Security Contract Appendix
Appendix: Security Measures Implementation
This Security Measures Implementation Appendix (hereinafter the “Security Appendix” or the “Appendix”) outlines the security requirements and obligations for parties engaging with Mangopay in Services delivery, particularly regarding the protection and handling of Mangopay's Data.
This Appendix is an integral part of the Agreement signed between Mangopay, as defined in the Agreement (hereinafter "Mangopay"), and the Service Provider. The Appendix reflects the parties' agreement with regard to security in relation to the provision of the Services by the Service Provider.
Inquiries: For any questions or clarifications regarding this Security Appendix, please contact security@mangopay.com.
Definitions
Agreement: means the main contract in force between Mangopay and the Third Party that frames the conditions under which the Service Provider provides Services to Mangopay.
Business Days: means any working day other than a Saturday, a Sunday or a public holiday in the country where Mangopay has its registered office.
Service Provider: means any third party that provides Services to Mangopay. These Services may be delivered either on the Service Provider's own systems or within Mangopay’s systems.
Service Provider Personnel: means any person, such as but not limited to any employee, freelancer, contractor, agent, contract worker or representative, who is not a Subcontractor but is involved, directly or indirectly, in the performance of the Services.
Authorised Personnel: means Service Provider Personnel that have been granted access to Mangopay Information Systems.
Security Incident: means an event that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of Mangopay’s Data, or on the services provided to Mangopay.
Services: means any of the services provided by the Service Provider to Mangopay under the Agreement.
Subcontractors: means third parties engaged by the Service Provider to assist in delivering Services to Mangopay. Subcontractors are hired by the Service Provider and are not directly contracted by Mangopay.
Information System: refers to any digital or physical system, platform, or technology utilised to store, manage, or process Mangopay’s Data, including but not limited to operational software, cloud storage, and internal networks.
Mangopay's Data: refers to any information related to Mangopay, its operations, and its customers, including but not limited to:
- Payment Data: Data related to payment methods, such as credit card information and transaction details.
- Personal Data: Information about an identified or identifiable individual.
- Confidential Information: Proprietary business information, trade secrets, and any data designated as confidential by Mangopay.
PCI DSS: Payment Card Industry Data Security Standard (PCI DSS) refers to security standards aimed at ensuring the protection of credit card data. Compliance is mandatory for those handling payment card data, including Service Provider and Subcontractors working with Mangopay’s payment services.
Performance and Stability of Services: The requirement that all Services provided by Service Provider meet agreed standards for reliability, availability, and responsiveness, including ensuring minimal downtime and consistent performance per Service Level Agreements (SLAs).
Personal Data Breach has the meaning provided in Regulation 2016/679 (“GDPR”).
Review and Continuous Improvement
Mangopay reserves the right to modify this Security Appendix from time to time, providing notice to the Service Provider. The Service Provider must regularly review and update its security measures to address new threats, vulnerabilities, changes in regulatory requirements and changes in this Security Appendix.
Obligations applicable to all Service Providers
This Section outlines the fundamental security requirements and obligations that apply to all Service Providers. These obligations ensure a baseline of security practices across all engagements.
3.1 - Compliance with Laws
Service Provider must comply with all applicable laws and regulations, including those governing the protection of Personal Data (including but not limited to the GDPR).
3.2 Subcontractor Management
If a Service Provider engages Subcontractor(s), Service Provider must ensure that any Subcontractors involved in delivering Services to Mangopay adhere to the same security standards and compliance requirements as those detailed in this Security Appendix. The Service Provider is responsible for ensuring that Subcontractors adhere to all relevant security and data protection requirements, including, but not limited to, providing proof of compliance and certifications, such as PCI DSS, as applicable.
3.3 - Compliance with Mangopay's Security Appendix
Service Provider must comply with Mangopay’s Security Appendix. Non-compliance will be considered a material breach of the Agreement. Failure to comply with the Security Appendix may result in termination of the contract, as detailed in Section “Non-Compliance with the Security Appendix” and other legal consequences.
Service Provider must guarantee compliance with this Security Appendix by the Service Provider Personnel. The Service Provider shall take all necessary measures to ensure that the Service Provider Personnel and Subcontractors, as applicable, adhere to the provisions of this Security Appendix.
3.4 - Information Security Management System
Service Provider is required to implement good security practices that are equivalent to the ISO/IEC 27001:2022 standard. While formal certification is not mandatory, the security measures implemented by Service Providers must be comparable to those outlined in the ISO/IEC 27001:2022 standard. Regular risk assessments must be conducted by the Service Provider to identify and mitigate potential threats and vulnerabilities that could impact Mangopay’s Data or Services delivered.
3.5 - Data Encryption and Protection
Mangopay’s Data transmitted over networks must be encrypted using TLS v1.2 or higher to ensure data security during transmission. Data stored on systems must be encrypted using AES-256 or an equivalent encryption standard to protect against unauthorised access.
Service Provider must implement robust key management practices. This includes, in particular but not limited to, the secure generation, storage, distribution, and rotation of cryptographic keys. Access to keys must be restricted to Authorised Personnel only.
Access to Mangopay’s Data must be restricted to Service Provider Personnel only, following the principle of least privilege. Multi-factor authentication should be implemented to enhance access security.
3.6 - Incident Notification
Service Provider must notify Mangopay, without undue delay after becoming aware of it, of any Security Incident involving Mangopay’s Data, including but not limited to Personal Data Breaches.
Notifications must be directed to security@mangopay.com. The incident report must contain all information necessary for Mangopay to comply with its own obligations to maintain a register of incidents and/or to notify regulators and/or individuals impacted by the incident (e.g., a description of the incident, its impact and the mitigation actions taken).
3.7 - Access Management
Service Provider must manage the access lifecycle for the Service Provider Personnel, ensuring access rights are granted, reviewed, and revoked appropriately. Access should be limited to what is necessary for the performance of their duties. Background checks must be conducted on all Service Provider Personnel with access to Mangopay’s systems or data, ensuring they meet the necessary security and trustworthiness criteria.
3.8 - Business Continuity Planning (BCP)
Service Provider must have a Business Continuity Plan (BCP) in place, ensuring service continuity in case of disruptions. This includes disaster recovery plans and regular testing. If the Service Provider involves Subcontractors in BCP activities, the Service Provider must ensure that these Subcontractors adhere to the same security and recovery protocols as the Service Provider itself. The Service Provider must cooperate with Mangopay in case of a test of the Business Continuity Plan (including disaster recovery plans).
3.9 - Proof of Compliance
Mangopay reserves the right to request, at any time, documentation and evidence of the Service Provider's compliance with the security requirements outlined in this Security Appendix. This includes, but is not limited to:
- Security policies and procedures;
- Records of risk assessments and treatment plans;
- Incident response plans and records of security incidents;
- Subcontractor compliance evidence;
- Audit reports or certifications (e.g. PCI DSS, ISO 27001:2022, SOC 2).
Service Provider must provide the requested documentation promptly, demonstrating its adherence to the agreed-upon security standards, and in any case no later than 10 Business Days from Mangopay's request.
Specific Obligations for Service Providers supporting payment services
PCI DSS Certification: Service Provider, and Subcontractors as applicable, supporting payment services must maintain a valid PCI DSS certification relevant to the type of Services provided. This certification ensures adherence to the necessary security standards for protecting payment data.
Specific Obligations for Service Providers operating on their own Information Systems
This Section outlines the specific responsibilities and security measures that Service Provider must adhere to when managing their own information systems while providing Services to Mangopay.
5.1 - Custom Security Controls
Service Provider must implement and maintain, at a minimum, the following mandatory security policies:
- Information Security Policy;
- Data Protection Policy;
- Access Control Policy;
- Incident Response Policy;
- Business Continuity and Disaster Recovery Policy;
- Acceptable Use Policy;
- Third Party Management Policy;
- Software Development Life Cycle (SDLC) Policy;
- Cryptography Policy;
- Vulnerability Management Policy.
The content of those policies must align with industry-standard practices, taking into account the nature of its activities and its exposure to security risks. These policies must include appropriate measures to address and mitigate risks relevant to the Service Provider’s operations, ensuring the protection of Mangopay’s Data, systems, and Services. The Service Provider shall regularly review and update its policies to remain consistent with evolving industry standards, emerging threats and this Security Appendix.
5.2 - Access Management
Service Provider must manage privileged accounts with stringent controls. This includes using secure methods for managing and monitoring privileged user access, such as dedicated tools and logging all privileged activities.
Regular reviews of access rights must be conducted to ensure compliance with the principle of least privilege and to promptly adjust access rights as necessary.
As a minimum, Service Provider must use:
- Multi-Factor Authentication (MFA) and Single Sign-On (SSO): Access to systems and data must be protected by Multi-Factor Authentication (MFA). Single Sign-On (SSO) should be implemented where feasible to streamline secure access management and reduce password fatigue.
- Segregation of Duties (SOD) principles to minimise the risk of fraud and errors. Critical tasks must be divided among different individuals or teams to prevent conflicts of interest and unauthorised actions. Duties must be clearly defined and separated, particularly in sensitive areas such as system administration, financial processing, and security monitoring. This helps ensure that no single individual has excessive control over critical processes.
5.3 - Password Policy
Service Provider must enforce a password policy that includes requirements for password complexity, length, expiration, and secure storage. If applicable, the password policy must also comply with PCI DSS requirements, including password protection mechanisms for systems handling payment data.
5.4 - Threat Detection and Protection
Service Provider must deploy and maintain threat detection solutions to identify and respond to potential security threats in real time. This includes using intrusion detection systems (IDS) and security information and event management (SIEM) tools. Service Provider must also implement protective measures such as firewalls, anti-malware software, and intrusion prevention systems (IPS) to safeguard against various types of attacks.
5.5 - Vulnerability Management
Regular vulnerability scans must be performed by the Service Provider in accordance with Service Provider’s policy. This includes identifying, assessing, and remediating vulnerabilities in systems and applications. In addition, Service Provider must ensure timely application of security patches and updates to mitigate risks associated with known vulnerabilities.
5.6 - Log Management
Service Provider must implement comprehensive logging practices, capturing detailed logs of system access, security events, and changes. Logs must be securely stored and regularly reviewed. Logs must be retained for a period consistent with the Service Provider’s policies and regulatory requirements.
5.7 - Segregation of Environments
The Service Provider must ensure that environments for different types of data and applications (e.g., development, testing, production) are logically or physically segregated to prevent cross-environment data leaks and unauthorised access. Additionally, environments and data associated with different customers must be segregated to maintain confidentiality and integrity.
5.8 - Physical Security
Service Provider must implement physical security measures to protect their facilities and data centres. This includes secure access controls (e.g., biometric scanners, key cards), surveillance systems, and visitor management procedures. Physical safeguards must be in place to protect servers, storage devices, and other hardware from unauthorised access, theft, or damage. This includes securing equipment in locked racks and ensuring that only Authorised Personnel have access to sensitive areas.
5.9 - Security Awareness and Training
Service Provider must conduct security awareness training at least annually for all Service Provider Personnel. This training should cover topics such as recognising phishing attempts, secure handling of sensitive data, and incident reporting protocols.
5.10 - Background Checks
Service Provider must conduct thorough background checks on all prospective Service Provider Personnel who will have access to Mangopay's supporting systems or data. This includes verifying employment history, criminal records, and relevant qualifications, to the extent permitted by applicable laws.
5.11 - Confidentiality Agreements and Policy Acknowledgment
All Service Provider Personnel must sign confidentiality agreements to ensure they understand and agree to protect Mangopay’s Data. This includes prohibiting the unauthorised disclosure of Mangopay’s Data.
Specific Obligations for Service Providers operating on Mangopay’s Information Systems
This Section outlines the specific responsibilities and security measures that Service Provider must comply with when they have direct access to, or are responsible for, operation of Mangopay's Information Systems.
6.1 - Adherence to Organisational Policies
Service Provider must fully comply with Mangopay’s information security policy and all related policies provided by Mangopay to the Service Provider, including those pertaining to data protection, incident management, and acceptable use.
6.2 - Security Awareness and Training
Service Provider must ensure that all Service Provider Personnel who operate on Mangopay’s Information Systems are regularly trained on Mangopay’s specific security policies and protocols. Service Provider Personnel must also undergo training on compliance obligations, such as GDPR and PCI DSS, relevant to their work on Mangopay’s information systems and as instructed by Mangopay.
6.3 - Access Management
Service Provider must adhere to Mangopay’s access control procedures, including the use of role-based access controls (RBAC) and multi-factor authentication (MFA) for accessing systems.
6.4 - Data Handling and Storage
All data processing and storage activities performed by Service Provider on Mangopay’s information systems must comply with Mangopay’s Data protection requirements. This includes using organisation-approved methods for data encryption and secure transmission. Service Provider must follow Mangopay’s Data retention policies, securely deleting data from systems when no longer needed and ensuring proper disposal methods are used.
Non-compliance with the Security Appendix
Service Providers’ compliance with the obligations set forth in this Security Appendix as well as those communicated thereafter to the Service Providers by Mangopay is an essential obligation, and any failure by Service Provider to comply with such security obligations shall be deemed to constitute at least a material breach by the Service Provider that entitles Mangopay to terminate the Agreement with immediate effect.