Data Processing Terms of Business for Suppliers
DATA PROCESSING TERMS
In order that you as a service provider and data processor (referred to as “Processor” or “you” or “your”) may provide or continue to provide certain services (the “Services”) to us, the Business and data controller (referred to as “the Business” or “we”, “us” or “our”), you have agreed that these data processing terms (“Terms”) shall apply (notwithstanding any other terms and conditions applicable to the delivery of the Services to the contrary) in order to address the compliance obligations imposed upon the Business and its Clients pursuant to the Data Protection Law. These Terms shall constitute a separate agreement or they may be incorporated by reference in the relevant Services agreement, as the case may be.
BY ACCEPTING ANY MATERIALS FROM THE BUSINESS OR OTHERWISE COMMENCING THE SERVICES (“EFFECTIVE DATE”), YOU AGREE THAT THE PROCESSOR WILL PROCESS BUSINESS PERSONAL DATA IN ACCORDANCE WITH THESE TERMS, WHICH YOU HEREBY ACCEPT FOR AND ON BEHALF OF THE PROCESSOR.
NOW IT IS HEREBY AGREED as follows:
SCHEDULE: Security measures
Processor shall put in place the following measures, as applicable.
Minimum technical measures
- Firewalls which are properly configured and using the latest software;
- user access control management;
- unique passwords of sufficient complexity and regular expiry on all devices;
- secure configuration on all devices;
- regular software updates, if appropriate, by using patch management software;
- timely decommissioning and secure wiping (that renders data unrecoverable) of old software and hardware;
- real-time protection anti-virus, anti-malware and anti-spyware software;
- HTTPS;
- encryption of all portable devices ensuring appropriate protection of the key;
- encryption of personal data in transit by using suitable encryption solutions;
- multi-factor authentication for remote access;
- WPA-TKIP secured WiFi access;
- delinquent web filtering and other appropriate internet access restrictions;
- intrusion detection and prevention systems;
- appropriate and proportionate monitoring of personnel; and
- data backup and disaster recovery measures and procedures.
Minimal organisational measures
- Vet all personnel including staff, contractors, vendors and suppliers (including Subprocessors) on a continuous basis;
- non-disclosure agreements used with all personnel;
- regular training of all personnel on confidentiality, data processing obligations, identification of Security Breaches and risks;
- apply the principle of least authority, including a restricted or strictly controlled transit of data and material outside of the office;
- physical security on premises including reception or front desk, security passes, clean desk policy, storage of documents in secure cabinets, secure disposal of materials, CCTV, etc.;
- apply appropriate policies including Information Security Policy, Data Protection Policy, BYOD, Acceptable Use Policy; limited and monitored personal use of work resources, as appropriate.