Information security terms
Last updated: Wednesday, 23rd July ’23
PROVIDER shall provide the Services and perform its obligations under the Agreement in accordance with:
(i) these Information Security Terms; and
(ii) Good Security Practice.
a. "Asset" shall mean any item or element of hardware and software that is or may be used for the purpose of creating, accessing, processing, protecting, monitoring, storing, retrieving, displaying, or transmitting CLIENT Data.
b. "CLIENT Data" shall mean any data that the CLIENT, or a person acting on its behalf, provides to the PROVIDER, or permits the PROVIDER to access and process, in connection with the Agreement.
c. "Encryption" shall mean the process of converting information or data into a code, especially to prevent unauthorized access.
d. "Patching" shall mean any software and operating system (OS) updates that address security vulnerabilities within a program or product.
e. "Penetration Testing" shall mean an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.
f. "PROVIDER System" shall mean any System or Asset which is owned or managed (in whole or in part) for operation by or on behalf of the PROVIDER or any of its Affiliates.
g. "Security Incident" shall mean an incident, event and/or problem which resulted in an actual compromise of the confidentiality, integrity and/or availability of CLIENT Data and/or the Service.
h. "Production Environment" shall mean an environment where CLIENT Data is stored and processed.
i. "Testing Environment" shall mean an environment made available for the testing of recently developed programs or software products prior to their release into a Production Environment.
j. "Vulnerability" shall mean a weakness or flaw found within a system.
k. "Artificially Inflated Traffic" (AIT) shall mean any traffic generated by automated or fraudulent means, including but not limited to bots, click farms, or any other means intended to artificially inflate traffic volumes.
PROVIDER shall:
2.1. define, document, implement and maintain security policies compliant with ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 22301, and other applicable industry standards, while:
- ensuring that the confidentiality, integrity and availability of data and information systems are maintained.
- complying with legal and regulatory requirements to which the CLIENT and the CLIENT Data may be subjected.
2.2. review its policies and procedures on an annual basis, and/or in response to any significant change.
2.3. ensure that the security policies are documented, approved by the PROVIDER's management, and published and communicated to relevant stakeholders.
2.4. ensure that it has the required number of security professionals who are responsible for coordinating and monitoring all information security functions, policies, and procedures.
2.5. maintain a process for periodical internal and external validation of the effectiveness of its security controls. PROVIDER shall maintain, at minimum:
- an ISAE 3000 Service Organization Control 2 Type I ("SOC 2") or equivalent report (or any successor reports) for security, availability, confidentiality, and privacy-related controls of the information processing and management systems (including procedures, people, software, data, and infrastructure) used by the PROVIDER in processing Customer Confidential Information; and
- an ISO/IEC 27001/27017/27018/22301 certification or industry-standard successor report. PROVIDER shall promptly address and resolve any deficiencies to the extent necessary to comply with PROVIDER's obligations under the Agreement and these Terms.
PROVIDER shall:
3.1. define, document, implement and maintain an appropriate background checking policy and procedure. The checks may include the individual's education and previous employment history, criminal record, reference checks, and any additional industry standard background check requirements in accordance with relevant and applicable laws and regulations.
3.2. carry out background verification checks on all existing and new employees including contract employees.
3.3. ensure that all employees are bound by an appropriate confidentiality agreement.
3.4. define, document, implement, and maintain a formal security and privacy awareness training for all employees. PROVIDER shall ensure that such trainings are provided prior to granting permission to access or use of sensitive information and on a continuous basis thereafter.
4.1. define, document, implement and maintain an accurate and up-to-date inventory which records all hardware and software, with information of owner and location of each.
4.2. ensure that only software applications and/or operating systems that are currently supported by, and receiving updates from, their vendor are added to the PROVIDER's authorized software inventory.
4.3. ensure that all software and hardware that has reached End-of-Life (EOL) is removed from use and that the inventory is updated in a timely manner.
4.4. define rules for the acceptable use of information and of assets associated with information and information processing.
4.5. ensure that all information is classified in terms of legal requirements, value, criticality, and sensitivity, and handled in line with its classification label.
4.6. ensure proper handling and disposal of CLIENT data from PROVIDER systems:
- disposal of CLIENT data records must be conducted in a secure manner to ensure that data is made irretrievable.
- certificate of deletion should be available for any ad hoc CLIENT requests for data deletion.
5.1. General provisions
PROVIDER shall:
5.1.1. define, document, implement and maintain access control policy and procedures on the basis of business needs and the principle of "Least Privilege", and ensure that only authorized employees have access to the PROVIDER Systems.
5.1.2. ensure that only unique IDs are used and shall document any exception and usage of shared accounts.
5.1.3. ensure that any access to PROVIDER Systems that store, or process CLIENT Data is subject to Multi-Factor Authentication (MFA).
5.1.4. periodically, on at least annual basis, review appropriateness of assigned user privileges.
5.1.5. ensure that user management activities (addition, modification, or removal of user privileges) are performed based on a valid formal request and in a timely manner.
5.2. REMOTE ACCESS SECURITY
PROVIDER shall:
5.2.1. ensure that appropriate set of security controls is put in place to prevent unauthorized remote access to PROVIDER Systems. Such controls shall include at least:
- Any remote access to PROVIDER Systems and/or Network shall be only via VPN and Multi-Factor Authentication (MFA).
- All data travelling across a remote access mechanism shall be encrypted from the endpoint (e.g., laptop) to the network.
- All attempts to connect to the PROVIDER Systems using an unauthorized remote access mechanism shall be rejected and logged.
- Suspicious activity shall be handled in line with relevant security protocols.
5.3. PASSWORD MANAGEMENT
PROVIDER shall:
5.3.1. define, document, implement and maintain password policy in line with industry best practice and internal business needs.
5.3.2. ensure that passwords are of sufficient length and complexity, do not contain easily guessable words, and are changed at regular intervals.
5.3.3. ensure that user accounts are locked out after a defined number of unsuccessful password attempts and that the account remains locked for a defined period of time.
5.3.4. ensure that passwords are stored in a secure way that makes them unintelligible while they remain valid.
5.3.5. ensure that initial and/or default password is changed immediately or upon first use.
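As an added illustration of clauses 5.3.3 and 5.3.4 (this is example code, not the PROVIDER's implementation), the block below stores passwords only as a salted scrypt hash from the Python standard library and applies a temporary lockout after repeated failures. The work factors, the failure threshold and the lockout duration are assumptions chosen for the example; a real deployment would size them to its own risk assessment.

```python
"""Salted one-way password storage plus account lockout (clauses 5.3.3 / 5.3.4).

Added example, not part of the Terms or the PROVIDER's code. The scrypt
parameters, MAX_FAILURES and LOCKOUT_SECONDS below are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factors (~16 MiB)
MAX_FAILURES = 5            # assumed: lock after 5 consecutive wrong passwords
LOCKOUT_SECONDS = 15 * 60   # assumed: 15-minute lockout


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password, salt). The plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against the stored salted hash."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), digest)


@dataclass
class Account:
    username: str
    password_hash: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def authenticate(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'; `now` is injected for testability."""
    if now < acct.locked_until:
        return "locked"          # refuse without evaluating the password
    if verify_password(password, acct.password_hash):
        acct.failures = 0        # success resets the counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"
```

Because the salt is random per account, two users with the same password get different stored values, and a stolen hash table cannot be attacked with a single precomputed dictionary. Note that NIST SP 800-63B (the current US guidance on memorized secrets) recommends forcing a password change when compromise is suspected rather than purely on a fixed schedule; the periodic change required by clause 5.3.2 should therefore be paired with breached-password screening rather than relied on alone.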
PROVIDER shall:
6.1. define, document, implement and maintain relevant policies and procedures that regulate the use of appropriate cryptographic controls and the key management processes setting the rules of the use, protection, and lifetime of cryptographic keys and keying material.
6.2. ensure that CLIENT Data is protected while in transit and at rest using secure protocols and algorithms (e.g., TLS 1.2 or later for transit, AES-256 for storage, or other industry-recommended standards).
6.3. manage all encryption keys in a key management system that is owned and operated by the PROVIDER.
6.4. ensure proper segregation of the duties within encryption key management process.
PROVIDER shall:
7.1. define, document, implement and maintain physical security policies and procedures to prevent unauthorized physical access, damage, and interference to the organization's information and information processing facilities that store CLIENT Data.
7.2. implement physical and environmental security processes and controls in line with defined policies and procedures. PROVIDER may outsource some or all physical security controls to a 3rd party and it shall ensure same level controls are in place and shall regularly assess the 3rd party for compliance.
7.3. ensure secure areas are protected by appropriate entry controls and only authorized personnel are allowed access.
7.4. ensure that all visitors are authorized, have proper identification, and are only given access to the necessary areas.
7.5. ensure that locking cabinets are used to secure confidential information.
7.6. ensure that equipment containing storage media is securely overwritten prior to disposal or re-use.
7.7. ensure a clear desk policy and a clear screen policy is applied for information processing facilities.
PROVIDER shall:
8.1. define, document, implement and maintain security operating procedures for backup, endpoint protection, vulnerability management, antivirus and antimalware, patching, system hardening and logging.
8.2. perform vulnerability assessments and penetration tests on a regular basis in accordance with industry best practice and internal business needs. PROVIDER shall also perform a risk assessment, followed by a remediation of identified issues.
8.3. ensure vulnerabilities are handled in accordance with defined prioritization and within required resolution timelines:
- all security issues with a CVSS base score of 9.0 or above (Critical) shall be remediated within 10 business days.
- all security issues with a CVSS base score between 7.0 and 8.9 (High) shall be remediated within 30 business days.
- all security issues with a CVSS base score between 4.0 and 6.9 (Medium) shall be remediated within 60 business days.
- all security issues with a CVSS base score between 0.1 and 3.9 (Low) shall be remediated within 150 business days.
8.4. apply patches and upgrades to all levels of infrastructure in accordance with defined prioritization and within required resolution timelines as noted in point 8.3.
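The timelines in clauses 8.3 and 8.4 are expressed in business days, so checking compliance needs more than a table lookup: each finding's deadline depends on its discovery date and the severity band. The script below is an added example (not part of the Terms and not the PROVIDER's tooling) that maps a CVSS base score to its band, computes the business-day due date, and flags findings that are open past their deadline or were fixed late. The finding records and their field names are constructed for the example; weekends are skipped but public holidays are not modelled.

```python
"""SLA tracker for the CVSS-based remediation timelines of clauses 8.3 / 8.4.

Added example, not part of the Terms. SAMPLE_FINDINGS is constructed data and
the Finding field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# (low, high, severity, business days) exactly as listed in clause 8.3.
SLA_BUSINESS_DAYS = (
    (9.0, 10.0, "critical", 10),
    (7.0, 8.9, "high", 30),
    (4.0, 6.9, "medium", 60),
    (0.1, 3.9, "low", 150),
)


def sla_for(cvss: float):
    """Return (severity, business days) for a CVSS base score, or None for 0.0."""
    score = round(cvss, 1)  # CVSS base scores carry one decimal place
    for lo, hi, name, days in SLA_BUSINESS_DAYS:
        if lo <= score <= hi:
            return name, days
    return None  # informational (0.0) or out of range: no contractual deadline


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n Monday-to-Friday days (holidays not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class Finding:
    id: str
    cvss: float
    discovered: date
    fixed: Optional[date] = None


def assess(f: Finding, today: date) -> dict:
    """Classify one finding as met / breached / open / overdue / no-sla."""
    band = sla_for(f.cvss)
    if band is None:
        return {"id": f.id, "severity": "none", "due": None, "status": "no-sla"}
    severity, days = band
    due = add_business_days(f.discovered, days)
    if f.fixed is not None:
        status = "met" if f.fixed <= due else "breached"
    else:
        status = "overdue" if today > due else "open"
    return {"id": f.id, "severity": severity, "due": due, "status": status}


def report(findings, today: date):
    return [assess(f, today) for f in findings]


# Constructed sample data (not real findings). 2024-03-01 is a Friday.
SAMPLE_FINDINGS = [
    Finding("VULN-1", 9.8, date(2024, 3, 1), fixed=date(2024, 3, 12)),
    Finding("VULN-2", 7.5, date(2024, 3, 1)),
    Finding("VULN-3", 5.3, date(2024, 3, 1)),
    Finding("VULN-4", 0.0, date(2024, 3, 1)),
]

if __name__ == "__main__":
    for row in report(SAMPLE_FINDINGS, date(2024, 4, 15)):
        print(row)
```

Run against a vulnerability-scanner export, the "overdue" and "breached" rows are the evidence a CLIENT would ask for under clause 14.1; the same function can be reused for patch backlogs under clause 8.4, since those inherit the 8.3 timelines.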
8.5. ensure endpoints, servers, storage devices, mail / web gateways and mail traffic are protected with active anti-malware tools where technically feasible to detect and wherever possible prevent malware infections.
8.6. create backup copies of information, software and system images and shall test these regularly in accordance with industry best practice and internal business needs.
8.7. ensure appropriate logging is performed, with sufficient details and maintained in accordance with defined retention periods, while being protected against tampering and unauthorized access.
8.8. define, document, implement and maintain rules governing the installation of software by users.
8.9. define, document, implement and maintain standards for the secure configuration of endpoints, including, but not limited to laptops, servers, virtual machines, databases, and networks devices to protect against loss of confidentiality, integrity, and availability of CLIENT Data at rest and in transit.
PROVIDER shall:
9.1. define, document, implement and maintain security mechanisms and management requirements of all network services.
9.2. define, document, implement and maintain strong encryption and security configuration standards to secure communication over the public and non-public networks.
9.3. ensure that the clocks of all relevant information processing systems are synchronized to a single reference time source.
9.4. monitor the web traffic and network perimeter to detect cyber-attacks and block malicious services, webpages, and traffic.
9.5. ensure that changes to firewall rules are controlled through a formal request / approval process and are regularly reviewed.
9.6. restrict and control access to the organization's networks in line with industry best practice and internal business needs.
9.7. ensure zoning model is applied and that network is appropriately segmented while only approved access and traffic are allowed in each segment.
PROVIDER shall:
10.1. establish a secure development lifecycle to ensure Services are developed and maintained in a secure manner.
10.2. control changes to systems within the development lifecycle by formal change control procedures.
10.3. ensure that the development, testing, and production environments are segregated to reduce the risks of unauthorized access or changes to the production environment.
10.4. ensure that information security related requirements are included in the requirements for new Services or enhancements to existing Services.
10.5. ensure that test data is created carefully and in a controlled manner, and that production data is not used for testing purposes.
PROVIDER shall:
11.1. define, document, implement and maintain supplier relationship management policies and procedures which define basic principles and rules for managing supplier relationships that comply with business, security requirements, as well as applicable regulations, best practices, and international standards.
11.2. for each supplier that may access, process, or store CLIENT data, PROVIDER shall assess, and document compliance of supplier’s solution as defined in point 1. For critical suppliers, including sub-processors, reassessment shall be performed on an annual basis.
11.3. ensure that all relevant information security requirements shall be established and agreed with each supplier that may access, process, or store CLIENT data.
11.4. ensure that a valid agreement that defines the scope of work, confidentiality, security, and technical requirement (if applicable) of the business relationship is in place with each supplier that may access, process, or store CLIENT data.
PROVIDER shall:
12.1. define, document, implement and maintain a formal process for reporting, responding to and managing information security incidents. This shall include as a minimum:
- A procedure for reporting such incidents/ breaches to appropriate management within the PROVIDER organization.
- A process of identifying, assessing, and handling information security incidents.
- A clearly designated team for managing and coordinating the response to an incident.
- A documented and tested process for managing the response to an incident including the requirement to keep appropriate issues and action logs to include the time at which the incident occurred, the person reporting the incident, to whom it was reported and the effects thereof.
- The requirement to notify the CLIENT in a timely manner, and no later than 72 hours after the information security incident and negative impact to services provided to CLIENT are confirmed. Shorter notification period will apply if such requirement is based on applicable legislation and/or regulation.
- PROVIDER incident management team shall, where appropriate, work together with the CLIENT's security representatives until the information security incident has been satisfactorily resolved.
- PROVIDER shall align with all the national regulations and legislations regarding information security incident notification towards the law enforcement, regulatory or any other national authorities.
PROVIDER shall:
13.1. define, document, implement and maintain a Business Continuity Program in line with the requirements set out in ISO 22301.
13.2. identify and prioritize Infobip's critical products and services using a Business Impact Analysis (BIA) process.
13.3. use Risk Assessment information and methods to evaluate threat of disruption.
13.4. based on results of Business Impact Analysis and Risk Assessment, develop response and recovery strategies to mitigate the impact on the critical services during a disruptive incident.
13.5. develop business continuity and recovery plans that are fit for purpose, regularly reviewed, available and simple to follow and understand.
13.6. develop crisis management and communications plans for effective management of crisis, prioritization in communication and ways to alert of the incidents.
13.7. deliver training and exercising, developed against required competencies, and delivered to employees with a direct business continuity responsibility.
13.8. continually improve Infobip's Business Continuity Program through regular evaluation, taking into account any changes to legal and regulatory requirements.
14.1. The CLIENT acknowledges that the PROVIDER is regularly audited against ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 22301, and ISAE 3000 standards. All compliance is assessed on an annual basis and certificates are available for download from: https://www.infobip.com/certificates. Upon CLIENT's written request, the PROVIDER shall provide the CLIENT with a full or summary copy, as applicable, of its then-current reports. PROVIDER shall also provide, within ten (10) working days, written responses to all reasonable requests (questionnaires, forms, etc.) made by the CLIENT in order to check that PROVIDER is complying with the requirements under these Terms.
14.2. To the extent required by applicable regulation, once per year and upon at least 30 calendar days' prior notification, PROVIDER shall permit CLIENT, its respective auditors, or other agents (each an "Auditing Party") to access PROVIDER's premises, records, and documents as reasonably required by the Auditing Party to check that PROVIDER is complying with the requirements under these Terms. Any review in accordance with this paragraph shall not require the review of any third-party data, and the Auditing Party may be required to enter into a confidentiality agreement with PROVIDER as may be reasonably necessary to respect the confidentiality of the information of which the Auditing Party may become aware in the course of undertaking the review. Each Party shall bear its own costs in relation to such audit. In case the audit reveals non-compliance with PROVIDER's obligations under these Terms, the PROVIDER shall rectify such non-compliance within a mutually agreed timeline and bear the costs of such actions.
14.3. The PROVIDER reserves the right to impose limitations and restrictions on showing internal confidential information and taking copies of any evidence requested in points 14.1 and 14.2.
15.1. General security measures
15.1.1. PROVIDER has defined, documented, implemented, and is maintaining security recommendations (https://www.infobip.com/docs/essentials/security-recommendations) for CLIENTs using its cloud communication services. CLIENT shall review said recommendations and implement them in accordance with its business needs, technical capability, and risk appetite.
15.1.2. CLIENT shall be fully responsible for the proper set-up of security measures on its side and shall not impose any liability on the PROVIDER in case of a security incident resulting from improper set-up of security and technical measures or from negligence in implementing the measures recommended by the PROVIDER.
15.2. AIT security mitigation measures
15.2.1. PROVIDER has defined, documented, and is maintaining security guidelines for the prevention of fraud cases: https://www.infobip.com/docs/essentials/security-recommendations#web-application-issues-leveraged-in-fraud-cases-security-guidelines-for-sms-fraud-prevention.
15.2.2. Risk may arise on a CLIENT website or mobile application integrated with PROVIDER Systems if a registration or other form that triggers SMS MT messages carrying OTPs is not protected by an anti-bot mechanism such as CAPTCHA. Vulnerabilities in such applications may lead to artificially inflated traffic (AIT) attacks. An anti-bot mechanism such as CAPTCHA is essential to protect the user sign-up flow from automated fake registrations that trigger SMS MT messages with OTPs.
15.2.3. When AIT attacks occur, the traffic reaches the PROVIDER's infrastructure from the source IP address used by the CLIENT at the time of submission, and the SMS MT content is indistinguishable from the CLIENT's genuine traffic. In the absence of any feedback from the CLIENT, the PROVIDER is therefore unable to differentiate between AIT originating from the CLIENT's application and genuine traffic from the same application. As a result, the PROVIDER cannot be held responsible for the security of the CLIENT's web or mobile application(s). CLIENT further acknowledges that all traffic received from CLIENT's infrastructure shall be routed to Network Operators and charged to the CLIENT in accordance with the terms of the Agreement.
15.2.4. Blocking impacted networks would not prevent a similar issue from occurring again on the networks that remain enabled, as the root cause lies within the CLIENT's infrastructure. It is therefore imperative for the CLIENT to secure every form on its website or mobile application that triggers SMS MT OTP codes.
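Clauses 15.2.2 to 15.2.4 place the control point on the CLIENT side, in front of whatever calls the SMS API. The block below is an added example (not Infobip's code and not taken from the linked guidelines) of a server-side gate for an OTP-sending endpoint: it requires a passing anti-bot verification and then applies sliding-window velocity limits per destination number, per source IP and per number prefix, since AIT campaigns typically drive many numbers in the same range. The CAPTCHA verifier is abstracted as a callable, the limits and the window are assumptions, and the first four characters of an E.164 number are used as a rough country-prefix proxy.

```python
"""Server-side gate in front of an SMS-OTP trigger (clauses 15.2.2 - 15.2.4).

Added example, not Infobip's code. `verify_captcha` stands in for a real
anti-bot check; WINDOW_SECONDS and the MAX_* limits are assumptions. Phone
numbers are expected in E.164 form (e.g. "+447700900123", a UK test range).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Tuple

WINDOW_SECONDS = 3600
MAX_PER_PHONE = 3     # assumed: OTP sends per destination number per window
MAX_PER_IP = 10       # assumed: OTP sends per source IP per window
MAX_PER_PREFIX = 50   # assumed: OTP sends per number prefix per window
PREFIX_LEN = 4        # assumed proxy for country code ("+447" for +44 7xxx)


@dataclass
class OtpGate:
    verify_captcha: Callable[[str], bool]
    _seen: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))

    def _count(self, key: str, now: float) -> int:
        """Number of sends for `key` inside the sliding window ending at `now`."""
        q = self._seen[key]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def decide(self, phone: str, ip: str, captcha_token: str, now: float) -> str:
        """Return 'send' or 'reject:<reason>' for one OTP request."""
        if not self.verify_captcha(captcha_token):
            return "reject:captcha"   # automated submissions stop here
        checks: Tuple[Tuple[str, int], ...] = (
            ("phone:" + phone, MAX_PER_PHONE),
            ("ip:" + ip, MAX_PER_IP),
            ("prefix:" + phone[:PREFIX_LEN], MAX_PER_PREFIX),
        )
        for key, limit in checks:
            if self._count(key, now) >= limit:
                return "reject:" + key.split(":", 1)[0]
        for key, _ in checks:          # record only sends that are allowed
            self._seen[key].append(now)
        return "send"


if __name__ == "__main__":
    # Constructed requests; a real verifier would validate a CAPTCHA token.
    gate = OtpGate(verify_captcha=lambda token: token == "valid")
    print(gate.decide("+447700900001", "203.0.113.5", "bad-token", 0.0))
    for _ in range(4):
        print(gate.decide("+447700900001", "203.0.113.5", "valid", 1.0))
```

The per-prefix counter is the one most worth keeping: a CAPTCHA can be outsourced to a solving farm, but an AIT run still shows up as an abnormal burst of sends into a single destination range with almost no OTPs ever verified, which is exactly the feedback clause 15.2.3 says the PROVIDER cannot derive on its own. Logging the rejects alongside the OTP-verified rate gives the CLIENT that signal before the credit limit in clause 15.3 is consumed.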
15.3. Request to increase the credit limit
15.3.1. The credit limit can be quickly exhausted if the vulnerabilities on the CLIENT website are not addressed. Therefore, the PROVIDER requests the CLIENT's confirmation that it is aware of the risks and understands the potential consequences of increasing the credit limit.
15.3.2. By requesting an increase in the credit limit, the CLIENT acknowledges responsibility for any potential loss due to AIT attacks and commits to pay for any expenses that may arise as a result.