...
Service Provider represents and warrants that it complies with ISO/IEC 27001:2013 standards.
Service Provider also warrants that it complies with the System and Organization Controls (SOC 2®) Type 2 requirements.
Service Provider Personnel
The Service Provider will ensure that access to Personal Data is limited to those Service Provider employees and contractors (“Personnel”) and agents who have a need to know. Service Provider will ensure that its Personnel engaged in the Processing of Personal Data have received appropriate training on their responsibilities and have executed written confidentiality obligations, and that such obligations survive the termination of that person’s engagement with the Service Provider.
...
Service Provider will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
...
anonymization of Personal Data;
measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services and Deliverables;
the ability to restore the availability and access to Client Confidential Information in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;
a process and procedures to monitor and log processing systems for unauthorised changes and other evidence the processing environment has been compromised.
The Service Provider will document and monitor compliance with these measures.
Encryption
The Service Provider will use strong encryption methodologies to protect Client Confidential Information transferred over public networks, and will implement whole-disk encryption for all Personal Data at rest. Service Provider will fully document and comply with Service Provider’s key management procedures for the cryptographic keys used for the encryption of Client Confidential Information.
Storage
The Service Provider will retain all Client Confidential Information in a physically and logically secure environment to protect from unauthorised access, modification, theft, misuse and destruction. The Service Provider will utilize platforms to host Client Confidential Information that are configured to conform to industry standard security requirements and will only use hardened platforms that are continuously monitored for unauthorized changes.
Antivirus; Firewall
The Service Provider will utilize antivirus programs that are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software, with antivirus signature updates at least once every 24 hours. The Service Provider will implement firewalls designed to ensure that all outbound traffic to Client Systems is restricted to only what is necessary for the proper functioning of the Services and Deliverables. All other unnecessary ports and services will be blocked by firewall rules at the Service Provider network.
OWASP
The Service Provider will ensure that it follows industry standards in preventing vulnerabilities, including the OWASP Top 10.
Vulnerability Management
Updates and Patches
Service Provider will establish and maintain mechanisms for vulnerability and patch management that are designed to evaluate application, system, and network device vulnerabilities at least twice a year and to apply Service Provider-supplied security fixes and patches in a timely manner, taking a risk-based approach to prioritizing critical patches.
...
If the Service Provider becomes aware of any actual or suspected Security Incident, Service Provider will, without undue delay and in no event later than forty-eight (48) hours after becoming aware of the Security Incident:
Notify Client of the Security Incident;
Investigate the Security Incident and provide Client with information about the Security Incident;
Take reasonable steps to mitigate the effects of, remedy, and minimize any damage resulting from the Security Incident.
GDPR and Privacy Compliance
Processing of Personal Data
Service Provider will inform Client immediately if it identifies a violation of any Data Privacy Laws or requirements.
Service Provider will:
Put relevant GDPR-recommended mechanisms in place, such as:
Pseudonymization of PII data;
Limiting access to PII data to necessary personnel only;
Ensuring that Personal Data collected in a GDPR-compliant country will be Processed only in GDPR-compliant regions (with GDPR-compliant mechanisms).
Amend, update, supplement, return or delete any Personal Data as soon as reasonably practicable at Client’s request.
Promptly notify the Client if it receives a request from a Data Subject for information, access to, correction, amendment, deletion, erasure, portability, or restriction of processing of that person’s Personal Data.