General:Nothing in this Addendum shall vitiate or remove the obligation of Unitas Global to take such due diligence with the handling of its own data when under its control as is required hereunder by Service Provider. Service Provider shall not be held responsible for damage arising from the supply by Unitas Global or its employees or subcontractors to Service Provider of corrupted data howsoever caused. The parties agree that in the event of a conflict between any other contract terms between the parties and this Addendum, the terms of this Addendum shall control. The parties agree that where reasonable, the section clauses below shall apply based upon existing service agreements. Additionally, both parties agree that requirements related to HIPAA and GDPR may apply based upon the Unitas Global customer and that if any conflicts between those requirements and section clauses herewith occur, the more strictive requirement shall survive.
1. Unitas Global data
- Unitas Global is to be treated as the owner of Unitas Global data and Service Provider acknowledges that Unitas Global data is the property of Unitas Global or data related to the service it provides its customers. Unitas Global data includes without limitation all handwritten, printed or digital formats of databases, data formats, data compilations, information, designs, documentation, texts, drawings or records and Personally Identifiable Information.
- Service Provider shall store, copy or use Unitas Global data only to the extent necessary to perform its obligations under this Agreement. Service Provider shall keep Unitas Global data stored on systems managed by Service Provider logically segregated from all other Data (including Service Provider's own Data and the Data of any other customer of Service Provider).
- Service Provider shall only access, process or host Unitas Global data on behalf and in conformity with the instructions of Unitas Global. Service Provider shall treat Unitas Global data as Confidential Information and in the event that any of Service Provider's employees or any Subcontractor retained by Service Provider shall have access to Unitas Global data, such access shall be permitted under a need-to-know basis and only to the extent required for the due performance of Service Provider's obligations. Service Provider assumes all responsibility and liability for breach of confidentiality and security obligations and for violation of statutory law relating to Unitas Global data by Service Provider's employees or any Service Provider retained by it, including any Subcontractors.
- Service Provider shall not, and shall ensure that each of the Service Provider Affiliates, the Subcontractors and each of the Service Provider Personnel shall not, carry out any act or make any omissions which has or could reasonably be expected to have an adverse impact on the security of the Services, Unitas Global business, customers, or systems, any Unitas Global data or the Service Records, or on Unitas Global’s compliance with Applicable Laws.
- Service Provider shall not disclose Unitas Global data and/or Deliverable(s) to any Service Provider (other than permitted Subcontractors) without the prior consent of Unitas Global except if required to do so by a Regulator or by any Applicable Laws. Service Provider shall not use Unitas Global data and/or Deliverable(s) to solicit any business for any of Service Provider's products or services and shall not disclose it to any of Service Provider's customers or to any Service Provider.
- If any part of Unitas Global data ceases to be required by Service Provider for the performance of its obligations under this Agreement upon first written request from Unitas Global, Service Provider shall promptly return that Unitas Global data to Unitas Global or, at the request of Unitas Global and at the expense of Service Provider, permanently destroy such Unitas Global data and have an authorised signatory sign a certificate attesting to such return destruction. To this purpose, Service Provider shall maintain appropriate processes in place for the permanent destruction or permanent purging of any Unitas Global data.
- Without limiting Service Provider's other obligations under this Agreement, Service Provider shall comply, and shall ensure that each of the Service Provider’s Affiliates which are involved in the provision of the Services and each of the Service Provider Personnel shall comply, with:
- the Policies and Standards set out within this Addendum;
- any instructions received from Unitas Global to the extent required for compliance with any Applicable Laws which are specifically applicable to Unitas Global’s industry or business; and
- Service Provider's own internal security standards as in force from time to time and as applicable to the Services, provided that the internal security standards shall, to the extent applicable, be of a standard at least equivalent to the standard of the internal security standards applied by Unitas Global in relation to the Services prior to entry into this Agreement.
- Service Provider shall bring into effect and maintain reasonable administrative, technical and organisational measures:
- to maintain security of Unitas Global data;
- to prevent unauthorized or accidental destruction, unauthorized alteration, copying, access or use, forgery, theft, loss or technical faults in connection with Unitas Global data.
- Those measures must take into account (i) the purpose of data processing, (ii) nature and extent of the processing, (iii) the assessment of possible risks to the data subject; and (iv) current industry best practices and state-of-the-art technologies. The measures shall include, at a minimum, those set out within this Addendum.
2. General Audit
- Service Provider must be prepared to provide necessary documentation and evidences to Unitas Global or its appointed auditors, confirming in support of Unitas Global’s external audits and review purposes within 15 (Fifteen) business days upon request by Unitas Global if independent attestation reports already provided do not provide enough information. Documentation and evidence requests beyond independent attestation reports listed in paragraph 2.3 below, may be billed if Service Provider internal staff shall require more than 5 hours to fulfil the request.
- Service Provider must permit Unitas Global to request and/or perform, at the expense of Unitas Global, one security assessment per year, including but not limited to, review of policies, on-site assessment of processes and procedures, physical security arrangements, network, system, and application vulnerability scanning, and penetration testing. Such assessments will be communicated at least 30 days in advance and conducted at a time mutually agreed upon between the Service Provider and Unitas Global; and Unitas Global will provide the results to the Service Provider. Documentation, evidence requests and support for these assessments beyond independent attestation reports listed in paragraph 2.3 below, may be billed if Service Provider internal staff shall require more than 5 hours to fulfil the request.
- At least once every twelve (12) months from the execution date of this agreement and for the remainder of the Term, Service Provider, at its own expense and in addition to and not in lieu of Unitas Global’s rights to conduct audits, shall cause to be conducted an independent Service Provider audit on its operations. Such audit shall be performed by an independent auditing firm registered and in good standing with the Public Company Accounting Oversight Board (or equivalent) and any successor thereto. The scope of the audit shall include Service Provider's compliance with the security and availability principles defined in AICPA’s SOC 2 engagement Trust Services Principles and Criteria and ISO27001 (or any successor) related to the Services under this Agreement. The audit shall result in an independent Service Provider report (e.g. ISO 27001 certification and SOC 2 Type 2) that shall be provided to Unitas Global free of charge. The report shall be of a nature that it includes the independent auditor's conclusion on operating effectiveness of controls (e.g. in case of a SOC 2 report this implies that it has to be a Type 2 report).
- If an independent Service Provider audit as set forth above results in a qualified opinion or non-certification, upon the first such occurrence, the Service Provider shall perform such corrective plan in accordance with the committed delivery dates to successfully resolve the applicable deficiency. The parties agree that such second occurrence shall be deemed a material breach of this Agreement and a default and Unitas Global shall have the right to immediately terminate this Agreement on written notice to Service Provider, provided that all Service Provider’s third-party obligations in respect of the services terminated are promptly paid by Unitas Global. A cure period shall not apply in respect of such termination.
- Service Provider, at its own expense and in addition to and not in lieu of Unitas Global’s rights to conduct audits, shall provide Unitas Global with any other information security related independent attestations or certificates (e.g. HIPAA or PCI-DSS).
- Service Provider must seek approvals from the Head of Information Security at Unitas Global as exceptions for all the risk items identified through infrastructure reviews and audits that Service Provider does not remediate within 10 (ten) business days.
3. Personnel & Security Awareness
- Service Provider shall conduct region-specific background checks for Service Provider personnel providing services to Unitas Global engagements.
- Service Provider must ensure employees are aware of the fact that they are not entitled to privacy protection in the use of their company computers and networks, since these resources may be monitored. Service Provider must define a formal process for responding to a security policy breach by Service Provider personnel providing services to Unitas Global engagements, in discussion with Information security leader.
- All Service Provider Unitas Global workers, contractors, and control impacting third parties with access to Unitas Global networks and data; and or unescorted physical access must receive training and provide consent on Unitas Global’s Acceptable Use policies of Unitas Global Information assets and systems; and Service Provider security policy and compliance developed by the Service Provider as part of their security awareness program.
- The Service Provider must employ designated staff whose primary job responsibilities focus on information security and information risk management.
- The Service Provider Manager should ensure that any Service Provider personnel added to the Unitas Global account (in-processing) and removed from the Unitas Global account (out-processing) are completed in a timely, consistent manner auditable by Unitas Global.
- Unitas Global reserves the right to audit Service Provider’s personnel access records to Unitas Global data.
- The Service Provider understands that Unitas Global may require Service Provider personnel to take special training to comply with The European Union’s General Data Protection Regulations, where applicable.
4. Inventory, Ownership and Classification
- Data Inventory: Service Provider must maintain an inventory of all Unitas Global information assets including:
- Name, location, purpose, dependencies and associations of the information asset such as a database or file system.
- A knowledgeable individual owner of each information asset with the default owner of an information asset as its creator.
- Computer systems that stores Unitas Global data and storage encryption status.
- Application Inventory:
- Service Provider must maintain an inventory of Applications that provide access to Unitas Global data and encryption used for transmission with correlation to computer systems.
- Assign access controls based upon classification and individual “need to know”
- Unitas Global reserves the right to examine Unitas Global data and all data stored or transmitted by Unitas Global computers or communications systems that are the property of Unitas Global. (This may exclude data specifically owned by any government agency or other businesses where Unitas Global is the “caretaker” rather than owner).
- Physical Inventory:
- Service Provider must maintain an inventory of any physical computing assets (including VPN hard tokens) used in the performance of the Unitas Global engagement.
- Physical assets and equipment must have asset tags or recorded serial numbers.
- Assign a knowledgeable individual owner and usage requirements to each asset.
- Include purpose or project, locations authorized, and current location.
- For Unitas Global-supplied equipment, record Unitas Global authorization and return date.
- Software Inventory:
- Service Provider must maintain an inventory of all softwares used in the delivery and performance of the Unitas Global engagement: those licensed and issued by Unitas Global, those procured by the Service Provider and reimbursed by Unitas Global, and those procured by Unitas Global.
- Include license date, purpose/locations authorized, and return date.
- Record the Unitas Global authorization and usage compliance.
5. Data Transmission
- Email: Since Unitas Global confidential and restricted Information must be encrypted when transferred over public networks (such as the Internet), Unitas Global supports SMTP encryption using TLS on the gateway. Country-specific legal and regulatory requirements must be reviewed concerning the use of encryption technology.
- Fax: Information classified as Unitas Global confidential or restricted can only be faxed to password-protected mailboxes or sent after verifying a trusted contact is standing by to receive.
- Voice Communication (e.g. Phone): Unitas Global Restricted information must not be discussed on speakerphones or during teleconferences unless all participating parties first confirm that no unauthorized persons are in close proximity such that they might overhear the conversation.
- Electronic Transmission: where available, use file-based PGP/GPG encryption with TLS/SSH encryption over any public or non-trusted network connection.
- Service Provider is responsible for the infrastructure that supports user compliance with the acceptable use of Unitas Global information resources. The policy applies to laptops, desktop PCs, endpoints, and mainframe terminals.
- Service Provider must maintain laptop and endpoint security through demonstrated provisioning, patching, and anti-malware processes. Personal firewall and anti-malware are required for all Windows systems. Laptop disks should be encrypted.
- Unitas Global data must not be stored on laptop computers or other portable computing devices. Although laptops should primarily be used for access, not storage, specific exceptions may be granted by the Unitas Global Information Security team for running licensed software, with patching, anti-malware, encryption, and personal firewall conforming to Unitas Global security requirements based on justified business need.
7. Business Continuity Planning/Disaster Recovery
- Service Provider shall maintain a tested and sufficient Business Continuity plan (BCP)/ Disaster Recovery (DR) plan and reporting process, so that the business processes may be quickly re-established following a disaster or outage. The Service Provider must maintain an updated inventory of all critical production systems and supporting hardware, applications and software, projects, data communications links, and critical staff at both the primary and secondary sites.
- Service Provider must ensure preparation, maintenance, and regular test of the BCP/DR plan that allows all critical computer and communication systems to be available in the event of emergency or a disaster and meet service level and recovery time and recovery point objectives.
- Service Provider must maintain updated documentation of Disaster Recovery test plans, scripts and test results for the managed service and Service Provider’s own technology infrastructure associated with service delivery. Unitas Global
- Any emergency event-related disruption of business activities related to the Unitas Global account must be reported to Unitas Global.
8. Incident Response & Breach Notification
- Service Provider must maintain an up-to-date information security incident response plan including mobilization contact/call trees, bridge numbers, severity assessment, log recording steps and evidence collection.
- Service Provider shall implement, maintain, comply with and enforce information security policies and information security controls with respect to data security breach response, including information security policies and information security controls that: (a) ensure a prompt, effective and orderly response to any data security breach; (b) limits data security breach management to only authorized Personnel; and (c) require documentation of data security breach response actions taken in detail which shall meet reasonable expectations of forensic admissibility.
- Service Provider must notify and update the Unitas Global sponsor and/or Unitas Global information security leader without unreasonable delay and in less than 24 hours of any actual or threatened unauthorized access or release of Unitas Global confidential or restricted data or to the systems holding or providing access to such data
- The Service Provider, at the request of Unitas Global, must provide appropriately redacted copies of any log files maintained by the Service Provider (including firewall, intrusion detection, system, and application log files) to support any investigation or legal action that may be initiated by Unitas Global.
- Final notification must include detailed incident log and root cause analysis within seven days of closure that describes actions taken and plans for future actions to prevent a similar event from occurring in the future.
- Service Provider must report all occurrences of viruses and malicious code, not handled by deployed detection and protection measures, on any endpoint or server used to provide services or under the work agreement, to Unitas Global without unreasonable delay. Unitas Global expectation is within four hours.
- Service Provider must act immediately to identify and mitigate an incident, and to carry out any recovery or remedies.
- Service Provider must first secure Unitas Global approval of the content of any filings, communications, notices, press releases, or reports related to any security breach of Unitas Global data prior to any publication or communication thereof to any Service Provider. The Service Provider must maintain a well-understood reporting procedure for security incidents.
9. Service Provider Workplace Security
- Entry to the Service Provider workplace or processing area with access to Unitas Global data must be access restricted to personnel authorized, including an access termination procedure and periodic audit of such access.
- Visitor logbooks must be maintained which includes clear description of the visitor, arrival and leaving time, and Unitas Global-relevant business purpose. A Service Provider employee must always escort visitors within the Service Provider area.
- A security guard or electronic access control must protect entry to Service Provider area. Entry and exit logging are preferable. Software-based access control systems must be secured, have proper backups and be highly available. Entry logs must be maintained for at least six months.
- Ensure windows or any other auxiliary entry points are secured. If not staffed 24x7, alarms and entry point security cameras must be installed for off-hours access monitoring with recordings retained for at least one month.
- Service Provider will ensure access to server and switch rooms are access controlled with biometric controls. Access is granted on need basis and entry-exit gates are monitored and recorded on CCTV 24x7. Access Logs to be retained for a period of 90 days.
10. Change Management
- Service Provider must have a documented change management procedure for applications and networks.
- Service Provider change management process must have clear separation of duties.
- Service Provider must have a demonstrable process for keeping servers and software updated with the latest patches and service packs as recommended by the OS and software Service Providers.
- Production Unitas Global data must not be used in the Service Provider’s development or staging environment without written approval from Unitas Global. If a production extract is used, the Service Provider must strip the Unitas Global data or use a tool to obfuscate the Unitas Global data before it is inserted into these environments.
11. Data Back-up
- Service Provider must have well-documented procedures for information backup.
- Any Unitas Global Confidential or Unitas Global Restricted data and Service Provider systems critical to the delivery of services or operational capabilities must be backed up and stored in physically secured area with communication to the Unitas Global team of its location and status upon request.
- Service Provider must maintain all backup and archival media containing Unitas Global information in secure, environmentally controlled storage areas owned, operated, or contracted for by the Service Provider and approved by Unitas Global.
- Unitas Global data must not be stored on removable media other than physically secured retention media expressly used for the purpose of backup or data retention for BCP/DR purposes.
- Service Provider must maintain adequate access and encryption controls on electronic backups as outlined in the Unitas Global data Classification Standard.
12. Access Controls and Privilege Management
- Every user must have a unique user ID. No shared accounts must be used beyond built-in and system accounts where individual usage can be tracked.
- Service Provider accounts must match or exceed Unitas Global or industry standard password guidelines.
- The account owner is responsible for protecting data and resources that are proprietary to Unitas Global, respecting privacy considerations where appropriate, operating ethically, and following security and legal procedures.
- Upon employment termination, all accounts belonging to exiting Unitas Global Workers must be disabled or deleted on their departure date.
- When an account is removed, files associated with the account must be transferred as instructed by the request. If specific instructions were not received, the files must be archived on tape or other approved backup media and then deleted from the system
- All Unitas Global data and systems must always remain protected via access controls. The information must be protected from improper access, disclosure, modification and deletion.
- Unitas Global data must not be disclosed to unauthorized personnel. Access to Unitas Global data must be approved on a need basis as per role and with appropriate business justifications. Access to servers must be restricted to authorized staff based on function (e.g., employees working in development must not have access to production servers).
- The users must be given access privileges with the minimum requirements as per their job requirements. Non-administrative users must not have access to administrative system software or utilities. Privileged or administrative accounts must only be given to the persons responsible for managing systems, databases and applications.
- Ensure procedures are in place to add, remove, and modify user access, including details on control of user administration rights.
- Service Provider, on a quarterly basis, must audit all user accounts. Any account that is not owned must be removed. Any account that is not sponsored, is not valid, or has not been accessed during the prior 90 calendar days or longer must be disabled.
13. Unitas Global Sponsored user accounts including SSO
- A Unitas Global employee should sponsor all accounts on Unitas Global-managed systems assigned to Service Provider workers
- The full name of the Unitas Global employee sponsoring the account should be included in the account profile in readable form such that the account can be easily identified as the responsibility of that employee.
- When a Service Provider worker leaves or is no longer actively engaged on a Unitas Global project, it is the responsibility of Service Provider to inform the Unitas Global sponsor to initiate account termination activities.
- Disabled accounts must not be re-enabled until sponsored by a Unitas Global employee.
14. Application Security
- Service Provider shall implement, maintain, comply with and enforce information security policies and information security controls with respect to the use of application utility programs, including:
- Authentication and authorization procedures, including defining and documenting authorization levels for system utilities.
- Segregation of system utilities from application software.
- Limiting the access and use of system utilities to the minimum practical number of trusted authorized users.
- Logging of all use of system utilities.
- Removal of all unnecessary software-based utilities and system software, and
- Adherence to application security controls designed by Unitas Global.
15. Network Security
- The Service Provider upon request must provide copies of relevant security policy documents to Unitas Global for review and audit purposes. Sensitive procedural documents may be provided onsite for inspection. Unitas Global should review and recommend reasonable changes, and Service Provider may amend the policies or respond with mitigating controls and responses.
- Each Service Provider connection should have a termination date that is not more than 18 months from the start of the connection. The Unitas Global sponsor is responsible for reviewing and either renewing or terminating the connection prior to the termination date. If the connection needs to continue after the termination date, a review of the connection should take place to ensure the correct security measures are in place to meet any new or updated business needs and to utilize new technology. This review should take place prior to the termination date to ensure continued service.
- Service Provider will not extend network connectivity to any sub-contractors or provide remote access without prior approval from Unitas Global information security team.
- Dedicated site-to-site VPN from the Service Provider parent network to the Unitas Global internal network leveraging existing ISP Internet connectivity is recommended and acceptable.
- Unitas Global manages the network device endpoints. This is required for both security and operational reasons.
- Periodic audit should include external scans of the Internet-reachable devices used to build the VPN tunnel.
Information Security Risk Increase and Upgrading Information Security Controls
- Service Provider shall regularly consult with reputable journals, Internet sites, software Service Providers, information security professionals, attorneys and other sources to discover: (a) Information Security Risk Increases; (b) methods to prevent loss by addressing, neutralizing, remedying and mitigating Information Security Risk Increases and Data Security Breaches; and (c) existing, new or modified Information Security Laws and how to comply with such laws. Service Provider shall regularly and periodically determine whether Service Provider needs to upgrade, add to or modify its Information Security Controls to prevent or mitigate against an Information Security Risk Increase or Data Security Breach.
- In the event of an information security risk increase, Service Provider shall: (a) immediately undertake remedial action; (b) provide immediate notice to Unitas Global if Service Provider cannot undertake such action or if such action was unsuccessful or inadequate after implementation, and coordinate a response with Unitas Global; and (c) after undertaking remedial action, provide a report to Unitas Global indicating the results of the remedial action, any adverse impact or violation of information security law that occurred or could occur because of the information security risk increase and any future remedial action to be taken.