Policy for Third Party Information Handling and Data Protection

Effective from

Introduction

Purpose of Policy

This Policy sets out GXS Bank’s information handling and data protection requirements for third party vendors that access or process GXS Bank’s information assets (including personal data) on behalf of and for the purposes of GXS Bank, pursuant to a contract.

The contractual agreement between GXS Bank and the third party vendor includes obligations on the third party vendor to comply with GXS Bank’s policies as notified to the third party vendor. This Policy serves to inform a third party vendor entering into a contractual relationship with GXS Bank of the bank’s requirements for the third party vendor’s handling and protection of GXS Bank’s information assets and personal data, which will be binding on the third party vendor.

GXS Bank may revise this Policy from time to time. The latest version of the Policy will be made available on our website. It is the third party vendor's responsibility to review the Policy periodically for any changes.

Scope of Policy

This Policy applies to third party vendors with whom GXS Bank enters into a contractual relationship to carry out activities that may involve access, collection, use, disclosure, holding or otherwise processing of GXS Bank’s information assets (including personal data).

Definitions
Information assets
Definition: GXS Bank’s information created, owned, processed or stored by the third party vendor.
Examples: Digital files stored on a hard drive, in cloud storage or on backup tape.

Personal data
Definition: Data, whether true or not, about an individual who can be identified from that data, or from that data together with other information which is in the possession of, or is likely to come into the possession of, the organisation.
Examples: Name, identification number, bank account number, personal mobile telephone number, personal email address, facial image, an individual’s online activity, transaction or location data, etc.

Sensitive personal data (subset of personal data)
Definition: Data about an individual whose compromise may result in significant harm to the individual, such as physical, psychological, emotional, economic, financial, reputational or other severe harm that a reasonable person would identify as a possible outcome of a data breach.
Examples: National identification number, financial information, medical information, evaluative data, investigation, disciplinary or criminal records, bank account number, password, security code, access code, biometric data or other data used to allow access to or use of the individual’s account.

Technology infrastructure
Definition: The IT infrastructure on which information assets and information systems are hosted, processed and run. Technology infrastructure is used on an ongoing basis to host, configure, process or support the information assets and information systems.
Examples: Hardware and software of network devices, appliances, firewalls, servers, desktops, laptops and mobile devices.

Processing (of data)
Definition: Carrying out any operation (or set of operations) in relation to data, whether or not by automated means.
Examples: Recording, holding, organising, adapting, altering, retrieving, combining, transmitting, erasing or destroying the data.

Info security incident
Definition: Any event which involves a security breach of a critical system, or where the security, integrity or confidentiality of a system processing GXS Bank’s customer information has been compromised.
Examples: Hacking, unauthorised intrusions.

Data incident
Definition: Any event or activity that results, or could result, in unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or a similar risk.
Examples: Incorrect personal data retrieved during data processing and disclosed to an external party; incorrect personal data made publicly accessible or viewed by unauthorised users; a web folder or text file containing GXS Bank’s personal data left publicly accessible; a malware infection causing an employee’s emails containing GXS Bank’s personal data to be forwarded to external parties or exfiltrated; a compromised account used to exfiltrate GXS Bank’s personal data; data theft by an employee with access.

Data breach
Definition: Any unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, including the loss of any storage medium or device on which personal data is stored in circumstances where unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

Information Handling and Data Protection Requirements

Access Control and Management

The third party vendor shall ensure its personnel’s access to GXS Bank’s information assets (including personal data) is restricted on a need-to-know basis and based on the principle of least privilege.

The third party vendor shall have in place an access control and management process, which should include a formal provisioning and de-provisioning process for access to information systems with exposure to GXS Bank’s information assets for its personnel and those of any other third parties (e.g. sub-contractors).

The third party vendor shall ensure no one is given concurrent access to both production systems and backup systems. Any personnel of the third party vendor who needs to access backup files or system recovery resources must be duly authorised for a specific reason and for a specified time period only.

The third party vendor should ensure all its user roles and permissions, reasons and purposes, period of access and change requests are vetted and approved by GXS Bank. The third party vendor should ensure that user access recertification is completed, vetted and approved in a timely manner.

All access provisioning, de-provisioning, change requests and relevant approvals shall be documented for tracking, monitoring and auditing purposes.

The third party vendor shall ensure all its personnel’s access to GXS Bank’s information assets or personal data is removed as soon as they no longer need it. All user accounts on information systems with exposure to GXS Bank’s information assets and personal data shall be disabled at a pre-set date agreed with GXS Bank, such as the contract’s expiry date. Where a member of personnel requires temporary access to an information system with exposure to GXS Bank’s data, such access shall be removed immediately after the user has completed the task for which the access was granted. If a member of personnel is under investigation on suspicion of wrongdoing or non-compliance with GXS Bank’s policies, that person’s user account shall be suspended immediately, where required.

The third party vendor shall ensure there are appropriate detective and preventive measures to monitor all access, use, processing or disclosure of GXS Bank’s information assets and personal data by its personnel for any possible unauthorised activity.

Secure Access, Transmission and Storage

The third party vendor shall use secure channels for access, transmission and storage of GXS Bank’s data, including but not limited to secure file transfer protocol and encryption.

The third party vendor shall apply current, industry-accepted encryption standards for the transmission and storage of GXS Bank’s data. All transmission of GXS Bank’s confidential and restricted information (including personal data) over the Internet and between cloud environments shall be protected with strong Transport Layer Security (TLS), i.e. TLS 1.2 or later, configured with modern cipher suites and with certificate and hostname validation enabled.
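To make the "strong TLS" requirement above concrete, the following added example (written for this page, not GXS Bank’s or any vendor’s code) builds a Python client-side TLS configuration that satisfies it and audits an arbitrary context against the same criteria. The cipher-suite string, the audit thresholds and the "weak" configuration shown for contrast are this example’s own assumptions, not requirements stated in the Policy.

```python
import ssl

# Assumed baseline for "strong TLS": TLS 1.2 or later, forward-secret AEAD
# cipher suites only, peer certificate validated and matched to the hostname.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher string (TLS 1.2 suites; TLS 1.3 suites are always AEAD and
# forward-secret and are managed separately by OpenSSL).
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"
# Key-exchange identifiers reported by SSLContext.get_ciphers() that give
# forward secrecy ("kx-any" is what TLS 1.3 suites report).
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def build_strong_context() -> ssl.SSLContext:
    """Client context meeting the assumed baseline."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = MIN_VERSION    # refuse TLS 1.0/1.1 handshakes
    ctx.set_ciphers(STRONG_CIPHERS)      # drop RSA key exchange and non-AEAD suites
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables CRIME-style attacks
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """The kind of configuration the Policy is meant to rule out (for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allows legacy versions
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum_version {ctx.minimum_version!r} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled: certificate is not matched to the host")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    weak_suites = sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
        and (not c["aead"] or c["kea"] not in FORWARD_SECRET_KX)
    )
    if weak_suites:
        findings.append("non-AEAD or non-forward-secret suites enabled: " + ", ".join(weak_suites))
    return findings


if __name__ == "__main__":
    for label, ctx in (("strong", build_strong_context()), ("weak", build_weak_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

The audit runs entirely offline against the context object, so it can be used in a vendor’s CI pipeline to catch a regression (for example a developer setting `verify_mode = CERT_NONE` to silence a certificate error) before it reaches a system that carries GXS Bank’s data. Server-side contexts can be checked with the same function after setting `check_hostname` aside, since that attribute only applies to clients.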

The third party vendor shall ensure GXS Bank’s data is physically and logically separate from other datasets, and clearly identified as GXS Bank’s data.

The third party vendor shall ensure production data containing GXS Bank’s personal data is not used or stored in non-production environments for testing, user acceptance tests or other purposes.

The third party vendor shall not store GXS Bank’s information assets and personal data in publicly accessible folders.

The third party vendor shall ensure its personnel do not download or transfer GXS Bank’s information assets and personal data to their personal email accounts, social media accounts, online repositories (e.g. GitHub, Google Drive, OneDrive, etc.) or external storage devices.

Vulnerability Management

The third party vendor should establish a clear and consistent vulnerability management policy with appropriate remediation timeline. This timeline should ensure timely remediation of vulnerabilities, tailored to the risk profile and criticality of the vendor's services to GXS Bank.

The third party vendor should have a formal process to identify and remediate security weaknesses in its systems and applications. This process should include regular security testing (such as vulnerability scans, penetration testing and secure code reviews), a plan to remediate the weaknesses identified, and verification that the remediation was effective.

The third party vendor security testing should include all systems and applications that handle the bank’s data, including, but not limited to, web services, web applications, and network equipment.

The third party vendor penetration testing methodology should be based on the widely accepted and accredited CREST Penetration Testing methodology.

The third party vendor security testing should be conducted before release to production of new features or major changes to existing features.

If any vulnerabilities are found, they must be prioritised and fixed within the remediation timelines according to the third party vendor’s vulnerability management policy.

The third party vendor should continuously monitor its systems for vulnerabilities and remediate them as needed.

The third party vendor that is identified to be providing critical services as informed by GXS Bank will be required to comply with GXS Bank’s Vulnerability Management policy requirements.

Overseas Transfers

For any overseas transfer of GXS Bank’s personal data to, or remote access of GXS Bank’s personal data from, an overseas location, the third party vendor shall ensure that the overseas recipient of the personal data is bound by contractual obligation to provide a standard of protection to the personal data transferred or remotely accessed that is comparable to the protection under its agreement with GXS Bank and/or the Singapore Personal Data Protection Act.

Information Security and Data Incident Management

The third party vendor shall have in place a consistent process for identifying, reporting, investigating and resolving an information security or data incident. Such incidents include any data integration errors detected, and any erroneous data made accessible to the third party vendor. The third party vendor shall have in place escalation procedures to ensure GXS Bank is promptly notified of the incident in accordance with the timeframes specified in the master services agreement (MSA) and in compliance with the requirements under applicable laws and regulations.

The third party vendor shall have in place an appropriate information security and data incident management process to promptly rectify, contain and mitigate possible risks arising from any actual or potential unauthorised access, collection, use, disclosure, copying, modification, loss or similar risks of GXS Bank’s information assets and personal data.

The third party vendor shall cooperate with GXS Bank in carrying out investigations, root cause analysis, and taking any necessary remedial actions to rectify, contain and mitigate the risks arising from any information security or data breach, including assisting GXS Bank in carrying out data breach notifications to affected individuals where required by GXS Bank.

Data Retention and Availability

The third party vendor shall have an appropriate retention period for GXS Bank’s information assets and personal data obtained in the course of its engagement with GXS Bank, to meet the purposes of the engagement with GXS Bank, and any business, legal or regulatory requirements that apply.

The third party vendor shall have in place a process for ceasing to retain GXS Bank’s information assets and personal data obtained in the course of its engagement with GXS Bank upon reaching the retention period, and shall provide written confirmation to GXS Bank that it has ceased to retain the data, where required by GXS Bank.

The third party vendor shall take steps to promptly identify, retrieve, preserve and make available to GXS Bank any of GXS Bank’s information assets and personal data processed or held by the third party vendor as requested by GXS Bank.

Secure Data Disposal

The third party vendor shall have in place processes (manually or through automated means) to cease its retention of GXS Bank’s information assets and personal data through the secure disposal of hardcopies and deletion of softcopies upon reaching the agreed retention period.

GXS Bank’s information assets and personal data in digital form shall be securely disposed of by means of electronic data erasure in accordance with industry standards such as NIST SP 800-88 (Guidelines for Media Sanitization) or DoD 5220.22-M. Should the information or personal data be stored on removable storage, it should be securely disposed of by means of degaussing; note that degaussing is effective only for magnetic media, so flash-based removable storage (USB drives, SSDs) should instead be sanitised by cryptographic erase or physical destruction as described in NIST SP 800-88. GXS Bank’s information assets and personal data residing in cloud-based repositories shall be securely removed, including any snapshots, backups and versioned copies the cloud service retains. Printed hardcopy documents containing GXS Bank’s information assets and personal data shall be shredded in line with NIST’s Guidelines for Media Sanitization and PDPC’s Guide to Disposal of Personal Data on Physical Medium.

The third party vendor may cease its retention of GXS Bank’s personal data through anonymisation. The methods of anonymisation used shall be in accordance with PDPC’s Guidelines and Guide to Anonymisation and agreed upon by GXS Bank.

Data Accuracy

The third party vendor should take steps to ensure GXS Bank’s personal data in its possession or control remains reasonably accurate and complete for the purposes of its processing.

This should include implementing processes and controls, such as additional verification or maker-checker processes where appropriate, to prevent the processing or disclosure of incorrect personal data (e.g. extracting, using or sending the wrong individual’s personal data to parties not authorised to receive the data).

Where requested by GXS Bank, the third party vendor shall take steps to correct GXS Bank’s personal data processed or held by the third party vendor as instructed by GXS Bank, and to provide the corrected personal data to other third parties (e.g. sub-contractors) to which the personal data was disclosed within a year before the requested correction, unless the other third parties do not require the corrected personal data for any business or legal purpose.

Accountability

The third party vendor should have a governance structure and processes in place to ensure oversight and accountability for the collection, access, processing, use and disclosure of GXS Bank’s information assets and personal data by its personnel and other third parties (e.g. sub-contractors).

This should include processes to:

a) seek GXS Bank’s approval for any new processing or disclosure of GXS Bank’s information assets and personal data by the third party vendor or its sub-contractors for purposes other than the permitted purposes;

b) inform GXS Bank of any transfer of GXS Bank’s personal data by the third party vendor or its sub-contractors to overseas locations other than the agreed locations; and

c) ensure its sub-contractors that process GXS Bank’s information assets and personal data implement reasonable technical, administrative and physical security measures to prevent any unauthorised access, collection, use, disclosure, copying, modification or loss of GXS Bank’s information assets and personal data.

Where required by GXS Bank, the third party vendor shall permit GXS Bank to carry out audits and/or onsite inspections of the third party vendor’s processing activities involving GXS Bank’s information assets and personal data.

Training

The third party vendor shall ensure its personnel who will access or process GXS Bank’s information assets and personal data have received training on information security and personal data protection policies, controls and procedures. This may include GXS Bank’s training for third parties where required by GXS Bank.