Information Security Policy

Tradeshift undertakes to implement appropriate technical and organizational measures in accordance with state-of- the-art technology to protect Customer data and shall endeavor to comply with these provisions. Due to the sensitivity of the data belonging to the Customer able to pass through the Tradeshift Information Systems, Tradeshift will attach special care to ensure the security of such Data. As such, Tradeshift will undertake to set out, maintain and enforce an Information System security policy based on the ISO 27001 standard.

1. Confidentiality and integrity. Tradeshift undertakes to ensure the security of Data processed and of its platform. In this context Tradeshift will adopt in particular all necessary measures to ensure Data confidentiality, availability and integrity by protecting against accidental or unlawful destruction or accidental loss, or alteration, from disclosure or access by unauthorized third parties, and through control of access to Data on a need to know basis.
   1. Traceability. Solely in Tradeshift’s discretion, Tradeshift agrees to keep over a reasonable period of time of the logs of the actions carried out in its Platform used as part of the Services in order to ensure the possibility of reconstituting a potential breach.
   2. Malicious programs. Tradeshift shall take necessary precautions to prevent the introduction of any malicious program or vulnerabilities on the Tradeshift platform and employee workstations.
   3. Obligation of information and correction on security incidents. Tradeshift shall inform the Customer immediately and by any means in the event that they have knowledge of an incident where customer data confidentiality was breached. Each notification shall be evidenced in writing within a maximum period of 48 hours after the discovery of the incident. Furthermore, Tradeshift undertakes to correct any security incident as soon as possible and notify the Customer of the correctives measures to be taken and the effective implementation of those measures.
   4. Security audit. Tradeshift undertakes to maintain throughout the term of the Agreement, at its own costs, annual audit reports for the i) SOC 1 ii) SOC 2 iii) ISAE 3402 iv) ISO 27001 standards. In addition, Tradeshift shall perform an application penetration test to be conducted by a competent third party at least once a year, at its own costs. Tradeshift also will adopt vulnerability management and bug bounty programs to find and address the existence of security problems on the platform.
   5. Customer security policies. Tradeshift agrees to use all reasonable efforts to ensure that its staff complies with the customer’s rules and procedures applicable to external companies when present on Customer’s premises, including those relating to health and security.
   6. Updates, security patches. Tradeshift agrees to apply in a timely fashion the patches recommended by the hardware and software solution providers (system or application software, embedded software) on all materials under its responsibility. In case of emergency when no fix is available, Tradeshift shall follow the recommendations of the publisher as part of a temporary workaround. If the workaround requires disabling an essential functionality to the system, Tradeshift undertakes to propose measures to prevent the exploitation of the vulnerability.
   7. Intrusion detection. Tradeshift agrees to ensure that intrusion detection systems shall at all times be running on internal hosts to detect potentially malicious activity including but not limited to privilege escalation, failed login attempts, unauthorized services running on the platform and unplanned changes to critical system components.
   8. Incident response. Tradeshift will endeavor to ensure availability of qualified personnel to respond to potential security incidents. Such personnel shall be trained in incident response and proper escalation paths in the event that a breach is discovered.

Posted on or before September 15, 2017