Vendor Requirements

Vendor Code Of Conduct

Any vendor or supplier (“Vendor”) supporting Consensus Cloud Solutions, Inc. (“CCSI”) is expected to implement and maintain the minimum information security requirements, as set forth below (as applicable to the scope of services provided to CCSI):
  1. IntroductionCorporate integrity, ethical sourcing, and the safety and wellbeing of workers across the globe are significant values of Consensus Cloud Solutions, Inc. (“CCSI”). These principles apply to all aspects of CCSI’s business, and encompass vendors and Vendors (each a “Vendor” and collectively “Vendors”) supporting CCSI.

    These principles are reflected in this Vendor Code of Conduct (”Code of Conduct”), which establishes the minimum standards that must be met by any Vendor that does business with CCSI, regarding:

    1. Vendor’s treatment of workers and workplace safety;
    2. Vendor’s security and data protection standards;
    3. the impact of Vendor’s activities on the environment; and
    4. Vendor’s ethical business practices.
  2. ApplicabilityThis Code of Conduct applies to all Vendors that do business with CCSI. Vendor is responsible for compliance with the standards set out in this Code of Conduct (”Standards”) throughout its operations and throughout its entire supply chain.

    Without limiting Vendor’s obligations hereunder, Vendor shall comply with the Standards in:

    1. all of its facilities; and
    2. all of its operations and services, including with respect to manufacturing, distribution, packaging, sales, marketing, product safety and certification, intellectual property, labor, immigration, health, worker safety, and the environment.
  3. Slavery and Human TraffickingAll labor must be voluntary. Vendor shall not support or engage in slavery or human trafficking in any part of its supply chain. Without limiting Vendor’s obligations hereunder, Vendor shall not, and shall ensure that its partners do not, support or engage in, or require any:
    1. compelled, involuntary, or forced labor;
    2. labor to be performed by children;
    3. bonded labor;
    4. indentured labor;
    5. prison labor.
  4. Compliance and Documentation

    Vendor shall:

    1. Implement and maintain a reliable system to verify the eligibility of all workers, including:
      1. age eligibility; and
      2. legal status of foreign workers (or as consistent with such Vendor’s local regulations).
    2. Implement and maintain a reliable recordkeeping system regarding the eligibility of all workers.
  5. Freedom of Movement
    1. Without limiting Vendor’s obligations hereunder, Vendor shall ensure that workers have the right to freedom of movement without:
      1. delay or hindrance; or
      2. the threat or imposition of any discipline, penalty, retaliation, or fine or other monetary obligation.
    2. Worker freedom of movement rights include each worker’s right to leave the facilities without retaliation:
      1. at the end of each workday;
      2. based on reasonable health and safety-related justifications; and
      3. based on any reasonable circumstances, such as personal or family emergencies.
  6. Compensation and Benefits
    1. Vendor shall solely be responsible for compensating all workers with wages, including overtime premiums, and benefits that at a minimum meet the minimum wage and benefits established by applicable law; and applicable collective agreements.
    2. Vendor shall solely be responsible for making wage payments as required by law and providing legally required benefits on a timely basis
  7. Deductions
    1. Vendor shall not make any deductions from wages, except income tax withholding and those that are legally allowed.
    2. Documentation. Vendor Shall:
      1. use an industry-accepted time-keeping system to track worker work hours; and
      2. develop work-hour policies to ensure compliance with applicable law.
  8. No Discrimination, Abuse, or Harassment

    Vendor shall not discriminate in hiring, compensation, training, advancement or promotion, termination, retirement, or any other employment practice based on race, color, national origin, gender, gender identity, sexual orientation, military status, religion, age, marital or pregnancy status, disability, or any other characteristic other than the worker’s ability to perform the job.

    Vendor shall treat workers with respect and dignity.

    Vendor shall prohibit any physical, verbal, sexual, or psychological abuse or any other inhumane or degrading treatment, corporal punishment or other form of harassment in the workplace. Vendor must not condone or tolerate such behavior by its partners.

  9. Health and Safety

    Vendor shall provide a safe, healthy, and sanitary working environment. Vendor shall implement procedures and safeguards to prevent workplace hazards, and work-related accidents and injuries, including procedures and safeguards to prevent industry-specific workplace hazards, and work-related accidents and injuries.

  10. Information Security and Data Protection

    Vendor must comply with our Minimum Vendor Information Security Requirements, which provides in detail our minimum standards for a comprehensive security program, risk management program, and data protection compliance program, as well as all applicable laws and contractual obligations pertaining to the protection of personal and business information.

    If Vendor is providing services subject to the General Data Protection Regulation (“GDPR”), Vendor must complete all required data protection assessments provided by CCSI, and execute the Standard Contractual Clauses and Data Processing Agreements with each relevant CCSI entity, as applicable.

  11. Environmental Protection and Operation of Vendor’s Facilities
    1. Vendor shall operate in compliance with all applicable environmental laws, including laws and international treaties relating to:
      1. waste disposal;
      2. emissions;
      3. discharges; and
      4. hazardous and toxic material handling.
  12. Anti-Bribery and Anti-Corruption

    Vendors will ensure that management systems and practices are in place to ensure the prevention of money laundering, insider trading, conflicts of interest, and fraud. Vendor must comply with all local statutes and regulations relating to anti- bribery and anti-corruption, including the Foreign Corrupt Practices Act (FCPA), and have processes in place to ensure compliance.

  13. Report Violations

    Vendor shall self-report any violations of the Code of Conduct and work with CCSI to investigate and remediate violations. Vendor can also submit questions and comments regarding the Code of Conduct, to CCSI’s legal department to [email protected]. Vendor shall not retaliate or take disciplinary action against any worker who has, in good faith, reported violations or questionable behavior, or who has sought advice regarding this Code of Conduct. CCSI may terminate its business relationship (including any purchase order(s) and purchase contracts) with Vendor if Vendor or its partners fail to meet the Standards.

  14. Compliance with Laws

    Vendor shall comply with all applicable national and local laws and regulations including but not limited to those laws and regulations pertaining to the exporting and importing of goods or services, fiscal and tax compliance, anti-trust, anti-bribery, anti-corruption, environmental, labor & human rights, health and safety, and privacy and data protection.

Minimum Vendor Information Security Requirements

Any vendor or supplier (“Vendor”) supporting Consensus Cloud Solutions Inc. (“CCSI”) is expected to implement and maintain the minimum information security requirements, as set forth below (as applicable to the scope of services provided to CCSI):

  1. Right to Audit
    1. Vendor shall maintain all necessary documentation to show compliance with the minimum information security requirements set forth herein.
    2. Upon request, Vendors shall permit CCSI or an independent third party to audit Vendor’s compliance with the minimum information security requirements.
    3. To the extent required and applicable to the scope of work, Vendor must provide CCSI with written audit results as follows:
      1. Audit results must be an ISO/ICE 27000 or other appropriate Industry standard certification or report. The Vendor’s information security management program must comply with an internationally recognized standard (e.g., ISO/IEC, NIST)
      2. If any such audit reveals material gaps or weaknesses in Vendor’s security program, CCSI shall be entitled to suspend transmission of CCSI Information to Vendor. Vendor is to cease processing of any of this information until such issues are resolved to the satisfaction of CCSI.
      3. CCSI reserves the right to terminate Vendor services without penalty if identified gaps or weaknesses are not resolved within a reasonable period.
  2. Security Management
    1. Vendor shall maintain a comprehensive written information security program, based on best practice standards for their industry. The program must contain:
      1. Written information privacy and security policies, communicated to appropriate personnel and third party providers and revised on a regular basis.
      2. Security training and awareness activities performed regularly and designed to enable employees and contractors to identify information privacy risks.
  3. Risk Management
    1. Vendor shall implement a risk management program to formally identify, assess, treat and monitor risks regarding the Vendor’s business.
    2. Vendor shall perform periodic risk assessments to evaluate the risk profile regarding the collection, storage, and use of CCSI Information.
    3. Vendors should use best efforts to continually identify and mitigate internal and external risks that could result in the compromise of confidential information, including CCSI Information.
  4. Personnel Security/Human Resources Security
    1. Vendor shall implement controls to enable employees, contractors, and service providers to adhere to policies and standards, according to roles and access in order to reduce the risk of theft, fraud, loss, and misuse of facilities or information.
      1. Vendor must ensure that employees, contractors, and third party users understand their responsibilities and are suitable for the roles in which they are considered, including through any appropriate personnel screening.
      2. Security roles and responsibilities of employees, contractors and third party users must be defined and documented to incorporate CCSI data protection control requirements, including background checks to the extent permitted by applicable law.
      3. All employees, contractors and third party users must be provided with education and training in privacy and security procedures and the correct information processing requirements.
      4. All employees, contractors, and third-party users must be notified of the consequences for not following the minimum information security requirements in connection with the handling of CCSI Information.
      5. If Vendor has knowledge that an agent is using or disclosing CCSI Information in a manner contrary to the scope of services, Vendor will take reasonable steps to prevent or stop the use or disclosure.
  5. Operations Management
    1. Vendor must provide appropriate security and protection from unauthorized access, damages and interference of assets based on classification, information sensitivity, and other factors.
      1. All assets used to manage or store CCSI Information must be protected against unauthorized access, disclosure, modification, destruction or interference.
      2. All software used by Vendor in providing services to CCSI must be properly licensed before entering into an Agreement with CCSI.
      3. Vendors must ensure that media sanitization of assets conforms to an industry accepted Media Sanitization standard (e.g., NIST SP 800-88).
    2. Vendor is responsible for data protection, privacy compliance, and security control validation/certification of its sub-contractors.
    3. Vendor will protect against the risk of malicious code by using anti-malware products on clients and servers; use an appropriate blocking strategy on the network perimeter, filtering input to applications; and creating, implementing and training staff in appropriate computing policies and practices.
  6. Security Breach
    1. Vendor must comply with specified incident response processes for CCSI Information and CCSI systems.
      1. Vendor shall follow documented responsibilities and procedures to respond to information security incidents quickly, effectively, and in an orderly way. “Security Breach” means any act or omission that compromises either the security, confidentiality or integrity of the CCSI Information or the physical, technical, administrative or organizational safeguards put in place that relate to the security, confidentiality, or integrity of the CCSI  Information.
    2. Vendor shall bear all costs associated with resolving a security breach, including those costs associated with conducting an investigation, notifying consumers and others as required by law or the relevant Security Standard (e.g., PCI-DSS, HITRUST).
    3. Vendor shall report any Security Breach through appropriate management channels as quickly as possible. Any Security Breach involving or impacting CCSI or a CCSI affiliate or subsidiary must be reported to CCSI. Notification must be within twenty-four (24) hours from detection of compromise to CCSI Information, CCSI brand, logo or trademarks.
    4. Vendor shall cooperate with CCSI in investigations of any incidents involving CCSI Information or CCSI systems. Vendor shall cooperate with CCSI and CCSI personnel, affiliates and representatives in responding to inquiries, claims, and complaints regarding the processing of CCSI information, including, but not limited to: 
      1. Assisting with any investigation as requested by CCSI.
      2. Providing CCSI with physical access to facilities and operations affected.
      3. Facilitating interviews with Vendor’s representatives and others involved in the matter.
      4. Making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably requested by CCSI.
    5. Vendor shall not inform any third party of any security breach, which affects CCSI, without first obtaining the prior written consent of CCSI, other than to inform a complainant that the matter has been forwarded to CCSI legal counsel. CCSI shall have the sole right and authority to determine: 
      1. Whether notice of the security breach is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in CCSI discretion.
      2. The contents of such notice.
      3. Whether any remediation may be offered to affected persons.
      4. The nature and extent of any such remediation.
  7. Encryption and Data Management Controls
    1. Cryptographic controls must be used to protect the confidentiality, integrity, and availability of CCSI Information in transit and while in Vendor’s possession (at rest). Controls for the management and use of cryptographic keys must be developed, implemented, and reviewed by Vendor on a periodic basis.
    2. Vendor must encrypt:
      1. Desktops, laptops, and all other portable devices storing CCSI Information, or folders/files containing CCSI Information.
      2. All messages and files containing CCSI Information during transit over public networks.
    3. If the processing involves the transmission of CCSI Information over a network, Vendor shall have implemented appropriate supplementary measures to protect CCSI Information against the specific risks presented by the processing. CCSI Information may only be transmitted in an encrypted format.
    4. CCSI Information may not be stored on any portable computer devices or media (including laptop computers, removable hard disks or flash drives, personal digital assistants (PDAs) or computer tapes) unless the CCSI Information is encrypted, or the hard drive that contains the CCSI Information on the portable computer device or media is fully encrypted.
      1. Vendor should also be aware of any regulations, standards, or industry or sector specific guidelines that set forth minimum guidelines for encrypting personal data.
  8. Access Controls
    1. Access to resources, including CCSI Information, must be regulated by using information security access controls and authorization mechanisms commensurate with risk.
    2. Vendor will secure its computer networks using multiple layers of access controls to protect against unauthorized access. In particular, the Vendor will:
      1. Group network servers, applications, data and users into security domains.
      2. Establish appropriate access requirements within and between each security domain.
      3. Implement appropriate technological controls to meet those access requirements consistently, including (for example) firewalls.
    3. Vendor will secure remote access to and from its systems by disabling remote communications at the operating system level if no business need exists and/or tightly controlling access through management approvals, robust controls, logging and monitoring access events and subsequent audits.
    4. Vendor must deploy Multi-factor Authentication or Single Sign-On measures where possible to its systems containing CCSI information or adjacent systems that can potentially be used to access CCSI information. 
    5. Vendor must limit access to the minimum necessary to perform the required function.
    6. Vendor must maintain and enforce a password policy, which addresses password length, composition, complexity, lockout, history and expiration.
    7. Vendor, within 24 hours, must revoke access for any Vendor employee, contractor, or third party user of CCSI Information, and facilities processing CCSI Information, upon their termination of employment contract or agreement, or adjust access upon a change of responsibility.
    8. Vendor will define physical security zones and implement appropriate preventative and detective controls in each zone to protect against the risks of physical penetration by malicious or unauthorized people, damage from environmental contaminants, and electronic penetration through active or passive electronic emissions.
    9. Vendor must appropriately leverage firewall infrastructure to segregate sensitive environments and restrict the use of insecure protocols. Network segments connected to the internet must be protected by a firewall, which is configured to secure all devices behind it.
  9. Vulnerability Management and Patch Management
    1. Vendor must have appropriate vulnerability management controls to identify and mitigate deficiencies and weaknesses within their networks, systems, and software.
    2. Vendor must conduct periodic vulnerability scans to identify vulnerabilities.
    3. Vendor must prioritize remediation of identified vulnerabilities commensurate to their risk and remediation schedule.
    4. Vendor must conduct periodic penetration testing by a qualified external party and remediate identified findings commensurate to their risk and remediation schedule. Upon request, Vendor must provide a report of the latest penetration test and vulnerability remediation progress.
    5. Vendor must have a formal patch management schedule and controls to identify, test, and implement all required industry patches.
      1. Vendor must apply all industry patches, as soon as they are available (in accordance with a patch schedule).
      2. Vendor must implement all security patches, including those released to remediate critical deficiencies (e.g., zero-day exploits), immediately.
    6. Vendor must implement strict code review practices for its software development lifecycle.
    7. All software must be reviewed for security flaws and security flaws remediated prior to release. Security flaws that cannot be remediated prior to release, must be made known to CCSI and include a list of compensating controls mitigating the flaws and a remediation plan to fix identified flaws.
  10. Business Continuity and Disaster Recovery
    1. Vendor must have appropriate Business Continuity and Disaster Recovery plans that do the following:
      1. Prevent or mitigate business interruption and associated impact.
      2. Address ongoing access to the CCSI Information, as well as security needs for backup sites and alternative communication networks.
    2. Vendor must test the Business Continuity and Disaster Recovery capability regularly.
    3. Vendor must counteract interruptions to business activities and protect critical business processes from the effects of major information systems failures or disasters, and ensure their timely resumption.
    4. Vendor must counteract interruptions to business activities and protect critical business processes from the effects of major information systems failures or disasters, and ensure their timely resumption.
  11. Compliance
    1. Vendor information security and data protection controls and processes must comply with applicable law and contractual obligations. If Vendor is unable to do so, it must notify CCSI immediately.
    2. PCI Data Security Standards. If Vendor has access to or will create, receive, store, process, or transmit CCSI cardholder information (e.g. credit, debit, stored value, or prepaid card information), Vendor, at its own expense, warrants:
      1. Vendor is, and will remain, responsible for securing cardholder information in its care, custody, possession, or control.
      2. Vendor will comply with the applicable current Payment Card Industry Data Security Standards (“PCI Standards”).
      3. Vendor will provide CCSI with an annual third party Attestation of Compliance.
        1. If a third party provider will have access to, or will create, receive, store, process, or transmit CCSI cardholder information to perform under the Agreement, Vendor warrants that it will require this of the third party provider and will provide CCSI with the third party provider’s annual Attestation of Compliance issued  by another party unaffiliated with the third party provider.
    3. HIPAA Protected Health Information. If Vendor has access to or will create, receive, store, process, or transmit Protected Health Information, Vendor, at its expense, warrants:
      1. Vendor is, and will remain, responsible for securing Personal Health Information in its care, custody, possession or control.
      2. Vendor will comply with HIPAA, including all applicable privacy and security standards.