Security Compliance Requirements

1. Security Compliance Requirements

These Security Compliance Requirements (“SCR”) apply to all FedEx Data which is: (a) processed by Company; (b) provided by or on behalf of FedEx and/or its Affiliates to Company; (c) learned or otherwise used by Company during or in connection with the performance of Services; or, (d) otherwise collected or gathered from FedEx or third parties in connection with the Services.

Notwithstanding any contrary terms or conditions in the Mutual Nondisclosure Agreement (“MNDA”) or any other agreements between Company and FedEx, any exclusion in the MNDA or such agreements to the definition of Confidential Information shall not apply to FedEx Data.

2. Definitions

The following terms have the indicated definitions and meanings:

“Affiliate” means any current and future entity that, directly or indirectly, controls, is controlled by or is under common control with FedEx, where “control” is defined as the ownership of at least fifty percent (50%) of the equity or beneficial interests of such entity.

“Authorized Provider” means any agent, consultant, auditor, contractor, distributor, subcontractor, outsourcer or other third party, acting on behalf of Company (whether direct or indirect and at any tier) who has agreed, in writing, to comply with these SCR.

“Breach” means any (a) unauthorized processing of FedEx Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Company regarding processing FedEx Data or otherwise put in place to comply with these SCR. For the avoidance of doubt, “unauthorized processing” includes, but is not limited to, misuse, loss, destruction, alteration, compromise, or unauthorized disclosure/access to or collection of [including retention, storage, or transfer] personal data transmitted, stored, or otherwise processed.

“Card” means a credit card, debit card, charge card, or stored value card bearing the service marks of any Card Organization.

“Cardholder” means the person to whom the Card has been issued.

“Cardholder Data” means all information provided by or about a Cardholder in the course of a transaction or obtained through the use of a Card or otherwise relating to a Card transaction [including, without limitation, name, address, PIN, CVV number, credit card account numbers, expiration dates, magnetic stripe data and any other similar information identifying the Cardholder or the related account].

“Card Organization” means a Card organization [including but not limited to Visa, MasterCard, JCB, American Express, Discover] that promulgates operating rules and operates an interchange system for exchanging charges between FedEx and the Payment Card Processor. In the case of debit cards, “Card Organizations” includes Debit Networks.

“Company” means any supplier or other third party that, while doing business with FedEx, processes FedEx Data.

“Debit Networks” means the telecommunications and processing system of shared electronic funds transfer networks.

“FedEx Personal Data Information” means any information that relates to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [including, but not limited to: (i) individual user passwords [including but not limited to challenge/response answers, personal identification numbers (“PIN”) and any other access codes that correlate to a person]; (ii) Social Security number; (iii) driver’s license number; (iv) state identification number; (v) date of birth; (vi) government or federal identification number; (vii) financial information [including but not limited to financial account number, credit card number or debit card number in combination with any required security code, access code, or PIN that would permit access to an individual’s account]; (viii) health coverage ID number; (ix) biometric data [including but not limited to thumb print, retina scan, palm scan]; (x) employee data [including but not limited to performance reviews, medical information, health information, family information, salary, performance pay, stock options]; and, (xi) electronic handwritten signature].

“FedEx Sensitive Data” means (i) Cardholder Data; (ii) corporate financial data that has not been released to the public; (iii) customer data [including but not limited to shipping account number, meter number, business name/email/phone, ship/bill address, rewards balance, FCL uid/username]; (iv) customer invoice data [including but not limited to invoice number, amount, billing info]; (v) data regarding critical systems/configuration [including but not limited to route planning, data subscriptions [including but not limited to security intel]]; (vi) FedEx Personal Information as defined above, which includes but is not limited to name, identification number, contact information, location data, online identifier; (vii) fedex.com embedded dependency/provider data [including but not limited to mapping, analytics, experience/user behavior tracking, internationalization/translated content]; (viii) marketing materials [including but not limited to campaign configuration, customer notification/offer emails]; (ix) passwords other than individual user passwords [including but not limited to application passwords, database passwords, and shared account passwords]; (x) session identifiers that represent or potentially represent an authenticated identity [including but not limited to single sign-on cookies] used by systems that contain any data element considered FedEx Data; (xi) shipment data [including but not limited to tracking number/status, origin/destination address, shipper/recipient name/contact, shipment history, POD, duties and taxes]; (xii) support artifacts [including but not limited to: screen shots, conversation/chat history, instructions/how-to, training videos]; (xiii) system information [including but not limited to URLs, IPs, owners]; (xiv) vulnerability data [including but not limited to scan results, pen test findings, remediation information], and any information or data developed, derived, converted, translated, or otherwise created from any of the foregoing categories [including but not limited to subsequent variables or data files] and any other data or information in any form which is identified by FedEx as FedEx Data. For the avoidance of doubt, FedEx Data includes any of the foregoing even when categorized under a different name [including but not limited to a person’s social security number that is also that person’s “pilot certification number”].

“Payment Card Processor” means an entity engaged by FedEx Data irrespective of the purposes and means applied including, without limitation, access, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, disclosure by transmission, retention, storage, dissemination or otherwise making available, disclosure, use, erasure, destruction, alignment or combination, restriction and any other operation regarding FedEx Data.

“Services” means, including without limitation, Professional Services, Maintenance and Support and any other services provided to, or to the benefit of, FedEx and as defined in the Service Agreement.

“SCR” means these Security Compliance Requirements.

For the avoidance of doubt, derivations of the foregoing [including but not limited to processed, breached] are included in the defined term.

3. Generally Applicable Requirements

In all events, with respect to FedEx Data, Company shall implement technical and organizational measures to ensure an appropriate level of security, and as a minimum the measures set out in these SCR:

(A) comply with the most recent version of ISO 27002, Information Technology – Security Techniques – Code of Practice for Information Security Management (“ISO Security Standard”).

(B) logically and/or physically segregate FedEx Data from the data of any third party.

(C) encrypt (utilizing strong encryption) FedEx Data if it is stored on laptops or portable media devices [including but not limited to USB drives, CD-ROMs, DVDs, backup tapes].

(D) unless a longer retention period is required by law, destroy all FedEx Data and copies thereof in a manner to ensure that no restoration of such data is possible upon the earlier of (i) termination of the agreement in relation to which the FedEx Data was used; or, (ii) the purpose for which the FedEx Data is being used has been completed (and, prior to disposal of any equipment on which FedEx Data has been stored or processed, Company shall comply with “NIST Guidelines for Media Sanitization (Draft SP 800-88)”).

(E) contact the FedEx Information Security organization promptly (but in no event more than twenty-four (24) hours) after a Breach is discovered by sending an e-mail to both dataprivacy@fedex.com and euprivacy@fedex.com /c3@fedex.com. When reporting a Breach, Company will provide the following information, in as much detail as possible:

  • When the Breach occurred
  • When and how the Breach was discovered
  • What exactly happened
  • Who is involved in the Breach
  • What kind of information, including any FedEx Data, is involved in the incident

(F) Process FedEx Data only in accordance with applicable laws, the terms of the applicable agreement between FedEx and Company (including, without limitation, these SCR), and on the basis of any authorized additional instructions from FedEx and its authorized agents and subcontractors. Company shall not process FedEx Data for its own purposes and confirms that it does not sell any FedEx Data, and will not retain, use, or disclose FedEx Data for any purpose other than for the specified purpose of performing services under any applicable agreement Company has with FedEx. Company shall immediately inform FedEx if, in Company’s opinion, any requirement in these SCR infringes applicable law. Company shall assist FedEx in ensuring compliance with its legal obligations (including but not limited to privacy law obligations such as performing data protection impact assessments and prior consultations with privacy authorities).

(G) not transfer, provide, or otherwise disclose FedEx Data to any third party, other than an Authorized Provider, unless required to by applicable law.

(H) not permit any third party, other than an Authorized Provider, to process FedEx Data.

(I) take prompt corrective action(s) to remedy a Breach and to prevent any future Breach.

(J) take prompt corrective action(s) to remedy violation of (and to prevent any future violation of) any SCRs.

(K) take prompt corrective action(s) to remediate any vulnerabilities or security concerns identified by FedEx.

(L) implement corrective action(s) in a timeframe commensurate with the risk or as agreed upon with FedEx.

(M) cooperate fully with FedEx in facilitating investigation and remediation of a Breach.  For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for FedEx and/or its designee(s) to complete the investigation of the Breach.

(N) not inform any third party of any Breach except as may be strictly required by applicable law, without first obtaining prior written consent from FedEx.

(O) promptly notify its primary FedEx business contact of any complaint or request received related to processing of FedEx Data and assist FedEx with responding to such requests.

(P) ensure that all its employees, agents and/or Authorized Providers engaged in processing FedEx Data have signed a confidentiality agreement and/or are under any other binding obligation of confidentiality.

(Q) In addition to, and without limiting, other applicable requirements, in the event Company processes FedEx Personal Information, Company shall engage in transfers of FedEx Personal Information originating from the European Economic Area (“EEA”) to a country outside of the EEA without an adequate level of protection only with prior written approval from FedEx. In addition, if appropriate and necessary, in the reasonable opinion of FedEx, Company shall enter into a separate data processing agreement that is satisfactory to both parties.

4. Connectivity Requirements 

In addition to, and without limiting, other applicable requirements, in the event Company is permitted remote access [including but not limited to VPN, direct connection] to any internal FedEx systems [including, without limitation, hardware, software, data, servers, personal computer or control devices, software or other system], services, or networks (collectively, “FedEx Systems”), Company shall:

(A) connect to FedEx Systems only in the manner and through the means authorized by FedEx.

(B) not connect to, access or use (or attempt to do any of the foregoing) any FedEx Systems without the prior authorization of FedEx.

(C) not enable bridging. Bridging of any FedEx network [including but not limited to FedEx intranet] and any other network is prohibited.

(D) use strong encryption access methods for network-based command and control or monitoring activities.

(E) not use shared personal accounts.

(F) not attempt to gain unauthorized access to any systems, infrastructure, or other user’s account.

(G) not store the PIN or password in the VPN client configuration when using two-factor authentication to the FedEx network.

(H) not physically store hardware-based authenticators for remote access with the device used to connect to the FedEx network.

(I) report to the sponsoring manager or designee when a hardware or software-based authenticator is lost, stolen, or otherwise compromised.

(J) restrict duration of access to only such period as when access is required.

(K) not use any FedEx System in any way that (i) is illegal; (ii) is abusive; (iii) is harmful to or interferes with other network systems at FedEx, or the network or systems of any other entity, or the use thereof; (iv) infringes, misappropriates or otherwise violates the intellectual property, privacy or other proprietary rights of any party, including FedEx; (v) creates a security risk or vulnerability; or, (vi) attempts to do any of the foregoing.

5. Requirements related to testing and/or development services

In addition to, and without limiting, other applicable requirements, in the event Company provides any development or testing services, prior to providing such services to FedEx:

(A) Company’s [including its subcontractors at any tier] developers shall have completed successfully secure code training based on the Open Web Application Security Project ("OWASP"). Certification of completion of such training shall be provided to FedEx upon its request.

(B) Company’s subcontractors, at any tier, shall have successfully completed training in Security Testing practices to ensure that testing performed by Company meets PCI DSS. Certification of completion of such training shall be provided to FedEx upon its request.

6. Cardholder Data Requirements

In addition to, and without limiting, the other applicable requirements, in the event Company has any access to or use of Cardholder Data, Company shall comply with the following:

(A) Cardholder Data Protection

Company shall implement, maintain, and use such proper security control and measures as is necessary to ensure the secure processing of Cardholder Data and to protect Cardholder Data from unauthorized processing or other compromise. In all events, Company shall comply with the Card Organizations’ Payment Card Industry (“PCI”) Data Security Standard (“DSS”) v.3.2.1, or such later version or replacement standard required by PCI to maintain its certification (PCI and DSS). In addition to PCI DSS, Company shall comply with such other programs, policies, procedures, obligations, duties, rules, regulations and requirements of the Card Organizations (now or in the future) regarding Cardholder Data [including but not limited to the Visa Cardholder Information Security Program, the MasterCard Site Data Protection Program, the American Express Data Security Operation Policy] (collectively, “Card Organizations Rules”). Company acknowledges receipt and review of the Card Organization Rules and will review Card Organization’s Rules at such Card Organization’s website and at the Payment Card Industry website. 

(B) Cardholder Data Breach

In the event any Breach affecting, directly or indirectly, Cardholder Data is suspected, alleged, or confirmed (an “Event”), Company will notify FedEx promptly (in all events, within twenty-four (24) hours) of such Event. Within forty-eight (48) hours of the Event, Company shall conduct an internal investigation to determine whether unauthorized processing of Cardholder Data may have occurred and shall report the results of such investigation to FedEx. If such investigation is inconclusive, or upon request by FedEx or a Card Organization, Company, at Company’s sole expense, will engage a forensic investigator vendor, selected or approved by FedEx and/or the Card Organizations, no later than 48 hours following Company’s notice of the Event to FedEx, to investigate the Event.  Such forensic investigator shall conduct promptly an examination of Company’s systems, procedures and records and issue a written report of its findings. For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for the forensic investigator, FedEx, and/or Card Organizations to complete the investigation of the Event.  Company will not alter or destroy any records related to the Event.  Under all circumstances, Company shall maintain complete and accurate documentation regarding processing of Cardholder Data and the circumstances surrounding an Event.  Company will provide FedEx information related to Company’s or any Card Organization’s investigation related to any unauthorized processing of Cardholder Data [including but not limited to forensic reports and systems audits].

(C) Compliance

Company will comply with Card Organizations’ registration requirements [including, but not limited to, site inspections, background investigations, provision of financial statements] and reporting requirements. In addition, each year, and as otherwise requested by FedEx, Company shall provide proof of compliance with PCI DSS by: (i) being published in the Visa Global List of PCI DSS Validated Service Providers; or (ii) providing FedEx a copy of Company’s signed and dated PCI Security Standards Council approved documentation of either (a) its PCI DSS Report on Compliance (“ROC”) or (b) PCI DSS ROC Attestation of Compliance (“AOC”), or (c) Self-Assessment Questionnaire (“SAQ”), or (d) SAQ Attestation of Compliance (“AOC”), or the executive summary of either (a) its ROC or (b) SAQ, whichever is applicable based on Company’s PCI vendor or merchant level, as determined by the Card Organizations. Company shall also provide annually a completed and validated copy of the FedEx PCI Responsibility Matrix.

7. Certification Requirements

Company shall:

(A) comply with both the general certification requirements set forth in this section and any other applicable certification requirement(s) set forth elsewhere in these SCR or Company’s agreement(s) with FedEx.

(B) provide certification of compliance with the applicable SCR by either obtaining such certification from an independent information security service company or through an annual self-assessment and certification, as approved by FedEx.

(C) provide FedEx with a copy of Company’s applicable security standards, policies, procedures, and guidelines upon request of FedEx.

(D) provide written certification to FedEx that FedEx Data has been destroyed in accordance with these SCR.

These certifications shall be sent to FedEx Management with responsibility and ownership for the vendor relationship/engagement or such other address(es) as FedEx may designate from time to time.

8. Audit Right

(A) Company shall, upon reasonable notice (30 days from initial request), allow its data processing facilities, procedures and documentation to be inspected by (i) FedEx, (ii) a supervisory authority of FedEx to the extent permitted by applicable law and/or (iii) Card Organizations and Payment Card Processor (or designee(s) of any of those mentioned under (i) through (iii)), in order to ascertain compliance with applicable law, these SCR, the MNDA and any agreements between FedEx and Company.

(B) Company shall fully cooperate with such audit requests by providing access to relevant knowledgeable personnel, physical premises, documentation, (IT) infrastructure and application software.

(C) In addition, upon notice, FedEx, Card Organization, Payment Card Processor (or designee of any of them) may conduct remote electronic scans, associated security testing scans or other associated security testing for Company’s systems, similar to those conducted under PCI DSS, to confirm compliance with the requirements of these SCR [including, without limitation, Card Organization Rules and PCI DSS]. Company shall promptly cooperate to allow such scans.

(D) In the event Company maintains an internet facing application or web site which processes FedEx Data or through which FedEx Data is otherwise accessible, Company shall conduct annual penetration tests with quarterly vulnerability scans.  Company must provide the results of such testing and scans at the request of FedEx, but in any event, at least annually.

(E) In all events, the results of audits and scans [including but not limited to any written reports] shall be made available to FedEx and, notwithstanding any contrary confidentiality, use or disclosure restrictions in any agreement between Company and FedEx, FedEx may make such results available, as applicable to Card Organizations and Payment Card Processor.

(F) The Controller will bear the costs for the audit unless the audit shows that the Processor does not comply with these SCRs or if the audit was triggered by a data breach. Data Breach audits are not held to the annual timeframe. In such case, the Processor bears the costs of the audit, which includes all the fees of the third-party auditor and the reasonable specified internal costs made by Controller.

9. Non-compliance

Company’s failure to comply with any SCRs [including, without limitation, failure to implement any corrective action(s) within the required timeframe] is a material breach of Company’s agreement(s) with FedEx. Without limiting any other right or remedy that FedEx may have, FedEx reserves the right to terminate, for default/breach, those agreement(s) affected (directly or indirectly) by such non-compliance.

10. Authorized Providers and Sub-Processors

(A) As used in these SCR, the term “Company” includes “Authorized Providers” and “Sub-Processors” when Company utilizes an Authorized Provider or Sub-Processor to process FedEx Data. Company shall cause Authorized Providers or Sub-Processors to comply with these SCR [including, but not limited to, providing the required certifications, reports, information, assistance, and access]. Company is solely responsible and liable for each Authorized Provider’s compliance with, and breach of, these SCR. For the avoidance of doubt, unless and until a third party has agreed, in writing, to comply with these SCR, such third party is not an “Authorized Provider.”

(B) The Processor shall inform the Controller in advance of the engagement and/or replacement of an Authorized Provider or Sub-Processor, in which event Controller has the right, at its discretion, to object to (the engagement of) that Authorized Provider or Sub-Processor within four weeks.

(C) The Processor shall remain fully liable vis-à-vis the Controller for the performance of – or the failure to perform – the obligations set out in this Agreement by Authorized Providers or Sub-Processors.

11. Delegation by FedEx

FedEx may delegate to a third party any right [including but not limited to inspection, audit, enforcement] granted to FedEx under these SCR. Company shall provide access, information, data, and cooperation to such third party as Company is required to provide FedEx under these SCR.

12. Returning or Destruction of Personal Data

Unless retention is required by Applicable Law, the Processor shall, at the discretion of the Controller, destroy or return the FedEx Data to the Controller upon expiration or termination of this Agreement (and no later than 30 days thereafter), in the manner and format indicated by Controller, such that the data is no longer re-creatable. Processor shall simultaneously destroy all existing copies of FedEx Data. In such events, the Processor shall ensure that all engaged Authorized Providers and Sub-Processors cooperate to return and/or destroy FedEx Data. Controller’s audit right as stipulated in Section 5 extends to verifying Processor’s execution of its obligations under this Section.