CARTONET™ Security Measures



This appendix represents the minimum technical and security measures that will be taken by Data Importer:

Information Security Policies and Standards. The Data Importer will implement security requirements for staff and all subcontractors, vendors or agents who have access to Personal Data that are designed to:

  • Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);
  • Prevent Personal Data processing systems from being used without authorization (logical access control); 
  • Ensure that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
  • Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
  • Ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in or removed from Personal Data Processing (entry control);
  • Ensure that Personal Data are Processed solely in accordance with the Instructions of the Data Controller (control of instructions);
  • Ensure that Personal Data are protected against accidental destruction or loss (availability control); and
  • Ensure that Personal Data collected for different purposes can be processed separately (separation control).

Data Importer will conduct periodic risk assessments and review and, as appropriate, revise its information security practices at least annually or whenever there is a material change in Data Importer’s business practices that may reasonably affect the security, confidentiality or integrity of Personal Information, provided that Data Importer will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of Personal Information.

Physical Security.  The Data Importer will maintain commercially reasonable security systems at all Data Importer sites at which an information system that uses or houses Personal Data is located.  The Data Importer reasonably restricts access to such Personal Data appropriately.

Organizational Security.

  • When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory.  When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of Personal Data stored on them.
  • Data Importer will implement security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.  
  • All Personal Data security incidents are managed in accordance with appropriate incident response procedures.  

Network Security.  The Data Importer maintains network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection and/or prevention systems, access control lists and routing protocols. 

Access Control.

  • Data Importer will maintain appropriate access controls, including, but not limited to, restricting access to Personal Information to the minimum number of Data Importer personnel who require such access. 
  • Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Information.
  • User administration procedures define user roles and their privileges, and how access is granted, changed and terminated; address appropriate segregation of duties and define the logging/monitoring requirements and mechanisms.
  • All employees of the Data Importer are assigned unique User-IDs.
  • Access rights are implemented adhering to the “least privilege” approach.
  • Data Importer implements commercially reasonable physical and electronic security to create and protect passwords.

Encryption.  Data Importer will encrypt, using industry-standard encryption tools, all sensitive data that Data Importer: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; and (iii) stores on portable devices, where technically feasible.  Data Importer will safeguard the security and confidentiality of all encryption keys associated with encrypted Sensitive Information.   

Virus and Malware Controls. The Data Importer installs and maintains anti-virus and malware protection software on the system to protect Personal Information from anticipated threats or hazards and protect against unauthorized access to or use of Personal Information.


  • Data Importer will require personnel to comply with its Information Security Program prior to providing personnel with access to Personal Information.
  • The Data Importer implements a security awareness program to train personnel about their security obligations.  This program includes training about data classification obligations; physical security controls; security practices and security incident reporting.

Business Continuity.  The Data Importer implements appropriate disaster recovery and business continuity plans.  Data Importer regularly reviews and updates its business continuity plan to ensure it is current and effective. 

Primary Security Manager. Data Importer will notify Data Exporter of its designated primary security manager upon request.  The security manager will be responsible for managing and coordinating the performance of Data Importer’s obligations set forth in its Information Security Program and in this Agreement.