
TRG Contract Requirements for Granting Access to PII and Confidential Data

Per TRG Contract Section 8 (Security), the following steps MUST be completed before any employee or contractor is granted access to a TRG Customer account, database, or any form of PII.



1. Access is NOT allowed without documented approval

Access to any TRG Customer’s data requires:

  1. A written internal request

  2. Approval from EBS Security & Compliance (or designated manager)

  3. Confirmation that all conditions below are met

No informal access, verbal approval, or “temporary access” is permitted.


2. Contractor/Staff Must Meet All Security Controls

Before access is granted, the individual must:

  • Have a valid, active confidentiality agreement on file

  • Have completed security training within the past 12 months

  • Use MFA on all systems being accessed

  • Be U.S.-based (TRG prohibits offshore access entirely)

  • Be approved as a Subcontractor under TRG rules (if applicable)

⚠️ No exceptions.
If the contractor is not pre-approved in the TRG Subcontractor table, they cannot access customer data.


3. TRG Security Measures Must Be Followed

Anyone accessing data must operate under:

  • EBS’s documented Security Program

  • Industry-standard cybersecurity practices

  • The TRG Third-Party Security Exhibit

  • All applicable privacy laws (HIPAA-adjacent PII rules, state laws, etc.)

Any deviation requires TRG’s prior written approval, not just internal approval.


4. System Changes Cannot Reduce Security

No team member or contractor may:

  • Alter server configurations

  • Modify database access policies

  • Disable logging, MFA, or encryption

  • Introduce new tools or plugins

  • Create temporary bypass accounts

These actions are permitted only if EBS Security & Compliance approves and, if the change materially affects security, TRG provides written authorization.


5. All Access Must Be Logged & Documented

When access is approved:

  • Ticket ID must document the reason (“Support need,” “Bug reproduction,” etc.)

  • Access timeframe must be specified (start/end date)

  • Logs must be retained and reviewable

  • Access must be revoked immediately after completion


6. SOC 2 or HITRUST Reporting Requirements

If TRG requests validation:

  • EBS must provide current SOC 2 Type II or HITRUST documentation

  • The documentation must be delivered within 90 days of the report date

  • Contractors must operate only within SOC-covered environments


7. Absolute Prohibitions

The following are strictly forbidden:

  • Access to TRG customer data without pre-approval

  • Storing any TRG data outside AWS

  • Copying data to laptops, desktops, USB, or local storage

  • Offshore access of any kind

  • Use of personal devices

  • Use of unencrypted tools or shared credentials


🟧 Summary (For Quick Scanning)

Before granting access:

  • ✔ Confirm contractor is TRG-approved

  • ✔ Confirm training + NDA completed

  • ✔ Confirm MFA + U.S. location

  • ✔ Document reason for access

  • ✔ Log all activity

  • ✔ Remove access after completion

No access may occur without these steps.