TOUCAN DATA HANDLING GUIDELINES (“Guidelines”)
These Guidelines set out the information security and data privacy standards for any company (“Company”) that enters into an agreement with Toucanapp Pte Ltd, its subsidiaries and/or its related companies (“Toucan”) or otherwise has access to Toucan’s Information Assets. “Information Asset” means non-public data (including, without limitation, personal data) on any media format which is acquired from, owned by, stored on behalf of, or otherwise the responsibility and/or property of, Toucan. If there is a direct conflict between any term of these Guidelines and the terms of a written contract between Company and Toucan, the terms of the written contract shall prevail to the extent of the conflict.
SECTION 1: ACCESS TO TOUCAN NETWORKS / FACILITIES
If Company has access to Toucan networks (including, without limitation, if Toucan is providing a data feed or other information to Company via the Internet or vice versa) or facilities, Company should, using its best endeavours, comply with the following:
1.1 INFORMATION SECURITY RISK MANAGEMENT
Company should have an established process that periodically assesses risk within the organisation that has access to Toucan Information Assets.
1.2 PERSONNEL & HUMAN RESOURCES SECURITY
1.2.1 BACKGROUND & SCREENING CHECKS
To the extent allowed by local law and prior to employment, Company should conduct employee and contingent staff background screening. Company should not expose Toucan to a level of risk which is commercially unreasonable or which is higher than that to which the Company would be comfortable exposing itself. Individuals whose background checks reveal convictions for violations including computer crimes, fraud, theft, identity theft, or excessive financial defaults MUST not be permitted access to Toucan Information Assets.
1.2.2 SECURITY AWARENESS & EDUCATION
Company should provide information security awareness training to anyone who has access to Toucan Information Assets. Company should be responsible for verifying successful training of all employees and contingent staff. The security awareness training must continually educate employees and contingent staff on all applicable policies, procedures, and standards and their responsibilities to secure Toucan Information Assets. Company employees should acknowledge, in writing or electronically, that they have completed the required training, and have read, understand, and agree to abide by all applicable security policies and procedures annually.
1.3 PHYSICAL AND ENVIRONMENTAL SECURITY
1.3.1 EQUIPMENT AND MEDIA SECURITY
Company must store Toucan Information Assets in locations that are protected from: natural disasters, theft, physical intrusion, unlawful and unauthorised physical access, problems with ventilation, heating or cooling, and power failures or outages. Company must implement controls to prevent or detect theft, physical intrusion, unlawful and unauthorised access (physical or otherwise), and the removal of any equipment involved in accessing Toucan Information Assets.
1.3.2 GENERAL SECURITY CONTROLS
Company must have processes in place to inspect all Company-supplied computing or data storage equipment used in providing services to Toucan to ensure that data is securely overwritten prior to disposal, sending out for repairs and/or redeployment for other usage(s). Company must physically destroy storage media or overwrite information using industry standard techniques to make the original information unrecoverable (i.e. “wiped”). It is not sufficient to use standard delete or format functions, which do not prevent the recovery of information.
1.4 COMMUNICATIONS AND OPERATIONS MANAGEMENT
1.4.1 OPERATIONAL SYSTEM SECURITY
Company should document all change management procedures. Company must ensure thorough testing of changes to IT systems to prevent negative security implications.
1.4.2 MALWARE PROTECTION
Company must deploy malware protection on all IT systems that access Toucan Information Assets. Company should ensure malware protection technology has the latest and up-to-date manufacturer’s signatures, definition files, software, and patches. Company should retain logs according to its retention policy, scan e-mail and attachments before delivery, and have infected systems removed from the network until verified as virus-free.
1.4.3 NETWORK, OPERATING SYSTEM, AND APPLICATION CONTROL
All networks connecting to Toucan networks and/or accessing Toucan Information Assets should employ safeguard controls capable of monitoring and blocking unauthorised network traffic. Company should enable logging of network activity for audit, incident response, and forensic purposes. Where such controls are not available, networks used to access Toucan Information Assets should be physically separate from Company’s other networks.
1.5 INFORMATION SECURITY INCIDENT MANAGEMENT
Company must establish and maintain procedures that ensure appropriate response to security incidents, and securely maintain incident data such as security logs for forensic analysis. Incident response plans should include methods to protect evidence of activity from modification or tampering, and allow for the establishment of a proper chain of custody for evidence. Company must immediately notify Toucan ([email protected]) of any known or suspected compromise of information security, misconduct involving system abuse, and/or violations of information security policy.
1.6 ACCESS CONTROL
Company should ensure controls restrict unauthorised user access to Toucan Information Assets. Company should use authentication and authorisation services to access Toucan Information Assets. Toucan authorises access to Toucan Information Assets on a need-to-know basis. Company should authorise all decisions for access to Toucan Information Assets. Company should ensure procedures exist for prompt modification or termination of access rights in response to organisational changes. For Toucan-managed systems, Company should immediately (or as soon as reasonably practicable) notify Toucan in writing if a Company employee or Company subcontractor with access to Toucan Information Assets is terminated, no longer requires access to the Toucan account, or requires changes to their user account. Toucan reserves the right to monitor all systems used to access Toucan Information Assets, and Toucan shall own the rights to all such data. Company should configure all affected systems to provide real-time logging of any event that may indicate a system compromise, denial-of-service event, or other security violation. This real-time system logging should also be capable of immediately notifying an administrator when pre-determined event thresholds are exceeded. Access to logs should be restricted to the security administrator or other authorised administrators to prevent unauthorised access or modification.
Company policies and practices must comply with all applicable laws and regulations and contractual obligations to Toucan.
SECTION 2: ACCESS TO TOUCAN SENSITIVE BUSINESS INFORMATION
If a Company has access to Toucan’s sensitive business information (e.g. project or other business plans and Toucan proprietary code), the provisions in this Section will apply in addition to the provisions in Section 1 above.
2.1 INFORMATION SECURITY POLICY
Company should have a documented information security policy, approved by appropriate management or a governance committee, which defines responsibilities for protecting information assets and their acceptable use. Acceptable use policies should include rules that prohibit use of third-party assets for activities defined as unacceptable, including, but not limited to, unlawful, unethical, and unprofessional activities. Company should ensure its employees and contingent staff comply with its acceptable use policies at all times. Company must obtain written permission from Toucan prior to allowing third parties access to Toucan Information Assets.
2.3 PHYSICAL AND ENVIRONMENTAL SECURITY
Company should implement controls that restrict unauthorised physical access to areas containing equipment used to access Toucan Information Assets. Company should monitor all areas containing equipment used to access Toucan Information Assets for attempts at unauthorised access. Company must ensure proper disposal of all sensitive information using appropriately secured containers for shredding or other approved means.
2.4 SYSTEMS DEVELOPMENT AND MAINTENANCE
2.5.1 APPLICATION SECURITY
Without Toucan’s prior written consent, Company must not allow Toucan production data in any development, test, quality assurance (QA), or other non-production environment. Company must ensure protection of personal data and sensitive business information that is stored in caches or cookies.
2.5.3 SYSTEM SECURITY
Company should establish and maintain configuration standards, which address currently known security vulnerabilities and industry best practices, for all network devices and hosts. These standards should address configuration with all applicable security parameters to prevent misuse.
2.6 BUSINESS CONTINUITY MANAGEMENT
Company should maintain a comprehensive and current (a) business continuity plan (“BCP”) that documents and implements processes and procedures to ensure essential business functions continue to operate during and after a disaster, and (b) disaster recovery plan that documents technical plans for the specific restoration of Toucan Information Assets. If Company is allowed to store or process Toucan Information Assets within its environment, it should ensure the availability of data through backups. All such backups should be encrypted and stored in a secure off-site location.
SECTION 3: ACCESS TO EMPLOYEE OR CUSTOMER PERSONAL DATA
If a Company has access to Toucan employee or customer data, the following provisions will apply in addition to the provisions in Sections 1 and 2 above.
3.1 COMPANY OBLIGATIONS REGARDING PERSONAL DATA
3.1.1 Personal Data shall at all times remain the sole property of Toucan, and nothing in this Agreement will be interpreted or construed as granting Company any license or other right under any patent, copyright, trademark, trade secret, or other proprietary right to Personal Data.
3.1.2 Company shall Process Personal Data only on the instruction of Toucan and in accordance with this Agreement and applicable privacy and security laws. Toucan hereby instructs Company, and Company hereby agrees, to Process Personal Data as necessary to perform Company’s obligations to Toucan under its Agreement(s) with Toucan and for no other purpose.
3.1.3 Company shall not create or maintain data which are derivative of Personal Data except for the purpose of performing its obligations to Toucan under the Agreement(s) between both parties and as authorised by Toucan.
3.1.4 If Company collects or stores Toucan customer or employee Personal Data, authentication credentials, or cardholder data elements in temporary or cached sessions or files, it must safeguard that information using cryptographic controls and key management practices.
3.1.5 At any and all times during which Company is Processing Personal Data, Company should:
a) Comply with all applicable privacy and security laws to which it is subject, and not, by act or omission, place Toucan in violation of any applicable privacy or security law;
b) Safely secure or encrypt all Highly Sensitive Data and Sensitive Data during storage or transmission;
c) Not use or maintain any Personal Data on a laptop or other portable device;
d) Notify Toucan no later than one (1) day from the date of obtaining actual knowledge of any Data Security Breach and, at Company’s cost and expense, assist and cooperate with Toucan concerning any disclosures to affected parties and other remedial measures as requested by Toucan or required under applicable law;
e) Not disclose Personal Data to any third party (including, without limitation, Company’s subsidiaries and affiliates and any person or entity acting on behalf of Company) unless with respect to each such disclosure: (A) the disclosure is necessary in order to carry out Company’s obligations under this Agreement; (B) such third party is bound by the same provisions and obligations as set forth in any Agreement(s) with Toucan; (C) Company has received Toucan’s prior written consent; and (D) Company shall remain responsible for any breach of the obligations set forth in any Agreement(s) with Toucan to the same extent as if Company caused such breach; and
f) Establish policies and procedures to provide all reasonable and prompt assistance to Toucan in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any Personal Data Processed by Company.
3.1.6 Company should provide security awareness and training to promote continual security education related to users’ security responsibilities for protecting Personal Data.
3.1.7 Company shall return, delete, or destroy (at Toucan’s election), or cause or arrange for the return, deletion, or destruction of, all Personal Data subject to any Agreement(s) with Toucan, including all originals and copies of such Personal Data in any medium and any materials derived from or incorporating such Personal Data, upon the expiration or earlier termination of such Agreement(s) with Toucan, or when there is no longer any legitimate business need (as determined by Toucan) to retain such Personal Data, or otherwise on the instruction of Toucan, but in no event later than ten (10) days from the date of such expiration, earlier termination, expiration of the legitimate business need, or instruction. If applicable law prevents or precludes the return or destruction of any Personal Data, Company shall notify Toucan of the reason for not returning or destroying such Personal Data and shall not Process such Personal Data thereafter without Toucan’s express prior written consent. Company’s obligations under any Agreement(s) with Toucan to protect the security of Personal Data shall survive termination of this Agreement.
SECTION 4: ACCESS TO CARDHOLDER DATA
If a Company has access to individual credit and debit card account numbers (“Cardholder Data”) or customer data (processed either in a Company environment or a Toucan-controlled environment), the following provisions will apply in addition to the provisions in Sections 1, 2 and 3 above. Defined terms used in this Section are defined in Section 5 (Definitions) below.
4.1 Company represents that, to its best knowledge, it is presently in compliance, and will remain in compliance with the current PCI DSS, developed and published jointly by the Payment Card Brands for protecting individual credit and debit card account numbers.
4.2 Unless provided otherwise in a written contract between Company and Toucan, Company acknowledges that Cardholder Data is owned exclusively by Toucan, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Toucan, and further acknowledges that such Cardholder Data may be used solely to assist the foregoing parties in completing a transaction, supporting a loyalty program, providing fraud control services, or for other uses specifically required by law, the operating regulations of the Payment Card Brands, or this Agreement.
4.3 In the event of a Data Security Breach, Company shall afford full cooperation and access to Company’s premises, books, logs and records by a designee of the Payment Card Brands to the extent necessary to perform a thorough security review and to validate Company’s compliance.
4.4 If Company provides to Toucan software that processes any payments via a Payment Application, Company represents that software provided to Toucan has been assessed and complies with the Payment Application Data Security Standard (“PA-DSS”) developed and published jointly by the Payment Card Brands, and agrees to provide Toucan with all documentation, including the PA-DSS Implementation Guide, necessary for Toucan to deploy the software in a manner consistent with PCI DSS.
SECTION 5: DEFINITIONS
For purposes of this Schedule B, the following definitions shall apply.
“PA-DSS” means Payment Application Data Security Standard 2.0, its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorisation or settlement.
“Payment Card Brands” means American Express, Discover, MasterCard and Visa.
“PCI DSS” means the Payment Card Industry (PCI) Data Security Standard (DSS) version 2.0, its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Personal Data” means any information that can be used to identify, locate, or contact an individual, including an employee, customer, or potential customer of Toucan, including, without limitation: (A) first and last name; (B) home or other physical address; (C) telephone number; (D) email address or online identifier associated with an individual; (E) “Highly Sensitive Data” as defined below; (F) employment, financial or health information; (G) any other personally identifiable information to the extent that the same is considered to be ‘personal data’ under any national privacy legislation or regulation, including for example an IP address associated with a device; or (H) any other information relating to an individual, including cookie information and usage and traffic data or profiles, that is combined with any of the foregoing.
“Sensitive Data” is a subset of Personal Data and has the meaning assigned under European Union Directive 96/46/EC and includes medical information, criminal history, race, ethnicity, national origin, information about sexual orientation or activity, political opinions and religious beliefs.
“Highly Sensitive Data” is that subset of Personal Data whose unauthorised disclosure or use could reasonably entail enhanced potential risk for the data subject. Highly Sensitive Data includes Social Security number, passport number, driver’s license number, or similar identifier, or credit or debit card number, and/or financial or medical account authentication data, such as passwords or PINs.
“Processing” or “Process” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organisation, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deletion, erasure, or destruction.
“Data Security Breach” means: (A) the loss or misuse (by any means) of Personal Data, including, without limitation any unauthorised access or disclosure to unauthorised individuals; (B) the inadvertent, unauthorised and/or unlawful Processing, corruption, modification, transfer, sale or rental of Personal Data; or (C) any other act or omission that compromises the security, confidentiality, or integrity of Personal Data. Data Security Breach includes, without limitation, a breach resulting from or arising out of Company’s internal use, Processing or other transmission of Personal Data, whether between or among Company’s subsidiaries and affiliates or any other person or entity acting on behalf of Company.
“Technical and Organisational Security Measures” means security measures, consistent with the type of Personal Data being Processed and the services being provided by Company, to protect Personal Data, which measures shall implement best industry protections and include physical, electronic and procedural safeguards to protect the Personal Data supplied to Company against any Data Security Breach, and any security requirements, obligations, specifications or event reporting procedures set forth in any Schedule to this Agreement.