SCHEDULE C / DATA SECURITY

This Data Security Schedule (”Schedule”) forms an inseparable part of the Api Interface Terms and Conditions (“Agreement”) between Finnish Composers’ Copyright Society Teosto (“Teosto”) and the User (“Service Provider”, Teosto and Service Provider referred together as “Parties”) and the Personal Data Processing Appendix of the Service Agreement.

1. General

This Schedule describes those data security principles and policies, procedures of the parties and minimum requirements to ensure data security of the software development services (“Service”) as defined in the Agreement and any projects related to the Service in normal circumstances and in cases of disturbance.

Service Provider shall describe the implementation of requirements expressed in this Schedule in either the data security scheme of the Service or other documents pertaining to managing data security. Service Provider shall keep all documents continuously up to date and accessible to Teosto during the entire time of the Service and store all documents accessible to Teosto for a period of two years after the Service is terminated.

Obligations pursuant to this Schedule shall apply alike to subcontractors used by the Service Provider and own personnel of the Service Provider. Service Provider shall ensure that its subcontractors comply with the terms of this Schedule.

Teosto shall evaluate the requirements and policies described in this Schedule at a time separately agreed together upon verifying Service. Exceptions from obligations pursuant to this Schedule are subject to written approval from Teosto.

2. Service Quality

Service Provider shall comply with security principles, instructions and policies agreed with Teosto when providing the Service and processing confidential information relating to Teosto or the Service. Service Provider shall provide the Service in compliance with good practices on information management and data security.

3. Policy on Data Security

Service Provider shall manage, maintain and develop such data security operations and policies that correspond with data security risks related to the Service at all times during the entire time of Service. Service Provider’s policy on data security shall be approved by management, documented and notified to all personnel and necessary stakeholders. The policy on data security shall describe all aspects of data security as well as risk management, division of responsibility and anticipation including respective minimum requirements.

4. Identifying risks and risk management

Service Provider shall identify the Service’s most critical operations in relation to the business of the Service Provider and Teosto. Service Provider shall classify these operations based on security level and assign them to an owner responsible for process risk management, security and continuity. Service Provider shall compile and document a general risk mapping of the Service (potential and identifiable risks, including risks’ probability and effects).

Service Provider shall continuously identify residual risks and communicate this to Teosto as early as possible.

Service Provider shall continuously identify new risks including their level of criticality, implement risk management and communicate information of risks and their management to Teosto as early as possible.

Service Provider shall maintain continuous risk management policies, covering also risks concerning data, during the entire time of the Service. Service Provider’s description of risk management policies shall include, at least, operations concerning risk management, responsible persons and a scheme for risk management.

5. Encrypting Teosto’s data and managing continuity

Service Provider shall store Teosto’s personal data in a form unidentifiable to third parties (using e.g. data pseudonymisation or encryption). Encryption keys and other information necessary or related to restoring data identifiability shall be protected by implementing appropriate data security measures in accordance with the principles stated in this Schedule.

Service Provider shall describe its continuity management procedures ensuring the functioning of premises, equipment and personnel associated with providing the Service in cases of disturbance or exceptional circumstances so that normal providing of the Service remains undisturbed or can be restored to normal in a period as short as possible.

Service Provider shall have a written:

6. Personnel Safety

Service Provider shall ensure that personnel of the Service Provider comply with the Service Provider’s policy on data security described in clause 3.

The roles and responsibilities of persons and their substitutes taking part in providing the Service shall be described in advance. Prior to starting the Service, the Service Provider shall provide Teosto with a list of those persons having access to Teosto’s personal data and inform Teosto immediately about changes in this list of persons. Conditions governing changes in key persons shall be agreed upon in the Service Agreement.

Service Provider shall ensure that Teosto’s data can be accessed by only those named persons informed to Teosto who necessarily need access to Teosto’s data in order to provide the Service. Service Provider shall ensure that these persons have knowledge about the obligations pursuant to this Schedule and process Teosto’s data in accordance with data security instructions. Service Provider shall provide instructions and data security education to persons taking part in providing the Service and monitor compliance with this Schedule. Should a person no longer process Teosto’s data, the Service Provider shall ensure that such person no longer has access to Teosto’s data. Service Provider shall ensure that such persons are subject to appropriate confidentiality obligations.

Access control related to taking the Service into use and providing the Service (rights, granting basis, changes, removal) shall be described at least for the part of the Service Provider, Teosto and user organisations. Administration of several credentials used by one same person and procedures regarding credentials shared by several persons shall be documented. All Service Provider’s internal requests to access Teosto’s data shall be delivered to Teosto in writing. Written approval from Teosto shall be acquired before granting access rights to Teosto’s data.

7. Physical safety

Service Provider shall ensure safety of its owned or administered premises and equipment related to providing the Service and wherein or from which Teosto’s data or information systems are processed.

Service Provider shall describe access control, procedures to acquire and manage access rights, solutions regarding constructional safety and locking, guarding policies and responsibilities, and rescue operations’ arrangements fulfilling at least statutory requirements for the part of mentioned premises.

Use of physical storage media shall be given particular consideration. Storage media refers to both physical (e.g. hard drives of servers, work stations and disk systems) and portable or movable equipment (e.g. mobile phone, laptop computer, tablet, memory card or stick, CD, DVD).

When disposing equipment used in providing the Service, all data shall be deleted professionally and safely. The deletion process shall be documented to Teosto. Teosto shall be provided with reports on data deletion.

8. Use and administration management

8.1 Capacity management

Service Provider shall describe capacity management functions related to the Service. Service Provider shall monitor capacity and necessary replacing procedures (e.g. solution scalability during time of highest use) shall be agreed upon. Teosto is entitled to receive load reports or similar reports. Service Provider shall update capacity calculations related to providing the Service always after making changes to the Service.

8.2 Change management

Change management shall extend to all activity related to the Service so that changes to information systems, system environments, premises etc. are implemented under control and it is possible to revert to original situation upon need. Data security obligations described in this Schedule shall be considered when implementing changes. Service Provider shall describe change management procedures comprehensively. Changes in descriptions or procedures shall be notified immediately. Service Provider shall provide information regarding contemplated time periods for maintenance breaks and the work to be performed to Teosto prior to performing them, and these shall be approved together. Service Provider shall test changes in accordance with an agreed and documented testing procedure. Service Provider shall maintain a log or change management system.

8.3 Exception management

Service Provider shall document procedures to manage and address security exceptions, disturbance and misuses. Exception situations shall be reported to Teosto without delay. Both parties shall immediately report their detected mistakes, threats and risks (arising either from their own conduct or the conduct of others) potentially affecting safety or the functioning or continuity of the Service. With respect to each information technical solution, the Service Provider shall define disturbances potentially affecting solution functionality and organizational functions, including their management and necessary documentation. This documentation shall encompass problem identification, solution descriptions, recovery and necessary reserve measures.

9. Data network and traffic safety

Transfer and moving of data shall be identifiable. This requires that transfer routes used in data transfers are known and their structures (architectures) are described. Service Provider shall describe the structures of data network used.

10. Equipment safety

Service Provider shall provide a list of equipment in use and describe procedures pertaining to equipment safety concerning:

Necessary equipment shall be procured from known manufacturers and its structural suitability to its purpose and technical architecture shall be ensured. Concerning equipment used to provide the Service, Service Provider shall describe the contemplated life cycle encompassing at least recovery and safe removal of equipment from use.

Service Provider shall monitor each device and its functioning in accordance with a procedure described in advance. Device log files shall be used in monitoring among other sources. Teosto is entitled to receive and use mentioned log files in a form enabling Teosto or a person specified by Teosto to interpret log data received.

11. Software safety and property management

Service Provider shall provide a list of software in use, their licenses and a description of back-up copying and use monitoring. Service Provider shall describe the addressing of detected threats, exception management and implementation of version and revision management. Service Provider shall maintain an updated risk map regarding version management.

11.1 System architecture

System architecture includes development software, utility software and necessary integration solutions. Selected solutions shall be such that are in generally in use and standard compliant. Intellectual property rights and definitions to each software shall be known to all parties. Service Provider shall inform Teosto immediately about all changes affecting security.As regards version management the Service Provider shall ensure that production and development versions are on same stage. Service Provider shall evaluate the significance of version change upon entire system architecture prior to taking the solution into use. Service Provider shall observe potential need for interface updates. Upon agreeing on version change, the Service Provider shall describe solution-related risks and their management. Service Provider shall create a life cycle for each solution and document its management.

11.2 Version management

As regards version management the Service Provider shall ensure that production and development versions are on same stage. Service Provider shall evaluate the significance of version change upon entire system architecture prior to taking the solution into use. Service Provider shall observe potential need for interface updates. Upon agreeing on version change, the Service Provider shall describe solution-related risks and their management. Service Provider shall create a life cycle for each solution and document its management.