DPA – Appendix A – Tapper Security Requirements
Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect Personal Data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise Processed; all other unlawful forms of Processing; including (as appropriate):(i) the pseudonymization and encryption of Personal Data.(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and(iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.Service Provider will take the following security measures in addition to the above:1. Physical Control Access /Physical Security. The Service Provider will take industry standard steps designed to prevent unauthorized persons from gaining access to Personal Data processing systems by maintaining industry standard physical security controls at all Service Provider sites at which an information system that uses or houses Personal Data is located.2. Logical/Data Access Control. The Service Provider will maintain appropriate access controls designedto prevent Personal Data processing systems from being used without proper authorization, including:a) restricting access to Personal Data to only authorized Personnel who require such access in order to perform the Services and providing the lowest level of access required in accordance with the “least privilege” approach and to the minimum number; andb) implementing industry standard physical and electronic security measures to protect passwords or other access controls.Further, Service Provider will:a) Maintain user administration procedures: define user roles and their privileges; define how access is granted, changed, and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms; andb) Ensure that all employees of the Service Provider are assigned unique User-IDs.3. Data Transfer Control/Network Security. The Service Provider will ensure that: (a) Personal Data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control). The Service Provider will maintain network security using industry standard equipment and industry standard techniques, including firewalls, intrusion detection and prevention systems, and routing protocols; (b) it utilizes industry standard anti-virus and malware protection software to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use; and (c) it utilizes industry-standard encryption tools (not less than 128-bit key utilizing an encryption method approved by the Service Provider) and other secure technologies in connection with any and all Personal Data that Service Provider: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; or (iii) stores on portable devices, where technically feasible (including safeguarding the security and confidentiality of all encryption keys associated with encrypted Sensitive Personal Data).4.Availability Control/Separation Control. The Service Provider will implement appropriate policies and procedures to ensure that: (a) it Processes Personal Data in accordance with Customer’s instructions; (b) it Processes separately Personal Data collected for different purposes; and (c) Personal Data is protected against accidental destruction or loss.5. Organizational Security. The Service Provider will maintain security policies and procedures to classify sensitive or Confidential Information, clarify security responsibilities and promote awareness for employees by, among other things: (a) maintaining adequate procedures regarding the use, archiving, or disposal of media containing Personal Data; and (b) managing Security Incidents in accordance with appropriate incident response procedures. In addition:i) Prior to providing access to Personal Data to Service Provider personnel, the Service Provider will require Service Provider personnel to comply with its Information Security Program.ii) The Service Provider will maintain a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations, physical security controls, security practices, and security incident reporting.iii) The Service Provider will maintain procedures such that (A) when media are to be disposed of or reused, any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory will be prevented; and (B) when media are to leave the premises at which the files are located as a result of maintenance operations, any undue retrieval of Personal Data stored on them will be prevented.6. Business Continuity. The Service Provider will maintain appropriate back-up, disaster recovery and business resumption plans, business continuity plan and risk assessment, and review and test these plans regularly to ensure that they are up to date and effective. Service Provider will maintain procedures for reconstructing lost Personal Data in Service Provider’s possession or under Service Provider’s control, and correct, at Customer’s request, any destruction, loss, or alteration of any of Personal Data caused by Service Provider or arising out of Service Provider’s breach of this DPA.7. Risk Assessments. Service Provider will conduct periodic risk assessments and reviews and, as appropriate, update its Information Security Program; provided that Service Provider will not modify its Information Security Program in a manner that would weaken or compromise the confidentiality, availability, or integrity of Personal Data.