Supplier Data Protection & Privacy Requirements (Thailand)
Appendix A
1. General
1.1. Supplier acknowledges that CBRE is subject to laws and regulations in jurisdictions which impose strict obligations relating to the protection of Personal Data (including Thailand’s Personal Data Protection Act B.E. 2562 (2019)) (“PDPA”). Supplier shall comply (and shall ensure that Supplier’s staff, employees, and/or approved Sub-Processor shall comply) with the requirements set out in this Appendix relating to Processing of Personal Data on behalf of CBRE.
1.2. The parties agree that under the Principal Agreement and this Appendix, with respect to Processing of CBRE Personal Data, CBRE is acting as the Data Controller and Supplier is the Data Processor. Supplier warrants that it will Process CBRE Personal Data in compliance with all applicable Data Privacy Law, including the PDPA.
1.3. CBRE shall retain all rights in, title to and interest in and to CBRE Personal Data and Supplier agrees not to Process CBRE Personal Data other than in relation to the performance of its obligations under the Principal Agreement.
2. Definition
2.1. For purposes of this Appendix, the following terms are defined as follows:
a. CBRE Personal Data means any Personal Data processed by the Data Processor on behalf of CBRE pursuant to or in connection with the Principal Agreement;
b. Data Controller means a person or juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data;
c. Data Privacy Law means the data protection laws, including the Personal Data Protection Act B.E. 2562 (2019), to which CBRE and the Supplier are subject, and any other data protection laws as may be specified in the Principal Agreement or any work or purchase orders issued under the same;
d. Data Processor means a person or juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not the Data Controller;
e. Data Subject means the owner of the Personal Data;
f. Personal Data means any information relating to a living person which enables the identification of such person, whether directly or indirectly, but not including information of deceased persons in particular;
g. Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
h. Principal Agreement means the main agreement between CBRE and Supplier for the provision of Services;
i. Processing or Process means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
j. Services means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for CBRE pursuant to the Principal Agreement.
3. Processing of CBRE Personal Data
Supplier, as Data Processor, shall have the following duties:
3.1. Carry out the activities related to the collection, use, and/or disclosure of CBRE Personal Data only for performing its obligations under the Principal Agreement and pursuant to the instruction given by CBRE as Data Controller, except where such instruction is contrary to law or any provisions regarding Personal Data protection under the PDPA. If the Supplier fails to comply with this section 3.1 on the collection, use, or disclosure of CBRE Personal Data, it shall be fully liable and responsible directly to the Data Subject and the relevant authority as the Data Controller for such collection, use, and/or disclosure of such Personal Data.
3.2. Prepare and maintain records of CBRE Personal Data processing activities as required by CBRE and the Data Privacy Law.
3.3. Supplier shall ensure that persons authorized by it to process CBRE Personal Data:
a. are informed of the confidential nature of CBRE Personal Data and are aware of and bound by the confidentiality obligations under the Principal Agreement and the Data Privacy Law;
b. have committed themselves to only access, use, disclose, or otherwise process CBRE Personal Data in accordance with this Appendix and for the sole purposes as defined and agreed by CBRE;
c. have access to CBRE Personal Data only for the purpose of providing the Services under the Principal Agreement (and only to that extent);
d. have received from Supplier appropriate training with respect to the correct handling of CBRE Personal Data so as to minimize the risk of accidental Personal Data Breaches, and to process CBRE Personal Data in compliance with the requirements of applicable Data Privacy Law and this Appendix.
3.4. Supplier shall take all measures required pursuant to the Data Privacy Law, and in particular,
a. Supplier shall, at all times, have in place and implement appropriate technical and organizational security measures to protect CBRE Personal Data from Personal Data Breach with due consideration of the nature, scope, context and purposes of Processing as set out in Appendix B (Information Security Requirements). Supplier shall procure that any Sub-Processor also operates in compliance with the requirements in Appendix B;
b. upon becoming aware of a Personal Data Breach, inform CBRE without undue delay and within a maximum of twenty-four (24) hours, provide all such timely information, allow CBRE to participate in the Supplier’s assessment or investigation of such Personal Data Breach, and provide such cooperation as CBRE may require in order to fulfil any Personal Data Breach reporting obligations under (and in accordance with the timescales required by) the Data Privacy Law and to minimize or stop such Personal Data Breach.
3.5. In the event of Personal Data Breach, as a minimum, Supplier shall provide the following information to CBRE within twenty-four (24) hours of the determination or notification (as applicable) of the Personal Data Breach:
a. a description of the nature of the Personal Data Breach, including the categories and number of Data Subjects and the Personal Data concerned by the Personal Data Breach;
b. a description of the measures CBRE could take to mitigate the possible adverse effects of the Personal Data Breach and to prevent another potential Personal Data Breach;
c. the consequences of the Personal Data Breach;
d. the measures proposed or taken by Supplier following the Personal Data Breach, including measures to prevent any recurrence;
e. Supplier shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Personal Data Breach and shall keep CBRE up-to-date about all developments in connection with the Personal Data Breach;
f. In any case, CBRE shall first approve any public communication and/or official notification to any competent authority or to Data Subjects regarding such potential or actual Personal Data Breach.
3.6. A Personal Data Breach attributable to breach of this Appendix, negligence or willful default of the Supplier, its staff, employees, and/or approved Sub-Processor shall be treated as a material breach of the Principal Agreement and would result in termination of the Principal Agreement without any liability or compensation imposed on CBRE as a result of such termination. The Supplier will remain fully liable and responsible for obligations which are performed by its staff, employees, and/or approved Sub-Processor as if they were acts or omissions of the Supplier.
3.7. Supplier shall have in place, at no additional cost for CBRE, appropriate technical and organizational measures, for the fulfilment of CBRE’s obligations to respond to requests for exercising the Data Subject's rights, in particular:
a. to request Data Subject’s consent in relation to the Processing of their Personal Data by CBRE and/or the Supplier; and
b. to respond to any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of CBRE Personal Data by the Supplier on behalf of CBRE.
In the event that any such request, correspondence, enquiry or complaint is made directly to the Supplier, the Supplier shall promptly inform CBRE and, within a maximum of twenty-four (24) hours, provide full details of the same, and shall in any case refrain from answering the Data Subject directly without CBRE’s prior consent.
3.8. Supplier shall provide CBRE with all such reasonable and timely assistance as may be required in order to conduct a data protection impact assessment.
3.9. Supplier must conduct regular backups of CBRE Personal Data on Supplier’s information systems and maintain a disaster recovery and business continuity plan in compliance with Appendix B defining how CBRE Personal Data will be recovered from backup records, and how the business will continue operating during the recovery period.
3.10. Supplier must notify CBRE of, and agree in writing, any significant changes to any system used to Process CBRE Personal Data.
4. Retention
4.1. Supplier shall not retain CBRE Personal Data (or any documents or records containing any CBRE Personal Data, electronic or otherwise) for any period of time longer than is necessary to perform Services under the Principal Agreement.
4.2. Subject to section 4.3, Supplier shall, at the choice of CBRE, delete or return all CBRE Personal Data to CBRE in a format and on media decided by CBRE after the end of the provision of Services relating to Processing, and delete existing copies no later than fifteen (15) days following CBRE’s request, including CBRE Personal Data that is sub-processed by another data processor (the “Sub-Processor”), and further certify to CBRE that it has done so, unless any applicable law requires storage of Personal Data, in which event Supplier shall isolate and protect CBRE Personal Data from any further Processing except to the extent required by such law.
4.3. Should the law prevent Supplier from deleting all or part of CBRE Personal Data, Supplier shall inform CBRE of such requirements and implement, at its own cost, the relevant anonymization or pseudonymization measures.
5. Audit
5.1. Supplier shall make available to CBRE (or its appointed third-party auditors) all information, systems, premises and staff, as well as those of any approved Sub-Processor, necessary to demonstrate compliance with the obligations laid down in this Appendix, and allow for and contribute to audits, including inspections, conducted by CBRE or another auditor mandated by CBRE, in accordance with the provisions of the Principal Agreement related to audits.
6. Engagement of a Sub-processor
6.1. Supplier shall not engage or appoint a Sub-Processor without CBRE’s prior express approval, and shall impose on the approved Sub-Processor the same data protection obligations as set out in this Appendix by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of this Appendix and Data Privacy Law, will be in accordance with instructions of CBRE only, and will entitle CBRE to carry out appropriate reviews and inspections, if necessary on site at the Sub-Processor's premises, or to have them carried out by third parties.
6.2. Notwithstanding the above, where a Personal Data Breach occurs or the Sub-Processor fails to fulfil its data protection obligations, the Supplier shall fully indemnify and keep CBRE and any person or entity that CBRE is required to defend, indemnify, and hold harmless in connection with Supplier’s performance of the Services, including, but not limited to, the Client (as defined in the Principal Agreement) (collectively, “Indemnified Parties”), fully indemnified against any and all liability incurred by CBRE and the Indemnified Parties as a result of such failure of the Sub-Processor to fulfil its obligations. The contract with the Sub-Processor must clearly define and distinguish the responsibilities of the Supplier and the Sub-Processor; if several Sub-Processors are used, this shall also apply to the responsibilities between these Sub-Processors.
7. Transfer of CBRE Personal Data
7.1. Supplier must not disclose CBRE Personal Data to a third party or Process CBRE Personal Data outside Thailand.
7.2. In the event that Processing of CBRE Personal Data needs to be conducted outside Thailand in order to complete the Services, Supplier shall obtain prior express written consent of CBRE. Supplier shall request such prior consent by notifying CBRE with a reasonable prior notice and with all relevant information relating to the purpose of such transfer and the country where Personal Data would be transferred, and the Supplier shall demonstrate an appropriate level of protection for CBRE Personal Data transferred.
7.3. Supplier shall ensure that the following requirements, as a minimum, shall apply to any transfer of CBRE Personal Data to and from CBRE, or its agent, subcontractor or Sub-Processor:
7.3.1 All electronic transfers of CBRE Personal Data must be secured using encryption.
7.3.2 When transferring CBRE Personal Data on paper, the document must be labelled “Confidential”, placed in double-wrapped envelopes, and sealed in a way that makes any tampering with the seal evident.
7.3.3 When transferring CBRE Personal Data using removable media (e.g. CD, memory stick, external hard drives), all media must be labelled “Confidential”, protected with appropriate encryption, placed in double-wrapped envelopes, and sealed in a way that makes any tampering with the seal evident.
7.3.4 Following transfer and delivery of CBRE Personal Data pursuant to section 7.3.2 or 7.3.3 above, the recipient’s signature must be obtained as confirmation of receipt. If delivery to the specified recipient is not achieved, the envelope must be returned unopened.
7.3.5 Throughout the term of the Principal Agreement and/or as required by Data Privacy Law, Supplier must maintain complete and accurate records of all transfers of CBRE Personal Data in connection with the Principal Agreement and/or this Appendix.
8. CBRE’s obligation with respect to Supplier’s Personal Data
8.1. In case the Supplier provides any information containing Personal Data, including business contact information, regarding Supplier or any Supplier Staff, as part of the performance of Services under the Principal Agreement or maintaining its business relationship with CBRE, the Supplier warrants that all Personal Data provided to CBRE has been lawfully obtained and that the Supplier has authority to disclose such Personal Data to CBRE for the purposes mentioned above. The Supplier shall fully indemnify and keep CBRE and the Indemnified Parties fully indemnified against any and all liability incurred by CBRE and the Indemnified Parties as a result of a breach of this warranty, howsoever arising. In addition to the aforesaid, certain Personal Data may be obtained indirectly through internal security systems or other means. The Supplier agrees that CBRE may Process such Personal Data for purposes related to the Principal Agreement and in compliance with all applicable Data Privacy Law. For such purposes, CBRE may transfer such Personal Data to any country where CBRE operates.
Appendix B
Information Security Requirements (Thailand)
Section I
Defined Terms:
1. As used in the Principal Agreement and this Appendix, “CBRE Data” means: all information or data contained within CBRE systems, applications or solutions, whether hosted by CBRE, Supplier, or a CBRE third party; all generated deliverables, outputs and reports provided by Supplier in association with the Services; and all entries and information provided by CBRE, CBRE’s third parties and/or clients in the performance of the Services. CBRE Data includes both CBRE-owned and CBRE client-owned data. CBRE Data includes, without limitation, Aggregate Data and Critical Data.
2. As used in this Appendix, the following terms are defined as set forth below:
- “Aggregate Data” means information or data that does not constitute Critical Data and does not identify CBRE, a CBRE client or a specific person.
- “Critical Data” means information or data that identifies CBRE, a CBRE client or a specific person, as well as all data or information that is domestically or internationally regulated or critical to CBRE's information systems, for example source code or authentication credentials.
3. Confidentiality: For purposes of this Appendix, CBRE Confidential Information, as defined and governed by the terms of the Principal Agreement, also includes all CBRE Data, data files, web access log data, reports, statistical information, current, future, or proposed products, computer programs, specifications, systems, records, know-how, procedures, processes, data management, ideas and concepts, client names, lists and printouts, marketing or sales plans, software pricing information, servicing pricing information, developments, works in progress, future business plans and any or all other information or materials relating to the business and technology of CBRE or CBRE’s clients.
4. Indemnity: Supplier shall, at its own expense, defend, indemnify and hold CBRE harmless from and against any and all claims, suits, demands, actions, damages, losses, liabilities, proceedings, litigation, costs and expenses, including reasonable attorney’s fees, to the extent arising out of (i) any improper, unauthorized or unlawful access to, use of, or disclosure of CBRE Data by Supplier or Supplier Personnel, or (ii) any material misrepresentation or breach made by Supplier in connection with this Appendix. CBRE reserves the right to participate at its own expense in the defense of any matter subject to indemnification by Supplier hereunder, and Supplier shall reasonably assist CBRE in such participation.
5. Compliance: Supplier represents, warrants, and covenants that, in its provision of the Services, it (a) does and will comply with (i) all applicable domestic and international laws, rules and regulations, including all applicable data protection, privacy and encryption security laws that require encryption either explicitly or by way of reducing liability, and (ii) all laws that apply to cross-border data transfers and those industry standards that are applicable to the Services; and (b) has developed and implemented, and will maintain and monitor, a written and comprehensive information security program in compliance with these requirements and applicable laws and regulations. In the event Personal Data is to be transferred from the individual’s country of residence to another country, Supplier shall notify CBRE in advance, and such cross-border transfer shall require CBRE’s written approval and be subject to execution of Standard Contractual Clauses, Data Processing Agreements, or such other documentation as may be required by CBRE in order to ensure that any such transfer is made in compliance with applicable law. For purposes of this Appendix B (Information Security Requirements), “Personal Data” shall include (i) information that can be used to authenticate an individual, such as passwords or PINs, biometric data, unique identification numbers and answers to security questions; and (ii) any information protected under applicable data protection, privacy or data security laws and regulations. Upon request from time to time, Supplier will certify its compliance with the foregoing. Supplier warrants to CBRE that it will use, process, store, access and transfer CBRE Data strictly in accordance with applicable law and regulation and the terms set forth in the Principal Agreement, or in accordance with instructions from CBRE.
Additionally, if Supplier is not intended to have the capability to access and/or download CBRE Data and Supplier at any time discovers that it has such capability, Supplier shall immediately notify CBRE in writing of such capability and shall not retain any such data.
6. Material Changes Affecting the Delivery of Services: In the event Supplier desires to materially modify the policy, process, method or means by which CBRE Data is used, disclosed, stored, processed or otherwise transmitted or handled in a way which would diminish the security of CBRE Data or increase the risk to CBRE Data, Supplier shall provide CBRE at least sixty (60) days prior written notice. CBRE shall have the right, in its sole discretion, to determine whether the modifications represent unacceptable risks to CBRE or CBRE Data and to prohibit Supplier from implementing any such material modification until such time as the risks can be mitigated or an alternate source for the Services can be found. Examples of such material modifications include, without limitation, (i) disclosing CBRE Data to new Supplier Personnel or (ii) rerouting CBRE Data flows. In connection with the provisioning of Services contemplated under the Principal Agreement, any material changes to the Services, and/or any new service(s), Supplier agrees to provide any requested information in connection with, and/or actively participate in, CBRE’s security governance processes.
Section II
In the event the Services or other activities of Supplier or Supplier Personnel involve accessing and/or hosting CBRE Data either currently or in the future, this Section II also applies, and Supplier hereby agrees as follows:
1. Audit Rights:
- Supplier and Supplier Personnel shall maintain accurate and complete records of their activities and operations relating to the Principal Agreement and the accessing or hosting of CBRE Data. Specifically, CBRE or individuals or entities authorized by CBRE (provided that such individuals or entities so authorized shall not be a competitor of Supplier and shall execute appropriate confidentiality agreements) may audit Supplier’s facilities, systems, procedures, and records associated with such accessing and/or hosting as may be necessary for CBRE to certify the extent to which Supplier’s internal controls and procedures comply with this Appendix and any applicable regulatory requirements. Any such audit shall be in compliance with the following terms: (1) limited to no more than twice annually during the term of the Principal Agreement; (2) when possible, CBRE shall provide at least ten (10) business days prior written notice of any audit conducted under this section; (3) CBRE shall utilize the third party security audits provided by Supplier to confirm compliance with relevant general controls in lieu of auditing the same controls as part of such audit; (4) the audit shall be conducted during normal business hours; and (5) the audit shall be conducted upon mutually agreed terms reasonably necessary to confirm regulatory or contractual compliance, including the use of WebEx presentations where industry appropriate. Each Party shall be responsible for its own costs and expenses associated with any audit conducted under this section. Remediation efforts will be negotiated in good faith between the Parties based on industry standards (such as the Common Vulnerabilities and Exposures (CVE®) framework or the Open Web Application Security Project (OWASP) framework) in relation to the risk to CBRE Data and systems. Remediation expenses shall be borne by the Supplier.
- Additionally, CBRE may require an SSAE 16 SOC 1 or SOC 2 Type II, ISO 27001, or similar third party audit to be performed at Supplier’s sole expense pertaining to the services involving CBRE Data (“Services”) and Supplier’s facilities at which Services are being performed, initially and periodically as required by business conditions and/or changes, in such manner and at such times as is consistent with the audit practices of well-managed operations performing services similar to the Services. Supplier shall promptly make available to CBRE copies of any third party data processing or information security assessment, test results, audit or review (e.g., SOC 2 Type II, SysTrust, WebTrust) or other equivalent evaluations in its possession or control or otherwise reasonably required by CBRE, provided that, in each case, information which discloses specific details of any other Supplier client may be redacted or deleted.
2. Business Continuity and Disaster Recovery:
- During the Term and Transition Period, Supplier shall maintain and comply with, at its own expense, a comprehensive disaster recovery and business continuity plan (the "Business Continuity Plan") through which it shall be able to perform its obligations under the Principal Agreement and this Appendix with minimal disruptions or delays. Supplier represents and warrants that (a) the Business Continuity Plan includes processes and procedures to fully restore the Services (including business processes, personnel utilized in or required for provision of the Services and CBRE Data) regardless of whether the event causing the outage is on a local or national level and, if any software or data is hosted, stored or maintained by Supplier hereunder, requires Supplier to maintain full backups of such software and data at two (2) separate locations, including a secured data storage facility that is geographically distant from the other location, and to advise CBRE of the location of such backups; and (b) the Business Continuity Plan will cover pandemic and other events not involving technology that may impact Services. Supplier shall provide a copy of the Business Continuity Plan and proof of backup capabilities and facilities to CBRE upon request.
- Supplier shall test the Business Continuity Plan at least annually. If CBRE wishes to participate in any test, Supplier will make test objectives and procedures for connecting to the test site available to CBRE prior to the test and will otherwise permit and facilitate CBRE’s participation as reasonably requested. Following each test, Supplier will provide CBRE with access to the test objectives and results, including recovery time objective ("RTO") timeframes. RTO timeframes define the time required to recover critical business functions. If CBRE requests disaster recovery/business resumption testing in addition to that provided as part of Supplier’s standard test plan, Supplier shall comply, provided that any reasonable out-of-pocket costs incurred by Supplier for such testing shall be reimbursed by CBRE.
- The disaster recovery infrastructure includes enterprise-class equipment with 24x7x365 monitoring and built-in resiliency. The disaster recovery system offers a recovery time objective (the time required to restore the Service after a catastrophic event) of 24 hours, and a recovery point objective (the potential data loss that could occur as a result of a catastrophic event) of 2 hours.
3. Security Incident:
- Upon discovery of any actual or suspected (by inference due to circumstance) unauthorized access, alteration, loss, damage, disclosure or use of CBRE Data, (a “Security Incident”), Supplier shall (a) promptly notify CBRE in writing (but in no event longer than 24 hours after Supplier discovers the Security Incident), (b) promptly begin an investigation of the Security Incident, (c) take all appropriate actions to remediate the effects of the Security Incident and mitigate any risk that may arise from the Security Incident, (d) preserve all records and other evidence relating to the Security Incident, (e) provide CBRE with a written report on the outcome of its investigation including the date of the Security Incident, risk to CBRE Data, the corrective action Supplier will take, or has taken, to respond to the Security Incident and such other information as CBRE may reasonably request, and (f) provide CBRE with assurance satisfactory to CBRE that such Security Incident shall not recur. CBRE may disclose the occurrence of a Security Incident in connection with notice to CBRE’s consumers, employees or governmental authorities and law enforcement agencies. CBRE may also disclose the occurrence of a Security Incident to legal counsel, advisors and other third parties that CBRE reasonably determines should be notified. Supplier shall cooperate in good faith regarding the timing and manner of (a) any notification to affected parties concerning a Security Incident, and (b) disclosures to appropriate governmental authorities. For the avoidance of doubt, Supplier shall not make any disclosure with respect to any Security Incident without CBRE’s prior written approval. 
To the extent a Security Incident was due to Supplier’s failure to satisfy the security requirements set forth herein, Supplier agrees to fully indemnify CBRE for any and all losses incurred in connection with a Security Incident including, without limitation, the cost of reconstructing data, data forensics, and security audits or reviews of Supplier’s systems reasonably requested by CBRE and all associated legal costs and fees and any penalties arising from or in relation to Supplier’s failure.
- In the event a Security Incident materially compromises the security, confidentiality or integrity of Critical Data (“Data Security Breach”), Supplier shall reimburse CBRE for the direct or indirect, verifiable costs incurred by CBRE in (a) preparing and mailing notices to such individuals to whom such notification is required by statute or regulation; and (b) the provision of credit monitoring services to such individuals for a period not exceeding twelve (12) months, provided that CBRE provides Supplier reasonable prior written notice of its intent to deliver such notice and services.
4. Supplier Personnel:
- Supplier and Supplier Personnel shall comply with the privacy and information security requirements herein, with all applicable laws and regulations, and with all reasonable instructions from CBRE at all times while Supplier has access to, or custody or control of, CBRE Data (whether such information is on Supplier’s systems or facilities, in transit or being disposed of). Supplier Personnel shall mean (individually and collectively) all Supplier employees and third parties (including, without limitation, Supplier’s agents, representatives, suppliers, and contractors) used by Supplier, directly or indirectly, to provide anything tangible or intangible, including, without limitation, software, documentation, equipment, information, data or services, used in providing the Services under the Principal Agreement.
- With respect to Supplier Personnel who at any time have access rights to CBRE Data, Supplier agrees as follows: (i) to limit such access to only those Supplier Personnel with a need for such access in order to perform Supplier’s obligations under the Principal Agreement and who have agreed to comply with obligations substantially similar to those set forth herein; (ii) prior to allowing any Supplier Personnel to have access to CBRE Data, Supplier will advise (via training or other processes designed to acquaint such person with the security guidelines/programs instituted by Supplier) such Supplier Personnel of the confidential and sensitive nature of such information; and (iii) Supplier shall remain liable for its compliance and the compliance of all Supplier Personnel with the obligations under this Appendix.
- If the Service offering will be hosted by a third party at one of their facilities (“Third Party Host”):
- Supplier (i) shall undertake to ensure that such Third Party Host shall enter into any data processing agreements, Standard Contractual Clauses, or other documentation as may be required by CBRE in order to ensure compliance with applicable law and regulation; (ii) shall ensure each Third Party Host adheres to all the terms hereunder; (iii) shall be liable for each Third Party Host’s compliance hereto to the same extent as Supplier would be for its own compliance; and (iv) agrees that CBRE will not be responsible for any fees or costs related to each Third Party Host meeting CBRE’s requirements hereunder, including any financial and/or security audits, inspections and/or related security assessments during the term of the Principal Agreement.
- CBRE may review Supplier’s due diligence processes performed on any Third Party Host. Supplier shall remain responsible for obligations, services and functions performed by Third Party Hosts to the same extent as if such obligations, services and functions were performed by Supplier and for purposes of the Principal Agreement such work shall be deemed work performed by Supplier.
- In the event Supplier has knowledge of a potential violation by a Third Party Host of its agreement with Supplier or any action that, if performed by Supplier, would be potentially a violation of the Principal Agreement, Supplier shall notify CBRE promptly upon becoming aware of the same and CBRE shall have the right to terminate the Principal Agreement and to require the Third Party Host to return or delete all CBRE Property from all of such Third Party Host’s systems immediately.
5. Security Awareness:
- Supplier shall provide security and privacy awareness training, utilizing Supplier’s training course to all individuals authorized by Supplier to have access to CBRE Data. The training shall be consistent with practices prevailing in the industry and designed, at a minimum, to educate all such individuals on maintaining the security, confidentiality, integrity and availability of CBRE Data and in accordance with the terms of the Principal Agreement, and shall occur before such individuals are allowed access to CBRE Data and no less than annually thereafter. CBRE reserves the right to review Supplier’s training. Supplier’s assigned administrator(s) must retain sole responsibility for granting access to CBRE Data for all Supplier employees and other users, and for providing a process by which employee and other user accounts shall be created and deleted in a secure and timely fashion. This process must include appropriate leadership approval, auditable history of all changes, and an annual review of access authorization and excess access remediation.
6. Security Requirements:
- Supplier shall maintain appropriate information security provisions to be in compliance with industry best practices such as ISO 27001 and compliant with all applicable privacy, data security, breach notification, and data collection, use and processing regulations. At a minimum, Supplier will develop, implement, maintain and adhere to a written, comprehensive information security program (“ISP”), including safeguards for CBRE Data sufficient to establish and maintain administrative, technical and physical safeguards to (1) ensure the availability, integrity, security and confidentiality of CBRE Data, (2) protect against anticipated threats or hazards to the security, confidentiality or integrity of CBRE Data, (3) protect against unauthorized access, alteration, compromise, loss, damage or disclosure of CBRE Data and (4) comply with all applicable current regulatory requirements and guidelines regarding data privacy, security and breach notification. These security measures shall be reviewed at least annually, and additional information security measures may be required as determined by the information and the volume of data received. Supplier shall promptly provide to CBRE, upon request, at a minimum, access to copies of all relevant data privacy and security policies and standards (including escalation procedures for non-compliance) relating to CBRE Data for CBRE review.
- CBRE may, from time to time, notify Supplier of additional, new or updated security requirements and Supplier shall comply with such reasonable security requirements within thirty (30) days of receipt of such notice. If Supplier is unable to meet required additional security requirements for any reason, Supplier shall notify CBRE to discuss other mitigation approaches or otherwise address the matter. Additionally, CBRE reserves the right to require Supplier to promptly change, update, delete, encrypt, truncate and/or mask any CBRE Data, in any reasonable manner, stored by Supplier or any Supplier Personnel.
- CBRE Data, or any portion thereof, shall not be retained in any manner whatsoever, beyond the expiration or termination of the Principal Agreement, except as required by law or unless the Parties otherwise agree. Furthermore, unless otherwise instructed by CBRE, all CBRE Data must be returned or properly disposed of in a manner that is reasonably designed to render the information permanently unreadable and so that it cannot be reconstructed into a usable format. Any such return or disposal shall occur at such time that any CBRE Data is no longer reasonably required to perform the Services, but in any event, no later than upon completion of the disengagement of the relevant Services. Upon written request, Supplier shall certify full compliance with this provision in writing.
- Supplier’s written ISP shall include, at a minimum:
  - designating one or more employees to maintain the ISP;
  - identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing CBRE Data, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks;
  - ongoing employee (including Supplier Personnel) training;
  - executing confidentiality agreements with all Supplier Personnel who access, have access to, or potentially have access to, CBRE Data;
  - ensuring Supplier Personnel compliance with policies and procedures, including, but not limited to, taking action for non-compliance;
  - developing security policies for employees relating to the storage, access and transportation of records containing CBRE Data outside of business premises;
  - preventing terminated Supplier Personnel from accessing records containing CBRE Data;
  - implementing reasonable restrictions upon physical access to records containing CBRE Data, and storage of such records and data in locked facilities, storage areas or containers;
  - monitoring on a regular basis to ensure that the ISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of CBRE Data, and upgrading information safeguards as necessary to limit risks;
  - reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing CBRE Data;
  - in addition to contacting CBRE immediately, documenting responsive actions taken in connection with any incident involving a breach of security, including but not limited to: CBRE notification, collection of evidence procedures, mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of CBRE Data;
  - implementing an acceptable use policy and procedures regarding the use of Supplier’s assets, including computing systems, networks, and messaging, which prohibit the illegal use of software and the use of technology that would create a legal or security liability for either company;
  - developing and implementing information classification, labeling, and handling policies and procedures related to CBRE Data including, but not limited to, the permissible methods for information transmission, storage, and destruction;
  - restricting access to active users based on the user’s job role; and
  - removing CBRE user account access immediately upon termination of employment from Supplier or when no longer performing CBRE services.
- Supplier shall implement user authentication protocols designed to enforce traceability and accountability, including, but not limited to:
- control of user IDs and other identifiers;
- a reasonably secure method of assigning and selecting unique passwords, or use of unique identifier technologies, such as biometrics or token devices;
- assigning unique identifications plus passwords, which are not Supplier supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- requiring two-factor authentication for remote access into systems which house CBRE Data;
- blocking access to a user account after multiple unsuccessful attempts to gain access. Access should remain disabled until the user is verified via support personnel;
- restricting access to records and files containing CBRE Data to those who need such information to perform their job duties;
- no CBRE Data may be transmitted, stored, or placed on portable devices unless Supplier has received explicit written permission from CBRE; in which case, the device must be encrypted without housing the encryption keys and all protection requirements as noted in such permission and/or in this Appendix B shall apply without exception;
- encrypting all CBRE Data that will be transmitted over networks or in storage, stored on laptops or other portable devices or mediums, and all CBRE Data at rest that is required by applicable law either explicitly or by way of reducing liability (i.e. providing encryption as described in State Breach Notification Laws), or by contractual commitments;
- for files containing CBRE Data on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the CBRE Data;
- not engaging in any scanning, probing, sniffing or other such activities against the CBRE networks or systems;
- reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions;
- employ consistent hardening procedures and practices for all systems which access, store or connect to CBRE systems and/or CBRE Data;
- systems housing or accessing CBRE Data will be updated with security patches within 30 days of release;
- Supplier agrees to allow CBRE to monitor CBRE Data, in any reasonable manner, to detect the improper, unlawful or unauthorized access to, use of, or disclosure of CBRE Data, as long as the method of monitoring the CBRE Data will not cause Supplier to be in breach of any law or regulation. Such monitoring by CBRE shall not alleviate Supplier’s responsibilities or liabilities in connection with the Services provided;
- Supplier agrees that no CBRE Data will be used by Supplier in development and/or test systems unless authorized by CBRE and then only if all Critical Data, as determined by CBRE, has been altered before it is copied to test or development systems, or the CBRE Data is in a secured and controlled environment with limited access and appropriate control equal to or greater than the production environment;
- Supplier shall establish, maintain and enforce the security access principles of “segregation of duties” and “least privilege” with respect to the CBRE Data hereunder;
- implementing means for detecting and preventing security system failures. The logging system must include alerting of significant events and an established incident handling process which includes notification to CBRE of material events related to services provided or to the confidentiality, availability or integrity of CBRE Data;
- Supplier agrees to maintain and enforce retention policies of a minimum of 12 months for any and all reports, logs, audit trails and any other documentation that provides evidence of security, systems, and audit processes and procedures related to CBRE Data or according to requirements mutually agreed upon in writing by CBRE and Supplier and in accordance with all applicable laws and regulations. At a minimum these audit trails shall include all accesses, unsuccessful attempts and data modification;
- physical entry controls and monitoring for all areas where CBRE Data is stored, accessed, or processed that are commensurate with the sensitivity of the CBRE Data, including requiring any personnel accessing these areas to employ one or more unique, individually identifiable entry controls (such as card keys) that provide an audit trail of each entry; and
- up-to-date intrusion prevention and detection systems to monitor and log system resources for potential unauthorized access and generate alerts on attempted breaches and attacks.
Section III
In the event the Services or other activities of Supplier or Supplier Personnel include website hosting, providing an application or software, and/or performing code development either currently or in the future, this Section III also applies, and Supplier hereby agrees as follows:
- Code Developers must complete annual SDLC Training, designed to meet industry standards and focusing on the OWASP Top Ten Vulnerabilities;
- Supplier will have in place a formal SDLC Policy which will require segregation of duties and security testing based on the OWASP Top Ten Vulnerabilities and static code analysis. All Source Code changes must adhere to this SDLC Policy.
- Supplier will use commercially reasonable efforts to test the Services (including the Equipment), prior to making such available to CBRE for use, for any vulnerability or computer software, code or script (i) designed to disrupt, erase, disable, harm, or otherwise impede in any manner the operation of any software, firmware, hardware, computer system, network or service; or (ii) that constitutes a virus, time bomb, trap door, executable file virus, Trojan horse, worm, or any other similar harmful, malicious or hidden procedure, routine or mechanism that would damage or corrupt data, storage media, programs, equipment or communications, or otherwise interfere with operations, and upon finding any such software, code or script shall remove it;
- Supplier agrees to perform quarterly ASV Vulnerability Scans and annual Penetration Tests, or such scans and tests as reasonably requested in writing by CBRE thereafter, or to promptly perform and provide to CBRE a summary attestation from an application penetration test or such other testing demonstrating that the Internet facing application has no material security vulnerabilities. The testing shall be limited to those specific systems used by Supplier to deliver services to CBRE. The attestation report must include, at a minimum, a definition of how the vulnerabilities are rated (e.g., Critical / High / Medium / Low) and evidence that the application has no open vulnerabilities at the highest rating and shows the number of vulnerabilities at any lower ratings. All Critical and/or High vulnerabilities, whichever is the second highest rating, must be remediated within thirty (30) days, and all Medium vulnerabilities remediated within forty-five (45) days. All Low vulnerabilities are to be remediated within timeframes as mutually agreed upon. If such vulnerabilities are not remediated within these timeframes and after written notice, CBRE shall have the right to terminate applicable Services, unless the Parties otherwise mutually agree. The cost of implementing any remedies to eliminate any vulnerabilities reflected in the test report will be borne by Supplier.
Section IV
In the event the Services or other activities of Supplier or Supplier Personnel involve hosting CBRE Data either currently or in the future, this Section IV also applies, and Supplier hereby agrees to implement the following security measures:
- picture ID badges;
- two-factor authentication for entry into the physical facility;
- physical access logs shall be maintained for twelve (12) months;
- security guards shall be present 24x7x365;
- walls shall extend from floor to deck so as to prevent access into server area except through designated entry;
- alarm system shall be present to include unauthorized access and fire notification;
- camera system shall be present at all entries, exits and for each row within the server area;
- video shall be retained for ninety (90) days;
- pre-action fire suppression system;
- floor and ceiling water detection system;
- raised flooring is in place;
- temperature and humidity alarms;
- infrastructure security requirements;
- dual power supplies;
- generators and UPS Systems are in place to ensure continuous uptime at N+; and
- multiple network providers are in place to support redundancy and continuous connectivity.