DATA SECURITY POLICY
This document (the “Data Security Policy”) describes the security requirements applicable to all Parties of an Agreement signed with PAIC EUROPA, S.L. or its affiliate (hereinafter referred to as “PAiC”). Additional security requirements may apply in particular cases if agreed by involved parties.
Definitions
“Agreement” shall mean the agreement between PAiC and its business Partner under which the Data Security Policy applies and to which the Data Security Policy is part thereof.
“Buyer” shall mean the entity purchasing services from the other Party and bound by a Service Agreement with that other Party defined as the Supplier.
“Buyer’s Data” shall mean data or other information that the Buyer or a person acting on behalf of the Buyer, makes available to the other Party, including but not limited to Personal Data processing purpose.
“Supplier” shall refer to the counter-party who supplies any kind of deliverables to the Buyer and is identified as “Supplier”, “Vendor”, “Partner” or the equivalent in the relevant Agreement.
“Supplier Personnel” shall mean any person working on behalf of the Supplier such as employees, consultants, contractors and sub-suppliers.
“Information Processing Facilities” shall mean any information processing system, services or infrastructure or the physical locations housing them.
“Log” shall mean a record of the details of information or events in an organized record-keeping system, usually sequenced in the order in which the information or events occurred.
“Personal Data” shall mean all information, as defined in the Directive on privacy and electronic communications (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) and the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and any amendments, replacements or renewals thereof (collectively the “EU Legislation”), all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time, which identifies a natural person. An identifiable natural person is one who can be directly or indirectly identified by reference to an identifier such as a name, address, social security number, subscription number, IP address, location data, an online identifier, traffic data or message content, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Services” shall mean the services to be provided by the Supplier to the Buyer or a person acting on behalf of the Supplier as further defined in the Agreement between the Parties.
“Security Control” shall mean a technical countermeasure, an organizational setup or a process that helps to maintain the security properties of IT systems.
“Security Incident” shall mean a single or a series of unwanted or unexpected security events that have a significant probability of compromising business operations and threatening security.
“Sensitive Products” and “Sensitive Services” shall mean any product or Services defined as sensitive by the Buyer. Sensitive Products or Sensitive Services shall be clearly documented in the applicable Agreement.
“Pseudonymisation” shall mean the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Scope
The Data Security Policy applies when:
- the Supplier will process Buyer’s Data;
- the Supplier will access Buyer’s network or IT systems including remote access;
- the Supplier will handle Buyer’s information processing equipment;
- the Buyer has deemed the Supplier as a provider of Sensitive Products and/or Sensitive Services and identified the Supplier as such under the relevant Agreement.
The Supplier’s overall responsibility
The Supplier is fully responsible for the Supplier Personnel’s compliance with the Data Security Policy.
The Supplier shall implement the measures required to ensure compliance to the Data Security Policy prior to commencing any assignment for the Buyer.
The Supplier shall, at the request of the Buyer, inform the Buyer how the Supplier complies with the Data Security Policy and what measures the Supplier has taken to comply with the Data Security Policy.
The Supplier shall inform the Buyer about any Security Incident (including but not limited to incidents in relation to the processing of Personal Data) as soon as possible but no later than within 24 hours after the Security Incident has been identified. See incident management below.
The Supplier shall guarantee that any processing of Buyer’s Data will be compliant with the Data Security Policy.
The Supplier shall return or destroy (as determined by the Buyer) any Buyer’s Data and the copies thereof. The Supplier shall confirm in writing to the Buyer that the Supplier has met this requirement on termination of the Agreement or at the request of the Buyer.
The Supplier shall not allow any access to Buyer’s Data (it may also concern new, extended, updated, prolonged or in any other way changed real-time network access) in breach of the Agreement to any party without prior written approval by the Buyer.
Security requirements
Risk management
Security risk management
The Supplier shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security, which is appropriate to the risk.
The Supplier shall periodically assess the risks related to information systems and processing, storing and transmitting information.
Security risk management for Personal Data
The Supplier shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk of the specific Personal data types and purposes being processed by the Supplier, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Buyer’s Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The Supplier shall periodically assess the risks related to information systems and processing, storing and transmitting Personal Data.
Organization of information security
The Supplier shall have defined and documented security roles and responsibilities within its organization.
The Supplier shall appoint at least one person who has appropriate security competence and who has an overall responsibility for implementing the security measures under the Data Security Policy and who will be the contact person for Buyer’s security staff.
Human resource security
The Supplier shall ensure that its Personnel handle information in accordance with the level of confidentiality required under the Agreement.
The Supplier shall ensure that its relevant Personnel are aware of the approved use (including use restrictions, as the case may be) of information, facilities and systems under the Agreement. The Buyer has the right to request a signed receipt from each member of the Supplier’s Personnel stating that he or she has understood and will comply with the Security Directives and the approved use of information, systems and facilities.
The Supplier shall ensure that any of its Personnel performing assignments under the Agreement is trustworthy, meets established security criteria and has been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification.
The Supplier shall not, without informing and getting the Buyer’s prior written approval, assign any Supplier’s Personnel to Buyer’s assignment that:
- has any conflict of interest in relation to Buyer or the relevant assignment; or
- has been sentenced to imprisonment for any criminal offense during the three (3) year period prior to the engagement or the assignment.
The Buyer shall provide information about which tasks are classified as sensitive at the time of entering into the Agreement, or at the latest two weeks before the Supplier’s Personnel engagement or assignment commences.
The Supplier shall ensure that its Personnel with security responsibilities are adequately trained to carry out security-related duties.
The Supplier shall provide or ensure periodical security awareness training to its relevant Personnel. Such Supplier training shall include, without limitation:
- How to handle customer information security (i.e. the protection of the confidentiality, integrity and availability of information);
- Why information security is needed to protect customers’ information and systems;
- The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);
- The importance of complying with information security policies and applying associated standards/procedures;
- Personal responsibility for information security (such as protecting customer’s privacy-related information and reporting actual and suspected Security Incidents).
Asset management
The Supplier shall have a defined and documented asset management system in place and maintain up-to-date records of all relevant assets and their owners. Information assets include but are not limited to IT systems, backup and/or removable media containing sensitive information, access rights, software and configuration.
The Supplier shall label, treat and protect information according to a pre-defined information classification system in accordance with valid security standards at that time (including removable media storage, disposal and physical transfer).
The Supplier shall implement measures to ensure protection against accidental, unauthorized or unlawful loss, destruction, alteration or damage to Buyer’s Data transmitted, stored or otherwise processed.
The Supplier shall keep an updated list of Buyer’s data processed. The list shall contain the following information:
- the processed data;
- storage details, such as asset name, location etc.
Access control
The Supplier shall have a defined access control policy for facilities, sites, network, system, application and information/data access (including physical, logical and remote access controls), an authorization process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for the Supplier Personnel in place.
The Supplier shall have a formal user registration and de-registration process implemented to enable assignment of access rights.
The Supplier shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
The Supplier shall use strong authentication (multi-factor) for remote access users and users connecting from untrusted networks.
The Supplier shall ensure that its Personnel have a personal and unique identifier (user ID), and use an appropriate authentication technique, which confirms and ensures the identity of users.
Physical and environmental security
The Supplier shall protect Information Processing Facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
The Supplier shall protect goods received or sent on behalf of the Buyer from theft, manipulation and destruction.
Operations security
The Supplier shall have an established change management system in place for making changes to business processes, Information Processing Facilities and systems. The change management system shall include tests and reviews before changes are implemented, procedures to handle urgent changes, rollback procedures to recover from failed changes, and logs that show what has been changed, when and by whom.
The Supplier shall implement malware protection to ensure that any software used for the Supplier’s provision of the deliverables to the Buyer is protected from malware.
The Supplier shall make backup copies of critical information and test back-up copies to ensure that the information can be restored as agreed with the Buyer.
The Supplier shall Log and monitor activities, such as creation, reading, copying, amendment and deletion of processed data, as well as exceptions, faults and information security events, and regularly review these. Furthermore, the Supplier shall protect and store Log information (for at least 6 months, or in compliance with the local law) and, on request, deliver monitoring data to the Buyer. Anomalies, incidents and indicators of compromise shall be reported according to the incident management requirements.
The Supplier shall manage vulnerabilities of all relevant technologies such as operating systems, databases, and applications proactively and in a timely manner.
The Supplier shall establish security baselines (hardening) for all relevant technologies such as operating systems, databases, and applications.
The Supplier shall ensure that development is segregated from the test and production environments.
Communications security
The Supplier shall implement network Security Controls such as service level, firewalling and segregation to protect information systems.
Software Development Security
The Supplier shall implement rules for development lifecycle of software and systems including change and review procedures.
The Supplier shall test security functionality during development in a controlled environment.
The Supplier relationship with sub-suppliers
The Supplier shall reflect the content of this Data Security Policy in its agreements with sub-suppliers that perform tasks assigned under the Agreement.
The Supplier shall regularly monitor, review and audit sub-suppliers’ compliance with the Data Security Policy.
Security incident management
The Supplier shall have established procedures for Security Incident management.
The Supplier shall inform the Buyer about any Security Incident (including but not limited to incidents in relation to the processing of Personal Data) as soon as possible but no later than within 24 hours after the Security Incident has been identified.
All reporting of security-related incidents shall be treated as confidential information and be encrypted using industry-standard encryption methods such as PGP (Pretty Good Privacy).
The security incident report shall contain at least the following information:
- notwithstanding the requirement for immediate notification, the Supplier shall provide a written preliminary report to the Buyer of any security incident that could possibly affect the Buyer or the Buyer’s assets in any imaginable way;
- sequence of events, including actions taken during the incident handling;
- affected portions of the infrastructure, systems and information;
- estimated (or, upon a high level of uncertainty, worst-case) consequences/impact;
- consequence reducing measures already implemented;
- risk-reducing measures already implemented;
- consequence reducing measures to be implemented, including implementation plan (date; responsible; dependencies);
- risk reducing measures to be implemented, including implementation plan (date; responsible; dependencies);
- a summary of experiences and lessons learned.
Compliance
The Supplier shall comply with all relevant legislation and contractual requirements including but not limited to Personal Data protection.
The Supplier shall, on request, provide the Buyer with a compliance status report with regards to this Data Security Policy without any unjustified delay.
