Data Sharing Addendum
(Controller-Controller)

Indeed Flex, on behalf of itself and its Affiliates (“Indeed Flex”) and the counterparty agreeing to this Data Sharing Addendum (“Company”) have entered into an agreement, insertion order or other contract for the provision of the Controller Services, as amended from time to time (the “Primary Agreement”). This Data Sharing Addendum (“DSA”) is intended to comply with the parties’ obligations under Data Privacy Laws with respect to the Processing of Controller Personal Data pursuant to the Primary Agreement. Indeed Flex and Company are individually referred to as a “Party” or together as “Parties”. In the event of a conflict between this DSA and the Primary Agreement, this DSA shall prevail.

1. Definitions.

Words and expressions used in this Addendum but not defined herein shall have the meanings given to such words and expressions in the GDPR unless otherwise stated herein. Where the Applicable Data Protection Law gives meanings to such words and expressions that differ from the GDPR, those meanings in the Applicable Data Protection Law shall apply instead for purposes of compliance with such Applicable Data Protection Law. The following definitions apply to this Addendum unless otherwise specified herein.

  1. “Adequate Country” means a country or territory that is recognized under EU Data Protection Law as providing adequate protection for Personal Data;
  2. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Indeed Flex. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
  3. “Applicable Data Protection Laws” means all laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data applicable to the processing of Client Personal Data under the Agreement including but not limited to General Data Protection Regulation 2016/679 (“GDPR”), Federal Data Protection Act of 19 June 1992 (Switzerland), UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), Japanese Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) and any US state or federal laws or regulations pertaining to the collection, use, disclosure, security or protection of personal data, or to security breach notification, e.g. California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2020 (“CPRA”); the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), and/or the Utah Consumer Privacy Act (the “UCPA”) and binding guidance and / or codes of practice issued by the governments, a competent supervisory authority under applicable laws (as defined in the GDPR), or the European Data Protection Board.
  4. “Controller”, “Consent”, “Processor”, “Sub-Processor”, “Data Subject”, “Personal Data”, “Personal Information”, “Processing”, “Third Party” or similar terms shall have the meaning given under Applicable Data Protection Law. For the avoidance of doubt, Processor includes without limitation a “business operator handling personal information” as defined by the APPI.
  5. “Controller Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the Primary Agreement in connection with the providing Party’s provision or use (as applicable) of the Controller Services. Unless prohibited by Applicable Data Protection Law, Client Personal Data shall not include information or data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific person.
  6. “Controller Services” means the services as described in the Subcontract agreement for the supply of services.
  7. “EEA” means the European Economic Area, the United Kingdom.
  8. “Process, Processing and Processed” means any operation or set of operations which is performed on Controller Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  9. “Personal Data Breach” means an actual, confirmed breach of security of Client Personal Data that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such Client Personal Data transmitted, stored or otherwise processed by a Party under the terms of the Agreement.
  10. “Personnel” means all officers, directors and employees, independent contractors or service providers of a Party or its Affiliates.
  11. “Standard Contractual Clauses” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).
  12. “Technical and Organizational Security measures” means those measures as set forth in Appendix B of this Addendum, aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
  13. “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by subsequent legislation.
  14. “UK SCCs Addendum” means the standard contractual clauses addendum issued by the UK Secretary of State for the transfer of Personal Data outside the UK and any amendment or replacement of such standard contractual clauses pursuant to Article 46(5) of the GDPR.

2. Role of the Parties.

Each Party is an independent Controller of the Controller Personal Data that it collects or Processes pursuant to the Primary Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Privacy Law. The Parties agree that they are not joint Controllers of any Controller Personal Data. Each Party will individually determine the purposes and means of its Processing of Controller Personal Data.

3. Obligations of the Parties.

3.1 Each Party shall comply with all applicable requirements of Data Privacy Laws. Each Party represents and warrants at all times that: (i) it has the necessary right and authority to enter into this DSA and to perform its obligations herein; (ii) its execution and performance under this DSA and the Primary Agreement will not violate any agreement to which it is a party; (iii) it has provided all required information to Data Subjects including, where required, that Personal Data that may be passed to third parties for the purposes of the Primary Agreement; and that it has otherwise obtained any legally required consent to the collection, use and disclosure of Controller Personal Data to allow Indeed Flex to Process such Controller Personal Data in connection with the Controller Services.

3.2  Without limiting the foregoing, each Party will maintain a publicly-accessible privacy policy on its website that is in compliance with Data Privacy Laws.

3.3  Each Party will notify the other Party in writing of any action or instruction of the other Party under this DSA or the Primary Agreement which, in its opinion, infringes applicable Data Privacy Laws.

3.4  Subject to this DSA, each Party, acting as a Controller, may Process the Controller Personal Data in accordance with, and for the purposes permitted in, the Primary Agreement (the “Permitted Purposes”).

3.5  A Party that has made Controller Personal Data available to the other Party under the Primary Agreement (“Disclosing Party”) will have the right to: (i) inform the other Party (“Receiving Party”) that, in its opinion, the Receiving Party’s use of such Controller Personal Data is inconsistent with the Disclosing Party’s obligations under and as required by Data Privacy Laws, and (ii) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of such Controller Personal Data under and as required by applicable Data Privacy Laws. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under applicable Data Privacy Laws. The Receiving Party acknowledges and agrees that it is receiving Controller Personal Data only for the limited and specified purposes set forth in the Primary Agreement. The Receiving Party shall provide not less than the same level of privacy protection as is required by Data Privacy Laws for such Controller Personal Data.

3.6  Neither Party shall sell or share (as defined by CCPA) any Personal Data (as defined by CCPA).

4. Security and Confidentiality.

Each Party shall implement appropriate technical and organisational measures to protect the Controller Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction. In the event that a Party suffers a Personal Data Breach, it shall notify the other Party without undue delay, but in any event within seventy-two (72) hours of it confirming same, and both Parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Laws prior to notification of the other Party so long as the notifying Party provides notification to the other Party without undue delay. Each Party shall ensure that all of its Personnel who have access to and/or Process Controller Personal Data are obliged to keep the Controller Personal Data confidential.

5. Transfers outside the EEA.

5.1   Where the Controller Services involve the storage and/or Processing of Controller Personal Data which transfers Controller Personal Data out of the European Economic Area or the UK to a jurisdiction that is not an Adequate Country, and EU Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), both parties agree that such transfers shall be governed as follows:

    1. for data subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU (MODULE ONE: Transfer Controller to Controller), as can be found at https://hrtechprivacy.com/c2cscc (the “EU SCC”). For the purposes of entering the Standard Contractual Clauses, the optional Clause 7 shall apply;
    2. for data subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”), also available at: https://hrtechprivacy.com/uk-scc;
    3. the EU SCC and if applicable the UK Addendum shall be incorporated into this DSA by reference and form an integral part of this DSA. For the purposes of the descriptions in the EU SCC and only as between the parties, Company agrees that it is a “data exporter” and Indeed Flex is the “data importer” under the EU SCC;
    4. the Appendices to this DSA provide the information required by Annexes I, II and III of the EU SCC and by the UK Addendum as set out in Appendix B to this DSA. The EU SCC may also be annexed to this DSA if appropriate.

5.2   The parties may store and Process Transferred Personal Data in the United States of America, the United Kingdom and/or any other country in which either party or any of its Processors maintains facilities so long as such party and any of its Processors:

    1. transfer such data via a valid legal mechanism such as the appropriate EU SCC and/or UK Addendum, or a UK International Data Transfer Agreement; and
    2. provide at least the same level of protection to such Transferred Personal Data as is required by such mechanism to ensure an adequate level of protection for such Transferred Personal Data in accordance with the requirements of European Data Protection Laws.

5.3   In the event of inconsistencies between the provisions of the EU SCC or UK Addendum and this DSA or other agreements between the parties, then the terms of the EU SCC or UK Addendum as applicable shall prevail.

5.4   If the EU SCC or UK Addendum are deemed invalid by a governmental or judicial entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified approach with respect to such Transferred Personal Data which is in compliance with European Data Protection Laws.

5.5   Where the European Commission or other relevant supervisory authority issues new, updated or replacement EU SCC, or the UK Addendum is updated or replaced, then Indeed Flex may notify Company in writing thereof and the parties shall replace the EU SCC or UK Addendum as appropriate and make any other necessary amendments to this DSA.

6. Data Subject Requests.

Each Party is separately responsible for processing its own requests from Data Subjects to exercise their rights. With respect to requests from, or on behalf of, Data Subjects relating to the Processing of Personal Data that is shared between the Parties, including requests to opt out of the Sale of Personal Information pursuant to CCPA, the Parties will collaborate to honor such objections or opt-out requests.

7. Compliance Cooperation.

Both Parties agree to reasonably cooperate and assist each other in relation to any regulatory inquiry, complaint or investigation concerning the Controller Personal Data shared between the Parties.

8. Allocation of Costs.

Each Party shall perform its obligations under this DSA at its own cost, except as otherwise specified herein.

9. Liability.

9.1  Except for 9.2 below, the liability of the Parties under or in connection with this Addendum will be subject to the exclusions and limitations of liability in the Primary Agreement.

9.2  The Parties agree that each shall be separately liable for, inter alia, any costs, damages, fines and penalties that may arise from that Party’s failure to comply with Applicable Data Protection Laws.

10. Severability.

Each and every provision of this Addendum is severable and distinct from the others and if at any time any provision of this is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction, that will not affect or impair the legality, validity or enforceability in that jurisdiction of any other provision of this Addendum.

11. Governing Terms.

11.1 This Addendum represents the entire agreement between the Parties in relation to its subject-matter and all previous representations, agreements and statements are hereby excluded.

11.2 For avoidance of doubt and without prejudice to the rights of any data subjects thereunder, this Addendum and any Standard Contractual Clauses (or other data transfer agreements) that the Parties or their affiliates may enter into in connection with the services provided pursuant to the Agreement will be considered part of the Agreement and the liability terms set forth in the Agreement will apply to all claims arising thereunder.

11.3 In the event of any conflict or ambiguity between terms of this Addendum and terms of the Agreement, the terms of the Addendum shall prevail. In the event of any conflict or ambiguity between terms of this Addendum and terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail. All other terms and conditions within the Agreement remain unchanged and in full force and effect.

12. Notices and Variation.

All notices, consents, demands, and other communications required or permitted to be given by either Party under this Addendum shall be in writing. No amendment to this Addendum will be effective unless in writing and signed by both Parties.

13. Governing Law and Jurisdiction.

13.1  The jurisdiction of this Addendum shall be the jurisdiction of the Agreement. In the event there is no jurisdiction clause in the Agreement, any dispute or claim in connection with this Addendum shall be governed by and construed in accordance with:

13.1.1 in the case of the contracting Indeed Flex entity being in the US, the laws of the state of Texas,

13.1.2 in the case of the contracting Indeed Flex entity being outside the US, the laws of Ireland, and each of the Parties hereby consent to the exclusive personal jurisdiction (including non-contractual disputes or claims) of the federal or state courts located in Travis County, Texas, U.S.A, if the Data Processor is located in the United States of America, or Dublin, Ireland, if the Data Processor is located elsewhere.

APPENDIX A

(Annex I of the Standard Contractual Clauses)

A.   LIST OF PARTIES

DATA EXPORTER(S):

Name: Subcontractor
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: Supply of Temporary Workers (as defined in the Subcontract agreement for the supply of services) to Indeed Flex to meet its Service Requirements, for the benefit of the Customers
Signature:
Name (printed):
Date:
Role: Controller

DATA IMPORTER(S):

Name: Indeed Flex
Address: One Smart’s Place, 1st Floor, London, England, WC2B 5LW
Contact person’s name, position and contact details: Attention: Data Protection Officer
Activities relevant to the data transferred under these Clauses: Indeed Flex is engaged in the business of providing a web-based platform and related services for businesses to manage their casual workforce and individuals seeking work on a casual basis
Signature:
Name (printed):
Date:
Role: Controller

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The personal data transferred concern the following categories of data subjects: Individuals about whom Personal Data is provided as part of the Controller Services, which may include without limitation Controller’s or its Affiliates’ employees, contractors, and end users.

The personal data processed by the Data Importer relates to users of the Indeed Flex service.

Categories of personal data transferred

Data relating to employees and users of Indeed Flex provided to the Data Importer by and at the direction of Indeed Flex for the purposes of providing the Services under the Agreement, which may include the following categories of data:

_x_ Names                  _x_ email addresses             _x_ postal addresses                  _x_ telephone numbers

_x_ photographs         _x_ usernames                     _x_ IP addresses                        ___ credit card numbers

_x_ social security numbers        _x_ identification card/passport numbers              ___ login credentials

Depending on the Services used, the personal data transferred may primarily concern the following categories of data: 

Indeed Flex Account Information: Data associated with the Data Exporter’s Flex account, password, company name, and Data Exporter preferences. This will include: Indeed Flex unique user ID, social media login (optional), and display name.

Data Exporter Authentication Data: This may include username and password unless Single Sign On (SSO) is used.

Interview Content: This may include video, audio, transcripts, interview notes, and interview questions.

Chat Messages: Content sent between users on an Indeed Flex hosted video platform (e.g. Indeed Flex Interview).

Calendar Information: This may include meeting schedules and event information made available through Data Exporter controlled integrations (e.g. Outlook, Google Calendar).

Candidate Materials: Data that Job Seekers disclose to employers in the hiring process. This data may include applications, which generally contain job seeker resumes, screening data (such as answers to screener questions or assessment results), cover letters, and any other data a job seeker agrees to share with Employers when they express interest in employment opportunities, for example, by applying or registering for events.

Employer Materials: This may include recruiter profiles, disposition information and employers’ notes about candidates, and candidate preferences.

Interview Metadata: This may include information about interview product usage, such as frequency, quality, timezone, attendance, and duration of events, as well as network activity and sample text saved to dash.

Device and Network Information: Information about desktop and mobile devices, which may include network data, operating system, user agent, MAC / IP address, and service logs.

User Feedback and Satisfaction Data: This may include ratings and plain text feedback on how we can improve our services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures 

Special categories are not required to use the Services. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical belief, genetic or biometric data, data concerning health or sexual orientation. To the extent such sensitive data is submitted, it is determined and controlled by Data Exporter in its sole discretion.

The frequency of the transfer (e.g. whether the data transfer is a one-off or continuous basis) 

Continuous

Nature of the processing

As set out in the Agreement unless otherwise required by law.

Purpose(s) of the data transfer and further processing

The Parties will process the Controller Personal Data as part of the Controller Services in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The applicable term of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing 

Indeed Flex will process personal data for the purposes of providing the Services in accordance with the Addendum.

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs:

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be the Irish Data Protection Commission.

With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”).

With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.


APPENDIX B (UK Addendum)

UK STANDARD CONTRACTUAL CLAUSES

  1. The UK SCCs Addendum is available at: https://hrtechprivacy.com/uk-scc
  2. For the purposes of entering the UK SCCs Addendum:
    1. The information contained in Appendix A of this Addendum shall be deemed to apply to Tables 1, 2 and 3 of the UK Standard Contractual Clauses; and
    2. The information contained in Appendix C of this Addendum shall be deemed to apply to the final row (Annex II) of Table 3 of the UK Standard Contractual Clauses.

APPENDIX C

(Annex II of the Standard Contractual Clauses)

Technical and Organisational Security Measures

In accordance with the DSA and the Agreement, the Parties will adopt and maintain appropriate (including organizational and technical) security measures in dealing with Data (including but not limited to Personal Data) in order to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of any Data (including Personal Data), in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing. In determining the technical and organizational security measures required under the DSA and the Agreement, the Parties will take account of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The Parties will, at a minimum, maintain the following specific security measures, as applicable:

ORGANIZATION OF INFORMATION SECURITY – Management direction and support for information security

Policies for information security are documented and published.

Chief Security Officer is appointed with responsibility for coordinating and monitoring security rules and procedures.

Security roles and responsibilities are defined and allocated.

Contact information for third parties to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners, is maintained.

HUMAN RESOURCE SECURITY – Employee responsibilities for information security

Background checks are conducted on candidates for employment in accordance with relevant laws, regulations and ethics based on job title and location.

Terms and conditions of employment for every employee require acknowledging Company Guidelines which include Acceptable Use Policy, Employee Privacy Notice and Code of Conduct.

Information security and privacy awareness, education, and training is conducted on hire and annually thereafter.

Formal disciplinary process is documented, communicated, and acknowledged by new hires and employees annually.

ASSET MANAGEMENT – Identification and management of organizational assets

Assets associated with data processing have been identified and an inventory is maintained.

Rules for acceptable use have been documented, communicated, and acknowledged by new hires and employees annually.

Sensitive data has been classified in terms of legal requirements to allow for access to be restricted.

LOGICAL SECURITY – Access control to information processing systems

Access to information and information processing facilities is limited and controlled to only that data minimally necessary to perform the users’ job duties.

A formal user registration and de-registration process is in place enforcing unique identification of users.

Allocation and use of privileged access rights are restricted and controlled.

Users are required to follow secure practices in the use of authentication information, including password configurations providing for a minimum length of 10 characters, a password history of 12, and complexity requiring 3 out of the following 4 character types: Capital Letters, Lowercase Letters, Numbers, Special Characters.
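As an added illustration of the password rules stated in the preceding paragraph (minimum length 10, history of 12, 3 of 4 character classes), the following Python check enforces them on a password change. This is example code written for this page, not Indeed Flex’s own tooling; the in-memory `PasswordHistory` store, the PBKDF2 iteration count and the failure-reason strings are assumptions made here, and the sample passwords in `demo()` are constructed.

```python
"""Password-policy check for the Appendix C authentication controls
(minimum length 10, history of 12, 3 of 4 character classes).
Added example; not part of the Addendum or Indeed Flex's tooling."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 10          # "minimum length of 10 characters"
HISTORY_DEPTH = 12       # "password history of 12"
REQUIRED_CLASSES = 3     # "3 out of the following 4 character types"

CHARACTER_CLASSES = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}


def classes_present(password: str) -> set[str]:
    """Names of the character classes that occur at least once in the password."""
    return {
        name for name, chars in CHARACTER_CLASSES.items()
        if any(ch in chars for ch in password)
    }


def complexity_failures(password: str) -> list[str]:
    """Length and complexity rules; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if len(classes_present(password)) < REQUIRED_CLASSES:
        failures.append("too_few_character_classes")
    return failures


class PasswordHistory:
    """Salted PBKDF2 hashes of a user's last `depth` passwords, so reuse can be
    rejected without keeping the passwords themselves. Hypothetical in-memory
    store (assumption); a real system would persist it per user."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest), newest last

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # Iteration count is an assumed value for the example.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def contains(self, password: str) -> bool:
        """True if the candidate matches any password still inside the history window."""
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        """Store the accepted password and drop entries older than the window."""
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-self.depth]

    def __len__(self) -> int:
        return len(self._entries)


def validate_new_password(password: str, history: PasswordHistory) -> list[str]:
    """Full password-change check: complexity rules plus reuse against history."""
    failures = complexity_failures(password)
    if history.contains(password):
        failures.append("reused_within_history")
    return failures


def demo() -> dict[str, list[str]]:
    """Constructed sample passwords showing each rule firing."""
    history = PasswordHistory()
    history.record("Old-Password-1")  # previously accepted password (constructed)
    return {
        "ok": validate_new_password("Correct-Horse-7", history),
        "short": validate_new_password("Ab1!", history),
        "weak": validate_new_password("alllowercaseonly", history),
        "reused": validate_new_password("Old-Password-1", history),
    }


if __name__ == "__main__":
    for label, failures in demo().items():
        print(f"{label}: {'accepted' if not failures else ', '.join(failures)}")
```

The history window is enforced at `record()` time, so once a thirteenth password is stored the oldest hash falls out and that password becomes acceptable again; the check is run before `record()` so a rejected candidate never enters the history.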

Automatic time-outs of accounts if left idle, with identification and password required to reopen.

Automatic deactivation of user IDs when several incorrect passwords are entered.

Multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access over virtual private network (VPN) to any network, system, application, or other asset containing classified information.

PHYSICAL SECURITY – Access and environmental control of information processing areas

Security perimeters are defined and used to protect areas that contain restricted or confidential information and information processing facilities.

Secure areas are protected by entry controls to ensure only authorized personnel are allowed access.

Access to information processing facilities is logged and monitored by security.

Physical protections against natural disasters, malicious attacks, and accidents are applied.

OPERATIONS SECURITY – Secure operations of information processing facilities

Changes to information processing facilities are controlled.

Centrally managed anti-malware software to monitor and defend information processing facilities.

Logging enabled on information processing facilities to include detailed information such as event source, date, user, timestamp, source addresses, destination addresses with synchronized time sources.

Periodic internal and external penetration testing of information processing systems is performed to identify vulnerabilities. Identified vulnerabilities are addressed as part of the vulnerability management program.

A process to timely identify and remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Personal Data.

NETWORK SECURITY – Security of information transmission

Use of industry standard firewall and encryption technologies to protect the gateways and pipelines through which the data travels (e.g. TLS/SSL).

Encryption of certain highly confidential data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) at rest and when in transit across open networks in accordance with industry best practices.

APPLICATION SOFTWARE SECURITY – Information Security is designed and implemented within systems development

Separation of development, testing and operational environments.

Secure coding practices appropriate to the programming language and development environment are in use.

Error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

Verification that versions of software acquired from third parties are supported or appropriately hardened based on developer security recommendations.

Software development personnel receive OWASP training in writing secure code. 

Static and dynamic analysis tools are used to verify that secure coding practices are being adhered to for internally developed software.

THIRD PARTY RELATIONSHIPS – Security of information and information processing facilities accessible by third parties

Information security requirements for mitigating risks associated with third party access to information and information processing facilities are agreed to in writing.

Third parties and third party services are assessed by security to identify security and data protection risks that must be addressed through either organizational or technical measures during contracting or implementation.

INCIDENT MANAGEMENT – Management of information security incidents

Responsibilities and procedures for incident management are documented to define the roles of personnel as well as the phases of incident handling.

Users are trained to report observed or suspected information security weaknesses and events to security immediately. 

Responses to security incidents are conducted in accordance with documented procedures and retrospectives are conducted.

Incident response exercises and scenarios are conducted periodically to maintain awareness and comfort in responding to real-world threats. Exercises test communication channels, decision-making, and incident responders’ technical capabilities using tools and data available to them.

AVAILABILITY – Redundancy of information processing facilities and backup of information

Information, software, and system information are backed up regularly and are tested periodically.

Backups are encrypted and replicated across geographic locations to provide for redundancy.

COMPLIANCE – Compliance with legal and contractual requirements and information security reviews

Relevant legal and contractual requirements for information processing facilities are documented and kept up to date.

Independent reviews of information security and its implementation are conducted on a periodic basis.

Technical compliance reviews of information systems are conducted on a periodic basis to identify compliance with organizational policies and standards.