...
Service Provider represents and warrants that it complies with ISO/IEC 27001:2013 standards.
Service Provider also warrants that it complies with System and Organization Controls (SOC 2®) Type 2.
Service Provider Personnel
The Service Provider will ensure that access to Personal Data is limited to those Service Provider employees and contractors (“Personnel”) and agents who have a need to know. Service Provider will ensure that its Personnel engaged in the Processing of Personal Data have received appropriate training on their responsibilities and have executed written confidentiality obligations, and that such obligations survive the termination of that person’s engagement with the Service Provider.
...
Service Provider will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
anonymization of Personal Data;
measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services and Deliverables;
the ability to restore the availability and access to Client Confidential Information in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;
a process and procedures to monitor and log processing systems for unauthorised changes and other evidence the processing environment has been compromised.
The Service Provider will document and monitor compliance with these measures.
...
If the Service Provider becomes aware of any actual or suspected Security Incident, Service Provider will, without undue delay but in no event later than forty-eight (48) hours after becoming aware of the Security Incident:
Notify Client of the Security Incident;
Investigate the Security Incident and provide Client with information about the Security Incident;
Take reasonable steps to mitigate the effects of, remedy, and minimize any damage resulting from the Security Incident.
GDPR and Privacy Compliance
...
Service Provider will inform Client immediately if it finds a violation of any Data Privacy Laws or requirements.
Service Provider will:
Put relevant GDPR-recommended mechanisms in place, such as:
Pseudonymization of PII data;
Limiting access to PII data to necessary personnel only;
Ensuring that Personal Data collected in a GDPR-compliant country will be Processed only in GDPR-compliant regions (with GDPR-compliant mechanisms).
Amend, update, supplement, return or delete any Personal Data as soon as reasonably practicable at Client’s request.
Promptly notify the Client if it receives a request from a Data Subject for information, access to, correction, amendment, deletion, erasure, portability, or restriction of processing of that person’s Personal Data.