This Addendum outlines the minimum requirements for UNLESS's operations and protection of Customer’s data (personal and non-personal) and forms an integral part of the Agreement entered into between the Customer (you) and UNLESS (the “Main Agreement”).
For the avoidance of doubt, the measures outlined in this document are not intended to be an exhaustive list of measures required by UNLESS. Additional and/or more stringent measures may be required in line with the actual risks and the proportionality principle as outlined below. Furthermore, the requirements outlined in this document are supplementary to all other functional and non-functional security requirements outlined in the Main Agreement or as otherwise provided by UNLESS.
UNLESS’s security measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of data processing as well as the risk of varying likelihood and severity for any adverse consequences for the Customer or the natural persons involved.
Information security management
UNLESS operates an information security management approach modelled after the ISO 27001 and 27002:2022 (or subsequent versions) or an equivalent industry standard for information security management. It encompasses measures detailed herein, which UNLESS implements following industry best practices and the principles of continuous improvement.
UNLESS provides regular and comprehensive training to its employees to raise awareness of data protection principles and security best practices.
System Access and Control
UNLESS implements organisational measures to prevent unauthorised access to the data processing systems, including, but not limited to:
- Secure user authentication processes;
- Role-based access control to limit access to personal data to authorised personnel;
- Password policies, e.g. requiring strong, unique passwords that are periodically updated;
- Multi-factor authentication for accessing sensitive and/or business critical systems or data;
- Regular review and monitoring of access logs.
Privacy and Security Incident Management
Incident response plan
UNLESS has a documented incident response plan in place to detect, contain, and remediate data breaches or security incidents (together referred to as “incidents”). Regular testing and updates to the incident response plan are conducted.
Notification and information obligations
In the event of any actual or suspected incidents concerning the services provided under the Main Agreement, UNLESS will promptly notify the Customer in writing, providing all available relevant details regarding the incident, including its nature, scope, and potential impact on Customer's data. Any privacy breach shall, in addition to the requirements set forth herein, be informed and handled in accordance with the requirements outlined in the data processing agreement entered into between the Parties.
Cooperation and mitigation
UNLESS will cooperate fully with the Customer to mitigate any adverse effects resulting from the incident. This includes, but is not limited to, taking immediate corrective actions, providing necessary support, and collaborating to prevent further unauthorised access or data compromise.
Information Sharing and Documentation
UNLESS will furnish the Customer with all information and documentation pertinent to investigations, analyses, or reviews related to the incident, upon the Customer's reasonable request.
UNLESS will assist the Customer in conducting an inquiry or audit regarding the incident, facilitating access to relevant records, systems, or personnel to support the investigation.
Throughout the incident resolution process, UNLESS will provide regular updates to the Customer regarding the progress made in rectifying the breach and implementing security measures to prevent similar occurrences.
UNLESS has implemented appropriate physical measures, such as entry controls, to ensure only authorised personnel can access facilities where data processing occurs.
UNLESS has implemented network security measures, such as firewalls, intrusion detection/prevention systems, and network segmentation to safeguard internal data networks. UNLESS regularly updates anti-malware solutions and conducts periodic network scans to detect and mitigate threats.
UNLESS utilises strong encryption protocols for data at rest and in transit to protect the confidentiality and integrity of Customer's data. Management of encryption keys must be performed securely, with periodic changes and secure storage of keys.
UNLESS applies secure coding practices and conducts regular code reviews and/or scans to identify and remediate security vulnerabilities in applications.
Business continuity and disaster recovery
UNLESS maintains a documented Business Continuity Plan (BCP) outlining procedures, resources, and strategies to ensure the continuity of services in the event of disruptive incidents.
UNLESS has established comprehensive Disaster Recovery (DR) procedures to address scenarios where critical systems or services are unavailable due to unforeseen events.
UNLESS conducts periodic tests and reviews of the BCP and DR procedures to ensure their effectiveness and responsiveness in various disaster scenarios.
UNLESS has implemented robust and regular backup routines for all business critical and sensitive data involved in providing services under the Agreement. Backups are performed at defined intervals, ensuring data integrity, accessibility, and secure storage in compliance with industry standards and regulatory requirements.
Backup data is securely stored and readily accessible in case of data loss or system failure, enabling timely restoration of services.
Compliance and Audits
Applicable laws and regulations
UNLESS ensures strict compliance with all applicable security and privacy laws, regulations, and standards pertinent to the services rendered under this Agreement.
Customer may periodically verify UNLESS's compliance with the requirements outlined in this Addendum. UNLESS shall provide necessary documentation in this regard upon Customer’s reasonable request.
Customer may, upon reasonable notice, conduct audits or assessments to verify UNLESS's adherence to these requirements. UNLESS agrees to cooperate fully with such audits.
Subcontractors and Third-Party Security
UNLESS ensures that any subcontractors or third parties it engages in the provision of services to Customer adhere to materially equivalent security standards and are contractually bound to do so.