Third-Party Security and Privacy Policy

1. Purpose

This policy outlines the Security and Privacy requirements that all Third Parties must adhere to when handling Tredence’s or its Client’s (“Company” or “Organization”) data, systems, applications or services. The objective of this policy is to ensure and maintain the Security and Privacy of Company information against unauthorized access, processing or communication when that information is shared with Third Parties for fulfilling Company’s requirements.

2. Scope

This policy applies to all Third Parties who process, store, or transmit the Company’s confidential, sensitive, or personal data (collectively “Data”). Third Parties shall only process Company Data in accordance with this Policy, including the agreed Contractual Terms / Services Agreement / Statement of work etc. (“Principal Agreement”), and any other written instructions it may receive from the Company.

3. Policy Statement

This Third-Party Security and Privacy Policy outlines our commitment to building and maintaining strong, secure relationships with our Third-Party vendors. We recognize that effective Third-Party Security is essential for protecting our organization, our customers, and our reputation. This policy establishes a framework for evaluating, managing, and monitoring Third-Party Security risks, ensuring that all Third Parties meet our Security and Privacy requirements.

4. Statutory and Regulatory Compliance

Third Parties must comply with applicable data protection laws, including GDPR, PIPEDA, CCPA, and other relevant regulations.

5. Processing Of Company Data

The Third-Party shall only process Company data in accordance with the terms of the Principal Agreement and any reasonable and lawful directions received in writing from authorized personnel of the Company. For the avoidance of doubt, the engagement of Third-Party as per the Principal Agreement by Company is deemed to be a general authorization for Third-Party to process Company Data in accordance with these Measures.

  1. To the extent that the Third-Party processes Company Data under the Principal Agreement, the Company will always be deemed to be the Data Controller and the Third-Party will at all times be deemed to be the Data Processor within the meaning of the applicable data protection laws.
  2. Third-Party Obligations:
    1. Processing of Data: Third-Party shall only process Company Data to provide services as instructed under the Principal Agreement (including this Policy) and applicable law.
    2. Inability to comply with instructions: Third-Party shall notify the Company within 5 business days if, in its opinion, any Applicable Data Protection Law prohibits it from complying with a Company instruction, or if it is otherwise unable to comply with the said instructions or the Principal Agreement. The notification shall be given as specified in Clause 5 (b)(vi).
    3. Regulatory Authority Requests: Third-Party will verify the legal basis of any Government authority data request and reject those which it has reason to believe are not valid. It shall keep the Company updated on any such requests and shall inform the Company within 48 hours of receiving such a request, as specified in Clause 5 (b)(vi), unless prohibited from doing so by law.
    4. Storage limitation: In the event that the Third-Party is bringing Company Data into its environment, it shall ensure that it keeps Company Data it collects, for only as long as necessary and as laid down in Clause 14 of this policy. Third-Party shall only utilize the Company Data for the purpose for which it was collected, for performing or fulfilling contractual obligations, for complying with law; and/or for responding to legal actions.
    5. Data subject rights: Taking into account the nature of Processing, Third-Party shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
      Third-Party shall also redirect within 24 hours to the Company, any request received for Company Data directly from an individual regarding that individual’s Personal Data (without responding to that request unless it has been otherwise authorized to do so). Third-Party shall also redirect to the Company any complaint, communication or request it receives, relating to Company’s obligations under applicable data protection laws. This shall be done as per Clause 5 (b)(vi).
    6. Reporting mechanisms: To the extent applicable by law, Third-Party shall ensure timely communication with the Company with respect to this policy.
      • For any communications with respect to Regulatory Authorities, Data Subject requests, engagement of sub-contractors/Sub-processors or inability to comply with this policy, contact: Privacy@tredence.com
      • For any communications with respect to Data Breaches or Disruptions, contact: InfoSec@tredence.com
    7. Data Protection Impact Assessments (DPIA): To the extent applicable by law, Third-Party shall provide reasonable assistance to the Company with any DPIAs, and with prior consultations with Supervisory Authorities or other competent data Privacy authorities, which the Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Company Personal Data by the Third-Party, and taking into account the nature of the Processing and the information available to the Third-Party.

6. Sub-Processing

  1. Third-Party shall not appoint (or disclose any Company Data to) any Sub-processor without prior authorization from the Company.
  2. In the event of engaging a new sub-processor under this Policy, Third-Party shall give at least 30 days’ notice to the Company, and any objections from the Company shall be addressed and remediated within 30 days of receipt of such notice. Such notice shall be provided as per Clause 5 (b)(vi).
  3. Third-Party shall ensure that the processing of Company Data by the Sub-processor is governed by a written contract including terms no less protective of Company Data than those set out in this Policy, including that the applicable data protection obligations in this Policy are imposed on the Sub-processor.
  4. Third-Party shall be fully responsible for the actions and omissions of its Sub-processors. Third-Party shall indemnify, defend, and hold harmless the Company from and against any claims, losses, liabilities, damages, or expenses (including reasonable attorney's fees) arising from the actions or omissions of its Sub-processors, subject to the limitations of liability set forth in the Principal Agreement.

7. Risk Assessments (RA) and Audits

  1. The Company holds the right to perform RAs if required and as appropriate, with prior written notification of 10 business days to the Third-Party, and without disrupting the Third-Party’s business operations.
  2. The RA may be conducted by the Company and/or by a Company-nominated Third-Party. Any information obtained during such an assessment shall be kept confidential within the Company.

8. Data Protection & Security Requirements

  1. Audit Reports & Attestations
    Third-Party shall implement administrative, physical and technical safeguards to protect the Company’s information that are no less rigorous than accepted industry practices (such as ISO/IEC 27001:2022 Information Security Management Systems (ISMS) Requirements, SOC 2 Type 2 Attestations, ISO 27701:2019 Privacy Information Management System (PIMS) Requirements, the Control Objectives for Information and related Technology (COBIT) standards, or other applicable industry standards for information Security), and shall ensure that all such safeguards, including the manner in which the information is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable data protection and Privacy laws, as well as the terms and conditions of the Agreement. Third-Party shall share such Attestations and Reports for verification as and when requested by the Company.
  2. Data Classification
    Third Parties must classify data according to its sensitivity (e.g., Public, Internal, Confidential) and apply appropriate safeguards.
  3. Data Encryption
    All sensitive data in transit and at rest must be encrypted using industry-standard encryption protocols (e.g., AES-256, TLS v1.2+).
  4. Data Minimization
    Third Parties must only collect, process, or store data that is necessary to fulfill their contractual obligations.
  5. Access Controls
    • Third Parties shall implement role-based access control (RBAC) to ensure that only authorized personnel can access sensitive data.
    • Third Parties shall use multi-factor authentication (MFA) for access to critical systems or applications.

9. Incident Reporting and Breach notification

Third-Party must report any Security breaches, data leaks, or incidents involving Tredence's data within 24 hours of discovery as specified in Clause 5 (b)(vi). The notification must include:

  1. The nature of the breach.
  2. The types of data affected.
  3. The estimated impact and scope.
  4. Steps being taken to mitigate the breach.

Third-Party must cooperate fully with forensic investigations and remediation efforts.

10. Secure Development & Maintenance

Third Parties developing software or platforms must adhere to secure coding best practices. Security patches and updates must be applied promptly to mitigate vulnerabilities.

11. Enforcement & Penalties

Non-compliance with this policy may result in contract termination and legal action. Vendors may be held liable for financial damages resulting from Security or Privacy breaches.

12. Business continuity

  1. The Third-Party shall maintain and test a comprehensive Business Continuity Plan (BCP) to ensure the continuity of critical services, operations, and deliverables in the event of disruption, including but not limited to natural disasters, cyber incidents, pandemics, or other unforeseen events. The Third-Party agrees to take all reasonable measures to minimize the impact of such disruptions on its obligations under this Policy.
  2. Business Continuity Plan Requirements

    The Third-Party’s BCP shall, at a minimum:

    1. Identify critical business functions and processes relevant to the Agreement;
    2. Include strategies for disaster recovery, data backup, and restoration of services;
    3. Outline communication protocols to inform the Company of any disruptions and mitigation efforts;
    4. Be tested and updated at least annually or as required by changes in the Third-Party’s operations or external risks. The test results shall be shared with the Company as requested.
  3. Notification of Disruptions

    In the event of a disruption that may impact the Third-Party’s ability to fulfill its obligations under this agreement, the Third-Party shall notify the Company within 24 hours of becoming aware of the disruption. The notification shall include:

    1. The nature and scope of the disruption;
    2. The anticipated impact on deliverables or services;
    3. The steps being taken to mitigate the disruption; and
    4. An estimated timeline for resuming normal operations.
    5. The Third-Party shall promptly share the root cause analysis (RCA) report with the Company and shall report as specified in Clause 5 (b)(vi).
  4. Remediation and Termination

    If the Third-Party fails to maintain an adequate BCP or fails to resume operations within a reasonable timeframe following a disruption, the Company may, at its discretion:

    1. Require the Third-Party to implement corrective actions; or
    2. Terminate this agreement for cause, without liability, and seek alternative service providers.

13. International Transfers

  1. Compliance with Data Protection Laws: The Third-Party shall comply with all applicable data protection laws regarding the international transfer of personal data, including but not limited to the California Consumer Privacy Act (CCPA), Personal Information Protection and Electronic Documents Act (PIPEDA) and the European Union's General Data Protection Regulation (GDPR).
  2. Standard Contractual Clauses (Controller-to-Processor): If any personal data is transferred from the European Economic Area (EEA) to a third country outside of the EEA, the parties agree to incorporate the Standard Contractual Clauses (SCCs) Module 2 or Module 3 (as applicable), as approved by the European Commission, and all necessary related appendices, which form an integral part of this Agreement, and shall be covered under Annex 2.
  3. CCPA Compliance and Obligations: For transfers subject to the CCPA, the Third-Party agrees to act as a “service provider” as defined by the CCPA and shall not “sell” or “share” any personal information it receives under this Policy. The Third-Party shall comply with CCPA requirements, including processing personal information only for the specific business purposes and lawful instructions provided by the Company. Any other requirements under this law shall be communicated by the Company.

14. Indemnification

The Indemnification and Liability clauses of the Principal Agreement shall apply to this provision.

15. Data Retention and Disposal

  1. The Third-Party acknowledges that data retention shall be limited to the duration necessary for business and legal purposes.
  2. Within thirty (30) days following the completion of services involving Company Data, the Third-Party shall securely delete or return all Company Data to the Company and securely and irretrievably erase any remaining copies, unless retention is required by applicable law. The Third-Party shall provide a written certification confirming the return or destruction of the data.
  3. Method of Deletion
    1. Data shall be erased using industry-standard secure deletion methods (e.g., NIST SP 800-88).
    2. Logs of deletion activities shall be maintained for compliance and audit purposes.
  4. Data Deletion Rights & Compliance
    1. The Company may request an expedited deletion of specific data categories, subject to contractual and legal constraints.
    2. All deletion activities shall align with applicable data protection laws, including GDPR, CCPA, PIPEDA and other relevant regulations.
  5. Exception

    Data required for legal, regulatory, or dispute resolution purposes shall be retained as necessary, with restricted access.

16. Termination & Offboarding

  1. Upon contract termination, Third-Party must return or securely destroy all Company data promptly and in any event within 30 business days of the date of cessation of any Services involving the Processing of Company Data.
  2. The Company reserves the right to conduct exit audits to ensure compliance with offboarding procedures.

17. Review & Updates

This policy will be reviewed annually and updated as needed to address new risks and compliance requirements.

18. Definitions

  1. “Applicable Data Protection Law” means, as applicable to the processing of Customer Data (including any personal data contained therein), any national, federal, European Union, state, provincial, or other Privacy, data protection, or data Security law or regulation.
  2. “Confidential Information” means any non-public, proprietary, or sensitive information disclosed by Tredence to a Third-Party, whether in written, oral, electronic, or other form, including but not limited to business plans, financial data, trade secrets, customer information, technical specifications and any other information marked or identified as confidential.
  3. “Cross-Border Data Transfer” means the transmission of Data from one country to another, including transfers to countries outside the jurisdiction of Tredence.
  4. “Company Data” or “Data” shall mean any information, in any form, that is collected, processed, stored, or transmitted by or on behalf of Tredence, including but not limited to: Personal Data (as defined below), Confidential Information, Intellectual Property, Financial Information, Operational Data, and any other information deemed sensitive or proprietary by Tredence.
  5. “Data Controller” refers to the entity that determines the purposes and means of processing Personal Data. For the purposes of this policy, Tredence is the Data Controller unless otherwise specified.
  6. “Data Fiduciary” shall have the same meaning as “Data Controller” or “Controller”.
  7. “Data Processing” means any operation or set of operations performed on Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure and destruction.
  8. “Data Processor” refers to the entity that processes Personal Data on behalf of the Data Controller. Third Parties may act as Data Processors when handling Tredence's data.
  9. “Data Protection Laws” means EU Data Protection Laws, Indian Data protection laws and, to the extent applicable, the data protection or Privacy laws of any other country.
  10. “DPDP” means the Indian Law, Digital Personal Data Protection Act, 2023.
  11. “EEA” means the European Economic Area.
  12. “GDPR” means EU General Data Protection Regulation 2016/679.
  13. “Personal Data” or “Personally Identifiable Information (PII)” refers to any information relating to an identified or identifiable natural person ("Data Subject"), as defined under applicable data protection laws, such as the General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA) or the California Consumer Privacy Act (CCPA). It shall also mean any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.
  14. “Regulatory Authority” means any government or regulatory body responsible for enforcing data protection, Privacy, or Security laws, such as the Information Commissioner's Office (ICO) under GDPR, the Federal Trade Commission (FTC) in the United States, and other relevant local, national, or international authorities.
  15. “Security Breach” or “Data Breach” means a breach of Tredence’s Security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
  16. “Security Incident” means any event that compromises the confidentiality, integrity, or availability of Tredence's Data, systems, or resources, including but not limited to unauthorized access, malware infections, denial-of-service attacks, and physical Security breaches.
  17. “Sensitive Data” means any information that, if disclosed, accessed, or processed without authorization, could result in harm, risk, or adverse impact to the Company including but not limited to Personal Data, financial data, health records, authentication credentials, trade secrets, and any other data classified as sensitive under applicable laws, regulations, or organizational policies.
  18. “Sub-Processor” means a Third-Party engaged by another Third-Party to perform specific tasks or services related to the agreement with Tredence or as specified in applicable Data Protection Laws.
  19. “Third-Party” means any external entity that provides goods, services, or resources to Tredence, including but not limited to: Vendors, Suppliers, Contractors, Consultants, Service Providers, Business Partners, Subcontractors, or any other entity that has access to, processes, or handles Tredence's data, systems, or resources.

ANNEX 1:

Technical and organizational measures including technical and organizational measures to ensure the Security of the data

Description of the technical and organizational Security measures that should be implemented by the Third-Party (including any relevant certifications) to ensure an appropriate level of Security, considering the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons. Examples of possible measures:

  1. Pseudonymization for Personal Data
  2. Encryption of Company data at rest and in transit
  3. Ensuring confidentiality, integrity, availability and resilience of processing systems and services
  4. Ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  5. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the Security of the processing
  6. User identification and authorization
  7. Protection of data during transmission
  8. Protection of data during storage
  9. Ensuring physical Security of locations at which personal data are processed
  10. Ensuring event logging
  11. Ensuring secure system configuration, including default configuration
  12. Internal IT and IT Security governance and management
  13. Certification/assurance of processes and products
  14. Ensuring data minimization
  15. Ensuring data quality
  16. Ensuring limited data retention
  17. Ensuring accountability
  18. Allowing data portability and ensuring erasure
  19. For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller
  20. Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller.

ANNEX 2:

Only applicable when Data is being transferred from EU/EEA region.

SCCs shall be adopted and are available at:
https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en