Annex 2 - Supplier Security Requirements

NOTE: Due to the public nature of Northwestel's Security Requirements, all Northwestel vendors are required to comply with Annex 2 and it cannot be edited.

Section 1 - Definitions and Interpretation

1.1 Definitions

The following capitalized terms will have the respective meanings as set out below.

1.1.1 "Affiliate" means any entity controlling, controlled by or under common control of a party, as the context requires. For this definition, "control" means the: (i) direct or beneficial ownership of fifty percent (50%) or more of the entity's voting securities; or (ii) ability to elect a majority of the entity's directors.

1.1.2 "Agreement" means a written agreement that references this Annex.

1.1.3 "Annex" means this security requirements document, as updated from time to time in accordance herewith.

1.1.4 "Anonymization" means irreversible and permanent modification of Personal Data, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.

1.1.5 "Applicable Law" means all applicable domestic or foreign law, rule, statute, regulation, by-law, order, ordinance, protocol, code, guideline, treaty, policy, notice, direction, or judicial, arbitral, administrative, ministerial or departmental judgment, award, decree, treaty, directive, or other requirement or guideline, as issued by each Governmental Authority having jurisdiction over the parties or the Deliverables, or as otherwise duly enacted, enforceable by law, the common law or equity. For certainty, the term "Applicable Law" includes repeals of, replacements of, successors of and amendments to the foregoing, where applicable, made by a Governmental Authority.

1.1.6 "Artificial Intelligence" or "AI" or "AI System" means a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.

1.1.7 "Northwestel" means the Northwestel Company, including its successors and permitted assigns, that entered into the Agreement.

1.1.8 "Northwestel Company" means either Northwestel Canada or one of its Affiliates, as the context requires; and "Northwestel Companies" means Northwestel and all its Affiliates.

1.1.9 "Northwestel Data" means any information and data that has been made available by Northwestel Companies and their Personnel to Supplier or its Personnel in connection with the Agreement and includes Northwestel Companies' Confidential Information.

1.1.10 "Confidential Information" means any information (including Personal Data and Derived Data), whether in tangible or intangible form, made directly or indirectly available by or on behalf of one party (the "Disclosing Party") to the other party, its Affiliates or Personnel (the "Receiving Party") in connection with this Annex or the Agreement, and which information: (i) is identified or being treated as confidential by the Disclosing Party; (ii) would be understood to be confidential by a person exercising reasonable business judgment; and (iii) includes the existence of this Annex and the Agreement and the fact that discussions between the parties have been or are taking place. Confidential Information does not include information which the Receiving Party can prove: (a) was rightfully known by it prior to disclosure of such information by the Disclosing Party; (b) is or becomes generally available to the public, other than due to the Receiving Party's breach of this Annex or the Agreement; (c) was independently developed by the Receiving Party; or (d) is or becomes available to the Receiving Party on a non-confidential basis from a source other than the Disclosing Party, provided that such source is not in breach of its obligations of non-disclosure towards the Disclosing Party. Notwithstanding the foregoing, items (a), (b), (c) and (d) will not apply to any of the Disclosing Party's Personal Data.

1.1.11 "De-Identification" means modification of Personal Data so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.

1.1.12 "Deliverables" means:

  • 1.1.12.1 "Products" means the tangible products and equipment supplied by or on behalf of Supplier pursuant to the Agreement;
  • 1.1.12.2 "Services" means the services performed by or on behalf of Supplier pursuant to the Agreement, which may include: (i) hosted software or infrastructure services; (ii) consulting or professional services; and (iii) outsourcing services; and
  • 1.1.12.3 "Software" means any software supplied by or on behalf of Supplier pursuant to the Agreement and which software: (i) is licensed to Northwestel Companies for their Use; (ii) Northwestel Companies may resell to their customers for their Use; or (iii) is developed or customized for Northwestel Companies. For the purposes of the Agreement, "Use" means any act which, if committed without authorization of the owner of IP Rights, would constitute an infringement of such IP Rights.

1.1.13 "Derived Data" means any and all data derived from Northwestel Data in connection with: (i) provision of the Services and Hosted Services; and (ii) Northwestel Companies' Use of the Products, Software and Hosted Services.

1.1.14 "Effective Date" means the date on which the Agreement became effective.

1.1.15 "Governmental Authority" includes any domestic or foreign federal, provincial or state, municipal, local or other governmental, regulatory, judicial or administrative authority.

1.1.16 "IP Right" means any right that is or may be granted or recognized regarding patents, copyright, moral rights, trade secrets, trade-marks, domain names, industrial designs, integrated circuit topography, and personality rights, and any other legislative provision or common or civil law principle regarding intellectual property, whether registered or unregistered, and includes rights in any application for any of the foregoing.

1.1.17 "Personal Data" means information relating to an identified or identifiable individual that Northwestel Companies make available to Supplier, directly or indirectly, in connection with this Annex or the Agreement. Personal Data includes any "personal information" as defined in Section 2(1) of the Personal Information Protection and Electronic Documents Act (S.C. 2000, C.5), as may be amended or replaced.

1.1.18 "Personnel" means directors, officers, employees, agents, and subcontractors.

1.1.19 "Software Composition Analysis" or "SCA" means a test to be performed on all software to identify open source software components and review such components for all known security vulnerabilities, including those identified in the MITRE Common Vulnerabilities and Exposures (CVE) database and the NIST software security vulnerabilities bulletins, as updated from time to time.

1.1.20 "Software Bill of Material" or "SBOM" means a comprehensive nested inventory of all Software components (including any integrated third-party open-source software components, tools, libraries, modules, and other assets) and dependencies that comprise the Software.

1.1.21 "Supplier" means the supplier, including its successors and permitted assigns, that entered into the Agreement with Northwestel and is required to comply with this Annex.

1.1.22 "Usage Data" means data related to the performance and usage of the Products, Software and Hosted Services, which data: (i) does not contain any of Northwestel Companies' Personal Data or Confidential Information; and (ii) is aggregated and anonymized such that it cannot be used to identify Northwestel Companies or their respective customers and Personnel.

1.2 Interpretation

The term "including" means "including without limitation", and "include" and "includes" will be interpreted to have corresponding meanings, and references to "and" or "or" will mean "and/or".

1.3 Incorporation; Changes

This Annex is incorporated into and forms part of the Agreement. Northwestel may update this Annex from time to time by posting a revised version on this website. Supplier is solely responsible for periodically checking this website for updates. Any changes to this Annex will be effective thirty (30) days after posting.

1.4 Notifications

All notices required under this Annex must be in writing and sent to the applicable contact designated in the Agreement based on the subject matter.

Section 2 - General Requirements

2.1 Security Contacts

2.1.1 Primary. Upon Northwestel's request, Supplier shall designate and provide contact information for one (1) named individual to be Northwestel's primary security contact (the "Security Contact"). The Security Contact shall respond to Northwestel's requests for assistance, information, investigations, and all other matters concerning Supplier's security obligations as set out in this Annex or in the Agreement.

2.1.2 Alternate. Upon Northwestel's request, Supplier shall designate and provide contact information for at least one (1) alternate contact to fulfill Supplier's obligations, as set out in Section 2.1 (Security Contacts), in the event the Security Contact is not available. Such alternate contact(s) must collectively have similar skills and qualifications held by the Security Contact.

2.2 Costs

Unless expressed otherwise in this Annex, Supplier's compliance with this Annex, including any remediation efforts, shall be at Supplier's sole cost, and Northwestel will not reimburse Supplier for any costs or expenses incurred by Supplier, its Affiliates, or their respective Personnel, in complying with any Northwestel requests under this Annex.

2.3 Security, Privacy and Risk Awareness Training

Supplier shall ensure that its Personnel participate in and successfully complete, at a minimum, an annual security awareness program focusing on common and emerging threats, including in relation to cybersecurity, privacy, and responsible use of AI.

2.4 Industry Organization Membership

Supplier shall enroll and maintain membership with Canadian Cyber Threat Exchange (CCTX) (https://cctx.ca/about-cctx/) or other equivalent industry threat exchange organization.

2.5 Audit Trails

Supplier shall maintain industry best practice audit trails for all security-related functions, tasks and obligations set out in the Agreement (including, for certainty, this Annex), including for any environments, information systems or networks used in connection with the Agreement.

2.6 Network Access Control

Upon Northwestel's request, Supplier shall promptly provide a complete list of site URLs: (i) required to implement or use the Deliverables; and (ii) that a Northwestel Company may otherwise need to access in connection with the Deliverables.

Section 3 - Incident Management

3.1 Reporting

Upon discovery, Supplier shall immediately notify Northwestel in writing of any security issue or incident, including: (i) actual or suspected breaches of its obligations under this Annex; (ii) security issues and known security vulnerabilities affecting Supplier's environments or that otherwise negatively impact the security, integrity or availability of Northwestel Data or Sensitive Assets; and (iii) environmental, business continuity or health and safety incidents. "Sensitive Assets" means Northwestel Companies', or their customers', information systems, networks or premises and Supplier's information systems, networks or premises on which any Northwestel Data may be stored.

3.2 Resolution

Supplier shall investigate and respond to any actual or suspected security issues and incidents that it reports pursuant to this Annex in accordance with: (i) Northwestel's reasonable instructions; and (ii) risk mitigation and incident management requirements set out in this Annex.

3.3 Risk Mitigation

Supplier shall:

  • 3.3.1 establish a formal remediation plan, including the investigation of root causes and the development and implementation of corrective action for all security and due diligence compliance issues that Supplier is aware of;
  • 3.3.2 provide such formal remediation plan, prior to its adoption, to Northwestel for Northwestel's approval, acting reasonably, which Northwestel may review, test and request that additional security and due diligence terms and conditions be added to such plan;
  • 3.3.3 upon approval, implement such formal remediation plan;
  • 3.3.4 provide Northwestel with periodic status updates during remediation and a detailed explanation of the corrective action used to resolve the issue or incident at the conclusion of remediation effort; and
  • 3.3.5 implement and maintain incident management policies to ensure that: (i) security breaches affecting Supplier's information systems and networks, and any information stored on the foregoing, can be identified, contained, and remediated; (ii) root causes can be identified; (iii) corrective actions can be implemented, tracked and reported on; and (iv) Supplier can comply with its obligations set out in this Section 3 (Incident Management).

3.4 Breach

For certainty, failure to resolve a security issue or incident in compliance with Section 3.2 (Resolution) of this Annex will be deemed a material breach of the Agreement.

3.5 Investigations

Upon Northwestel's request and in relation to any security incidents identified under this Section 3 (Incident Management) or as a result of a review conducted or a report issued under Section 6 (Compliance Review), Supplier shall make its information systems and networks available to Northwestel for Northwestel to conduct further investigations on such security incidents. In relation to such investigations, Supplier shall:

  • 3.5.1 Support and Cooperation. provide an independent, reputable third party for the support and cooperation with Northwestel during the investigation of any security-related situation, event or incident that Northwestel reasonably deems necessary;
  • 3.5.2 Interviews. allow Northwestel Personnel to attend and participate in any investigative interview that Northwestel reasonably deems necessary;
  • 3.5.3 Security Review. upon request, provide Northwestel Personnel access to each Supplier environment running Northwestel processes for the purpose of conducting reasonable security and access right reviews, vulnerability assessments and penetration tests, audits of hardware, application software, information systems, networks and other facilities being used in connection with the Agreement; and
  • 3.5.4 Northwestel Obligation. to the extent Northwestel exercises any rights set out in this Section, Northwestel shall ensure that its Personnel adheres to Supplier's reasonable internal security procedures and is bound to confidentiality provisions no less stringent than those set out in the Agreement.

Section 4 - Background Checks

4.1 Background Checks

Supplier shall arrange for an independent background check provider to perform criminal background checks on each Supplier Personnel who may have access to: (i) Northwestel Data; or (ii) Sensitive Assets. Such background checks must be completed by: (a) Northwestel's approved vendors; or (b) subject to Northwestel's prior written approval, a reputable background check provider either accredited by or a member of the Professional Background Screening Association. The foregoing background checks must be completed within one hundred and eighty (180) days prior to the performance or provision of any Deliverables.

4.2 Northwestel's Rights

Upon Northwestel's request, Supplier shall: (i) re-perform background checks in accordance with this Annex; (ii) provide proof of criminal background checks; and (iii) replace any Supplier Personnel with an offense or alleged offense identified in a criminal background check report, whether punishable by indictment or summary conviction, which has not been discharged, expunged or pardoned, if such offense or alleged offense is reasonably connected with the nature of the Deliverables being performed or provided under the Agreement.

4.3 Invalid Background Checks

If Supplier becomes aware of a change in the status of any of the criminal background checks performed on its applicable Personnel under this Annex, Supplier shall promptly: (i) notify Northwestel of such change in the Personnel's criminal background check; and (ii) provide Northwestel with a remediation plan or alternate Personnel to ensure compliance with this Annex.

4.4 Personnel Removal

If Supplier becomes aware of any Supplier Personnel being charged with a crime or involved in any prior actual or alleged criminal activity, Supplier shall: (i) immediately notify Northwestel; and (ii) ensure that such Supplier Personnel immediately ceases to perform or provide any Deliverables for Northwestel Companies.

Section 5 - Information Security Measures

5.1 Access Restriction

Supplier shall ensure that Supplier Personnel do not attempt to access or allow access to any Northwestel Data: (i) within an environment to which they do not have access rights; or (ii) except to exercise or perform Supplier's rights or obligations under the Agreement. Supplier shall immediately: (a) notify Northwestel of a breach of the foregoing; (b) describe in detail all accessed materials and the method of access; and (c) upon request, provide Northwestel with copies of all accessed materials.

5.2 Security Measures

Supplier shall maintain industry recognized security measures to protect against: (i) the destruction, degradation, loss, unauthorized access to, disclosure or alteration of Northwestel Data, Northwestel Companies' or their customers' intellectual property, and assets (tangible and intangible), in Supplier's possession or under its management or control; and (ii) the destruction or alteration of any component of the Sensitive Assets, or the environments and systems on which Northwestel Data is stored. At a minimum, Supplier shall maintain the security measures identified below, and, upon request, shall provide to Northwestel all reasonable documentation supporting the implementation of such measures:

  • 5.2.1 Controls. logical and physical access controls, such as access control lists, firewalls, and intrusion detection and prevention mechanisms;
  • 5.2.2 Logical Access. user access management software installed on Supplier's information systems and networks that: (i) authorizes and authenticates users and their access rights; and (ii) allows administrators to control and track additions of, changes to, and deletions of authorized users and their access rights;
  • 5.2.3 Logging and Monitoring. record all access and changes to systems or software and maintain all such records in a centralized and secure electronic audit log for a minimum of ninety (90) days. Electronic audit logs must be monitored and backed up in a secure location;
  • 5.2.4 Risk Assessment and Improvement. up-to-date and risk-appropriate safeguards, regularly updated for currency, that detect, prevent, and automatically remove threats and vulnerabilities to Supplier's information, information systems and networks, so that such threats and vulnerabilities are addressed;
  • 5.2.5 PCI DSS Certification. security standards and certification requirements for any payment processing applications and supporting network infrastructure as set out in the latest version of Payment Card Industry Data Security Standard document, as may be amended or replaced from time to time by the PCI Security Standards Council;
  • 5.2.6 Certified Telecom Industry Alliance (CTIA). obtain and maintain at least a Level 2 CTIA certification for any IoT Device. "IoT Device" means a Product that: (i) contains an application layer that provides identity and authentication functionality, as well as at least one communications module that supports wired 5G, 4G LTE, or Wi-Fi connectivity; and (ii) connects to at least one network to exchange data with other applications and devices, including vehicles, home appliances, personal mobile devices, and infrastructure elements;
  • 5.2.7 Business Continuity Measures. implementation of business continuity and disaster recovery plans to ensure that: (i) all data is backed up to off-site storage, which is suitably distanced from the main storage site; (ii) information systems and applications can be recovered from the backup copies; and (iii) the backup copies are secure from unauthorized access, modification or use;
  • 5.2.8 Third Party Software. maintain and, upon Northwestel's request, provide to Northwestel a list of all third party code, including open source and commercially available code, and third party software tools used to maintain the security of Supplier's environments, information systems or networks used for processing any Northwestel Data;
  • 5.2.9 Penetration Testing and Vulnerability Management Program(s). industry standard vulnerability management and penetration testing programs for Deliverables interconnected to a Northwestel Company's (or its customers') information systems or network, which, at a minimum: (i) apply to all assets associated with the Deliverables; (ii) identify the level of security testing conducted for all assets (including, by way of example only, network scanning, DAST, SAST or penetration testing); (iii) identify the frequency of testing for all assets; and (iv) identify remediation timelines for all vulnerability severity levels; and
  • 5.2.10 Northwestel's Requirements. any other reasonable security measures required by Northwestel from time to time.

5.3 Evidence and Confirmation

Upon Northwestel's request, Supplier shall provide Northwestel with: (i) documentation describing all of Supplier's code review and vulnerability testing practices; (ii) documentation describing vulnerability mitigation practices for all areas affecting Northwestel Companies; (iii) documentation confirming protection against web-borne attacks, including protection against layer 7 protocol exploitation such as web application firewalls and runtime application self-protection; and (iv) written confirmation of Supplier's compliance with the practices referenced in (i), (ii), and (iii) above.

5.4 Network Segregation

If Supplier provides hosted Services as a Deliverable, Supplier shall: (i) ensure that its internal network(s) are segregated from Internet-facing networks using firewall and VLAN technologies; (ii) implement regular vulnerability and penetration testing prior to providing any Deliverables to Northwestel; and (iii) physically and logically segregate Northwestel Data from the data of Supplier's other customers.

5.5 Northwestel Data Location and Access

In connection with any Northwestel Data to which Supplier has access, Supplier, its Affiliates, and their respective Personnel shall not, without Northwestel's prior written consent:

  • 5.5.1 Location. store or transfer any Northwestel Data outside of Canada, whether physically or electronically;
  • 5.5.2 Access. access Northwestel Data from outside of Canada; or
  • 5.5.3 Changes. change the location of where Northwestel Data is stored or the location from where Northwestel Data is remotely accessed.

5.6 Northwestel Data Access and Storage Locations

Unless otherwise approved by Northwestel in writing, in its absolute discretion, Supplier represents and warrants that any Northwestel Data to which Supplier has access will be stored and accessed only at the Approved Locations. "Approved Locations" means the locations identified to Northwestel during the security assessment process conducted in connection with the Agreement and the applicable Deliverables. Supplier shall send approval requests for changes to the Approved Locations to the email address designated in the Agreement.

5.7 Access Restriction

If Northwestel reasonably determines, in its sole discretion, that any access to Northwestel Data poses an unacceptable security risk to Northwestel, Northwestel may revoke any access privileges granted to any Personnel that has access to Northwestel Data or Sensitive Assets.

5.8 Secure Destruction, Preservation and Return of Information

Where Supplier has access to Northwestel Data:

5.8.1 Data Destruction Requirements. Subject to any express obligations under the Agreement to retain Northwestel Data, including in connection with record retention requirements and litigation hold as may be requested by Northwestel, upon Northwestel's request and when the Agreement has expired or terminated, Supplier shall: (i) delete and render unrecoverable all Northwestel Data; (ii) destroy storage media that contains Northwestel Data in a secure manner and within a secure area, if such storage media cannot be reused or repurposed; (iii) maintain an auditable chain of custody of the destroyed storage media (if applicable) that allows verification of when and the method of destruction; and (iv) provide proof of destruction to Northwestel when: (a) storage media that contains Northwestel Data is returned to Supplier for service; (b) Northwestel Data is removed from Northwestel Companies' sites or networks for the purpose of troubleshooting and is no longer required; and (c) the Agreement expires or is otherwise terminated.

5.8.2 Litigation Hold Notice. If Northwestel requests in writing that Supplier retain or preserve any information (including any Northwestel Data or Supplier Confidential Information) within its possession, and specifies the process by which such information must be delivered to Northwestel, including technical and timing requirements, for the purposes of an investigation, litigation hold or legal hold (each a "Hold Notice"), Supplier shall comply with such Northwestel request, which, for certainty, Northwestel may amend from time to time with written notice to Supplier. To the extent that Supplier does not comply with a Hold Notice, Supplier shall defend, fully indemnify and hold Northwestel Companies harmless from and against all actual and alleged claims, demands, causes of action and liability, of any kind, for damages, losses, costs and expenses, including legal fees and disbursements, arising out of or relating to Supplier's inability to comply with the Hold Notice.

5.8.3 Anonymization and De-Identification of Personal Data. To the extent expressly required under the Agreement or requested by Northwestel in writing, anonymization and de-identification must be performed in accordance with Applicable Law and industry best practices and standards. Without limiting the foregoing, Supplier shall: (i) provide to Northwestel a re-identification risk analysis and a description of the techniques and processes used to perform anonymization or de-identification; and (ii) keep a record of the foregoing for auditing purposes.

5.9 Loss or Damage

Where Northwestel Data is provided to Supplier and such Northwestel Data (in whole or in part) is lost or damaged:

  • 5.9.1 Reasonable Assistance. Supplier shall, at no additional cost to Northwestel, use all commercially reasonable efforts to assist Northwestel in repairing, recovering and replacing such damaged or lost Northwestel Data; and
  • 5.9.2 Loss or Damage Due to Breach. without limiting the generality of the foregoing, if such Northwestel Data is lost or damaged as a result of non-compliance by Supplier, its Affiliates, or their respective Personnel, of the Agreement (including, for certainty, this Annex), Supplier shall assist Northwestel in recovering such lost or damaged Northwestel Data by providing all additional resources reasonably required by Northwestel at no additional cost to Northwestel.

5.10 Software Development and Deployment

If Supplier provides Services involving Software development or deployment, Supplier shall:

  • 5.10.1 Secure Build Environment. ensure that the build environments, including individual developer environments, the production build environment and source code repositories, are hardened, with all access to the build pipeline logged, and are developed and maintained in accordance with the applicable security standards set out in this Annex;
  • 5.10.2 Secure Source Code. ensure that the source code, including third party code, open-source code and open source libraries, to such Software does not contain any known security vulnerabilities;
  • 5.10.3 Secure Software Components. ensure prior to the incorporation of third party components into any Software that Supplier is authorized to use them, they do not contain any known security weakness or vulnerabilities and that the applicable SBOM reflects the presence of and interdependencies of such components;
  • 5.10.4 Secure Development Practices and Procedures. ensure that Software is developed in a manner that complies with industry best practices and standards (including ISO/IEC 5055:21) for secure software development, including secure software development life cycle techniques and methodologies such as code scanning, code review and penetration testing, to proactively identify, mitigate and remediate security vulnerabilities;
  • 5.10.5 Standards Review. provide details and supporting documentation regarding the Software development standards and methodologies it follows (e.g., Open Web Application Security Project (OWASP)), including code testing, SCA, vulnerability scanning and penetration testing, for Northwestel's review prior to the delivery of any Software source code, including any subsequent modifications thereto, to Northwestel. If Northwestel is not reasonably satisfied with the standards and methodologies implemented by Supplier, Supplier shall cooperate with a third party designated by Northwestel to review and test any Software source code, including any subsequent modifications thereto, in accordance with Northwestel's instructions, to determine if Supplier is in compliance with Section 5.10.2 (Secure Source Code) and Section 5.10.4 (Secure Development Practices and Procedures);
  • 5.10.6 Secure the Supply Chain. maintain and, upon Northwestel's request, provide to Northwestel the SBOM, and all tools used during the development life cycle or included in the Software; and
  • 5.10.7 Confirmation. provide written confirmation of compliance with Section 5.10 (Software Development and Deployment), at Northwestel's request.

5.11 Government Agreements

If Supplier provides Deliverables to a Governmental Authority or requires remote or physical access to any information, information systems, networks or premises of a Governmental Authority, then for each Supplier Personnel providing such Deliverables or requiring such access, Supplier shall obtain: (i) all security clearances required by the applicable Governmental Authority, including, where applicable, a Designated Organization Screening approval from the Treasury Board of Canada; and (ii) any other clearance or authorization required by a Governmental Authority or Northwestel.

Section 6 - Compliance Review

6.1 External Control Audits

Supplier shall: (i) at least once per every twelve (12) month period, undergo an industry-recognized external control audit, such as SOC 1/SOC 2, SSAE 18, ISAE 3402 and CSAE 3416 (or their respective successors), as performed by an independent, reputable third party auditor, covering the scope of Supplier's obligations under the Agreement (including, for certainty, this Annex); and (ii) upon Northwestel's request, provide to Northwestel copies of all reports produced from such external control audits and any remediation action plans (and statuses thereof) for any issues identified in such reports.

6.2 Compliance Review and Verification

Upon Northwestel's request, Supplier shall participate in Northwestel's on-going compliance review process, including one or more of the following activities:

  • 6.2.1 Assessment. completion of any then-current Northwestel security assessments;
  • 6.2.2 Support and Cooperation. provide support and cooperation to Northwestel for the completion of on-site assessments of facilities, operations and Personnel performing obligations pursuant to the Agreement, excluding incident investigations;
  • 6.2.3 Data Location. provide a complete list of addresses at which Northwestel Data is (or will be) stored, accessed or otherwise made available to Supplier, its Affiliates, or their respective Personnel;
  • 6.2.4 Supplier Policies Review. provide access to Supplier's applicable internal policies, including to its:
    • 6.2.4.1 Security policy and governance documents for testing, scanning, vulnerability management, incident management, access control, and privacy policy, including Supplier's processes for identifying and resolving Personal Data breaches; and
    • 6.2.4.2 Code of conduct, or similar documents, including standards for business integrity and ethics, and investigative and resolution process for non-compliance thereof by Supplier Personnel.
  • 6.2.5 Certification Review. provide access to industry standard certifications, and any reports produced during their respective certification processes, including for the following industry standards (or their respective successors):
    • 6.2.5.1 ISO 27001 Information technology — Security techniques — Information security management systems — Requirements;
    • 6.2.5.2 ISO 5055 Information technology — Software measurement — Software quality measurement — Automated source code quality measures;
    • 6.2.5.3 ISO 22301 — Business Continuity Management Systems;
    • 6.2.5.4 CSA STAR Certification – Cloud Security;
    • 6.2.5.5 PCI DSS — Payment Card Industry Data Security Standard; and
    • 6.2.5.6 Information Security Forum — Standard of Good Practice.
  • 6.2.6 Security Issues Summary. a summary of all past security issues, as well as investigation and remediation actions taken during the prior twelve (12) month period;
  • 6.2.7 Personnel Access Rights. provide: (i) current lists of all Supplier Personnel requiring access to Northwestel Data or Sensitive Assets; and (ii) security and access permissions granted to such Supplier Personnel.

Section 7 - Artificial Intelligence Measures

7.1 Applicability

This Section 7 (Artificial Intelligence Measures) applies only to the extent that AI is used or provided in association with the Deliverables.

7.2 AI Security and Risk Management Measures

Supplier shall develop and make AI available in a secure manner and in compliance with Applicable Law. Without limiting the generality of the foregoing, Supplier shall:

  • 7.2.1 Risk Identification. regularly assess, identify, document, and upon request, provide to Northwestel a detailed summary of potential risks, limitations, and mitigations associated with each AI System used or provided in association with the Deliverables. Supplier shall immediately notify Northwestel if it becomes aware of any issues that could lead to a state in which human life, physical and mental health, property, or the environment is endangered, or in which Northwestel suffers a loss or is exposed to a higher level of risk.
  • 7.2.2 Human Oversight & Monitoring. enable users of an AI System to gain deeper understanding of the inference chain (explainability) and how the AI System generates the output data (interpretability). Upon request, Supplier shall maintain and provide a record of output data and available inference processes in addition to Section 5.2.3.
  • 7.2.3 No Storing of Northwestel Data. ensure that Northwestel Data processed by an AI System is not stored, unless otherwise approved by Northwestel in writing. To the extent that Northwestel provides such written approval, Supplier shall ensure that Northwestel Data is stored in accordance with Northwestel's data retention requirements communicated to Supplier.
  • 7.2.4 No Training with Northwestel Data. not use any Northwestel Data (including, for greater certainty, any Derived Data) for the purposes of training any AI models. For greater certainty, this restriction does not apply to Usage Data.
  • 7.2.5 Third Party AI. Supplier must obtain Northwestel's prior written approval before: (i) any third party AI is used or provided in association with the Deliverables, and (ii) any Northwestel Data is made available to a third party AI for the purposes of training, system improvement, research, storage or processing of any kind.

7.3 Trustworthy and Responsible AI Measures

Supplier is committed to providing trustworthy and responsible AI services to Northwestel. Without limiting the generality of the foregoing, Supplier shall ensure:

  • 7.3.1 Fairness & Equity. that usage of data to drive unethical decisions or actions based on biases such as race, religion, ethnicity, gender or age is prohibited. Appropriate actions must be taken to mitigate discriminatory outcomes for individuals and groups.
  • 7.3.2 Validity and Reliability. that AI Systems are often assessed by ongoing testing or monitoring that confirms the system is performing as intended.