a period of ten (10) business days in which to attempt to resolve the dispute, unless otherwise agreed to by the Parties. The allotted time for the negotiation shall begin on the date of receipt of the Invoking Party’s notice. If a resolution is not achieved by the negotiators within the allotted time for such negotiations, then either Party shall have the right to commence litigation proceedings.
(b) The Parties agree that the foregoing shall not apply when a Party makes a good faith determination that a breach of the terms of this Agreement by the other Party is such that the damages to such Party resulting from the breach will be so immediate, so large or severe, and so incapable of adequate redress after the fact that a temporary restraining order or other immediate injunctive relief is the only adequate remedy.
(c) The Parties agree to consider resolution of their dispute by binding arbitration, subject to their mutual written agreement to do so at the time of the dispute.
(d) Except where clearly prevented by the area in dispute, both Parties shall continue performing their obligations under this Agreement while the dispute is being resolved under this Section unless and until the dispute is resolved or until this Agreement is terminated or expires as provided herein.

Article 15 – General

15.1 Assignment.
Neither Party may assign or transfer this Agreement, in whole or in part without the prior written consent of the other Party; provided, that either Party may assign to an Affiliate and Vendor may assign this Agreement or any interest herein, or delegate any obligation hereunder without the prior written consent of Subscriber to an Affiliate in connection with a merger, consolidation, reorganization acquisition or transfer of all or substantially all of Vendor’s assets, provided however that Subscriber shall have the right to immediately terminate the Agreement without any further liability if such assignment is made to a Marriott Competitor. For all valid assignments and delegations, this Agreement shall bind and inure to the benefit of the Parties and their successors and assigns.

15.2 Force Majeure.
If a Party fails to complete, or is delayed at any time in fulfilling its obligations under this Agreement and: (a) such failure or delay is due to a cause beyond such Party’s reasonable control; (b) such Party is without fault in causing such failure or delay; and (c) such failure or delay could not have been prevented by reasonable precautions and cannot reasonably be circumvented by such Party through the use of alternate sources, workaround plans or other means, (“Force Majeure Event”), the other Party will: (i) extend the time of completion for a reasonable time provided the Party continues to use its best efforts to re-commence performance whenever and to whatever extent possible without delay; or (ii) excuse the failure to fulfill its obligations provided the Party continues to use its best efforts to comply with such obligations. No such extension or excuse shall be granted unless such Party gives
written notice of failure or delay to the other Party within three (3) business days after such Party first has knowledge of the Force Majeure Event. If a failure or delay caused by a Force Majeure Event continues, or is likely to continue, for longer than thirty (30) business days, Subscriber may terminate this Agreement, without liability, except for amounts due and payable for Services already performed hereunder prior to the date of the Force Majeure Event, and payment of any pro rata portion of any “holdback” or retained fees.

15.3 Supplier Diversity Program. Vendor acknowledges and understands that Subscriber has a supplier diversity program and agrees to provide reasonable cooperation and information to Subscriber as part of such program. Specifically, if Vendor is a certified minority-, woman-, service veteran-, disabled-, or LGBT (Lesbian, Gay, Bisexual or
Transsexual)-owned business (collectively “Diverse Business”), Vendor shall submit a copy of the relevant certification prepared by a certifying organization confirming its status as a Diverse Business, and shall notify Subscriber promptly of any changes to its status as a Diverse Business. If, in connection with the Services to be provided hereunder, Vendor has business relationships with Diverse Businesses, Vendor will use reasonable efforts
to: (a) supply Subscriber with a list of such Diverse Businesses together with a copy of the relevant certification prepared by a certifying organization; and (b) report the dollar amount impact of such Diverse Businesses in a format reasonably requested by Subscriber.

15.4 Notices.
All notices, requests and demands, other than routine communications under this Agreement, shall be in writing and shall be deemed to have been duly given when delivered, or when transmitted by confirmed facsimile (with a copy provided by another means specified in this Section), or one (1) business day after being given to an overnight courier with a reliable system for tracking delivery, or three (3) business days after the day of mailing, when mailed by United States mail, registered or certified mail, return receipt requested, postage prepaid, and addressed as follows:
Vendor: Subscriber:
myDigitalOffice As indicated on the signed Property
4350 East West Highway, Suite 401
Bethesda, MD 20817
Order Form
Attn: Ali Moloo
Facsimile/Email: ali@mydigitaloffice.com
Either Party may from time to time change the individual(s) to receive notices under this Section and its address for notification purposes by giving the other prior written notice of the new individual(s) and address and the date upon which the change will become effective.

15.5 Relationship of Parties.
Both Parties agree that they are independent entities. Nothing in this Agreement shall be construed to create a partnership, joint venture, or agency relationship between the Parties. Each Party is responsible for the supervision, management, direction, employment costs, and payment of compensation of its own employees. Each Party is responsible for any injury to its own employees occurring in the course of such employees’ employment for which their employer is responsible.

15.6 Remedies are Cumulative.
Unless otherwise expressly set forth in this Agreement, all remedies available to either Party for breach of this Agreement are cumulative and may be exercised concurrently or separately, are in addition to any other rights and remedies provided by law, and the exercise of any one remedy will not be deemed an election of such remedy to the exclusion of other remedies.

15.7 Waiver.
No failure of either Party to exercise any power or right granted hereunder to insist upon strict compliance with any obligation hereunder, and no custom or practice of the Parties with regard to the terms and performance hereof shall constitute a waiver of the rights of such Party to demand full and exact compliance with the terms of this Agreement. No waiver of any provision or right hereunder will be valid unless it is in writing and signed by the Party giving such waiver.

15.8 Severability. The Parties intend that this Agreement is valid and shall be enforced as written. If any provision of this Agreement is held by a court of competent jurisdiction to be overly broad, excessive, or unenforceable in any circumstances or to any extent, then the remainder of the Agreement and the application of such provision or portion in all other circumstances shall be valid and enforceable to the fullest extent permitted by law or equity.

15.9 Survival of Provisions.
The terms and provisions of this Agreement that by their sense and context are intended to
survive the performance thereof or hereof by either Party or both Parties hereto shall so survive the completion of performance and termination or expiration of this Agreement, including Articles concerning Confidentiality, Publicity, Personal Data, Warranties, Indemnification, Insurance, and Limitation of Liability and making of any and all payments
due hereunder.

15.10 Counterparts; Facsimile Signatures.
This Agreement shall be binding on the Parties through facsimile or scanned and emailed signatures, including electronic or digital signatures. For clarity, electronic, digital, machine-generated or images of signature shall be considered valid for executing this Agreement or an Order Form as if the original had been received.

15.11 Governing Law and Jurisdiction.
This Agreement, the interpretation hereof, and any dispute arising hereunder, shall be governed by the laws of the State of New York, without regard to its choice of law rules. If New York subsequently adopts the Uniform Computer Information Transaction Act (“UCITA”) or an act that is substantially based on UCITA, the Parties hereby opt out from the applicability of the provisions of such act to the maximum extent permitted by law. In addition, for all litigation arising from or relating to this Agreement, the Parties consent to the exclusive jurisdiction of competent Maryland state courts or federal courts located in Maryland. The Parties hereby agree to waive or opt-out of any application of the United Nations Convention on Contracts for the International Sale of Goods.

15.12 No Effect of Click-Through Terms and Conditions.
Where an End User is required to “click through” or otherwise accept or is made subject to online terms and conditions in accessing or using the Services, such terms and conditions are binding and shall have force or effect as to the Services solely with respect to the End User; provided, that in the event of a conflict between the provisions of online terms and conditions and the Agreement, the terms of the Agreement shall control.

15.13 Entire Agreement; Amendments.
This Agreement and its Terms, exhibits, appendices, or any other attachments
constitutes the entire understanding of the Parties with respect to the subject matter herein. This Agreement may not be amended or modified by a purchase order, invoice or similar form, or conduct manifesting assent, and each Party is hereby put on notice that any individual purporting to amend or modify this Agreement by a purchase order, invoice or similar form, or conduct manifesting assent is not authorized to do so. Any and all previous agreements and understandings between the Parties regarding the subject matter hereof, whether written or oral, are superseded by this Agreement (except for any confidentiality agreements to which the Parties have duly executed, which shall
remain in full force and effect for any discussions, transactions or exchanges of confidential information outside of the subject matter herein). This Agreement shall not be modified or amended except in a writing signed by the authorized representatives of each Party.

APPENDIX – Definitions

Capitalized terms used herein shall have the meanings ascribed to them in the Attachments, Schedules, Appendices, Exhibits and other documents attached hereto, or as defined hereunder:
“Affiliates” shall mean entities: (a) under the majority ownership or control of, under common majority ownership or control with, or which own or control, a Party; and (b) partnerships and joint ventures in which a Party or an entity under clause (a) above is a partner or a principal.
“Agreement” shall mean the Property Level between the Parties including any attachments, appendices, schedules, and exhibit(s) hereto.
“Bug Bounty Program” shall have the meaning set forth in Section 7.6.
“Bug Bounty Report” shall have the meaning set forth in Section 7.6.
“Confidential Information” shall have the meaning set forth in Section 6.1.
“Diverse Business” shall have the meaning set forth in Section 15.3.
“Documentation” shall have the meaning set forth in Section 2.5
“Effective Date” shall have the meaning set forth in the Property Order Form.
“Election Notice Period” shall have the meaning set forth in Section 11.4.
“Election Notice” shall have the meaning set forth in Section 11.4.
“End User” shall mean any individual (solely if an employee, agent or representative of Subscriber, Subscriber Entity, or
Subscriber Owner, as permitted herein) who is designated by Subscriber as applicable to receive or use the Services;
provided, that Subscriber has paid for use of the Services by such End User under the applicable Order Form.
“Force Majeure Event” shall have the meaning set forth in Section 15.2.
“Intellectual Property Rights” shall mean any and all right, title and interest (including all patent, patent registration,
copyright, trademark, trade name, service mark, service name, trade secret, or other proprietary right arising or enforceable
under any United States federal or state law, rule or regulation, non-United States law, rule or regulation or international
treaty) in any technology, system, invention, medium, or content, including without limitation text, print, pictures,
photographs, video, Marks, logos, designs, drawings, artistic and graphical works, music, speech, computer software and
documentation, any other works of authorship, and any form, method or manner of expression or communication;
“Internal Purposes” shall mean that Subscriber may: (a) designate its employees to use the Services solely for the benefit
of Subscriber; and (b) designate one or more consultants, auditors, and other third party service providers to exercise
Subscriber’s rights under this Agreement with respect to the Services solely for the benefit of Subscriber; provided that the
aforementioned third parties are under an obligation to protect the confidentiality of the Services to the same extent this
Agreement obligates Subscriber to protect the confidentiality of the Services.
“Invoking Party” shall have the meaning set forth in Section 14.1(a).
“Late Payment Rate” shall mean the lower of: (a) 1% per month; or (b) the highest interest rate permitted by applicable law
for outstanding debt.
“Losses” shall mean all losses, fines, penalties, liabilities, damages and claims, and all related costs and expenses
(including reasonable legal fees, disbursements and costs of investigation, litigation, settlement, judgment, interest and
penalties).
“Malfunction” shall mean a failure by the Services to perform as required by this Agreement.
“Marks” shall mean trademarks, trade names, web site domain names, service marks and logos, whether or not registered.
“Marriott Competitor” shall mean any company providing lodging related services to the general public.
“Materials” shall mean any and all reports, computer programs, Documentation, specifications, products, work product,
software, source code, algorithms, routines, graphics, files, software patches, enhancements, modifications, diagrams,
charts, functional descriptions, photographs, surveys, or other materials, writings, or derivatives thereof however delivered.
“Party” or “Parties” shall mean, individually, Subscriber or Vendor as the context requires and, collectively, both
Subscriber and Vendor.
“Personal Data” shall mean any End User information that can be associated with or traced to any individual End User,
including an individual’s name, address, telephone number, e-mail address, credit card information, social security number,
or other similar specific factual information, regardless of the media on which such information is stored (e.g., on paper or
electronically) and includes such information that is generated, collected, stored or obtained as part of this Agreement or
such information that Vendor has access to while performing its obligations and responsibilities under this Agreement.
“Service(s)” shall have the meaning set forth in Section 2.1.
“Service Web Site” shall mean the web site(s) and other forms of electronic communication that constitute a part of the
Services and means the Internet site operated by Vendor to provide access to the Services.
“Security Breach” shall have the meaning set forth in Section 7.1
“Subscriber”, or “Customer”, shall mean the (1) signing entity that operates or owns a property under a franchise or
license agreement with Marriott or (ii) signing third party management company.
“Subscriber Customers” shall mean customers or guests of Subscriber.
“Subscriber Materials” shall mean Materials owned by Subscriber and Subscriber data stored or used in or produced or
obtained as the result of processing through the use of the Services, including Personal Data.
“Subscriber Operating Environment” shall mean the minimum hardware, software and environment configuration
necessary to access and use the Services identified in the Order Form, including any incompatibilities as of the effective date
of the Agreement.
“Taxes” shall have the meaning set forth in Section 5.5.
“Term of Agreement” shall have the meaning set forth in Section 13.1.
“Third Party Claim(s)” shall mean all claims or threatened claims, civil, criminal, administrative, or investigative action or
proceeding, demand, charge, action, cause of action or other proceeding asserted against a Party brought by a third party.
“Vendor” shall have the meaning set forth in the Preamble.
“Vendor Materials” shall mean all Materials owned by Vendor and shall also include any information, products, or services
contained or made available to Subscriber in the course of providing the Services, including any training materials or
documentation.
“Vendor’s System” shall mean the software, hardware, and systems used by Vendor to provide Subscriber with access to
and use of the Services.

SCHEDULE A
TO FRANCHISE PROPERTY LEVEL SUBSCRIPTION AGREEMENT
FRANCHISE PROPERTY ORDER FORM
ATTACHMENT 1
INFORMATION SECURITY REQUIREMENTS

Compliance
1. Application or service being provided to MI has been reviewed by an independent third party and a compliance
report or certification letter can be provided. (ex. Service Organization Controls (SOC) 1 Type 2 report, SOC 2
Type 2 report, an ISO 27002 review or equivalent).
2. Data Center or Co-location facility used to host the service or application has been reviewed by an independent
third party and a compliance report or certification letter can be provided. (ex. Service Organization Controls
(SOC) 1 Type 2 report, SOC 2 Type 2 report, an ISO 27002 review or equivalent).
3. Vendor allows MI to remotely run non-invasive, credentialed web application/vulnerability scans using industry
accepted tools to test the security of the service or application. Any Critical, High or Medium security issues
discovered by these scans will be remediated within time frames agreed to in coordination with MI. (Typically,
Critical & High flaws within 30 days and Medium flaws within 60 days)
Network Security
4. A firewall exists at each Internet connection and between any demilitarized zone (DMZ) and the internal network
zone.
5. For web applications, an automated solution (such as a web-application firewall) that continually checks traffic to
detect and prevent web-based attacks against externally facing web applications is in place.
6. A formal process is in place for approving and testing all external network connections and changes to the firewall
configuration.
7. Documentation and business justifications exist for the use of insecure services, protocols or ports and includes
documentation of security features implemented to mitigate the risks of using insecure services.
8. Firewall (Security/Network Group) and router rule sets are reviewed at least every six months.
9. MI data is not stored on any system components connected directly to the Internet (i.e. on the web servers or in the
DMZ).
10. A Network Intrusion Detection or Prevention System (NIDS/NIPS) is in place to detect, alert on, and block or initiate
response to potentially malicious activity.
11. For communications via HTTPS (web applications, web services, etc.) only current, non-vulnerable protocols &
ciphers are enabled (i.e. TLS 1.1 or higher).
12. In cloud or co-location environments, all internal data in transit is encrypted. (i.e. end-to-end encryption).
13. Network access (non-console) to systems hosting MI data for administrative purposes use encryption technologies
such as SSH, VPN or TLS for web-based management.
Configuration Management
14. Router configuration files are secured and synchronized across the network.
15. All patches and system and software configuration changes are tested before deployment.
16. Separate development, test, and production environments exist to develop and test changes to the systems or
software.
17. Users have separate accounts for accessing each environment (dev, test, QA, Prod, etc.) with defined and
documented separation of duties between the personnel or functions within each environment.
18. Production MI data is not being used within development environments. Any copies of data used in QA, user
acceptance or staging environments for testing purposes has been properly anonymized (masked) or
pseudonymized (transformed) using security industry-recognized methods.
19. Change control procedures are followed and include at least the following steps:
a. Documentation of impact for all changes
b. Management sign-off by appropriate parties
c. Testing of operational functionality
d. Back-out procedures for all changes
20. All system components have configuration standards that assure all known security vulnerabilities are addressed
and the systems are secured/hardened using industry-accepted standards.
21. For any custom developed code, Source code repositories are secured and implement strict access control
policies.
22. Outdated or un-supported hardware/software is not used by any components within the system. Example: End of
Life Operating Systems/software/hardware.
23. A process exists that can be used by security researchers or users of the system to submit potential security issues
or vulnerabilities when observed (i.e. an email address is publicly available for submitting security concerns, etc.).
Identity & Access Management
24. For web applications that will allow MI associates to login, the system supports SAML 2.0 to integrate with
Marriott’s Single Sign-On (SSO) solution or an alternative authentication & authorization system is provided that
has been approved by MI and supports MFA for end user access.
25. An access control system has been established that restricts access based on a user’s need to know and is set to
“deny all” unless specifically allowed.
26. Written procedures are in place on user provisioning, authorization and access review processes for the vendors
own systems and for any MI access to the application or service.
27. Passwords require a minimum length and complexity (alphanumeric, unrelated to user ID, contain at least one
number (or special character) and one alpha character, and not all numbers or all characters) based on user type:
a. End Users – minimum 8-characters
b. Privileged Users – minimum of 12-characters
28. User passwords are changed at least every 90 days.
29. The application automatically Removes/disables inactive user accounts at least every 90 days.
30. Passwords do not appear or are masked on the screen when entered.
31. Idle sessions for more than 15 minutes require the user to re-enter the password to re-activate the site or
application.
32. Repeated access attempts are limited by locking out the user ID after 5 attempts within 15 minutes.
33. If a user ID is locked, the lockout duration is a minimum of 30 minutes or until administrator enables the user ID.
34. Users are prevented from using the previous 4 passwords during a password change.
35. The application validates the user identifier and user authenticator as a pair and rejects the logon attempt if the pair
is invalid. The system does not inform the user on which of the two is wrong.
36. All passwords are rendered unreadable (encrypted) during transmission and storage (password hashing) on all
components using NIST approved cryptography.
37. All users are assigned a unique ID before allowing them to access system components. (No shared or group
accounts are used.)
38. Vendor-supplied defaults are changed/removed before installing a system on the network (i.e. passwords, simple
network management protocol (SNMP) community strings, unnecessary accounts, etc.)
39. Remote access to the network or systems that host MI data by employees, administrators or third parties
(contractors) requires multi-factor authentication.
40. All access to web consoles used to manage cloud services are configured to require multi-factor authentication for
access.
System and Application Security
41. Anti-virus software has been deployed on all systems commonly affected by malicious software and is updated at
least weekly with the proper updates or definitions.
42. A file-integrity monitoring (FIM) solution or Host-based IDS has been implemented to detect, alert on, and block or
initiate responses to unauthorized changes, additions, or deletions to critical system files, configuration files, or
audit logs.
43. Marriott production data is stored on a backend file or database server which is physically or virtually different from
the web server.
44. All system components and software have the latest vendor-supplied security patches installed and Critical security
patches are installed within 30 days of release.
45. Applications are routinely tested, to include manual or automated inspection of source code to ensure no critical,
high or medium vulnerabilities exist within the system. External penetration tests are conducted at least annually,
and internal vulnerability scans of the infrastructure are conducted at least quarterly.
Data Protection & Retention
46. Only the minimum amount of Marriott data is stored by the system and the vendor will work with MI business
sponsors to define and adhere to data retention and disposal agreements.
47. All MI data can be purged / deleted from all storage locations, including backup media, in a timely fashion at the
end of the contract term or at the request of MI.
48. All MI data can be transferred to MI in a timely fashion at the end of the contract term or at the request of MI.
49. All employees and contractors that will have access to MI data receive information security training at least
annually.
50. Any reports containing Marriott data that can be produced or downloaded from the system can have a
confidentiality label or footer added to the report.
Encryption and Key Management
51. NIST approved cryptography is used to protect all MI data during transmission over open, public networks.
52. All MI data is encrypted at rest in storage (including on portable digital media, backup media, logs, etc.) using NIST
approved cryptography (MI does not allow for the use of cipher/protocols that have been proven to be
weak/vulnerable or “home-grown”/non-standard encryption ciphers/protocols/schemes).
53. Strict access control measures are used to protect encryption keys and access is restricted to the fewest number of
custodians necessary.
54. Cryptographic keys securely stored in the fewest possible locations and forms.
55. Key management processes and procedures are fully documented and implemented to include:
a. How keys are generated
b. How keys are stored and distributed for use within the system
c. How and when keys are changed/rotated
d. How expiring or possibly comprised keys are changed
e. How dual control / split knowledge is implemented to limit access to keys
Physical, Media & Peripherals Security
56. Any hard copy materials containing MI data are properly disposed of (shred, incinerate, pulp, etc.) so that data
cannot be reconstructed.
57. MI data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industryaccepted standards for secure deletion, or otherwise physically destroyed.
58. Multifunction printers (MFPs) used to copy, print or scan MI data are properly secured.
59. MFPs used to handle MI data do not permanently store processed documents on the hard drive or in Dynamic
random-access memory (DRAM) memory as a standard feature.
60. Appropriate facility entry controls are used to limit and monitor physical access to systems.
61. Cameras or other equipment is used to monitor sensitive areas containing MI data.
62. Physical access to publicly accessible network jacks is restricted.
63. Physical access to wireless access points, gateways or handheld devices are restricted.
64. Procedures exist to distinguish between employees and visitors in areas where MI data is accessible.
65. Visitor/access logs are used to maintain audit trails of access to server rooms, data centers or co-location facilities.
Security Logging & Monitoring
66. Audit trails/logging is enabled to link all access to system components (especially Admin IDs) to each individual
user.
67. Automated audit trails/logging is enabled for all system components (servers, applications, databases, etc.) to
reconstruct the following events:
f. Administrative access to MI data or systems hosting/processing MI data
g. Any access to the audit trails or logs
h. Invalid or denied access attempts
i. The creation or deletion of system objects/software
j. Unauthorized or out-of-band changes to database rows and columns
68. For each event, the following items are captured by the audit trails/logs to identify what occurred on the system:
k. User ID
l. Type of event
m. Date and Time of event
n. Success or failure of the event
o. Name of the affected data, component or resource
69. All audit trails are protected from unauthorized modifications or deletion.
70. Audit trails / logs for all system components are reviewed at least daily, either through automated or manual
means, to identify issues that could affect the confidentiality, integrity or availability of the MI data stored,
processed or transmitted by the system.
71. Events from applications or appliances providing security services (Firewalls, IDS’s, etc.) are automatically sent to
the appropriate personnel in real time to address and respond to potential incidents.