Third Party Policy

Purpose:

The purpose of this policy is to establish guidelines for engaging with third-party vendors and service providers to ensure the security, privacy, and compliance of data and operations related to the Pitaka platform.

Scope:

This policy applies to all employees, contractors, and third-party vendors who have access to the Pitaka platform’s systems, data, or infrastructure.

Policy

1. Third-Party Risk Assessment:

A risk assessment must be conducted before engaging any third-party vendor or service provider. The assessment should evaluate the potential risks associated with the vendor, including data security, compliance with applicable laws, and the potential impact on the Pitaka platform.

2. Due Diligence:

Due diligence must be performed to ensure that third parties have adequate security measures and compliance practices in place. This includes reviewing their security policies, practices, and any relevant certifications (e.g., ISO 27001, SOC 2).

3. Data Protection Agreements:

All third-party vendors must sign a data protection agreement (DPA) that outlines their responsibilities for data protection and compliance with applicable laws, including the Data Privacy Act of 2012. The DPA should specify how data will be handled, processed, stored, and disposed of.

4. Access Control:

Third-party access to the Pitaka platform must be limited to only the information and systems necessary for them to perform their services. Access should be granted based on the principle of least privilege and reviewed regularly.

5. Monitoring and Auditing:

Regular monitoring of third-party vendors’ activities and compliance with the terms of the DPA must be conducted. Audits should be performed at least annually to ensure adherence to security and compliance requirements.

6. Incident Response:

Third-party vendors must have an incident response plan in place to address any data breaches or security incidents. The Pitaka platform must be notified immediately of any incidents that may impact its systems or data.

7. Training and Awareness:

All employees involved in managing third-party relationships must receive training on this policy and best practices for vendor management. Continuous education should be provided to ensure understanding of emerging risks associated with third-party vendors.

8. Legal and Regulatory Compliance:

This policy aligns with applicable laws and regulations, including the Data Privacy Act of 2012 and the Cybercrime Prevention Act of 2012 in the Philippines. Compliance audits should be conducted to ensure adherence to this policy and assess the effectiveness of third-party management practices.

9. Policy Enforcement:

Violations of this policy may result in disciplinary actions, which may include revocation of access, termination of employment, or legal consequences, depending on the severity of the violation. The compliance officer is responsible for overseeing adherence to this policy and addressing any violations.