These 10x Minimum Control Requirements (“Minimum Control Requirements”) recognise that there may be multiple approaches to accomplish a particular Minimum Control Requirement. The Supplier must document in reasonable detail how a particular control, including those pertaining to dependent suppliers (subcontractors) who collect, transmit, share, store, control, process, manage or access 10x Data, meets the stated Minimum Control Requirement. All Minimum Control Requirements apply to dependent suppliers, even if dependent suppliers are not specifically mentioned in the particular control requirement.
10x may revise the Minimum Control Requirements from time to time, and such revisions will become effective upon publication to the Supplier portal. The Supplier will comply with and implement the revised 10x Minimum Control Requirements as soon as commercially reasonable or otherwise agreed in writing by 10x.
The term “should” in these Minimum Control Requirements means that Supplier will use commercially reasonable efforts to accomplish the stated Minimum Control Requirement, and will document those efforts in reasonable detail, including the rationale, if any, for deviation. This documentation may be reviewed by Auditors to assess the control and the merit of the rationale for deviation. Not all the stated Minimum Control Requirements will apply to all Services or other Deliverables, but Supplier must be able to reasonably show how the Minimum Control Requirement does not apply. These Minimum Control Requirements do not limit Supplier’s obligations under the Agreement or applicable Law, and do not limit the scope of an audit by 10x.
10x may instruct an external Auditor to facilitate and conduct Audits. The Supplier will cooperate with any such external Auditor as reasonably requested by 10x (or any such external Auditor), including entering into agreements any of them may request from time to time, fully and promptly answering questionnaires that 10x or any of them may submit (including submitting information using electronic or other portals or facilities), meeting with any of them to facilitate the Audit, and not requesting any of them to execute a separate non-disclosure agreement.
As used in these Minimum Control Requirements, (i) “including” and its derivatives mean “including but not limited to”; and, (iii) “Confidential Information” is understood to include “Highly Confidential Information”, “Personal Information”, “10x Data” and “10x Client Data”.
The effectiveness of controls must be regularly validated through a documented risk assessment program and appropriately managed remediation efforts.
A documented set of rules and procedures must regulate the receipt, transmission, processing, storage, control, distribution, retrieval, access, presentation, and protection of information and associated services.
A Supplier Personnel security policy and agreements, established organisational requirements to ensure proper training and competent performance, and an appropriate and accountable security organisation must be in place.
Controls must be in place to protect assets, including mechanisms to maintain an accurate inventory of assets and handling standards for the introduction and transfer, removal and disposal of all assets. Any personally-owned devices used by Supplier Personnel for business purposes must be considered.
Controls must be in place to protect against physical penetration by malicious or unauthorised people, damage from environmental contaminants and electronic penetration through active or passive electronic emissions.
Supplier must implement controls over its communication network to safeguard data. Controls must include securing the network, implementing encryption, logging and monitoring, and disabling communications where no business need exists.
Documented operational procedures must ensure correct and secure operation of the Supplier’s assets.
Changes to the system, network, applications, data file structures, other system components and physical/environmental changes must be monitored and controlled through a formal change control environment. Changes must be reviewed, approved and monitored post-implementation to ensure that the expected changes were made and their desired result was achieved.
Authentication and authorisation controls must be appropriately robust for the risk of the data, application and platform; access rights must be granted based on the principle of least privilege and monitored to log access and security events, using software that enables rapid analysis of user activities.
Controls must ensure that any data stored, received, controlled or otherwise accessed is accurate and reliable. Inspection procedures must be in place to validate data integrity.
Data must be protected and should be encrypted, both in transit and at rest, including when shared with dependent suppliers.
A documented plan and associated procedures, to include the responsibilities of Supplier Personnel and identification of parties to be notified in case of an information security incident, must be in place.
Suppliers must have formal documented recovery plans to identify the resources and specify actions required to help minimise losses in the event of a disruption to the business unit, support group unit, application, or infrastructure component. Plans assure timely and orderly recovery of business, support processes, operations and technology components within an agreed upon time frame and include orderly restoration of business activities when the primary work environment is unavailable.
Policies and procedures must be established and adhered to that ensure proper control of an electronic mail and/or instant messaging system that displays and/or contains 10X Data.
Supplier must have policies and procedures for back-up of 10X Data. Back-up media must be protected in storage, offsite storage, and sanitised prior to disposal or reuse.
Policies for handling and storing electronic media containing 10X Data and paper records must be in place, including secure disposal of media and secure transport and transmission to and from Supplier and dependent suppliers.
All dependent suppliers must be identified, assessed, managed and monitored. Dependent suppliers that provide material services, or that support Supplier’s provision of material services to 10X, must comply with all control requirements applicable to any such services.
Information systems must be deployed with appropriate security configurations and reviewed periodically for compliance with Supplier’s security policies and standards.
Supplier must have an established software development lifecycle for the purpose of defining, acquiring, developing, enhancing, modifying, testing or implementing information systems. Supplier must ensure that all web-based and mobile applications used to store, receive, send, control or access 10X Data are monitored, controlled and protected.
Suppliers providing call centre or telemarketing services must have defined and enforced operational procedures that ensure the confidentiality, integrity and availability of 10X Data.
Supplier must continuously gather information and analyse vulnerabilities in light of existing and emerging threats and actual attacks. Processes must include vulnerability scans, anti-malware, Intrusion Detection Systems, Intrusion Prevention Systems, logging and security information and event management analysis and correlation.
Processes must be in place to ensure the protection of 10X Data and compliance with legal and regulatory requirements applicable to the Services and other Deliverables and you must keep records to demonstrate your compliance which shall be made available to 10x or its clients on request.
If you are in breach of any Laws, at your own cost you shall take all actions as 10x or a 10x client may require and are reasonably necessary to comply with such laws.
Supplier must implement effective controls to ensure appropriate processing and protection of Personal Information.
Adequate safeguards must ensure the confidentiality, integrity, and availability of 10X Data stored, processed or transmitted using cloud technology (either as a cloud customer or cloud provider, to include dependent suppliers), using industry standards (i.e., NIST SP 800-145, NIST SP 500-322).
Policies and procedures must ensure management oversight of business operations as well as appropriate responses to any suspected instances of fraud.
Suppliers and dependent suppliers who receive, send, transmit, store, create, generate, collect, control, process or have access to 10X Data, must do so solely to provide services to 10X.
10x prohibits the inappropriate destruction of any records, files, documents, samples, and other forms of information. For the purposes of this Minimum Control Obligation there is a difference between records and disposable information.
Records - A record is any type of information created, received, or transmitted in the course of your engagement with 10x's business, regardless of physical format. Examples of where the various types of information are located include: Appointment books and calendars; Audio and video recordings; Computer programs; Contracts; Electronic files; Emails; Handwritten notes; Invoices; Letters and other correspondence; Magnetic tape; Memory in cell phones and PDAs; Online postings, such as on Facebook, Twitter, Instagram, Snapchat, Slack, Reddit, Vine, and other social media platforms and websites; Performance reviews; Test samples; Voicemails.
Disposable Information - Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a record as defined by this policy. Examples may include: Duplicates of originals that have not been annotated; Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record; Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of 10x and retained primarily for reference purposes; Spam and junk mail.
You and Your permitted Subcontractor shall: