Security Addendum
This is the Security Addendum under the Master Agreement.
1. SECURITY POLICY.
- GTreasury will maintain a comprehensive security policy (“Security Policy”) that satisfies the requirements set forth below. GTreasury will not make any change to the Security Policy that materially reduces or limits in any material respect the rights or protections offered to Customer under this Addendum generally. Upon request by Customer, GTreasury will provide to Customer a summary of the then-current Security Policy.
- GTreasury will review the Security Policy at least annually, and reissue the same if updated, particularly following any changes in applicable law, advances in technology, or material changes to the GTreasury IT Infrastructure.
2. STANDARDS.
- GTreasury will use industry standard measures to secure and protect Customer Data. Where applicable, GTreasury will use and adhere to the then-current Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Controls Framework and Payment Card Industry Data Security Standard.
3. TRAINING AND AWARENESS.
- Generally. GTreasury will institute an appropriate training and education program designed to ensure that its personnel are appropriately trained regarding their responsibilities with respect to the confidentiality, data protection, and non-disclosure duties including, without limitation, any special requirements relating to Customer Data.
- Privileged Access Users. In addition to its general training obligations, GTreasury will make available specific security training to all personnel granted privileged access (e.g., root, dba, system admin, network admin, superuser level access, support, etc.) to systems which handle or hold Customer Data.
4. RISK ASSESSMENTS.
- Risk Assessment. GTreasury will, at least annually, perform a comprehensive management-directed risk assessment (either internally or with contracted, independent resources) that identifies customer data, business assets (e.g., technical infrastructure), and the operational workflows of GTreasury, the threats against those elements (both internal and external), the likelihood of those threats occurring, and the impact upon the organization, to determine an appropriate level of information security safeguards.
- Risk Mitigation. GTreasury will use industry-standard measures to manage, control, and mitigate any risks identified in the risk assessment that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of Customer Data, all commensurate with the sensitivity of the Customer Data, as well as the complexity and scope of the activities of GTreasury under the Agreement.
5. SECURITY CONTROLS TESTING.
- GTreasury will cause a third-party independent auditor to, at least annually, perform an audit of GTreasury’s Systems’ security according to Statement on Standards for Attestation Engagements No. 18 under the standards of the American Institute of Certified Public Accountants (the “AICPA”), generating a SOC 2 Type II report. Upon request by Customer, GTreasury will provide a copy of such report to Customer. The report will be GTreasury’s Confidential Information and Customer will undertake such confidentiality obligations as the auditor requires of similarly-situated persons.
- With respect to GTreasury’s suppliers who provide hosting services, GTreasury will, promptly upon Customer request, provide to Customer such security audits performed on such supplier’s systems as GTreasury is permitted under its agreement with such supplier to obtain, subject to Customer’s undertaking of such confidentiality obligations as the auditor(s) who produced such reports require.
6. ORGANIZATIONAL SECURITY.
- Responsibility. GTreasury will assign responsibility for information security management to appropriately skilled and senior personnel only.
- Need-to-Know Access. GTreasury will restrict access to information systems used in connection with the services provided under the Agreement and/or to Customer Data to only those personnel who are reliable, have sufficient technical expertise for the role assigned, and know their obligations and the consequences of any security breach or non-compliance with confidentiality requirements.
- Confidentiality and GTreasury Personnel. GTreasury will cause its personnel who have access to Customer’s Confidential Information to maintain the confidentiality of such Confidential Information consistent with GTreasury’s obligations under the Master Agreement.
7. ASSET MANAGEMENT.
- Data Control. GTreasury will not, and will cause the GTreasury Personnel not to, copy, download, transmit (to or from), or store Customer Data on any desktop, laptop, server, portable or other device at any location, unless directly related to the delivery of service under the Agreement.
- Configuration Management. GTreasury will establish a configuration baseline for the GTreasury IT Infrastructure information systems using applicable information security standards, manufacturer recommendations, and industry practices. GTreasury will establish appropriate monitoring to ensure that the GTreasury IT Infrastructure is configured in accordance with the established configuration baseline throughout the life of the GTreasury IT Infrastructure.
- Change Management. The implementation of changes and the introduction of new systems must be controlled, documented, and enforced by the use of comprehensive, formal change control procedures including documentation, specifications, testing, quality control, recovery, and managed implementation.
- Vulnerability Management. GTreasury will implement a formal organizational policy for a program of vulnerability management requiring scanning for vulnerabilities, subscription to a vulnerability notification service, a method for prioritizing vulnerability remediation based on risk (one component of which must be an industry standard rating system), established remediation timeframes based on risk rating, and the tracking and reporting on the effectiveness of the remediation program.
8. RESPONSIBILITY FOR SUPPLIERS. GTreasury will be liable to Customer for any act or omission by a GTreasury supplier or other agent that, if committed or omitted by GTreasury, would be a breach by GTreasury of this Addendum.
9. GEOLOCATION. Where an Order Schedule requires a particular location for Customer Data hosting (e.g., an Azure region or similar specification), GTreasury will maintain Customer Data stored and processed by the applicable System in that location.
10. PHYSICAL SECURITY OF PREMISES.
- Securing Physical Facilities. GTreasury will maintain, or cause to be maintained, the hosting environment for the System(s) in a physically secure environment that restricts access to only authorized individuals. A secure environment includes 24×7 security personnel governance or equivalent means of active monitoring of security controls for all relevant locations (including, without limitation, buildings, computer facilities, and records storage facilities).
- Secure Physical Processing Locations. GTreasury will keep an up-to-date record of all the locations where it stores or processes Customer Data in connection with the provisions of services and the owner of such data location. GTreasury will update such record to reflect any transfer or relocation of material portions of Customer Data.
11. MEDIA HANDLING.
- Physical Security of Media. GTreasury will use industry standard measures to prevent the unauthorized access, copying, alteration or removal of any media containing Customer Data, wherever located. Removable media on which Customer Data is stored (including, but not limited to, thumb drives, CDs, and DVDs) by GTreasury must be encrypted using at least 256-bit AES (or equivalent).
- Media Destruction. GTreasury will securely erase or destroy removable media and any mobile device (examples to include discs, USB drives, DVDs, back-up tapes, printers, laptops or tablets, etc.) containing Customer Data when no longer used by rendering Customer Data on such physical media unintelligible and incapable of reconstruction by any technical means prior to any reuse of the media, if requested by Customer or if such media or mobile device is no longer intended to be used. All backup tapes which for any reason are not destroyed must meet the level of protection described in this Addendum until destroyed.
- Paper Destruction. GTreasury will cross-shred all paper waste containing Customer Data and dispose of it in a secure and confidential manner so as to render all such paper waste unreadable.
12. COMMUNICATIONS AND OPERATIONS MANAGEMENT.
- Penetration Testing. GTreasury will, on at least an annual basis, contract with an independent third party (or an organizationally independent testing function) to conduct a penetration test of the GTreasury IT Infrastructure. GTreasury will, upon request, provide to Customer a high-level summary of the test results.
- Penetration Testing Scope. The scope of a penetration test must include the GTreasury IT Infrastructure perimeter and any critical systems that may impact the security of the GTreasury IT Infrastructure. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the GTreasury IT Infrastructure (LAN-to-LAN attack surfaces). Testing must include both application-layer and network-layer assessments.
- Data Encryption. GTreasury will encrypt Customer Data in GTreasury’s possession or under GTreasury’s control, both at rest (when not actively undergoing processing) and in transit. For in-transit circumstances, GTreasury will enable TLS with at least 256-bit encryption strength at the Demarcation Point. GTreasury will implement and comply with a formal organizational encryption policy covering acceptable standards, algorithms, key management practices, and certificates.
- Data Loss Prevention. GTreasury will implement comprehensive data leakage controls designed to automatically identify, detect, monitor, document, and either prevent or alert on Customer Data leaving GTreasury control without authorization.
- Data Destruction. Where GTreasury is permitted or required by the Master Agreement to destroy Customer Data, GTreasury will erase or destroy such Customer Data, rendering it unrecoverable.
- Network Traffic Restrictions. GTreasury will implement technical controls that restrict network traffic affecting Customer Data to the minimum traffic required to provide the service (e.g. port restrictions, firewall controls, etc.).
- Wireless Networks. GTreasury will ensure that any use of Wi-Fi organizational network traffic for transmission of Customer Data is encrypted using WPA2 or WPA3 with the AES encryption algorithm option provided for non-broadcast SSID and mutual authentication between the server and the end devices; or similar or better measures.
- Malicious Code. GTreasury will implement controls to detect the introduction or intrusion of Malicious Code on information systems handling or holding Customer Data and implement and maintain controls designed to prevent the unauthorized access, disclosure, or loss of integrity, of any Customer Data.
- Internet Controls. GTreasury will implement controls to identify and block employee access to high-risk and undesirable Internet content and higher-risk websites (such as Internet-based email or file storage services) using the GTreasury IT Infrastructure.
13. ACCESS CONTROL.
- Authorized Access. GTreasury will maintain logical separation such that access to the GTreasury IT Infrastructure hosting Customer Data and/or being used to provide services to Customer will uniquely identify each individual requiring access and grant access only to authorized personnel based on the principle of least privileges.
- User Access Inventory. GTreasury will maintain an accurate and up-to-date list of all GTreasury Personnel who have access to the Customer Data and will have a process to promptly disable access, within 24 hours of transfer or termination. Additionally, GTreasury will periodically (at least annually) review the access entitlements of users to ensure that the principle of least privilege is preserved.
- Access No Longer Required.
- With respect to any GTreasury Personnel that no longer require, or are no longer authorized to have, access to Customer Data, where user access is managed by Customer, GTreasury will so notify Customer at least 24 hours prior to the time at which such access is no longer required or authorized.
- Notwithstanding the above, where user access is managed by GTreasury, GTreasury will immediately terminate access to Customer systems and premises by any GTreasury Personnel that are either removed or are no longer actively engaged in any Customer assignment or if such personnel cease to be an employee or supplier of
- Authentication Credential Management. GTreasury will communicate Access Credentials to users in a manner reasonably calculated to prevent receipt by persons not authorized to receive the same.
- Logging and Monitoring. GTreasury will log and monitor all access to the GTreasury IT Infrastructure for additions, alterations, deletions, and copying of Customer Data. GTreasury will maintain records of system or application access attempts, both successful and failed. GTreasury will maintain administration logs for a minimum of 60 days and financial transaction logs for a minimum of six months.
- Multi-Factor Authentication for Remote Access. GTreasury will use multi-factor authentication and a secure tunnel when remotely accessing GTreasury IT Infrastructure.
- Multi-Factor Authentication for Internet Facing Applications. GTreasury will require multi-factor authentication for all users of applications that are public-Internet facing; that permit financial instructions/transactions; or that enable the display of sensitive Personal Data.
- Endpoint Administrative Access. GTreasury will generally restrict administrative access on end-user machines used by GTreasury Personnel, including the ability to install software, exclusively to personnel and privileged accounts with technical administrative responsibilities.
14. USE OF LAPTOPS AND MOBILE DEVICES.
- Encryption Requirements. GTreasury will encrypt data on any laptop or mobile device containing Customer Data using an industry-recognized encryption algorithm with at least 256-bit AES encryption (or equivalent).
- Secure Storage. GTreasury will require that all of its laptops and mobile devices that access Customer Data be securely stored whenever out of GTreasury Personnel's immediate possession. In the event of a lost or stolen GTreasury laptop or other mobile device containing unencrypted or readily ascertainable Customer Data, GTreasury will promptly notify Customer of the same.
- Inactivity Timeout. GTreasury will employ access and password controls as well as inactivity timeouts of no longer than 30 minutes on all laptops, desktops and mobile devices used by GTreasury Personnel to access Customer Data.
- Laptops/Mobile Devices. GTreasury will implement technical controls which prohibit access to Customer Data on laptops or mobile devices where the above requirements cannot be met.
15. INFORMATION SYSTEMS ACQUISITION DEVELOPMENT AND MAINTENANCE.
- Code Analysis. With respect to software that GTreasury develops for use as a part of a System, GTreasury will perform static application security testing (SAST) with a commercially recognized tool and/or process designed to identify and remediate technical security vulnerabilities. Additionally, GTreasury will examine its code for design flaws (such as residual debug code) that could be used to circumvent implemented security controls, and/or for the inclusion of code that could be used with malicious intent.
- Open Source Software Security. GTreasury will, as applicable, implement controls associated with the use of open-source software within the development lifecycle to address and mitigate the risks of such software. These controls will minimally include provisions for open-source software inventories and audits, component and composition analysis, security and vulnerabilities, licensing and compliance, and software quality.
- Software Patching. GTreasury will regularly update and patch all computer software on GTreasury IT Infrastructure that handles or holds Customer Data, with patching for vulnerabilities rated ‘critical’ or ‘high’ applied within 30 days of patch availability, unless other controls suggested or recommended by the software publisher have been applied that mitigate the vulnerability.
16. INCIDENT EVENT AND COMMUNICATIONS MANAGEMENT.
- Incident Management/Notification of Breach. GTreasury will develop and implement a management-approved incident response plan that specifies actions to be taken when GTreasury or one of its suppliers suspects or detects that a person has gained unauthorized access to Customer Data or systems or applications containing any Customer Data (the “Response Plan”). The Response Plan will include the following provisions.
- Escalation Procedures. Notification of senior managers and appropriate reporting to regulatory and law enforcement agencies.
- Incident Reporting. GTreasury will promptly furnish to Customer such details as GTreasury has or obtains regarding the general circumstances and extent of such unauthorized access, including without limitation, the categories of Customer Personal Data and the number and/or identities of any data subjects affected, as well as any steps taken to secure the Customer Data and preserve information for any necessary investigation.
- Investigation and Prevention. GTreasury will use reasonable efforts to assist Customer in investigating or preventing the reoccurrence of any such access and will: (A) cooperate with the Customer in its efforts to comply with statutory notice or other legal obligations applicable to Customer or its clients arising out of unauthorized access or use and to seek injunctive or other equitable relief and (B) promptly take all reasonable actions necessary to prevent a reoccurrence of and mitigate against loss from any such unauthorized access. In addition, in the event that GTreasury reports a security incident to Customer and the security incident results in Customer opening a technical support case at the “critical” level, then GTreasury will take the following measures unless otherwise agreed between the parties:
- GTreasury will assign one or more cloud support engineers, technical account managers or similar personnel (the “Incident Responder”) to coordinate with Customer, monitor details of the security incident, investigate and diagnose Customer concerns, and work with GTreasury’s service subject matter experts in connection with the security incident;
- GTreasury will use commercially reasonable efforts to have the Incident Responder respond to (or acknowledge) Customer’s technical support case as provided for in the SLA; and
- If needed and appropriate, the Incident Responder will arrange for direct interaction between Customer and GTreasury service subject matter experts in connection with the security incident.
- Personnel Training and Confidentiality. GTreasury will ensure that all personnel fully understand the process and conditions under which they are required to invoke the appropriate incident response. GTreasury will maintain confidentiality as, and to the extent, required by the Master Agreement regarding actual or suspected unauthorized possession, use or knowledge of Customer Data or any other failure of GTreasury’s security measures or non-compliance with its security policies or procedures.
- Annual Review/Update. GTreasury will review the Response Plan at least annually, with approval by management, to accommodate any material changes in systems, applications, or operational processes. GTreasury will, at least annually, perform a validation exercise to test whether the Response Plan’s assumptions are accurate and confirm GTreasury’s ability to execute the plan as it is designed.