These requirements apply to any third parties who have access to Bolt data. Some requirements are grouped based on the data classification of data processed by the third party. Please refer to the Data Classification Policy for a detailed explanation of the classification categories. Please note that before any service or product is trialed, a proper check must be made to ensure that the third party can satisfy these requirements.
A signed NDA is required whenever any data that will be processed by a third party is classified as internal, restricted or confidential. If personal data is exchanged with a third party then a Data Processing Agreement MUST be signed before any data exchange can occur.
Any supplier must implement all agreed, as well as general, information security best practices across all supplied components and materials, including software, hardware and information in order to safeguard the confidentiality, availability and integrity of Bolt data. Where applicable, the Supplier shall provide Bolt full documentation in relation to the implementation of their security controls.
The following items must be implemented and verified:
Any Supplier holding proven HIPAA, PCI DSS, GDPR or ISO27001 certification/validation usually demonstrates that they have implemented these requirements; nevertheless, this must be verified. Reference to the relevant security controls should also be included in the supplier contract.
For all information-processing equipment providers and communication providers, a proper risk assessment must be carried out to assess possible risks and take the necessary remedial steps as may be required.
Detailed information security requirements are to be checked by a member of the Internal IT or Information Security team after any agreement has been signed and before any real data processing takes place. In addition to the requirements presented here, the third party must have access to, and agree in writing to comply with, the Bolt Information Security Policy. Detailed requirements are presented in checklist format in Appendix A.
On reasonable notice or information, and during normal working hours, Bolt shall have the right, but not the obligation, to review periodically the Supplier's operations, processes and systems insofar as they relate to the Services, for the purpose of monitoring the Supplier's compliance with the terms and conditions of this Policy.
These requirements must be reviewed at least once a year by the document owner.
Checklist for common requirements of processing confidential, restricted and internal information
Checklist for processing confidential information
Checklist for processing public information