Skip to content
English
Sign in
Go to expressbadging.com
  • There are no suggestions because the search field is empty.

Vendor and Subcontractor Security Controls Policy

eXpress badging® (“EBS”) utilizes select vendors, subcontractors, hosting providers, manufacturers, technology providers, and operational partners to support the delivery of products and services to customers. This Vendor and Subcontractor Security Controls Policy establishes the administrative, operational, and security requirements applicable to third parties that may access, process, host, transmit, store, print, mail, or otherwise interact with customer information, confidential information, personally identifiable information (“PII”), or regulated data.

The purpose of this policy is to reduce operational, privacy, confidentiality, cybersecurity, and regulatory risks associated with third-party service providers and subcontractors.

1. Vendor Risk Evaluation

Prior to engagement, EBS performs a commercially reasonable evaluation of vendors and subcontractors based on the nature of the services provided and the sensitivity of the information potentially involved.

Vendor evaluations may include review of:

  • Security questionnaires
  • Hosting environments
  • Access control practices
  • Privacy and confidentiality practices
  • Industry certifications
  • Cybersecurity controls
  • Data handling procedures
  • Business reputation and operational maturity
  • Insurance coverage
  • Regulatory or contractual obligations

Where appropriate, EBS may require vendors or subcontractors to complete the EBS Vendor Security Questionnaire.

 

2. Contractual Security Requirements

EBS requires vendors and subcontractors with access to regulated or confidential information to agree to commercially reasonable contractual obligations appropriate to the services being performed.

Such obligations may include:

  • Confidentiality provisions
  • Data protection requirements
  • Security obligations
  • HIPAA flow-down obligations where applicable
  • Incident notification requirements
  • Data retention and destruction requirements
  • Restrictions on unauthorized disclosures
  • Subcontractor flow-down requirements

Where appropriate, EBS may require execution of:

  • Non-Disclosure Agreements (“NDAs”)
  • Business Associate Agreements (“BAAs”)
  • Data Security Addenda
  • Confidentiality Agreements
  • Subcontractor Security Agreements

3. Access Controls and Data Minimization

EBS follows commercially reasonable data minimization practices and limits vendor access to information reasonably necessary to perform authorized services.

Vendors and subcontractors are expected to:

  • Limit workforce access to authorized personnel
  • Maintain reasonable access controls
  • Utilize secure authentication practices
  • Restrict access based on legitimate business need
  • Protect credentials and authentication mechanisms
  • Maintain commercially reasonable safeguards appropriate to the nature of the services provided

4. Hosting and Infrastructure Providers

Where cloud hosting, infrastructure, or technology platforms are utilized, EBS prefers commercially recognized providers that maintain industry-standard security and operational practices.

Examples may include:

  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Cloudflare
  • Managed infrastructure providers
  • Secure print and manufacturing providers

Use of such providers does not eliminate the requirement for EBS operational oversight and security management responsibilities.

5. Incident Reporting and Security Events

Vendors and subcontractors are expected to notify EBS without unreasonable delay of any known or reasonably suspected:

  • Unauthorized access
  • Unauthorized disclosure
  • Security Incident
  • Cybersecurity event
  • Malware or ransomware event
  • Breach involving regulated or confidential information associated with EBS services

EBS may require reasonable cooperation in investigating, mitigating, containing, or responding to such events.

6. Data Retention and Destruction

Vendors and subcontractors shall retain regulated or confidential information only for the period reasonably necessary to perform authorized services unless otherwise required by law or contract.

Upon completion of services, vendors and subcontractors may be required to:

  • Return regulated information
  • Securely destroy regulated information
  • Certify destruction upon request
  • Remove unnecessary duplicate operational data

EBS recognizes that unnecessary duplication and extended retention of regulated information may increase operational and cybersecurity risk exposure.

7. Offshore Restrictions

Unless specifically authorized by EBS in writing, vendors and subcontractors shall not process, store, transmit, or access regulated information outside the United States.

8. Vendor Monitoring and Review

EBS may periodically review vendors and subcontractors based upon:

  • Nature of services performed
  • Operational importance
  • Security risk profile
  • Customer contractual obligations
  • Regulatory requirements
  • History of security or operational incidents

Monitoring activities may include:

  • Updated questionnaires
  • Contract reviews
  • Security discussions
  • Operational reviews
  • Insurance verification
  • Review of publicly available certifications or reports

9. Policy Administration

This policy may be updated periodically to reflect operational, regulatory, contractual, or cybersecurity changes affecting EBS services or vendor relationships.