Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

 Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?

Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?

Yes. Commonplace operates a documented Supplier Security Policy that ensures providers are using appropriate controls are in place within their organisation. Terms of service / contracts are checked to confirm all necessary clauses relating to information security and data protection with appropriate mechanisms for reporting etc.

Customer information while residing on third party services (AWS, MongoDB, Sendgrid) is not accessible to the providers and in all cases is transferred using secure mechanisms such as https.

Critical suppliers are reviewed annually to verify the maintenance of certifications (such as ISO 27001, etc) and continued resilience (any incidents, failures, etc). Where an incident affecting Commonplace services or customer information, immediate reviews of provision are undertaken.

 Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?

Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?

Yes.

 Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?

Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?

Yes.

 Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?

Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?

Yes. We have a documented Supplier Security Policy that details the requirements that must be in place when selecting service providers. This includes checklists for security clauses in contracts, and due diligence checklists to ensure appropriate controls. Suppliers are also reviewed at least annually to ensure performance.

 Does your organisation conduct security due diligence against suppliers before entering into a contract?

Does your organisation conduct security due diligence against suppliers before entering into a contract?

Yes.

  Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?

Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?

Yes, all suppliers are reviewed annually and on demand if there is a breach or other significant disruption

  • No labels