The EXTERNAL PARTY shall implement the information security requirements prescribed under this Annexure as provided by the COMPANY, to the extent applicable to the business or operations of the EXTERNAL PARTY. (Note: External Party refers to the entity providing products or supplying services or doing trade/business with the COMPANY.)
These Third Party Security Requirement Terms and Conditions apply to Tier 4 External Parties.
- An External Party shall be designated as Tier 4 if, and only if, the External Party fails to meet any of the criteria for the Tier 1, Tier 2, and Tier 3 classifications. The External Party's engagement is strictly limited to one-way informational services, passive physical support, or non-interactive functions. Tier 4 External Parties do not require access to any Company data, network connectivity, system integration, or logical access to any Company tools, systems, or applications.
- INFORMATION SECURITY MANAGEMENT FRAMEWORK: The EXTERNAL PARTY shall implement and maintain an information security management system or process covering the EXTERNAL PARTY’s organization that conforms with industry-recognized standards (e.g. ISO 27001, ISO 27002, PCI-DSS, NIST, etc.), the applicable requirements set forth in this Agreement, and any other applicable requirements or specifications required by laws applicable to the EXTERNAL PARTY and the COMPANY.
- INFORMATION SECURITY PROGRAM: The EXTERNAL PARTY shall establish and maintain a documented information security program and should establish and review its information security management documents, such as policies, standards, and guidelines, at least annually and/or as the need arises.
- The EXTERNAL PARTY shall have clearly defined information security roles and responsibilities for all personnel in the EXTERNAL PARTY’s organization.
- The EXTERNAL PARTY shall perform a full background check to verify the identity of the EXTERNAL PARTY personnel prior to hiring.
- The EXTERNAL PARTY shall perform information security related awareness and training for its employees at least annually.
- The EXTERNAL PARTY’s physical security policies and practices shall be established, implemented and monitored within the EXTERNAL PARTY organization.
- The EXTERNAL PARTY shall maintain a documented and appropriate access control policy and access management procedures, which at a minimum require proper authentication, logging and monitoring, and periodic reviews of all accesses granted, using mechanisms such as, but not limited to, OAuth 2.0, Multifactor Authentication (MFA), Role-based Access Control (RBAC), etc. The EXTERNAL PARTY shall implement commercially reasonable physical and electronic security controls to create and protect passwords.
- Although the EXTERNAL PARTY does not have access to COMPANY data, the EXTERNAL PARTY shall ensure that any information shared or provided by the COMPANY, including but not limited to proprietary information, is treated as confidential. The EXTERNAL PARTY shall protect such information using appropriate technical and organizational measures, as required by applicable data protection laws and regulations.
- SECURITY INCIDENT MANAGEMENT
- Security Incident Management & Response: The EXTERNAL PARTY should establish and implement a Security Incident Management and Response plan that covers, at a minimum, (i) identification of roles, responsibilities, and communication and contact strategies in the event of a security incident, (ii) incident-specific response procedures based on the top cyber threats applicable to the EXTERNAL PARTY, (iii) recovery and continuity procedures, and (iv) reporting and notification of stakeholders.
- Security Incident Contact and Availability: The External Party shall designate and maintain a Technical Security Incident Contact (TSIC) who possesses the requisite technical authority and expertise for immediate response, analysis, mitigation, and resolution of any Security Incident. Within ten (10) business days of the Effective Date, the External Party shall provide the Company with the TSIC’s name, title, 24/7 telephone number, and email address. The Company shall be notified of any changes to the TSIC. The External Party shall ensure that the TSIC, or an authorized technical delegate, is available 24x7x365 and shall acknowledge and commence response to Company notifications of a Security Incident within twenty (24) hours of notification.
- SECURITY IN SUB-CONTRACTING: Where the EXTERNAL PARTY engages in subcontracting, as applicable to the engagement, the EXTERNAL PARTY shall remain fully and solely responsible for all acts, omissions, or negligence of any Subcontractor as if they were the EXTERNAL PARTY's own acts, omissions, or negligence. The utilization of any Subcontractor shall not relieve the EXTERNAL PARTY of any of its obligations or liabilities under the Agreement or this Annexure. The EXTERNAL PARTY shall ensure that these contractual requirements and security prohibitions are formally flowed down to and enforced against the Subcontractor.
- SECURITY ASSESSMENT: The COMPANY shall have the right to perform security-related compliance assessments covering the EXTERNAL PARTY’s existing security program and the security measures implemented. The EXTERNAL PARTY shall fully cooperate with the COMPANY or its designated Assessor Company during the conduct of any security-related compliance assessment and shall provide the information, documents, and records (e.g. policies, security reports, Attestation of Compliance, etc.) necessary to demonstrate its compliance and satisfy the objectives of the COMPANY’s assessment, as long as they are relevant to the products/services agreed by both parties.
- EXPLICIT INDEMNIFICATION: In addition to the general indemnity clause in the main body of this Agreement, the EXTERNAL PARTY shall indemnify and hold harmless the COMPANY for any and all losses, damages, liabilities, costs, and penalties (including fines imposed by regulatory bodies such as the BSP, NPC) directly resulting from the EXTERNAL PARTY's failure to comply with any security control or obligation specified in this Agreement.
- SECURITY OFFBOARDING: Upon termination, expiration, or suspension of this Agreement, or upon the Company’s written request, the External Party shall immediately:
- Return all Company-issued assets used to provide services or access COMPANY premises.
- The Company reserves the right to verify compliance through inspection, audit, or certification review. The External Party shall provide full cooperation during such verification and shall immediately remedy any deficiencies identified. Failure to comply with any obligation under this clause shall constitute a material breach of this Agreement and shall entitle the Company to immediately revoke access, suspend services, withhold payment, or terminate the Agreement without liability, without prejudice to any other rights or remedies available to the Company.