This Data Processing Addendum ("DPA") supplements the Terms of Service (the "Agreement") entered into by and between Customer (as defined in the Agreement) and Integrated Projects Technology, Inc., a Delaware corporation located at 222 N Walnut Street, 1st Floor, East Orange, NJ 07017 ("Integrated Projects"). By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.
Integrated Projects Technology Inc.
Mailing: 222 N Walnut Street, 1st Floor, East Orange, NJ 07017
Phone: +1-646-685-3578
Contact email: partner@integratedprojects.co
1. Definitions
1.1 "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
1.2 "Authorized Sub-Processor" means a third-party who has a need to know or otherwise access Customer's Personal Data to enable Integrated Projects to perform its obligations under this DPA or the Agreement, and who is either (1) listed in Exhibit B or (2) subsequently authorized under Section 3.2 of this DPA.
1.3 "Customer Account Data" means personal data that relates to Customer's relationship with Integrated Projects, including the names or contact information of individuals authorized by Customer to access Customer's account and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data Integrated Projects may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
1.4 "Customer Personal Data" means Personal Data that Integrated Projects processes as a processor pursuant to this DPA. Customer Personal Data does not include Customer Account Data or Customer Usage Data.
1.5 "Customer Usage Data" means Service usage data collected and processed by Integrated Projects in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
1.6 "Data Exporter" means Customer.
1.7 "Data Importer" means Integrated Projects.
1.8 "Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the California Consumer Privacy Act ("CCPA"); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR" or "GDPR"); (iii) the Swiss Federal Act on Data Protection; (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms "Data Subject", "Personal Data", "Personal Data Breach", "processing", "processor", "controller", and "supervisory authority" shall have the meanings set forth in the GDPR.
1.9 "EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
1.10 "ex-EEA Transfer" means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the "EEA"), where such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.11 "ex-UK Transfer" means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"), where such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.12 "Services" shall have the meaning set forth in the Agreement.
1.13 "UK Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the Information Commissioner's Office of the United Kingdom (including all Part 2 Mandatory Clauses).
2. Relationship of the Parties; Processing of Data
2.1 The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA, Integrated Projects is a processor. Customer shall, in its use of the Services, process Customer Personal Data, and provide instructions for the processing of Customer Personal Data, in compliance with Data Protection Laws, and not cause Integrated Projects to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to Integrated Projects by or on behalf of Customer, (ii) the means by which Customer acquired any such Customer Personal Data, and (iii) the instructions it provides to Integrated Projects regarding the processing of such Customer Personal Data. Customer shall not provide or make available to Integrated Projects any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Integrated Projects from all claims and losses in connection therewith.
2.2 Integrated Projects shall process Customer Personal Data only to provide the Services in accordance with the Agreement and this DPA. Integrated Projects will not process Personal Data except as permitted by this DPA, unless required to by applicable law; in such a case, Integrated Projects shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.3 The subject matter, nature, purpose, and duration of this processing, as well as the types of Customer Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.
2.4 Following completion of the Services, at Customer's choice, Integrated Projects shall return or delete Customer Personal Data, unless further storage of such Customer Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Integrated Projects shall take measures to block such Customer Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Customer Personal Data remaining in its possession, custody, or control. If Integrated Projects will be transferring Customer Personal Data outside of the European Union under the Standard Contractual Clauses as described in Section 5 (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the UK SCCs and Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Integrated Projects to Customer only upon Customer's request.
2.5 CCPA. The parties acknowledge and agree that Integrated Projects is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving Customer Personal Data from Customer in order to provide the Services pursuant to the Agreement, which constitutes a business purpose. Integrated Projects shall not sell any such Customer Personal Data. Integrated Projects shall not retain, use or disclose any Customer Personal Data provided by Customer pursuant to the Agreement except as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or otherwise as set forth in the Agreement or as permitted by the CCPA. The terms "service provider," "sale," and "sell" are as defined in Section 1798.140 of the CCPA. Integrated Projects certifies that it understands the restrictions of this Section 2.5.
3. Authorized Sub-Processors
3.1 Customer acknowledges and agrees that Integrated Projects may (1) engage its affiliates and the Authorized Sub-Processors listed at https://www.integrated-projects.com/subprocessors/ (the "List") to access and process Customer Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Customer Personal Data, as set out in Section 3.2. By way of this DPA, Customer provides general written authorization to Integrated Projects to engage sub-processors as necessary to perform the Services.
3.2 The List may be updated by Integrated Projects from time to time. At least fifteen (15) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, Integrated Projects will update the List. Customer will have the opportunity to subscribe to receive email notifications of any changes to the List via an RSS feed. Customer may object to such an engagement by informing Integrated Projects within thirty (30) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Integrated Projects from offering the Services to Customer.
3.3 If Customer reasonably objects to an engagement in accordance with Section 3.2, and Integrated Projects cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Integrated Projects. Discontinuation shall not relieve Customer of any fees owed to Integrated Projects under the Agreement.
3.4 If Customer does not object to the engagement of a third party, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.
3.5 Integrated Projects will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Integrated Projects under this DPA with respect to the protection of Customer Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Integrated Projects, Integrated Projects will remain liable to Customer for the performance of the Authorized Sub-Processor's obligations under such agreement to the same extent that Integrated Projects would be liable for such obligations.
4. Security of Personal Data
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Integrated Projects shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets forth additional information about Integrated Projects' technical and organizational security measures.
5. Transfers of Personal Data
5.1 In the event that Customer is subject to the GDPR or UK GDPR and the transfer of Customer Personal Data to Integrated Projects would be restricted in the absence of the EU SCCs or the EU SCCs as supplemented by the UK Addendum, the parties agree that the EU SCCs and, where applicable, the UK Addendum, shall be incorporated into this DPA as set out in this Section 5.
5.2 Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows: Module Two applies where Customer is a controller; Module Three applies where Customer is a processor; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the courts in Clause 18(b) are the courts of the Republic of Ireland; and Annexes 1, 2 and 3 to the Standard Contractual Clauses are the annexes of this DPA.
5.3 Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the EU SCCs as supplemented by the UK Addendum, which are deemed entered into and incorporated into this DPA by reference, and completed as follows: Part 1, tables 1, 2 and 3 of the UK Addendum will be deemed to be completed like their equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the Data Importer.
6. Rights of Data Subjects
6.1 Integrated Projects shall, to the extent permitted by law, provide reasonable assistance to Customer to respond to a request by a Data Subject to exercise the Data Subject's right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively "Data Subject Request(s)") in relation to Customer Personal Data. Such assistance may include notifying Customer of a Data Subject Request and advising the Data Subject to submit their request to Customer.
7. Actions and Access Requests; Audits
7.1 Integrated Projects shall, taking into account the nature of the processing and the information available to Integrated Projects, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Integrated Projects.
7.2 Integrated Projects shall, taking into account the nature of the processing and the information available to Integrated Projects, provide Customer with reasonable cooperation and assistance with respect to Customer's cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Integrated Projects.
7.3 Integrated Projects shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA. Customer shall, with reasonable notice to Integrated Projects, have the right to review, audit and copy such records at Integrated Projects' offices during regular business hours.
7.4 Upon Customer's written request at reasonable intervals not exceeding once per year, and subject to reasonable confidentiality controls, Integrated Projects shall, either (i) make available for Customer's review copies of certifications or reports demonstrating Integrated Projects' compliance with prevailing data security standards applicable to the processing of Customer's Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer's independent third party representative to conduct an audit or inspection of Integrated Projects' data security infrastructure and procedures that is sufficient to demonstrate Integrated Projects' compliance with its obligations under Data Protection Laws, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Integrated Projects' business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Integrated Projects for any time expended for on-site audits. If Customer and Integrated Projects have entered into Standard Contractual Clauses as described in Section 5 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the UK SCCs and Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section 7.4.
7.5 Integrated Projects shall immediately notify Customer if an instruction, in Integrated Projects' opinion, infringes the Data Protection Laws.
7.6 In the event of a Personal Data Breach, Integrated Projects shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Integrated Projects in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Integrated Projects' reasonable control).
7.7 In the event of a Personal Data Breach, Integrated Projects shall, taking into account the nature of the processing and the information available to Integrated Projects, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
7.8 Integrated Projects' obligation to report or respond to a Personal Data Breach under Sections 7.6 and 7.7 will not be construed as an acknowledgement by Integrated Projects of any fault or liability with respect to the Personal Data Breach.
8. Integrated Projects' Role as a Controller
The parties acknowledge and agree that with respect to Customer Account Data and Customer Usage Data, Integrated Projects is an independent controller. Integrated Projects will process Customer Account Data and Customer Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Integrated Projects' core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Integrated Projects is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this DPA and the Agreement. Integrated Projects may also process Customer Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws.
9. Conflict
In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) any other written agreement executed by the parties. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.
Exhibit A
Details of Processing
Nature and Purpose of Processing: Integrated Projects will process Customer's Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer's instructions as set forth in this DPA.
Duration of Processing: Integrated Projects will process Customer's Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Integrated Projects' legitimate business needs; or (iii) by applicable law or regulation. Customer Account Data and Customer Usage Data will be processed and stored as set forth in the Agreement and this DPA.
Categories of Data Subjects: Customer end-users/customers and Customer employees.
Categories of Personal Data: Integrated Projects processes Personal Data contained in Customer Account Data, Customer Usage Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Integrated Projects in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include name, location, email address, date of birth, physical address, unique identifiers such as passwords.
Sensitive Data or Special Categories of Data: Refer to Agreement.
Exhibit B
The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.
1. The Parties
Data exporter(s):
Name: Customer, as stated and defined in the applicable Order (as such term is defined under the Agreement)
Address: Customer's registered business address and any address provided to Integrated Projects at the time that Customer uses the Services.
Contact person's name, position and contact details: Customer's contact for the purposes of the SCCs will be the contact of the person that properly accepts and binds Customer to the Agreement unless another contact person's information is specifically provided to Integrated Projects in writing.
Activities relevant to the data transferred under these Clauses:
Signature and date: The UK SCCs and EU SCCs will be considered executed upon Customer's proper acceptance of the Agreement.
Role (controller/processor): Controller and Processor
Data importer(s):
Name: Integrated Projects Technology, Inc.
Address: partnerships@integratedprojects.co
Signature: Jose Cruz, Jr., Founder
Date: 7/12/24
Role (controller/processor): Controller
2. Description of the Transfer
Item | Details |
---|---|
Data Subjects | Refer to Agreement |
Categories of Personal Data | Refer to Agreement |
Special Category Personal Data (if applicable) | Refer to Agreement |
Nature of the Processing | Refer to Agreement |
Purposes of Processing | In order for Integrated Projects to provide the Services to Customer as stated under the Agreement. |
Duration of Processing and Retention (or the criteria to determine such period) | For as long as Customer is using the Services. |
Frequency of the transfer | As requested or initiated by Customer during the course of the Agreement. |
Recipients of Personal Data Transferred to the Data Importer | Integrated Projects will maintain and provide a list of its Sub-Processors upon request. |
3. Competent Supervisory Authority
The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.
Exhibit C
The following provides an overview of the security controls (SOC 2 Type 2 and ISO 27001) that Integrated Projects has implemented.
Control | Description | Category |
---|---|---|
Unique production database authentication enforced | The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH keys. | Infrastructure Security |
Encryption key access restricted | The company restricts privileged access to encryption keys to authorized users with a business need. | Infrastructure Security |
Unique account authentication enforced | The company requires authentication to systems and applications to use unique username and password or authorized Secure Shell (SSH) keys. | Infrastructure Security |
Production application access restricted | Access to the production application is restricted to authorized users only. | Infrastructure Security |
Access control procedures established | The company's access control policy documents the requirements for the following access control functions: adding new users; modifying users; and/or removing an existing user's access. | Infrastructure Security |
Production database access restricted | The company restricts privileged access to databases to authorized users with a business need. | Infrastructure Security |
Firewall access restricted | The company restricts privileged access to the firewall to authorized users with a business need. | Infrastructure Security |
Production OS access restricted | The company restricts privileged access to the operating system to authorized users with a business need. | Infrastructure Security |
Production network access restricted | The company restricts privileged access to the production network to authorized users with a business need. | Infrastructure Security |
Access revoked upon termination | The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs. | Infrastructure Security |
Unique network system authentication enforced | The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Shell (SSH) keys. | Infrastructure Security |
Remote access MFA enforced | The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | Infrastructure Security |
Remote access encrypted enforced | The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection. | Infrastructure Security |
Intrusion detection system utilized | The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches. | Infrastructure Security |
Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | Infrastructure Security |
Infrastructure performance monitored | An infrastructure monitoring tool is utilized to monitor the performance of servers, databases, and other infrastructure components supporting the services provided to customers. | Infrastructure Security |
Network segmentation implemented | The company's network is segmented to prevent unauthorized access to customer data and production systems. | Infrastructure Security |
Network firewalls reviewed | The company reviews its firewall rulesets on a periodic basis. | Infrastructure Security |
Network firewalls utilized | The company uses firewalls and configures them to prevent unauthorized access. | Infrastructure Security |
Network and system hardening standards maintained | The company's network and system hardening standards are documented and reviewed at least annually. | Infrastructure Security |
Asset disposal procedures utilized | The company has electronic media containing confidential information sanitized or destroyed in accordance with NIST 800-88 prior to disposal. | Organizational Security |
Production inventory maintained | The company maintains a formal inventory of production system assets. | Organizational Security |
Portable media encrypted | The company encrypts portable and removable media devices when used. | Organizational Security |
Anti-malware technology utilized | The company deploys anti-malware technology on endpoints and servers, and the anti-malware technology is updated regularly. | Organizational Security |
Employee background checks performed | The company performs background checks on new employees in accordance with local laws. | Organizational Security |
Code of Conduct acknowledged by contractors | The company requires contractor agreements to include obligations for contractors to maintain the confidentiality of company and customer information. | Organizational Security |
Code of Conduct acknowledged by employees and entity level | The company requires employees to acknowledge its Code of Conduct on an annual basis. | Organizational Security |
Confidentiality Agreement acknowledged by contractors | The company requires contractors to sign a confidentiality or non-disclosure agreement upon engagement. | Organizational Security |
Confidentiality Agreement acknowledged by employees | The company requires employees to sign a confidentiality or non-disclosure agreement upon hire. | Organizational Security |
Performance evaluations conducted | The company managers are required to complete performance evaluations for their direct reports on an annual basis. | Organizational Security |
Password policy enforced | The company requires passwords for in-scope systems to meet minimum password requirements. | Organizational Security |
MDM system utilized | The company has a mobile device management (MDM) system that is used to manage employee devices and enforce security policies on those devices. | Organizational Security |
Security awareness training implemented | The company requires employees to complete security awareness training upon hire and on an annual basis thereafter. | Organizational Security |
Data encryption utilized | The company's datastores housing sensitive customer data are encrypted at rest. | Product Security |
Control self-assessments conducted | The company performs control self-assessments on a periodic basis to identify gaps and opportunities for improvement. | Product Security |
Penetration testing performed | The company's penetration testing is performed by an independent third party on at least an annual basis. | Product Security |
Data transmission encrypted | The company uses secure data transmission protocols when transmitting sensitive data. | Product Security |
Vulnerability and system monitoring procedures established | The company's formal policies outline the requirements for the identification of vulnerabilities and the monitoring of system components. | Product Security |
Continuity and Disaster Recovery plans established | The company has Business Continuity and Disaster Recovery plans in place, which are reviewed and approved by management annually. | Internal Security Procedures |
Continuity and disaster recovery plans tested | The company has a documented business continuity and disaster recovery testing plan and tests are performed annually. | Internal Security Procedures |
Cybersecurity insurance maintained | The company maintains cybersecurity insurance. | Internal Security Procedures |
Configuration management system established | The company has a configuration management system in place to track changes to system configurations. | Internal Security Procedures |
Development lifecycle established | The company has a formal systems development lifecycle (SDLC) methodology in place that is used to design, develop, implement, and maintain systems and applications. | Internal Security Procedures |
Whistleblower policy established | The company has established a formalized whistleblower policy that is available to all employees. | Internal Security Procedures |
Board oversight briefings conducted | The company's board of directors or a relevant governing body receives briefings on cybersecurity and data privacy at least annually. | Internal Security Procedures |
Board charter documented | The company's board of directors has a charter documenting its roles and responsibilities. | Internal Security Procedures |
Board meetings conducted | The company's board of directors meets on at least a quarterly basis. | Internal Security Procedures |
Backup processes established | The company's data backup policy documents the requirements for performing and retaining backups. | Internal Security Procedures |
System changes externally communicated | The company notifies customers of critical system changes that may affect their use of the company's products or services. | Internal Security Procedures |
Management roles and responsibilities defined | The company management has established defined roles and responsibilities for the design, development, implementation, operations, maintenance, and security of information systems. | Internal Security Procedures |
Organization structure documented | The company maintains an organizational chart that documents the company's organizational structure and the reporting lines for key functions. | Internal Security Procedures |
Roles and responsibilities specified | Roles and responsibilities for the design, development, implementation, operations, maintenance, and security of information systems are specified. | Internal Security Procedures |
Security policies established and reviewed | The company's information security policies are reviewed and approved by management at least annually. | Internal Security Procedures |
Support system available | The company has an external-facing support system available to customers. | Internal Security Procedures |
System changes communicated | The company communicates system changes to internal stakeholders through a formal change management process. | Internal Security Procedures |
Access reviews conducted | The company conducts access reviews at least semi-annually for in-scope systems to ensure that access is appropriate. | Internal Security Procedures |
Access requests required | The company ensures that user access to in-scope systems is granted through a formal access request and approval process. | Internal Security Procedures |
Incident response plan tested | The company tests its incident response plan on at least an annual basis. | Internal Security Procedures |
Incident response policies established | The company has security and privacy incident response policies and procedures in place. | Internal Security Procedures |
Incident management procedures followed | The company's security and privacy incident response procedures are followed in the event of a security or privacy incident. | Internal Security Procedures |
Company commitments externally communicated | The company's security commitments are communicated to external parties via a publicly-available trust center or equivalent. | Internal Security Procedures |
External support resources available | The company provides guidelines and technical documentation to enable customers to use the company's products or services. | Internal Security Procedures |
Service description communicated | The company provides a description of its services in its agreements with customers. | Internal Security Procedures |
Risk assessment objectives specified | The company specifies its objectives to enable the identification and assessment of risks related to those objectives. | Internal Security Procedures |
Risk assessments performed | The company's risk assessments are performed at least annually or upon significant changes to the organization or its systems. | Internal Security Procedures |
Risk management program established | The company has a documented risk management program in place. | Internal Security Procedures |
Third-party agreements established | The company has written agreements in place with third-party service providers that include security and confidentiality obligations. | Internal Security Procedures |
Vendor management program established | The company has a vendor management program in place to evaluate and monitor the security and compliance posture of third-party service providers. | Internal Security Procedures |
Data retention procedures established | The company has formal retention and disposal procedures in place for customer data. | Data and Privacy |
Customer data deleted upon leaving | The company purges or removes customer data upon the termination of a customer contract in accordance with the company's data retention policy. | Data and Privacy |
Data classification policy established | The company has a data classification policy in place that defines the different categories of data and the security requirements for each category. | Data and Privacy |