1. Purpose
This policy outlines the Security and Privacy requirements that all Third-Party(s) must adhere to when handling Tredence’s or its Client’s (“Company” or “Organization”) data, systems, applications or services. The objective of this policy is to ensure and maintain the Security and Privacy of Company’s information from unauthorized access, processing or its communication when the information is shared with Third Parties for fulfilling Company’s requirements.
2. Scope
This policy applies to all Third Parties who process, store, or transmit the Company’s confidential, sensitive, or personal data (collectively “Data”). Third Parties shall only process Company Data in accordance with this Policy, including the agreed Contractual Terms / Services Agreement / Statement of work etc. (“Principal Agreement”), and any other written instructions it may receive from the Company.
3. Policy Statement
This Third-Party Security and Privacy Policy outlines our commitment to building and maintaining strong, secure relationships with our Third-Party vendors. We recognize that effective Third-Party Security is essential for protecting our organization, our customers, and our reputation. This policy establishes a framework for evaluating, managing, and monitoring Third-Party Security risks, ensuring that all third parties meet our Security and Privacy requirements.
4. Statutory and Regulatory Compliance
Third Parties must comply with applicable data protection laws, including GDPR, PIPEDA, CCPA, and other relevant regulations.
5. Processing Of Company Data
The Third-Party shall only process Company data in accordance with the terms of the Principal Agreement and any reasonable and lawful directions received in writing from authorized personnel of the Company. For the avoidance of doubt, the engagement of Third-Party as per the Principal Agreement by Company is deemed to be a general authorization for Third-Party to process Company Data in accordance with these Measures.
- To the extent that Third-Party processes Company Data under the Principal Agreement, Company will always be deemed to be the Data Controller and Third-Party will at all times be deemed to be the Data Processor within the meaning of the applicable data protection laws.
- Third-Party Obligations:
- Processing of Data: Third-Party shall only process Company Data to provide services as instructed under the Principal Agreement (including this Policy) and applicable law.
- Inability to comply with instructions: Third-Party shall notify Company within 5 business days if, in its opinion, any Applicable Data Protection Law prohibits it from complying with a Company instruction, or if it is otherwise unable to comply with the said instructions or the Principal Agreement. The notification shall be given as specified in Clause 5 (b)(vi).
- Regulatory Authority Requests: Third-Party will verify the legal basis of any Government authority data request and reject those which it has reason to believe are not valid. It shall keep the Company informed of any such requests, notifying the Company within 48 hours of receiving the request as specified in Clause 5 (b)(vi), unless otherwise prohibited from doing so by law.
- Storage limitation: Where Third-Party brings Company Data into its own environment, it shall keep the Company Data it collects only for as long as necessary and as laid down in Clause 14 of this policy. Third-Party shall only utilize Company Data for the purpose for which it was collected, for performing or fulfilling contractual obligations, for complying with law, and/or for responding to legal actions.
- Data subject rights: Taking into account the nature of Processing, Third-Party shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Third-Party shall also redirect to the Company, within 24 hours, any request received directly from an individual regarding that individual’s Personal Data held as Company Data (without responding to that request unless it has been otherwise authorized to do so). Third-Party shall also redirect to the Company any complaint, communication or request it receives relating to Company’s obligations under applicable data protection laws. This shall be done as per Clause 5 (b)(vi).
- Reporting mechanisms: To the extent applicable by law, Third-Party shall ensure timely communication at all times with respect to this policy.
- For any communications with respect to Regulatory authorities, Data subject requests, engagement of sub-contractors/Processors or inability to comply with this policy, please contact: Privacy@tredence.com
- For any communications with respect to Data Breaches or Disruptions, please contact: InfoSec@tredence.com
- Data Protection Impact Assessments (DPIA): To the extent applicable by law, Third-Party shall provide reasonable assistance to the Company with any DPIAs, and with prior consultations with Supervisory Authorities or other competent data Privacy authorities, which the Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and the information available to, Third-Party.
7. Risk Assessments (RA) and Audits
- The Company holds the right to perform RAs if required and as appropriate, with 10 business days’ prior written notice to the Third-Party, and without causing business disruption to the Third-Party.
- The RA may be conducted by the Company and/or by a Company-nominated Third-Party. Any information obtained during such an assessment shall be held in confidence within the Company.
8. Data Protection & Security Requirements
- Audit Reports & Attestations
Third-Party shall implement administrative, physical and technical safeguards to protect the Company’s information that are no less rigorous than accepted industry practices (such as ISO/IEC 27001:2022 Information Security Management Systems (ISMS) Requirements, SOC 2 Type 2 attestations, ISO/IEC 27701:2019 Privacy Information Management System (PIMS) Requirements, the Control Objectives for Information and Related Technology (COBIT) standards, or other applicable industry standards for information Security), and shall ensure that all such safeguards, including the manner in which the information is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable data protection and Privacy laws as well as the terms and conditions of the Agreement. Third-Party shall share such Attestations and Reports for verification as and when requested by the Company.
- Data Classification
Third Parties must classify data according to its sensitivity (e.g., Public, Internal, Confidential) and apply appropriate safeguards.
- Data Encryption
All sensitive data in transit and at rest must be encrypted using industry-standard encryption protocols (e.g., AES-256, TLS v1.2+).
- Data Minimization
Third Parties must only collect, process, or store data that is necessary to fulfill their contractual obligations.
- Access Controls
- Third Parties shall implement role-based access control (RBAC) to ensure that only authorized personnel can access sensitive data.
- Third Parties shall use multi-factor authentication (MFA) for access to critical systems or applications.
9. Incident Reporting and Breach notification
Third-Party must report any Security breaches, data leaks, or incidents involving Tredence's data within 24 hours of discovery as specified in Clause 5 (b)(vi). The notification must include:
- The nature of the breach.
- The types of data affected.
- The estimated impact and scope.
- Steps being taken to mitigate the breach.
Third-Party must cooperate fully with forensic investigations and remediation efforts.
10. Secure Development & Maintenance
Third Parties developing software or platforms must adhere to secure coding best practices. Security patches and updates must be applied promptly to mitigate vulnerabilities.
11. Enforcement & Penalties
Non-compliance with this policy may result in contract termination and legal action. Vendors may be held liable for financial damages resulting from Security or Privacy breaches.
13. International Transfers
- Compliance with Data Protection Laws: The Third-Party shall comply with all applicable data protection laws regarding the international transfer of personal data, including but not limited to the California Consumer Privacy Act (CCPA), Personal Information Protection and Electronic Documents Act (PIPEDA) and the European Union's General Data Protection Regulation (GDPR).
- Standard Contractual Clauses (Controller-to-Processor): If any personal data is transferred from the European Economic Area (EEA) to a third country outside of the EEA, the parties agree to incorporate the Standard Contractual Clauses (SCCs) Module 2 or Module 3 (as applicable), as approved by the European Commission, and all necessary related appendices, which form an integral part of this Agreement, and shall be covered under Annex 2.
- CCPA Compliance and Obligations: For transfers subject to the CCPA, the Third-Party agrees to act as a “service provider” as defined by the CCPA and shall not “sell” or “share” any personal information it receives under this Policy. The Third-Party shall comply with CCPA requirements, including processing personal information only for the specific business purposes and lawful instructions provided by the Company. Any other requirement under this law shall be discussed with, and communicated to, the Third-Party by the Company.
14. Indemnification
The Indemnification and Liability clauses of the Principal Agreement shall apply to this provision.
15. Data Retention and Disposal
- The Third-Party acknowledges that data retention shall be limited to the duration necessary for business and legal purposes.
- Within thirty (30) days following the completion of services involving Company Data, the Third-Party shall securely delete or return all Company Data to the Company and securely and irretrievably erase any remaining copies, unless retention is required by applicable law. The Third-Party shall provide a written certification confirming the return or destruction of the data.
- Method of Deletion
- Data shall be erased using industry-standard secure deletion methods (e.g., NIST SP 800-88).
- Logs of deletion activities shall be maintained for compliance and audit purposes.
- Data Deletion Rights & Compliance
- The Company may request an expedited deletion of specific data categories, subject to contractual and legal constraints.
- All deletion activities shall align with applicable data protection laws, including GDPR, CCPA, PIPEDA and other relevant regulations.
- Exception
Data required for legal, regulatory, or dispute resolution purposes shall be retained as necessary, with restricted access.
16. Termination & Offboarding
- Upon contract termination, Third-Party must return or securely destroy all Company data promptly and in any event within 30 business days of the date of cessation of any Services involving the Processing of Company Data.
- The Company reserves the right to conduct exit audits to ensure compliance with offboarding procedures.
17. Review & Updates
This policy will be reviewed annually and updated as needed to address new risks and compliance requirements.
ANNEX 1:
Technical and organizational measures including technical and organizational measures to ensure the Security of the data
Description of the technical and organizational Security measures that should be implemented by the Third-Party (including any relevant certifications) to ensure an appropriate level of Security, considering the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons. Examples of possible measures:
- Pseudonymization for Personal Data
- Encryption of Company data at rest and in transit
- Ensuring confidentiality, integrity, availability and resilience of processing systems and services
- Ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the Security of the processing
- User identification and authorization
- Protection of data during transmission
- Protection of data during storage
- Ensuring physical Security of locations at which personal data are processed
- Ensuring event logging
- Ensuring system configuration, including default configuration
- Internal IT and IT Security governance and management
- Certification/assurance of processes and products
- Ensuring data minimization
- Ensuring data quality
- Ensuring limited data retention
- Ensuring accountability
- Allowing data portability and ensuring erasure
- For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller
- Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller.