THIRD PARTY SECURITY REQUIREMENTS TERMS AND CONDITIONS (1)

The EXTERNAL PARTY shall implement the information security requirements prescribed under this Annexure as provided by the COMPANY to the extent applicable to the business or operations of EXTERNAL PARTY. (Note: External Party refers to the entity providing products or supplying services or doing trade/business with the COMPANY).

These Third Party Security Requirements Terms and Conditions apply to Tier 1 External Parties.

  • An External Party is designated Tier 1 if any of the following parameters are present in the engagement:
    • Data Sensitivity: Involves Restricted Data, Know-Your-Customer (KYC), Know-Your-Merchant (KYM), credit card data, or source code.
    • Network Connectivity: Requires significant access, such as VPN, Site-to-Site, or Client-to-Host connections.
    • System Integration: The External Party will provide a Software Development Kit (SDK), Android Package Kit (APK), Webhooks, or iOS App Store Package (IPA), or the External Party uses image-based integration.
    • Operational Dependency: The External Party is tagged as Premium in the Partner Reliability Program.
    • Access Control: Requires Privileged Access or Administrative Access.
  1. INFORMATION SECURITY MANAGEMENT FRAMEWORK: The EXTERNAL PARTY shall implement and maintain an information security management system or process covering the EXTERNAL PARTY’s organization that conforms with industry recognized standards (e.g., ISO 27001, ISO 27002, PCI-DSS, NIST), the applicable requirements set forth in this agreement, and any other applicable requirements or specifications required by laws applicable to the EXTERNAL PARTY and the COMPANY.
  2. INFORMATION SECURITY PROGRAM: The EXTERNAL PARTY shall establish and maintain a documented information security program that covers the data or information shared by the COMPANY. The EXTERNAL PARTY’s information security program shall be designed in such a way that it considers the protection of the confidentiality, integrity, and availability of the COMPANY’s shared data, confidential information, platforms, systems, and services against any undesirable events (e.g., malware, insider threats, physical security hazards, destruction, loss, unauthorized access).
    1. Review of Information Security Management Documents: The EXTERNAL PARTY should establish its information security management documents (policies, standards, and guidelines) and review them at least annually and whenever the need arises.
    2. Information Security Measures: The EXTERNAL PARTY shall implement appropriate and adequate technical, physical, and organizational security measures or controls to protect the COMPANY’s shared data or information against undesirable events (e.g., unauthorized use, access or disclosure; intentional or unintentional destruction; modification; accidental loss; unlawful and unauthorized processing; selling of data; violation of regulatory requirements) and shall comply with applicable laws. The EXTERNAL PARTY’s security measures or controls must conform with industry accepted standards (e.g., CIS Controls, ISO 27001, ISO 27002, PCI-DSS) and must be sufficient to meet the requirements of laws or regulations applicable to both parties (e.g., BSP Circulars on Information Security, the Data Privacy Act and its IRR).
    3. Information Security Organization: The EXTERNAL PARTY shall have clearly defined information security roles and responsibilities for all personnel in the EXTERNAL PARTY’s organization. The EXTERNAL PARTY’s organization must have an Information Security Officer appointed by Senior Management. The Information Security Officer must have adequate knowledge, skills, and experience, as well as a position and a team in the EXTERNAL PARTY’s organization, to enable effective implementation of enterprise-wide information security management in the EXTERNAL PARTY’s organization.
    4. Personnel Security. The EXTERNAL PARTY shall perform a full background check to verify the identity of the EXTERNAL PARTY personnel prior to hiring. Part of the checking is to ensure that no conflict of interest will exist in the position that will be assumed by the personnel providing the services to the COMPANY. In the event of a conflict, the EXTERNAL PARTY shall immediately notify the COMPANY in writing for proper disposition or handling of the matter. The EXTERNAL PARTY shall perform information security related awareness and training for its employees at least annually.
    5. Information Security Risk Assessment: The EXTERNAL PARTY shall establish, implement, and monitor an information security risk assessment process within its organization. The risk assessment should be performed at least annually to identify critical assets (especially those used to deliver the products and services to the COMPANY) and the risks, threats, and vulnerabilities affecting them. A formal report on the results of the information security risk analysis must be documented.
    6. PCI DSS Compliance: If the EXTERNAL PARTY is found to have access to cardholder-related data or is determined to be in-scope for PCI-DSS, the EXTERNAL PARTY shall be required to obtain certification to the latest PCI-DSS requirements through a qualified PCI assessor within twelve (12) months from contract signing and submit an Attestation of Compliance issued by a PCI Qualified Security Assessor.
    7. Secure Handling of Information. The EXTERNAL PARTY must have Information Classification, Protection, Retention and Disposal policies, standards, and procedures established and implemented within its organization.
    8. Data Protection and Encryption: The EXTERNAL PARTY shall only access, process, or transmit COMPANY data in accordance with its engagement with the COMPANY. The EXTERNAL PARTY shall implement the data protection measures necessary to protect the confidentiality, integrity, and authenticity of data or information that it processes, stores, or transmits for the COMPANY. Specifically, data or information considered confidential, such as but not limited to sensitive personal information, must be protected using industry recognized and accepted strong encryption solutions both at rest and in transit (e.g., AES-256 at rest and TLS 1.2 or higher in transit).
    9. Physical and Environmental Security: The EXTERNAL PARTY’s physical security policies and practices shall be established, implemented, and monitored within the EXTERNAL PARTY’s organization. Physical security controls shall include, but are not limited to, guards, locks and keys, authorized badges or cards and readers, a CCTV security system, and environmental controls (e.g., fire safety, temperature, humidity, battery backup) in the areas or facilities from which the products and services are delivered to the COMPANY.
  3. ACCESS CONTROL 
    1. Identity and Access Management: The EXTERNAL PARTY shall maintain a documented and appropriate access control policy and access management procedures which, at a minimum, require proper authentication, logging and monitoring, and periodic review of all access granted, using mechanisms such as but not limited to OAuth 2.0, Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC). Access to systems and other components that may store, process, or transmit COMPANY related data or information must be restricted to authorized personnel with a legitimate business need for that access. Access must be granted only on a "need-to-know" basis and under the "Least Privilege" principle, so that no excessive access rights are given to any authorized personnel. The EXTERNAL PARTY shall maintain an audit trail documenting whether and by whom COMPANY Data has been accessed, entered, modified, transferred, or removed from Processing, and shall provide it to the COMPANY upon request. A logical access review must be performed on a quarterly basis to confirm that access to the system is appropriate to the user’s role and is given only to authorized and active personnel. Where COMPANY employees are granted access to the EXTERNAL PARTY’s portal or systems, the EXTERNAL PARTY shall, upon the COMPANY’s request, promptly remove such access within one (1) business day. The EXTERNAL PARTY shall implement commercially reasonable physical and electronic security controls to create and protect passwords.
    2. Remote Access Control: The EXTERNAL PARTY’s remote access to IT/Network systems is permitted only for authorized personnel and authorized remote devices. In addition, the EXTERNAL PARTY’s remote access to internal resources should require more than one form of strong authentication (i.e., multi-factor authentication).
    3. Use of Devices and Security Requirements: If the External Party or its personnel use their own devices to access, process, store, or transmit Company Data, such devices shall comply with all security requirements prescribed by the Company and shall not be used unless the Company confirms compliance. The External Party shall implement all configurations and security measures required by the Company before any access is granted. If the External Party or its personnel are granted administrative, privileged, or elevated access to Company systems, applications, or infrastructure, they shall use only Company-issued devices.
  4. TECHNICAL OPERATIONS AND COMMUNICATIONS SECURITY 
    1. Endpoint and Server Security Controls: The EXTERNAL PARTY shall implement appropriate security measures (e.g., USB port disabling, a Data Loss Prevention (DLP) tool) to prevent unauthorized access to, and copying of, data on any endpoint device that may contain information shared by the COMPANY with the EXTERNAL PARTY. The EXTERNAL PARTY shall also configure and maintain its endpoints and servers that process or store information shared by the COMPANY in accordance with industry standards on system hardening or secure configuration (e.g., NIST, CIS). The EXTERNAL PARTY shall establish a secure access path (e.g., VPN, bastion host) for remote access to its endpoints and servers. In addition, the EXTERNAL PARTY should implement endpoint and server security and protection controls such as but not limited to the following: File Integrity Monitoring (FIM) software; a Security Information and Event Management (SIEM) solution; anti-malware software; an Endpoint Detection and Response (EDR) solution; a host-level firewall; disk encryption; Multi-Factor Authentication for all remote access to critical systems; a vulnerability scanning tool or detection solution; a patch management solution to ensure installation of current patches; and the use of hardened images representing hardened versions of the underlying operating systems and the other applications installed on the platform or device.
    2. Network Security Controls: The EXTERNAL PARTY must establish, implement, document and disseminate to all concerned parties network security related policies and secure configuration standards including implementation of network based security controls to ensure the protection of data or information in the EXTERNAL PARTY’s network and its supporting data processing facilities. In addition, EXTERNAL PARTY shall implement the following, but not limited to:
      1. EXTERNAL PARTY shall ensure that controls and procedures for all network services and components are implemented based on industry accepted standards, whether such services are provided in-house or outsourced.
      2. The EXTERNAL PARTY shall disclose to the COMPANY their ownership and/or control of all public-facing IP addresses identified as involved or utilized by the EXTERNAL PARTY to deliver the products and/or services to the COMPANY when requested.
      3. The EXTERNAL PARTY shall implement firewalls at each Internet connection, between any DMZ and the internal network, and between internal network zones.
      4. The EXTERNAL PARTY shall define and assign descriptions of groups, roles, and responsibilities in the management and administration of network devices and components.
      5. The EXTERNAL PARTY shall deploy and configure intrusion-detection and/or prevention (IDS/IPS) techniques and file-integrity monitoring (FIM) systems in environments or zones used to deliver the products and services to the COMPANY to monitor, detect, and respond to anomalous traffic and unauthorized modifications to critical system files.
      6. The EXTERNAL PARTY shall deploy time-synchronization technology, such as that of an NTP server to synchronize all systems' clocks and times. The time-synchronization technology should be configured to receive time settings from industry-accepted time sources or servers.
      7. The EXTERNAL PARTY shall implement automated audit trails sufficient to reconstruct all individual user access to data.
      8. The EXTERNAL PARTY’s networks shall be adequately managed and controlled to be protected from threats and maintain security for the systems and applications using the network, including information in transit.
    3. Security Administration and Monitoring: The EXTERNAL PARTY shall monitor security-related events covering its IT/Network systems and infrastructure on a 24/7 basis to proactively detect and respond to suspicious events, through manual or automated review and correlation of system logs and of alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewall, and file-integrity monitoring systems.
    4. Threat and Risk Management: The EXTERNAL PARTY must deploy, maintain and keep up to date a cyber threat management system to detect, contain, and prevent occurrence of common and advanced persistent threats through use of relevant technologies and documented procedures to aid threat monitoring, detection, and response.
  5. SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE
    1. Secure System Development and Maintenance: The EXTERNAL PARTY shall establish and maintain a process ensuring that information security is an integral part of any project or initiative, including changes to the EXTERNAL PARTY’s organization. The process must include activities that provide assurance on the adequacy of the security controls needed to address the security risks that a particular project, initiative, or change initiated by the EXTERNAL PARTY may introduce. This may include a formal process for project-based security risk assessment, definition of the appropriate information security requirements, implementation of the defined security requirements, security testing to validate that the requirements were properly implemented, deployment of the latest security patches and fixes, vulnerability scanning and secure configuration checking, and remediation of security issues before cutover to production. Furthermore, the EXTERNAL PARTY shall perform its secure software/application development process, including security testing, based on an industry recognized methodology, framework, or lifecycle (e.g., OWASP, NIST).
    2. System and Application Security Controls: The EXTERNAL PARTY must establish, implement, and maintain a secure systems development process, including, but not limited to, secure software development lifecycle standards and secure coding practices. In addition, the EXTERNAL PARTY shall implement the following, but not limited to: The EXTERNAL PARTY shall write custom code in accordance with secure coding guidelines and practices, shall review custom code and correct code-level security flaws, and shall obtain management approval prior to release to production. The EXTERNAL PARTY shall train its developers at least annually in up-to-date secure coding techniques. The EXTERNAL PARTY shall change all vendor-supplied and unnecessary defaults on all systems and applications prior to deployment or go-live. The EXTERNAL PARTY’s secure system development framework, policies, procedures, and standards shall be consistent with industry-accepted standards (e.g., CIS, ISO, SANS, NIST, OWASP). This shall apply to web application, mobile application, embedded software, and firmware development as appropriate. The EXTERNAL PARTY must identify security requirements before implementing any initiative that creates or enhances information assets, including information systems such as operating systems, infrastructure, business applications, off-the-shelf products, services, and self-developed applications.
    3. Malicious Code Prevention: The EXTERNAL PARTY shall implement its secure coding guidelines and practices to address common coding vulnerabilities such as, but not limited to, injection flaws, buffer overflows, cryptographic flaws, insecure communications, forced browsing, cross-site request forgery, and broken authentication configurations, to protect the integrity of the software and information used to provide products and/or services to the COMPANY.
    4. API Security: The EXTERNAL PARTY shall ensure that all Application Programming Interfaces (APIs) and associated services provided to or used by the COMPANY are developed, maintained, and operated in compliance with industry best practices. At a minimum, the EXTERNAL PARTY shall ensure the following:
      1. Authentication and Authorization: Implementing strong authentication and authorization controls, such as OAuth 2.0 or mutual TLS, to ensure all API calls are from authorized sources.
      2. Encryption: Ensuring all data transmitted via the API is encrypted using TLS 1.2 or higher, and all sensitive data at rest is encrypted.
      3. Input Validation: Implementing strict input validation, sanitization, and filtering of all data received to prevent injection and other malicious attacks.
      4. Logging: Maintaining a comprehensive audit trail of all API calls, including failed attempts and security-related events. Such logs must be retained for a minimum of one (1) year.
      5. Security Testing: Performing regular security assessments, including penetration testing and vulnerability scanning, on all APIs and underlying infrastructure, and promptly remediating all identified vulnerabilities.
      6. Data Minimization: Ensuring that API responses do not contain excessive or sensitive data beyond what is strictly necessary for the intended purpose.
      7. The EXTERNAL PARTY shall promptly report any suspected or actual API security incident to the COMPANY within a timeframe consistent with the incident reporting requirements of this Annex.
    5. Change Control: The EXTERNAL PARTY shall have formal procedures to evaluate, test, and approve changes to its network infrastructure and to the IT/Network/Application/System environments or zones used in the engagement or used to deliver the products and services to the COMPANY, so as to ensure that proposed changes do not introduce information security risks without appropriate security controls.
    6. Software Bill of Materials (SBOM) and Vulnerability Scanning: For all software, tools, and applications used in the delivery of services to the COMPANY, the EXTERNAL PARTY shall:
      1. Maintain a current and accurate Software Bill of Materials (SBOM) detailing all open-source and third-party components.
      2. Implement a process to continuously scan and analyze all software dependencies for known vulnerabilities, providing documented evidence of timely remediation.
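One way to implement the SBOM-driven dependency check described in clause 5.6, as an added example that is not part of the Annexure: parse the component list of a CycloneDX JSON document and compare each declared version against an advisory feed, flagging components whose version is below the fixed version and components with no version at all (an SBOM that omits versions is not "accurate" in the clause's sense). The SBOM, the advisory records and their EXAMPLE-ADV identifiers are all constructed placeholders; a real feed (OSV, NVD, a vendor database) carries explicit affected ranges and ecosystem qualifiers, which this simple "below fixed version" comparison does not model.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// The subset of a CycloneDX JSON document this check reads.
type SBOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Advisory is a hypothetical feed record: every version of Name below FixedIn
// is affected. Real feeds express ranges and ecosystems explicitly.
type Advisory struct {
	ID, Name, FixedIn string
}

// Constructed sample inventory; the component names are placeholders.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "example-http",   "version": "1.4.2"},
    {"name": "example-json",   "version": "3.0.1"},
    {"name": "example-crypto", "version": "0.9.10"},
    {"name": "example-log",    "version": "2.1"}
  ]
}`

// Constructed advisory feed; the IDs are placeholders, not real CVEs.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-ADV-0001", Name: "example-http", FixedIn: "1.5.0"},
	{ID: "EXAMPLE-ADV-0002", Name: "example-json", FixedIn: "3.0.1"},
	{ID: "EXAMPLE-ADV-0003", Name: "example-crypto", FixedIn: "0.9.9"},
}

// compareVersions orders dotted numeric versions component-wise (so "0.9.10"
// sorts after "0.9.9", unlike a string compare) and pads the shorter one with
// zeros so "2.1" equals "2.1.0". Non-numeric parts such as pre-release tags
// are rejected rather than guessed at.
func compareVersions(a, b string) (int, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for len(pa) < len(pb) {
		pa = append(pa, "0")
	}
	for len(pb) < len(pa) {
		pb = append(pb, "0")
	}
	for i := range pa {
		x, errA := strconv.Atoi(pa[i])
		y, errB := strconv.Atoi(pb[i])
		if errA != nil || errB != nil {
			return 0, fmt.Errorf("non-numeric version part in %q or %q", a, b)
		}
		if x < y {
			return -1, nil
		}
		if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// FindVulnerable parses a CycloneDX SBOM and returns one finding per
// component/advisory pair whose installed version is below the fix, plus one
// finding per component that declares no version.
func FindVulnerable(sbomJSON []byte, advisories []Advisory) ([]string, error) {
	var sbom SBOM
	if err := json.Unmarshal(sbomJSON, &sbom); err != nil {
		return nil, err
	}
	if sbom.BOMFormat != "CycloneDX" {
		return nil, errors.New("not a CycloneDX document")
	}
	var findings []string
	for _, c := range sbom.Components {
		if c.Version == "" {
			findings = append(findings, fmt.Sprintf("%s: missing version (inaccurate SBOM)", c.Name))
			continue
		}
		for _, adv := range advisories {
			if adv.Name != c.Name {
				continue
			}
			cmp, err := compareVersions(c.Version, adv.FixedIn)
			if err != nil {
				return nil, err
			}
			if cmp < 0 {
				findings = append(findings, fmt.Sprintf("%s@%s %s (fixed in %s)", c.Name, c.Version, adv.ID, adv.FixedIn))
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindVulnerable([]byte(sampleSBOM), sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

On the constructed data only example-http is reported: example-json is exactly at the fixed version, and example-crypto at 0.9.10 is above 0.9.9 (a naive string comparison would wrongly flag it). Running this against every build and keeping the output is the "documented evidence" the clause asks for; the remediation clock then runs from the date of the first finding.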
  6. VULNERABILITY MANAGEMENT: The EXTERNAL PARTY must have an established and implemented process to check its internal and external Systems/IT/Network environment at least on a quarterly basis to identify security vulnerabilities using industry recognized and up to date vulnerability scanning tools. The identified security vulnerabilities must be assessed and remediated within a reasonable period based on criticality. Any detected vulnerabilities shall be remediated without undue delays, as per the Security Issues clause.
    1. Vulnerability Assessment and Penetration Testing (VAPT): The EXTERNAL PARTY must conduct an application-layer and network-layer vulnerability assessment and penetration testing in external and internal environments or zones. The VAPT must cover EXTERNAL PARTY's assets, including external and internal environments, that are used to store, process, or transmit the COMPANY's data or are connected to the COMPANY's systems. Any detected vulnerabilities shall be remediated without undue delays, as per the Security Issues clause.
    2. Periodic Secure Configuration Testing: The EXTERNAL PARTY must perform secure configuration checking at least quarterly to verify that system security settings and configurations comply with industry recognized security hardening or baseline configuration standards (e.g., SANS, NIST, CIS Benchmarks). Upon the COMPANY's request, the EXTERNAL PARTY shall provide a summary of the assessment results or a formal attestation of compliance.
  7. SECURITY INCIDENT MANAGEMENT
    1. Security Incident and Breach: 
      1. Incident Notification: The EXTERNAL PARTY shall notify the COMPANY within two (2) hours of discovering any security incident that may endanger or jeopardize the confidentiality, integrity, or availability of the COMPANY’s data or systems, including but not limited to those assets that store, process, or transmit the COMPANY’s shared data. The EXTERNAL PARTY shall provide a follow-up report within twenty-four (24) hours, detailing the nature, impact, immediate response, and measures taken to contain the incident.
      2. Incident Response Plan: The EXTERNAL PARTY shall establish, maintain, and regularly test a security and privacy-related incident response plan covering all assets that store, process, or transmit the COMPANY’s data. The EXTERNAL PARTY shall conduct periodic incident response exercises to assess their preparedness for handling incidents. The response plan shall include:
        1. Annual review and testing of the incident response plan.
        2. Designated personnel available 24/7 to respond to security alerts and incidents.
        3. Appropriate training for staff responsible for security breach response.
        4. A process to modify and update the plan based on lessons learned and evolving industry standards.
        5. Provisions for responding to alerts from security monitoring systems, including intrusion detection, prevention systems, firewalls, and file integrity monitoring systems.
      3. Containment and Remediation: Upon discovery of a security incident, the EXTERNAL PARTY shall immediately implement containment measures to minimize further damage. The EXTERNAL PARTY must also initiate remedial actions to secure the affected systems, restore services, and prevent recurrence. The EXTERNAL PARTY shall address the root cause and take corrective actions in accordance with industry best practices and the COMPANY’s security policies.
      4. Incident Reporting and Documentation: The EXTERNAL PARTY shall provide the COMPANY with a detailed incident report, including investigation results, actions taken, and measures implemented to prevent recurrence. The COMPANY has the right to request these reports without undue delay.
      5. Right to Monitor and Audit: The COMPANY reserves the right to monitor the EXTERNAL PARTY’s remediation efforts and conduct audits to ensure the security of COMPANY data, particularly in the event of a security incident or breach. In case of inadequate controls, the COMPANY may enforce additional security measures, such as providing COMPANY-owned devices, to safeguard COMPANY data until the EXTERNAL PARTY remediates the identified gaps.
    2. Security Incident Management & Response: The EXTERNAL PARTY should establish and implement a Security Incident Management and Response plan, such that it covers the following at a minimum, (i) identification of roles, responsibilities, and communication and contact strategies in the event of a security incident, (ii) incident specific response procedures based on top cyber threats applicable to the EXTERNAL PARTY, (iii) recovery and continuity procedures, (iv) Reporting and notification of stakeholders.
    3. Security Incident Contact and Availability: The External Party shall designate and maintain a Technical Security Incident Contact (TSIC) who possesses the requisite technical authority and expertise for immediate response, analysis, mitigation, and resolution of any Security Incident. Within ten (10) business days of the Effective Date, the External Party shall provide the Company with the TSIC’s name, title, 24/7 telephone number, and email address, and shall notify the Company of any change in the TSIC. The External Party shall ensure that the TSIC, or an authorized technical delegate, is available 24x7x365 and acknowledges and commences response to a Company notification of a Security Incident within two (2) hours of notification.
    4. Post-incident Security Assessment and Code Review: In the event that the External Party experiences, or is reasonably suspected by the Company to have experienced, any actual or attempted Security Incident or Data Breach affecting Company Data, systems, or services, the Company shall have the right, at its sole discretion and without prejudice to any other rights under this Agreement, to commission a third party to conduct a Vulnerability Assessment and Penetration Test (VAPT). The Company or its designated third party shall also have the right to conduct a side-by-side code review of the EXTERNAL PARTY's systems, applications, infrastructure, or assets directly involved in or reasonably connected to the incident. The External Party shall grant the Company and its designated assessors prompt, secure, and unhindered access to all such systems, logs, records, and relevant source code, and shall fully cooperate during the assessment, which may be performed without prior notice where immediate action is necessary to contain or validate the incident. The External Party shall bear all costs associated with such assessments unless the investigation conclusively determines that the incident did not originate from, and was not exacerbated by, a vulnerability in the External Party's systems. The External Party shall promptly remediate all identified vulnerabilities and provide documented proof of closure within the period prescribed by the Company; failure to cooperate or remediate shall constitute a material breach of this Agreement.
  8. BUSINESS CONTINUITY AND DISASTER RECOVERY
    1. Business Continuity and Disaster Recovery Cooperation: EXTERNAL PARTY represents and warrants that it shall, at all times, maintain, test (at least annually), and update a commercially reasonable Business Continuity Plan (BCP) and IT Disaster Recovery Plan (ITDRP) (collectively, "Resilience Plans") consistent with industry standards and sufficient to meet all Service Level Agreements, RTOs, and RPOs. Upon COMPANY's request, EXTERNAL PARTY shall provide documentation (such as a plan summary and test attestation) to evidence its compliance. Furthermore, COMPANY reserves the right, in its sole discretion, to designate EXTERNAL PARTY as a "Critical Vendor" based on COMPANY's internal risk and materiality assessment. If so designated in writing, EXTERNAL PARTY shall, at no additional cost, provide COMPANY with its complete Resilience Plans and evidence of testing, cooperate in good faith with COMPANY's BCP planning, participate in joint testing exercises upon reasonable notice, and provide immediate written notification (not to exceed two (2) hours) of any disruptive event, declared disaster, or security breach reasonably likely to impact the engagement. A failure by EXTERNAL PARTY to comply with any provision of this section shall be deemed a material breach of this Agreement.
    2. Backup and Recovery: The EXTERNAL PARTY shall establish and maintain a Business Continuity (BC) and Disaster Recovery Plan (DRP) that should cover the services being provided to the COMPANY or the engagement between the COMPANY and the EXTERNAL PARTY and the BC/DRP plan must be exercised and tested at least once a year.
  9. THIRD PARTY AND SUBCONTRACTOR MANAGEMENT
    1. Security in Subcontractor: In case the EXTERNAL PARTY will engage in subcontracting that will involve the processing of and/or access to COMPANY’s shared data or information by a subcontractor, the EXTERNAL PARTY shall seek prior permission from the COMPANY before engaging a subcontractor. As applicable to the engagement, the External Party shall be responsible for the security and confidentiality of all credentials, access keys, licenses, and accounts used to access or operate systems related to the provision of services under this Agreement. The External Party is expressly prohibited from sharing or disclosing such credentials or licenses to any third party, including its subcontractors. Any violation of this clause shall be considered a material breach of this Agreement. The EXTERNAL PARTY shall ensure that its subcontractor shall: 
      1. Only process and/or access COMPANY shared data or information based on the instructions of the EXTERNAL PARTY that do not violate any of the terms and conditions set forth in this document. 
      2. Have the appropriate technical, physical, and organizational security measures (that conform with industry accepted standards like ISO27001) to protect the COMPANY’s shared data or information against undesirable events (e.g. unauthorized disclosure or access to the COMPANY’s data) and unlawful acts (e.g. unauthorized data processing, selling of information) and shall be no less rigorous than the COMPANY’s security measures.
      3. At all times, keep the COMPANY’s shared data or information with utmost confidentiality, not disclose such shared data or information to any individual except with the prior written consent of the EXTERNAL PARTY, and restrict access to those authorized individuals within the Subcontractor’s organization who need access in order to perform the tasks necessary to provide the contracted services.
      4. Immediately notify and inform the EXTERNAL PARTY of any occurrence of security incidents impacting the contracted services wherein the COMPANY’s shared data or information may be involved or affected. 
      5. Perform secure data erasure to render all data unrecoverable when the subcontracting arrangement is about to be terminated, or when COMPANY shared data or information processed or accessed by the Subcontractor is no longer needed or required to be retained for the delivery of the services agreed between the EXTERNAL PARTY and its Subcontractor. A certification of the completion of secure data erasure must be retained by the EXTERNAL PARTY for record purposes.
      6. Strictly adhere to industry accepted standards for information security management and data protection, including relevant regulatory requirements, so that the subcontractor will not place the EXTERNAL PARTY and the COMPANY in breach of any applicable laws.
  10. AUDIT, REMEDIATION, AND LIABILITY
    1. Security Assessment: The COMPANY shall have the right to perform security-related compliance assessments covering the EXTERNAL PARTY’s existing security program and the security measures it has implemented. The EXTERNAL PARTY shall complete, upon the request of the COMPANY and on an annual basis, in a timely and accurate manner, the third party security requirements questionnaire given by the COMPANY to the EXTERNAL PARTY, in order to verify the EXTERNAL PARTY’s compliance with its security-related obligations specified in this Annex. The COMPANY shall issue reasonable advance written notice to the EXTERNAL PARTY prior to the start of an assessment. The EXTERNAL PARTY shall fully cooperate with the COMPANY or its designated Assessor Company during the conduct of the security-related compliance assessment and shall provide the information, documents, and records (e.g., policies, security reports, Attestations of Compliance) necessary to demonstrate its compliance and satisfy the objectives of the COMPANY’s assessment, insofar as they are relevant to the products/services agreed by both parties.
    2. System and Application Security Controls (COMPANY right to evaluate): In case the EXTERNAL PARTY is providing application, system, or software development related services to the COMPANY, the EXTERNAL PARTY shall allow the COMPANY or its designated Assessor Company to evaluate the security posture of the EXTERNAL PARTY’s software development and testing processes, including the adequacy of the security controls implemented over them.
    3. Security Issues: In the event that the COMPANY determines, through assessment, audit, or other reasonable means, that the EXTERNAL PARTY has inadequate security measures or material gaps in protecting the COMPANY’s data or information, the EXTERNAL PARTY shall, at its sole cost, promptly remediate such deficiencies within the period mutually agreed upon by both parties, in accordance with the following standard remediation timelines based on severity:
      1. To facilitate monitoring and compliance, the EXTERNAL PARTY shall submit to the COMPANY a written corrective action plan (CAP) within seven (7) days following completion of any security or privacy-related assessment, detailing the specific remediation steps, responsible parties, and completion timelines.
      2. If, based on the COMPANY’s assessment, the EXTERNAL PARTY’s controls are deemed inadequate to protect the COMPANY’s data, the COMPANY reserves the right to enforce additional security measures to safeguard COMPANY data. These measures may include, but are not limited to, providing COMPANY-owned devices, enforcing enhanced security protocols, or requiring the EXTERNAL PARTY to temporarily use such devices until the identified security gaps are remediated to the COMPANY’s satisfaction.
      3. In addition, the COMPANY reserves the right, at its reasonable discretion, to temporarily suspend the EXTERNAL PARTY’s access to the COMPANY’s systems, network, or data, including any transfer or exchange of information, in the event that the COMPANY identifies or reasonably suspects adverse security conditions or ongoing risks within the EXTERNAL PARTY’s environment. Such suspension shall remain in effect until the identified issues have been satisfactorily remediated and verified by the COMPANY.
      4. Failure of the EXTERNAL PARTY to remediate within the agreed timelines or to submit a corrective action plan may constitute a material breach of this Agreement, entitling the COMPANY to exercise its rights under the Agreement, including termination for cause.
    4. Cyber Liability Insurance: The EXTERNAL PARTY shall, at its own cost, maintain comprehensive Cyber Liability Insurance with coverage limits appropriate to the level of risk associated with its services, but not less than an amount mutually agreed upon by the Parties. The EXTERNAL PARTY shall provide the COMPANY with a Certificate of Insurance upon request.
    5. Explicit Indemnification: In addition to the general indemnity clause in the main body of this Agreement, the EXTERNAL PARTY shall indemnify and hold harmless the COMPANY for any and all losses, damages, liabilities, costs, and penalties (including fines imposed by regulatory bodies such as the NPC) directly resulting from the EXTERNAL PARTY's failure to comply with any security control or obligation specified in this Agreement.
  11. SECURITY OFFBOARDING. If the External Party or its personnel use their own devices to access, process, store, or transmit Company Data, such devices shall comply with all security requirements prescribed by the Company and shall not be used unless the Company confirms compliance. The External Party shall implement all configurations and security measures required by the Company before any access is granted. If the External Party or its personnel are granted administrative, privileged, or elevated access to Company systems, applications, or infrastructure, they shall use only Company-issued devices. Upon termination, expiration, or suspension of this Agreement, or upon the Company’s written request, the External Party shall immediately:
    1. Return all Company-issued assets, including but not limited to laptops, storage media, access tokens, mobile devices, network equipment, and any other hardware or materials provided for the performance of services, in good working condition and without any alteration, tampering, or unauthorized software;
    2. Remove or revoke all access granted to the External Party and its personnel to Company systems, platforms, applications, shared drives, emails, cloud environments, or any other digital or physical resources;
    3. Delete or uninstall any Company-provided software, configurations, or access credentials installed on the External Party’s systems or devices, and confirm such deletion in writing;
    4. Permanently delete all Company Data in its possession, custody, or control—including all backups, archives, reports, and derivatives—using secure deletion methods acceptable to the Company;
    5. Return all Company-owned or Company-related information, whether in physical or electronic form, including documentation, reports, analyses, configurations, credentials, or copies thereof; and
    6. Provide a written certification signed by an authorized officer within five (5) business days confirming that all Company assets have been returned, all access has been revoked, and all Company Data has been securely deleted.
    7. The Company reserves the right to verify compliance through inspection, audit, or certification review. The External Party shall provide full cooperation during such verification and shall immediately remedy any deficiencies identified. Failure to comply with any obligation under this clause shall constitute a material breach of this Agreement and shall entitle the Company to immediately revoke access, suspend services, withhold payment, or terminate the Agreement without liability, without prejudice to any other rights or remedies available to the Company.