THIRD PARTY SECURITY REQUIREMENTS TERMS AND CONDITIONS (3)

The EXTERNAL PARTY shall implement the information security requirements prescribed under this Annexure as provided by the COMPANY, to the extent applicable to the business or operations of the EXTERNAL PARTY. (Note: External Party refers to the entity providing products or supplying services or doing trade/business with the COMPANY).

These Third Party Security Requirements Terms and Conditions apply to Tier 3 External Parties.

  • An External Party shall be designated as Tier 3 if, and only if, the External Party does not meet any of the criteria for Tier 1 classification and does not meet any of the criteria for Tier 2 classification, and any of the succeeding Tier 3 parameters are present:
    • Data Sensitivity: Involves only Internal Data.
    • Network Connectivity: Access is highly restricted, limited to a Sandbox only or a Web Portal only.
    • System Integration: The External Party consumes Company Application Program Interface (API) (one way only) and has no access to any Company data via the API call.
    • Operational Dependency: The External Party is tagged as Standard in the Partner Reliability Program.
    • Access Control: Requires Non-privileged Access. Access is provided via a Portal or Front-end Web access only.
  1. INFORMATION SECURITY MANAGEMENT FRAMEWORK: The EXTERNAL PARTY shall implement and maintain an information security management system or process covering the EXTERNAL PARTY’s organization that conforms with industry recognized standards (e.g. ISO 27001, ISO 27002, PCI-DSS, NIST, etc.), the applicable requirements set forth in this agreement, and any other applicable requirements or specifications required by laws applicable to the EXTERNAL PARTY and the COMPANY.
  2. INFORMATION SECURITY PROGRAM: The EXTERNAL PARTY shall establish and maintain a documented information security program that covers the data or information shared by the COMPANY. The EXTERNAL PARTY’s information security program shall be designed in such a way that it considers the protection of the confidentiality, integrity, and availability of the COMPANY’s shared data, confidential information, platforms, systems, and services against any undesirable events (e.g., malware, insider threats, physical security hazards, destruction, loss, unauthorized access).
    1. Review of Information Security Management Documents. The EXTERNAL PARTY should establish and review its information security management documents such as policies, standards, guidelines at least annually and/or as need arises.
    2. Information Security Measures: The EXTERNAL PARTY shall implement appropriate and adequate technical, physical, and organizational security measures or controls to protect the COMPANY’s shared data or information against undesirable events (e.g., unauthorized use, access or disclosure, intentional or unintentional destruction, modification, accidental loss, unlawful and unauthorized processing, selling of data, violation of regulatory requirements) and comply with applicable laws. The EXTERNAL PARTY’s security measures or controls must conform with industry accepted standards (e.g., SANS CIS Controls, ISO 27001, ISO 27002, PCI-DSS) and must be sufficient to meet the requirements of laws or regulations applicable to both parties (e.g. BSP Circulars on Information Security, Data Privacy Act and its IRR).
    3. Information Security Organization: The EXTERNAL PARTY shall have clearly defined information security roles and responsibilities for all personnel in the EXTERNAL PARTY’s organization. The EXTERNAL PARTY’s organization must have an Information Security Officer appointed by Senior Management. The Information Security Officer must have adequate knowledge, skills, and experience, as well as a position and a team in the EXTERNAL PARTY’s organization, to enable effective implementation of enterprise-wide information security management in the EXTERNAL PARTY’s organization.
    4. Personnel Security. The EXTERNAL PARTY shall perform a full background check to verify the identity of the EXTERNAL PARTY personnel prior to hiring. The EXTERNAL PARTY shall perform information security related awareness and training for its employees at least annually.
    5. Information Security Risk Assessment. The EXTERNAL PARTY's information security risk assessment process shall be established, implemented and monitored within its organization. The information security risk assessment process should be performed at least annually in order to identify the critical assets, especially those which would be used to deliver the products and services to the COMPANY, and the risks and threats to such assets, including vulnerabilities. A formal report on the results of the analysis of information security risks must be documented.
    6. Secure Handling of Information. The EXTERNAL PARTY must have Information Classification, Protection, Retention and Disposal policies, standards, and procedures established and implemented within its organization.
    7. Data Protection and Encryption. The EXTERNAL PARTY shall only access, process, transmit COMPANY data in accordance with the engagement with the COMPANY. The EXTERNAL PARTY shall implement necessary data protection measures to protect the confidentiality, integrity, and authenticity of data or information that it may process, store, transmit for the COMPANY. Specifically, data or information considered as confidential such as but not limited to sensitive personal information must be protected using industry recognized and accepted strong encryption solutions both at rest and in transit (e.g. AES 256 and TLS 1.2 or higher).
    8. Physical and Environmental Security. The EXTERNAL PARTY’s physical security policies and practices shall be established, implemented and monitored within the EXTERNAL PARTY organization. Physical security controls shall include, but not be limited to, guards, locks and keys, authorized badges or cards and readers, a CCTV security system, and environmental controls (e.g. fire safety, temperature, humidity, battery backup) in areas or facilities from where the products and services would be delivered to the COMPANY.
  3. ACCESS CONTROL
    1. Identity and Access Management: The EXTERNAL PARTY shall maintain a documented and appropriate access control policy and access management procedures, which at a minimum require proper authentication, logging and monitoring, and periodic reviews of all accesses granted, using controls such as but not limited to OAuth 2.0, Multifactor Authentication (MFA), Role-based Access Control (RBAC), etc. Access to systems and other components that may store, process, and transmit COMPANY related data or information must be restricted only to authorized personnel with a legitimate business need for access. Access must be granted only on a "need-to-know" basis and under the "Least Privilege" principle, to ensure that no excessive access rights are provided to authorized personnel. The EXTERNAL PARTY maintains an audit trail to document whether and by whom COMPANY Data has been accessed, entered into, modified, transferred or removed from Processing, which is provided to the COMPANY upon request. A logical access review must be performed on a quarterly basis to ensure that access to the system is appropriate to the role of the user and given only to authorized and active personnel. Where COMPANY employees are granted access to the EXTERNAL PARTY’s portal or systems, upon the COMPANY’s request the EXTERNAL PARTY will promptly remove such access within 1 business day. The EXTERNAL PARTY implements commercially reasonable physical and electronic security controls to create and protect passwords.
    2. Use of Devices and Security Requirements: If the External Party or its personnel use their own devices to access, process, store, or transmit Company Data, such devices shall comply with all security requirements prescribed by the Company and shall not be used unless the Company confirms compliance. The External Party shall implement all configurations and security measures required by the Company before any access is granted. If the External Party or its personnel are granted administrative, privileged, or elevated access to Company systems, applications, or infrastructure, they shall use only Company-issued devices.
  4. TECHNICAL OPERATIONS AND COMMUNICATIONS SECURITY
    1. Endpoints and Server Security Controls: The EXTERNAL PARTY shall implement appropriate security measures (e.g. USB port disabling, Data Leakage Protection tool) to prevent unauthorized access to and copying of data from any endpoint device that may contain information shared by the COMPANY with the EXTERNAL PARTY. The EXTERNAL PARTY shall also configure and maintain its endpoints/servers (processing/storing information shared by the COMPANY) in accordance with industry standards on system hardening or secure configuration (e.g. NIST, CIS, etc.). A secure access path shall be established by the EXTERNAL PARTY to ensure secure remote access (e.g., VPN, bastion host) to its endpoints and servers. In addition, the EXTERNAL PARTY should implement endpoint/server security and protection controls such as but not limited to the following: File Integrity Monitoring (FIM) software; Security Information & Event Management (SIEM) solution; Anti-Malware software; Endpoint Detection and Response (EDR) solution; Host-level Firewall solution; Disk Encryption solution; Multi-Factor Authentication for all remote access to critical systems; Vulnerability scanning tool or detection solution; Patch management solution to ensure installation of updated patches; Use of hardened images representing hardened versions of the underlying operating systems and other applications installed on the platform/device.
  5. SECURITY INCIDENT MANAGEMENT
    1. Security Incident and Breach:
      1. Incident Notification: The EXTERNAL PARTY shall notify the COMPANY within twenty (24) hours of discovering any security incident that may endanger or jeopardize the confidentiality, integrity, or availability of the COMPANY’s data or systems, including but not limited to those assets that store, process, or transmit the COMPANY’s shared data. The EXTERNAL PARTY shall provide a follow-up report within forty-eight (48) hours, detailing the nature, impact, immediate response, and measures taken to contain the incident.
      2. Incident Response Plan: The EXTERNAL PARTY shall establish, maintain, and regularly test a security and privacy-related incident response plan covering all assets that store, process, or transmit the COMPANY’s data. The EXTERNAL PARTY shall conduct periodic incident response exercises to assess their preparedness for handling incidents. The response plan shall include:
        1. Annual review and testing of the incident response plan.
        2. Designated personnel available 24/7 to respond to security alerts and incidents.
        3. Appropriate training for staff responsible for security breach response.
        4. A process to modify and update the plan based on lessons learned and evolving industry standards.
        5. Provisions for responding to alerts from security monitoring systems, including intrusion detection, prevention systems, firewalls, and file integrity monitoring systems.
      3. Containment and Remediation: Upon discovery of a security incident, the EXTERNAL PARTY shall immediately implement containment measures to minimize further damage. The EXTERNAL PARTY must also initiate remedial actions to secure the affected systems, restore services, and prevent recurrence. The EXTERNAL PARTY shall address the root cause and take corrective actions in accordance with industry best practices and the COMPANY’s security policies.
      4. Incident Reporting and Documentation: The EXTERNAL PARTY shall provide the COMPANY with a detailed incident report, including investigation results, actions taken, and measures implemented to prevent recurrence. The COMPANY has the right to request these reports without undue delay.
      5. Right to Monitor and Audit: The COMPANY reserves the right to monitor the EXTERNAL PARTY’s remediation efforts and conduct audits to ensure the security of COMPANY data, particularly in the event of a security incident or breach. In case of inadequate controls, the COMPANY may enforce additional security measures, such as providing COMPANY-owned devices, to safeguard COMPANY data until the EXTERNAL PARTY remediates the identified gaps.
    2. Security Incident Management & Response: The EXTERNAL PARTY should establish and implement a Security Incident Management and Response plan that covers, at a minimum: (i) identification of roles, responsibilities, and communication and contact strategies in the event of a security incident; (ii) incident-specific response procedures based on the top cyber threats applicable to the EXTERNAL PARTY; (iii) recovery and continuity procedures; (iv) reporting and notification of stakeholders.
    3. Security Incident Contact and Availability: The External Party shall designate and maintain a Technical Security Incident Contact (TSIC) who possesses the requisite technical authority and expertise for immediate response, analysis, mitigation, and resolution of any Security Incident. Within ten (10) business days of the Effective Date, the External Party shall provide the Company with the TSIC’s name, title, 24/7 telephone number, and email address. The Company shall be notified of any changes in the TSIC. The External Party shall ensure the TSIC, or an authorized technical delegate, is available 24x7x365 and shall acknowledge and commence response to Company notifications of a Security Incident within twenty (24) hours of notification.
  6. BUSINESS CONTINUITY AND DISASTER RECOVERY
    1. Business Continuity and Disaster Recovery Cooperation: EXTERNAL PARTY represents and warrants that it shall, at all times, maintain, test (at least annually), and update a commercially reasonable Business Continuity Plan (BCP) and IT Disaster Recovery Plan (ITDRP) (collectively, "Resilience Plans") consistent with industry standards and sufficient to meet all Service Level Agreements, RTOs, and RPOs. Upon COMPANY's request, EXTERNAL PARTY shall provide documentation (such as a plan summary and test attestation) to evidence its compliance. Furthermore, COMPANY reserves the right, in its sole discretion, to designate EXTERNAL PARTY as a "Critical Vendor" based on COMPANY's internal risk and materiality assessment. If so designated in writing, EXTERNAL PARTY shall, at no additional cost, provide COMPANY with its complete Resilience Plans and evidence of testing, cooperate in good faith with COMPANY's BCP planning, participate in joint testing exercises upon reasonable notice, and provide written notification (not to exceed two (2) hours) of any disruptive event, declared disaster, or security breach reasonably likely to impact the engagement. A failure by EXTERNAL PARTY to comply with any provision of this section shall be deemed a material breach of this Agreement.
    2. Backup and Recovery: The EXTERNAL PARTY shall establish and maintain a Business Continuity (BC) and Disaster Recovery Plan (DRP) that covers the services being provided to the COMPANY or the engagement between the COMPANY and the EXTERNAL PARTY, and the BC/DRP must be exercised and tested at least once a year.
  7. THIRD PARTY AND SUBCONTRACTOR MANAGEMENT
    1. Security in subcontracting: In case the EXTERNAL PARTY engages in subcontracting that will involve the processing of and/or access to the COMPANY’s shared data or information by a subcontractor, the EXTERNAL PARTY shall seek prior permission from the COMPANY before engaging the subcontractor. As applicable to the engagement, the External Party shall be responsible for the security and confidentiality of all credentials, access keys, licenses, and accounts used to access or operate systems related to the provision of services under this Agreement. The External Party is expressly prohibited from sharing or disclosing such credentials or licenses to any third party, including its subcontractors. Any violation of this clause shall be considered a material breach of this Agreement. The EXTERNAL PARTY shall ensure that its subcontractor shall:
      1. Only process and/or access COMPANY shared data or information based on the instructions of the EXTERNAL PARTY that do not violate any of the terms and conditions set forth in this document. 
      2. Have appropriate technical, physical, and organizational security measures (that conform with industry accepted standards such as ISO 27001) to protect the COMPANY’s shared data or information against undesirable events (e.g. unauthorized disclosure of or access to the COMPANY’s data) and unlawful acts (e.g. unauthorized data processing, selling of information), which shall be no less rigorous than the COMPANY’s security measures.
      3. At all times, keep the COMPANY’s shared data or information with utmost confidentiality, not disclose such shared data or information to any individual except with prior written consent from the EXTERNAL PARTY, and restrict access to only those authorized individuals within the Subcontractor’s organization who need access in order to perform tasks necessary to provide the contracted services.
      4. Immediately notify and inform the EXTERNAL PARTY of any occurrence of security incidents impacting the contracted services wherein the COMPANY’s shared data or information may be involved or affected.
      5. Perform secure data erasure to render all data unrecoverable when the subcontracting arrangement is about to be terminated, or when COMPANY shared data or information being processed or accessed by the Subcontractor is no longer needed or required to be retained for the delivery of the services agreed between the EXTERNAL PARTY and its Subcontractor. A certification on the completion of secure data erasure must be retained by the EXTERNAL PARTY for record purposes.
      6. Strictly adhere to industry accepted standards for information security management and data protection, including relevant regulatory requirements, so that the subcontractor will not place the EXTERNAL PARTY and the COMPANY in breach of any applicable laws.
  8. AUDIT, REMEDIATION, AND LIABILITY
    1. Security Assessment: The COMPANY shall have the right to perform security related compliance assessments covering the EXTERNAL PARTY’s existing security program and the security measures implemented. The EXTERNAL PARTY shall complete, upon the request of the COMPANY and on an annual basis, in a timely and accurate manner, the third party security requirements given by the COMPANY to the EXTERNAL PARTY, in order to verify the EXTERNAL PARTY’s compliance with its security-related obligations specified in this Annex. Reasonable advance written notice shall be issued by the COMPANY to the EXTERNAL PARTY prior to the start of the assessment. The EXTERNAL PARTY shall fully cooperate with the COMPANY or its designated Assessor Company during the conduct of the security related compliance assessment and shall provide the information, documents, and records (e.g. Policies, Security Reports, Attestation of Compliance, etc.) necessary to demonstrate its compliance and satisfy the objectives of the COMPANY’s assessment, as long as they are relevant to the products/services agreed by both parties.
    2. Security Issues: In the event that the COMPANY determines, through assessment, audit, or other reasonable means, that the EXTERNAL PARTY has inadequate security measures or material gaps in protecting the COMPANY’s data or information, the EXTERNAL PARTY shall, at its sole cost, promptly remediate such deficiencies within the period mutually agreed upon by both parties, in accordance with the following standard remediation timelines based on severity:
      1. To facilitate monitoring and compliance, the EXTERNAL PARTY shall submit to the COMPANY a written corrective action plan (CAP) within seven (7) days following completion of any security or privacy-related assessment, detailing the specific remediation steps, responsible parties, and completion timelines.
      2. If, based on the COMPANY’s assessment, the EXTERNAL PARTY’s controls are deemed inadequate to protect the COMPANY’s data, the COMPANY reserves the right to enforce additional security measures to safeguard COMPANY data. These measures may include, but are not limited to, providing COMPANY-owned devices, enforcing enhanced security protocols, or requiring the EXTERNAL PARTY to temporarily use such devices until the identified security gaps are remediated to the COMPANY’s satisfaction.
      3. In addition, the COMPANY reserves the right, at its reasonable discretion, to temporarily suspend the EXTERNAL PARTY’s access to the COMPANY’s systems, network, or data, including any transfer or exchange of information, in the event that the COMPANY identifies or reasonably suspects adverse security conditions or ongoing risks within the EXTERNAL PARTY’s environment. Such suspension shall remain in effect until the identified issues have been satisfactorily remediated and verified by the COMPANY.
      4. Failure of the EXTERNAL PARTY to remediate within the agreed timelines or to submit a corrective action plan may constitute a material breach of this Agreement, entitling the COMPANY to exercise its rights under the Agreement, including termination for cause.
    3. Explicit indemnification: In addition to the general indemnity clause in the main body of this Agreement, the EXTERNAL PARTY shall indemnify and hold harmless the COMPANY for any and all losses, damages, liabilities, costs, and penalties (including fines imposed by regulatory bodies such as the BSP, NPC) directly resulting from the EXTERNAL PARTY's failure to comply with any security control or obligation specified in this Agreement.
  9. SECURITY OFFBOARDING. Upon termination, expiration, or suspension of this Agreement, or upon the Company’s written request, the External Party shall immediately:
    1. Return all Company-issued assets, including but not limited to laptops, storage media, access tokens, mobile devices, network equipment, and any other hardware or materials provided for the performance of services, in good working condition and without any alteration, tampering, or unauthorized software;
    2. Remove or revoke all access granted to the External Party and its personnel to Company systems, platforms, applications, shared drives, emails, cloud environments, or any other digital or physical resources;
    3. Delete or uninstall any Company-provided software, configurations, or access credentials installed on the External Party’s systems or devices, and confirm such deletion in writing;
    4. Permanently delete all Company Data in its possession, custody, or control—including all backups, archives, reports, and derivatives—using secure deletion methods acceptable to the Company;
    5. Return all Company-owned or Company-related information, whether in physical or electronic form, including documentation, reports, analyses, configurations, credentials, or copies thereof; and
    6. Provide a written certification signed by an authorized officer within five (5) business days confirming that all Company assets have been returned, all access has been revoked, and all Company Data has been securely deleted.
    7. The Company reserves the right to verify compliance through inspection, audit, or certification review. The External Party shall provide full cooperation during such verification and shall immediately remedy any deficiencies identified. Failure to comply with any obligation under this clause shall constitute a material breach of this Agreement and shall entitle the Company to immediately revoke access, suspend services, withhold payment, or terminate the Agreement without liability, without prejudice to any other rights or remedies available to the Company.