1. Overview
KIVO BPO is committed to protecting the confidentiality, integrity, and availability of sensitive information in our custody, including data that may be accessed by third-party vendors. This 3rd party vendor assessment and data access policy outlines the procedures and controls that are in place to assess and manage third-party risks and data access.

2. Vendor Assessment

KIVO BPO conducts a comprehensive vendor assessment process to ensure that any third-party vendors who have access to sensitive data meet our security and privacy standards. This assessment includes a review of the vendor’s security controls, policies, and procedures, as well as an evaluation of their reputation and track record. The vendor assessment process includes the following:

• Evaluation of the vendor’s security controls, policies, and procedures to ensure that they are aligned with our data access control policy.
• Review of the vendor’s track record, reputation, and certifications to ensure that they have a history of operating securely and are compliant with relevant data protection regulations.
• Validation of the vendor’s controls through onsite assessments or third-party audits where appropriate.

3. Contractual Obligations
KIVO BPO requires all third-party vendors who have access to sensitive data to sign a contract that includes specific obligations related to data access, data protection, and data handling. These obligations may include confidentiality agreements, data protection addendums, and adherence to our data access control policy. The contractual obligations include the following:

• Specific details of the services being provided by the vendor and the type of data access required.
• Obligations related to data protection and data handling, including confidentiality and data retention requirements.
• Liability and indemnification clauses that allocate responsibility for data breaches or other security incidents.
• Compliance with applicable data protection laws and regulations.

4. Roles of Third-Party Vendors
The roles of third-party vendors who have access to sensitive data may vary depending on the nature of the services being provided. Examples of roles that may require access to sensitive data include:

• IT service providers who provide support and maintenance for our systems and infrastructure
• Marketing and advertising partners who handle customer data for targeted campaigns
• Payment processors who handle payment card data for our clients
• Fulfillment partners who handle shipping and logistics information for our clients

5. Circumstances for Data Access
Third-party vendors are granted access to sensitive data only when necessary to perform their job functions. Access is granted based on a need-to-know basis and is reviewed periodically to ensure that access is appropriate and necessary. KIVO BPO also monitors third-party vendor access to sensitive data and requires vendors to promptly report any security incidents or data breaches.

6. Review and Maintenance
KIVO BPO regularly reviews and updates this 3rd party vendor assessment and data access policy to ensure that it remains effective and aligned with our information security objectives and controls.

If you have any questions or concerns about this 3rd Party Vendor Assessment and Data Access Policy or our handling of sensitive information, please contact us at [email protected].