Customer Security Responsibilities Schedule

Customer obligations on access control, backups, patching

1. APPLICATION

This Schedule sets out the operational security responsibilities of the Customer in respect of its installation of the Software, its VPS or other hosting environment, its Authorised Users, and its Customer Data. It forms part of the Customer Licence Agreement (CLA) between Bhalekar and the Customer and is referenced from clause 5.1 of the CLA. Defined terms have the meanings given in the CLA.

Where the CLA and this Schedule are inconsistent, the CLA prevails.

2. ACCESS CONTROL

The Customer must:

  • enable multi-factor authentication (MFA) for all administrator accounts and, where supported, for all Authorised Users;
  • restrict administrator access to the smallest practical number of named individuals;
  • maintain unique credentials for each Authorised User and prohibit credential sharing;
  • rotate administrator credentials, encryption keys and access tokens at least every twelve (12) months and following any suspected or actual compromise;
  • promptly remove access for any Authorised User who ceases to be employed or engaged by the Customer, or who no longer requires access for the Permitted Purpose;
  • review user permissions at least quarterly and ensure they remain consistent with the principle of least privilege; and
  • maintain secure storage of all credentials, keys and tokens and not store them in plain text in any unprotected file, repository or shared location.

3. VPS AND HOSTING ENVIRONMENT

The Customer must:

  • select a Hosting Provider that is suitable for the type, sensitivity and volume of Customer Data processed through the Software, having regard to the Customer's privacy, security, data residency and regulatory obligations;
  • apply operating system and dependency security patches within a reasonable time after release, and within thirty (30) days for any patch designated as critical by the relevant vendor;
  • configure and maintain firewall rules that restrict inbound network access to required services only;
  • configure secure DNS settings for the domain on which the Software is hosted, including DNSSEC where supported;
  • maintain a current and valid TLS certificate for the Customer's domain, renew it before expiry, and ensure all access to the Software is over encrypted (HTTPS/TLS) connections;
  • maintain endpoint security software on devices used by Authorised Users to access the Software, including anti-malware and current operating system patches;
  • monitor relevant logs for indicators of compromise or unauthorised access; and
  • configure network and system access in accordance with reasonable industry practice for hosting software that processes the type of data the Customer processes.

4. BACKUPS AND DISASTER RECOVERY

The Customer must:

  • maintain regular backups of the Software installation and Customer Data at a frequency appropriate to the Customer's recovery objectives, but not less than daily for active production data;
  • store backups in a location that is separated from the primary VPS, such that a single failure or attack affecting the primary (including ransomware) cannot also destroy, encrypt or alter the backups;
  • test restore procedures at least every six (6) months and document the outcome;
  • retain backups for a period appropriate to the Customer's legal and professional obligations, including AML/CTF record-keeping (which generally requires retention for at least seven (7) years); and
  • maintain a documented business continuity and incident response plan covering the loss of, or unauthorised access to, the Software or Customer Data.

5. THIRD-PARTY INTEGRATIONS AND SERVICES

The Customer must:

  • manage Stripe credentials and other third-party service credentials with the same care as administrator credentials, including rotation and revocation;
  • review the security and compliance posture of any third-party service the Customer integrates with the Software;
  • not configure integrations that route Customer Data to services the Customer does not control or has not assessed; and
  • promptly review and act on any security advisories issued by a third-party provider whose services the Customer uses with the Software.

6. CUSTOMER DATA HANDLING

The Customer must:

  • maintain accurate and current privacy notices and consent records, including where consents are collected via the Software;
  • apply retention and destruction practices consistent with the Privacy Act 1988 (Cth), the AML/CTF Laws, the Customer's professional obligations, and the Customer's own privacy policy;
  • encrypt sensitive Customer Data at rest where the Software, the VPS or third-party services support it; and
  • maintain a documented process for responding to access, correction and complaint requests from individuals under the Australian Privacy Principles.

7. INCIDENT NOTIFICATION

The Customer must:

  • promptly investigate any suspected or actual unauthorised access, use, disclosure, alteration or loss of Customer Data;
  • notify Bhalekar where the Customer reasonably suspects that the incident involved the Software or Bhalekar's support activities, in accordance with clause 12.4 of the CLA; and
  • comply with the Customer's own notifiable data breach obligations under the Privacy Act 1988 (Cth) where applicable.

8. CHANGES TO THIS SCHEDULE

Bhalekar may update this Schedule from time to time in accordance with clause 14.3 of the CLA, including to reflect changes in security best practice, threat landscape or regulatory requirements. Updates will not materially diminish the substance of the Customer's obligations during the then-current Subscription Term in a way that requires significant additional expenditure by the Customer, except where the change is required by law or to address a material security risk.

— END OF CUSTOMER SECURITY RESPONSIBILITIES SCHEDULE —

Onboard Customer Security Responsibilities Schedule v1.0 DRAFT · Bhalekar Pty Ltd · ABN 22 642 063 385

Questions about these terms? sales@bhalekar.com.au