Supplier Data Integrity and Compliance Policy

Introduction

Airo Digital Labs (“Airo Digital Labs”) is committed to maintaining the highest standards of information security and data protection. This Supplier Compliance Policy outlines the obligations and expectations for our Suppliers regarding the confidentiality, integrity, and availability of information. Suppliers are expected to adhere to these principles and guidelines to ensure compliance with our security and data protection standards.

a) For India Suppliers: Access our Information Security Management System Policy Statement.

b) For US Suppliers: Access our Information Security Management System Policy Statement.

Definitions

For the purpose of this policy:

a. Supplier: Any individual, company, or entity that provides goods, services, or access to systems or data to Airo Digital Labs.

b. MSA (Master Services Agreement) / MCA (Master Consulting Agreement): A formal written agreement that outlines the terms and conditions under which a Supplier provides goods or services to Airo Digital Labs.

c. NDA (Non-Disclosure Agreement): A legally binding agreement that governs the sharing of confidential information between Airo Digital Labs and a Supplier.

d. Confidential Information:
Any information, data, or material that is not publicly available or generally known, which is considered sensitive, proprietary, or confidential by Airo Digital Labs. This includes, but is not limited to, trade secrets, customer data, business plans, financial information, pricings and costs, proprietary software, and any information marked as "confidential."

e. Data Encryption: The process of converting plain-text data into an unreadable format (cipher text) using encryption algorithms and encryption keys to protect data confidentiality.

f. Incident Response Plan: A documented strategy outlining the actions to be taken when a security incident or data breach occurs, including procedures for identifying, containing, and mitigating the incident.

g. Data Classification Framework: A systematic approach for categorizing data based on its sensitivity or criticality to the organization, often using labels such as "confidential," "internal use only," or "public."

h. Encryption Protocols: Secure communication methods and standards, such as SSL/TLS, IPsec, or PGP, used to protect data during transmission over networks.

i. Vulnerability Assessment: A systematic process of identifying and evaluating weaknesses in systems, applications, or processes that could be exploited by attackers.

j. Penetration Testing: A simulated attack on a computer system or network to identify vulnerabilities and assess security controls.

k. Data Retention Policy: A documented policy that defines how long data should be retained and when it should be securely disposed of or archived based on legal, business, and regulatory requirements.

l. Access Control Systems: Technical and physical mechanisms, such as key cards, biometrics, and authentication protocols, used to regulate access to facilities or systems.

Confidentiality, Integrity, and Availability of Information

a. Access Control: Suppliers shall implement robust access controls, including role-based access, strong authentication, and authorization mechanisms, as specified by Airo Digital Labs.

b. Data Encryption: Suppliers must encrypt sensitive data both at rest and in transit using industry-standard encryption protocols approved by Airo Digital Labs.

c. Regular Audits: Suppliers shall conduct periodic security audits and assessments to identify vulnerabilities and ensure compliance with Airo Digital Labs' security policies.

d. Incident Response Plan: Suppliers must develop and maintain an incident response plan to address security breaches promptly and effectively in accordance with Airo Digital Labs' guidelines.

e. Employee Training: Suppliers shall provide comprehensive security training to their employees to raise awareness and educate them on security best practices as defined by Airo Digital Labs. Airo Digital Labs expects the Supplier to demonstrate this as and when required.

Mitigation of Non-Compliance

a. Monitoring Tools: Suppliers are expected to implement continuous monitoring tools and systems to detect non-compliance issues in real-time and report them to Airo Digital Labs.

b. Escalation Process: Suppliers must define a clear escalation process to report and address non-compliance, involving relevant stakeholders at Airo Digital Labs. The Escalation matrix for the purpose of this clause is defined herein below:

c. Corrective Actions: In the event of non-compliance, Suppliers are required to develop a corrective action plan that includes root cause analysis and preventive measures. These plans must be shared with Airo Digital Labs.

d. Documentation: Suppliers shall maintain documentation of all non-compliance incidents and actions taken for future reference and improvement. These records must be made available to Airo Digital Labs upon request.

Information Transfer and Security

a. Data Classification: Suppliers shall classify data based on its sensitivity to determine appropriate transfer mechanisms and security controls in alignment with Airo Digital Labs' data classification framework.

b. Secure Data Transfer Protocols: Suppliers are obligated to use secure communication protocols (e.g., VPNs, encrypted channels) for transferring sensitive information as per Airo Digital Labs' standards.

c. Data Transfer Logs: Maintain logs of data transfers to ensure transparency and traceability. Provide access to these logs for auditing purposes if requested by Airo Digital Labs.

d. Data Transfer Agreements: Suppliers must establish clear agreements and protocols for transferring data to Airo Digital Labs, including responsibilities, encryption requirements, and other security measures.

Secure Disposal of Information

a. Data Retention Policy: Suppliers shall develop and enforce a data retention policy specifying how long data should be retained and when it should be securely disposed of, aligning with Airo Digital Labs' policies.

b. Secure Shredding: Use secure shredding methods for physical documents and data storage devices in accordance with Airo Digital Labs' guidelines and certification requirements.

c. Data Wiping: Employ secure data wiping techniques for electronic storage devices to prevent data recovery, following Airo Digital Labs' recommended standards.

d. Documentation of Disposal: Maintain records of the disposal process, including dates and methods used, and provide these records to Airo Digital Labs upon request.

Personnel and Physical Security

a. Access Control Systems: Suppliers must implement access control systems (e.g., key cards, biometrics) to restrict physical access to facilities as required by Airo Digital Labs.

b. Visitor Logs: Maintain visitor logs and require visitors to sign in and out when entering and leaving facilities in line with Airo Digital Labs' visitor access policies.

c. Employee Background Checks: Conduct background checks on employees to ensure trustworthiness and security clearance, if applicable, as specified by Airo Digital Labs.

d. Security Awareness Training: Provide security awareness training to employees regarding physical security measures and procedures, following Airo Digital Labs' standards.

Information Access and Handling

a. Access Requests: Suppliers shall establish a formal process for requesting access to information and assets, including approval mechanisms consistent with Airo Digital Labs' access control policies.

b. Access Logs: Maintain access logs to track who accessed what information and when, and provide access to these logs for auditing purposes as needed by Airo Digital Labs.

c. Data Encryption: Suppliers must apply encryption to sensitive data both in storage and during transmission as required by Airo Digital Labs' encryption standards.

d. Data Handling Procedures: Develop and communicate clear procedures for handling sensitive information, including secure storage and disposal, following Airo Digital Labs' guidelines.

e. Data Subjects Requests: If the Supplier receives requests from data subjects (individuals whose data is processed) regarding their rights under data protection laws, such as access, rectification, erasure, or data portability, the Supplier shall promptly inform Airo Digital Labs and assist as necessary to fulfill these requests.

f. Disaster Recovery Site:

  • The Supplier is responsible for establishing and maintaining a disaster recovery site at a geographically separate and secure facility. This site will serve as a critical component to ensure the continuity of services in the event of a catastrophic failure or disaster.

  • Regular backups of all critical data and systems will be conducted to minimize data loss, and routine testing and maintenance of the disaster recovery site will be performed to verify its effectiveness in restoring services.

  • The Supplier is also required to maintain up-to-date documentation of the disaster recovery procedures, which shall be made available to Airo Digital Labs upon request. This clause is essential to guarantee that the Supplier has a robust plan in place for business continuity, safeguarding the interests of Airo Digital Labs.

g. Change Management:

  • The Supplier shall promptly notify Airo Digital Labs of any proposed changes to the services or systems that may impact service levels, security, or compliance.

  • The Supplier shall establish a formal change request process that outlines how changes will be documented, evaluated, approved, and implemented. Prior to implementing any changes, the Supplier shall conduct a thorough impact assessment to evaluate potential risks, including security and compliance considerations.

  • Significant changes shall require prior written approval from Airo Digital Labs, and the Supplier shall provide a detailed plan for implementation. All changes, including their impact assessments, approvals, and implementation plans, shall be documented and made available for review by Airo Digital Labs.

  • The Supplier shall conduct testing and validation of changes before production implementation to ensure minimal disruption and maintain service levels. A rollback plan shall be in place for each change to mitigate any unforeseen issues, and it shall be communicated to Airo Digital Labs. This change management process ensures that any changes to the services or systems are carefully planned, evaluated, and documented to minimize risks, disruptions, and maintain compliance and security standards.

Indemnity and Penalties for Non-Compliance

a. Non-Compliance Penalty: In case of non-compliance, the Supplier shall be liable to pay a penalty determined as specified in the agreement with Airo Digital Labs. In case no quantum is defined in the Agreement then the damages payable for the violation / breach of this policy shall be USD 100,000 or actual damage which ever is higher.

b. Legal Costs: The Supplier shall cover all legal costs, including attorney's fees, arising from their non-compliance, as outlined in the agreement.

c. Financial Damages: The Supplier shall compensate Airo Digital Labs for any financial damages resulting from their non-compliance in accordance with the terms of the agreement.

d. Corrective Action: The Supplier must take immediate corrective actions to address non-compliance issues and prevent recurrence, as directed by Airo Digital Labs.

e. Termination: Airo Digital Labs reserves the right to terminate the agreement in cases of severe or repeated non-compliance, as specified in the agreement.

f. Audit Costs: The Supplier shall cover the costs of additional audits to verify compliance after a non-compliance incident, as detailed in the agreement.

Data Breach Notification

a. Prompt Notification: In the event of a data breach, the Supplier shall promptly but not later than 48 hours from the time of such incidence, notify Airo Digital Labs in accordance with legal requirements and provide assistance in mitigating potential harm, as outlined in the agreement.

Training and Awareness

a. Employee Training: Ensure that employees are adequately trained and aware of data protection and information security practices, fostering a culture of vigilance and responsibility, as detailed in Airo Digital Labs' security awareness program.

Continuous Improvement

a. Regular Review: Commit to regular review and update of security measures to adapt to evolving threats and regulations, aiming for continuous improvement in data protection and information security practices in collaboration with Airo Digital Labs.

Incorporation into Other Agreements and Conflict Resolution

Wherever referred, this document shall be read as part of the applicable MSA, NDA, or any other document governing the relationship between Airo Digital Labs and the Supplier. In case of any conflict between this policy and an agreement document, the terms and conditions of the agreement document shall prevail.

By entering into a business relationship with Airo Digital Labs, Suppliers acknowledge and agree to comply with this Supplier Compliance Policy and all related agreements and standards. Failure to meet these obligations may result in penalties, termination of agreements, and legal actions. Airo Digital Labs is committed to working collaboratively with Suppliers to ensure the highest level of security and data protection for all stakeholders.

Effective Date:

This Supplier Data Integrity and Compliance Policy is effective from May 4th, 2023 and it supersedes all existing policies on the subject matter.