Security
Last Updated: May 9, 2025
The ibex Security Standards described below apply to all vendors, service providers, and their representatives (“Provider”) engaged by ibex. These standards apply while delivering services (“Services”) under any statement of work or agreement with ibex and are intended to supplement and reinforce all data security, privacy, and compliance obligations set forth in such agreements. In the event of any conflict between these ibex Security Standards and an applicable agreement, these standards will control with respect to data security and protection obligations. Any capitalized terms not expressly defined in this policy have the meaning assigned to them in the applicable services agreement or statement of work between the Provider and ibex.
I. Data Security Safeguards
- Without limiting its obligations under any statement of work or agreement with ibex, Provider will establish, maintain, and follow appropriate safeguards (including electronic, physical, and organizational security procedures, measures, and controls) to protect against a Security Incident (as defined below) relating to Personal Data. Such safeguards (“Provider Safeguards”) will, at a minimum, be consistent with the best practices of similar companies in the United States and the European Union that provide similar Services.
- Provider will maintain comprehensive Provider Safeguards that comply with ISO/IEC 27001:2013 (International Organization for Standardization / International Electrotechnical Commission, Information security management systems) and the associated ISO/IEC 27002:2013 controls, for which Provider will obtain third-party certification on an annual basis from an accredited independent certification body. Upon request, Provider will provide to ibex any information relating to Provider’s Processing (as defined below) of Personal Data, as well as any and all documentation relevant to Provider’s protection of Personal Data, including policies and procedures, operations manuals or instructions, confidentiality agreements, and any subcontracts or Subcontracting Agreements pertaining to the Processing of Personal Data. “Process” or “Processing” means the collection, recording, organization, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, destruction, disposal, or other use of Personal Data.
- SSAE 18 Type II Reports. If Provider Processes Personal Data in connection with the Services, or if otherwise required under the applicable services contract, Provider will provide SSAE 18 Type II audit reports (SOC 1 or SOC 2, as applicable) on an annual basis. The results of each such audit will be provided to ibex in a form acceptable to ibex within ten days of the completion of the audit. Provider will also inform ibex of any material vulnerabilities discovered by any audit and the nature of each vulnerability. If any audit reveals one or more material vulnerabilities, Provider will promptly correct each vulnerability at its sole cost and expense and will certify in writing to ibex that it has corrected all such vulnerabilities.
- Provider will complete ibex’s vendor risk assessment immediately upon execution of any services contract, and annually thereafter. Failure to comply with the requirements constitutes a material breach.
- Where Provider Processes credit card data, Provider will comply with the then-current versions of the Payment Card Industry Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS) or its successor standards under the PCI Software Security Framework, and all standards issued by the PCI Security Standards Council, payment card brands, or networks, and will provide ibex with a PCI DSS Attestation of Compliance on an annual basis.
- Provider will make all commercially reasonable efforts to correct, at ibex’s request and sole discretion and at no charge to ibex, any destruction, loss or alteration of any Personal Data caused by Provider.
II. Data Transfer and Encryption Safeguards
- Provider will ensure that Personal Data cannot be accessed, read, copied, modified, removed, or otherwise Processed without Provider’s authorization during electronic transmission or transport. Provider will maintain electronic records of where and to whom Personal Data is transferred and by whom it has been accessed, through the use of monitoring and appropriate access management tools and systems.
- Provider will encrypt Personal Data in transit using cryptographic modules validated under Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules (or its successor, FIPS 140-3), and consistent with NIST guidance, including, as appropriate, NIST Special Publication 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations; SP 800-77, Guide to IPsec VPNs; or SP 800-113, Guide to SSL VPNs. Provider will encrypt all Personal Data transmitted in connection with the Services using a current version of the TLS protocol (at the time of writing, TLS 1.2 or later, as recommended by SP 800-52) or a stronger cryptographic protocol; deprecated protocol versions (SSL 3.0, TLS 1.0, TLS 1.1) may not be used.
- Provider will encrypt Personal Data at rest using a strong, current cryptographic algorithm and mode, consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and with FIPS-validated cryptographic modules.
- At ibex’s request, Provider will provide proof of compliance with the encryption obligations through an audit in accordance with Section V of this policy.
III. Physical and Network Access Safeguards and Reporting
- Provider will physically and logically segment and isolate Personal Data from the data of other Provider clients at all times, including under adverse conditions.
- To prevent unauthorized access to ibex Resources and Provider Systems, including physical access, Provider will implement all appropriate physical safeguards, including locks for rooms (floor to ceiling, including past any drop ceiling height) or cages containing Personal Data or ibex Resources, security card or badge readers controlling access to authorized service locations and the areas of such Provider facilities where Provider is providing the Services or Processing Personal Data, 24-7 video surveillance of the access points to the authorized service locations and of access to the network cabinets, locked cabinets for storage of paper files containing Personal Data, and cable locks for devices containing Personal Data or ibex Resources. Provider will store all video surveillance recordings of the access points to the authorized service locations and of access to the network cabinets required pursuant to this Section III.B for at least 90 days.
- Provider will prevent unauthorized persons from accessing Provider Systems that Process any Personal Data.
- In all authorized service locations and in all areas of Provider facilities where Provider will have access to Personal Data, Provider will strictly prohibit personal electronic devices (including mobile phones and cameras), bags and purses, and all other items that could be used to conceal objects. Provider will physically monitor such areas to ensure that personnel do not bring any prohibited items into them.
- Provider will limit access to Provider Systems Processing Personal Data to those of its representatives who have a need-to-know, and only to the extent necessary to fulfill Provider’s obligations to ibex under the services contract.
- Provider will maintain complete and accurate logs of any access to Provider Systems or ibex systems during the term of the services contract and for a period of six years following its expiration or termination.
- If performance of the Services requires ibex to grant Provider access to any ibex or ibex Affiliate proprietary software or ibex systems, such access will be provided only pursuant to protocols and controls dictated by ibex, and Provider will comply with all terms and conditions associated with the provision of such access.
- ibex may immediately terminate connectivity to ibex systems or request the prompt return of certain ibex Resources if Provider does not comply with any part of this policy or where a Security Incident is detected or reasonably suspected by ibex. Provider will promptly comply with any such return request.
- Provider will immediately report to ibex in writing and by telephone any violation or suspected violation of the physical and network access safeguards contained in this policy.
IV. Security Incident Response
- If Provider reasonably believes there has been a Security Incident (defined below), it will, without undue delay and in any event within 8 hours, notify ibex of the Security Incident and provide sufficient information to allow ibex to report the Security Incident or notify individuals and regulators as required under applicable data protection laws, including: (i) the nature of the Security Incident; (ii) the categories and approximate numbers of individuals and Personal Data records concerned; (iii) any investigations into the Security Incident; (iv) the likely consequences of the Security Incident; (v) any measures taken to address the Security Incident; and (vi) any other information required by applicable data protection laws. Without limiting the above obligations, if Provider cannot provide all of these details within that timeframe, it will, before the end of the timeframe, give ibex the reasons for the delay and the date by which it expects to be able to provide the relevant details (which may be phased), and will give ibex regular updates on these matters. If Provider identifies any unauthorized access to any of its systems that materially impacts any ibex Resources deployed at a Provider facility and/or used by Provider for performance of the Services, Provider will provide ibex with written notice of the same within 24 business hours of identifying such unauthorized access by sending an email to security@ibex.co.
- “Security Incident” means any actual or suspected: (i) unauthorized interference with the availability of, or unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to Personal Data or any other data received from ibex; (ii) violation of the physical and network access safeguards described in this policy; (iii) unauthorized access to Personal Data or to any authorized service locations or any areas of such Provider facilities where Provider is providing the Services or Processing Personal Data; or (iv) other unauthorized Processing or theft of Personal Data.
- Provider will also:
  - allow ibex to involve its own investigator, as reasonably determined by ibex, and fully cooperate with such ibex-selected investigator;
  - cooperate with ibex in providing information to governmental or regulatory authorities, or notices regarding the Security Incident, that ibex deems appropriate; and
  - take all reasonable actions necessary or requested by ibex to remediate and mitigate the effects of, and to minimize any damage resulting from, the Security Incident (including taking all commercially reasonable steps to enforce, against any person that is or may be engaging in activities relating to the Security Incident, any rights Provider has to require such person to cease such activities).
- In the event of any loss of Personal Data arising from media failure, the media will be taken out of commission and physically destroyed, in consultation with ibex, in such a manner as to ensure that the Personal Data cannot be accessed or reconstructed. Provider will provide a written certificate of destruction to ibex.
- Provider will keep and maintain a record of every Security Incident (including in accordance with any requirements prescribed by applicable data protection laws) and the responsive actions taken in connection with the Security Incident and, on ibex’s request, will provide ibex with a copy of such records and permit such records to be disclosed to governmental and regulatory authorities. Provider will also perform post-Security Incident reviews of events and actions taken, if any, and, without derogating from its obligations hereunder, will make any required changes in its practices relating to protection of Personal Data or Provider Systems and ibex systems (as applicable), including upgrading information safeguards as necessary to limit risks.
- As part of the Provider Safeguards, Provider will establish, maintain, and follow a written Security Incident response plan designed to assist Provider in promptly responding to, and recovering from, any Security Incident. Without limiting Provider’s other obligations under this policy or the services contract, the Security Incident response plan will include at least the following: (i) the internal processes for responding to a Security Incident; (ii) the goals of the Security Incident response plan; (iii) the definition of clear roles, responsibilities, and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) identification of requirements for the remediation of any identified weaknesses in ibex systems or Provider Systems (as applicable) and associated controls; (vi) documentation and reporting regarding Security Incidents and related incident response activities; and (vii) the evaluation and revision as necessary of the incident response plan following a Security Incident. Provider will test the Security Incident response plan no less frequently than annually and will provide attestation to ibex upon completion of each test.
- Provider will provide ibex with the name and contact information of the Provider employee who will serve as ibex’s primary security contact and who will be available 24 hours per day, 7 days per week to assist ibex in resolving obligations associated with a Security Incident. If the primary contact changes, Provider will immediately inform ibex.
- Without limiting the generality of the foregoing, in the event that data protection laws or other applicable laws impose obligations on ibex to take additional steps in the event of a Security Incident, Provider will reasonably cooperate and assist ibex to enable ibex to comply with such laws, including by providing ibex with notice of Security Incidents within legally required timeframes, and related information required by ibex to comply with applicable laws.
V. Audit and Certification
- Without limiting the rights and obligations under this policy or the services contract, ibex may require Provider to furnish reports or evidentiary proof of compliance with this policy prepared by qualified independent auditors (e.g., KPMG, PwC). For the Processing of PCI data, auditors must be certified by the PCI Security Standards Council (PCI SSC) as a Qualified Security Assessor (QSA).
- Upon 30 days’ prior written notice, ibex (or, at ibex’s election, a third party acting on ibex’s behalf) will have the right to audit, review, and inspect, subject to Provider’s reasonable restrictions and for purposes of security and safety: (i) any Provider System, Provider facility, or part of a facility at which Provider is providing the Services or Processing Personal Data; (ii) all audit records, wherever located; and (iii) any processes, activities, or controls (an “Audit”). ibex may conduct no more than four Audits per year. An Audit will not last more than three days unless mutually agreed by both parties, or unless one party, in the good-faith determination of the other party, is not reasonably cooperating with the Audit. Audits may be conducted to verify any or all of the following:
  - performance by Provider of its obligations under the services contract;
  - the security, integrity, and availability of the Personal Data and of the facilities used to provide the Services as specified in the services contract;
  - the sufficiency of the internal controls, practices, and procedures used by Provider and its Subcontractors relating to the Processing of Personal Data and the Services, including compliance with the requirements of this policy; and
  - compliance with applicable laws, including all data protection laws.
- In addition to the right to conduct four Audits, ibex may conduct a spot audit at any time during operating hours (a “Spot Audit”). A Spot Audit will not exceed six hours on a single day during operating hours. ibex acknowledges that during a Spot Audit, due to Provider’s schedules and the conduct of its business, it may not have access to all records, processes, and relevant employees.
- In addition, ibex may perform penetration testing or other security testing that simulates attempts at unauthorized internal or external access to Provider Systems in order to detect potential security weaknesses (collectively, “Pen Testing”). The parties agree that (i) any techniques, data, results, or other information obtained from Pen Testing, and (ii) any remediation actions taken to remedy vulnerabilities discovered through Pen Testing, will be treated as confidential. The parties agree that Pen Testing and remediation activities may be performed by third parties and that those third parties will require access to confidential information related to the Pen Testing. The parties authorize disclosure of such confidential information to those third parties solely for the purposes of Pen Testing and associated remediation activities, and agree that any such disclosure will be made pursuant to a written agreement with the third party.
- Provider will require its subcontractors that Process Personal Data to undergo an SSAE 18 (Statement on Standards for Attestation Engagements No. 18) System and Organization Controls (SOC) 1 or SOC 2 Type II examination (an “SSAE 18 Review”), or another agreed-upon independent third-party assessment, at least once per calendar year, covering the Services for no fewer than ten months of that year. Provider will provide ibex with periodic updates on the status of the review and will specifically notify ibex of any weaknesses identified in Provider’s or its Subcontractor’s internal controls. Provider will provide ibex with a complete report of the findings from the SSAE 18 Review (the “SSAE 18 Report”) or the third-party assessment report within 30 calendar days after Provider receives it. If an SSAE 18 Report shows more than a de minimis deficiency in the effectiveness of Provider’s or its Subcontractor’s internal controls, Provider will remedy the deficiency indicated by the SSAE 18 Report.
- Provider will cooperate with, and provide ibex such reasonable assistance as ibex may require from time to time in order to fully exercise, the audit rights provided in the services contract. In particular, Provider will fully cooperate with any such audit by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that Processes Personal Data for ibex, during normal business hours and in accordance with any reasonable security procedures and other policies in effect at such facilities. In addition to subsection V.E, upon ibex’s written request, Provider will provide ibex with the results of any audit performed by or on behalf of Provider that assesses the effectiveness of Provider’s information security program as it relates to the security and confidentiality of Personal Data shared during the course of the services contract. Working papers relating to an internal controls audit will be made available to ibex, or to any governmental or regulatory authority or agency, for review upon ibex’s written request.
- If an Audit discloses a breach or violation of any of the standards, certifications, requirements, or laws referenced in Sections V.A through V.C of this policy, ibex will have the right, in its sole discretion, to suspend performance of the Services at one or more of the authorized service locations until Provider is able to demonstrate to ibex that the breach or violation has been fully rectified. Whether a breach or violation has been fully rectified will be determined by ibex in its sole discretion. Any payments from ibex to Provider related to a suspended authorized service location will be suspended for as long as performance of the Services is suspended under this Section V.F. Before exercising its right to suspend performance under this Section, ibex will confer with Provider, and the parties will cooperate in good faith to determine the appropriate response to the situation at hand; ibex nonetheless retains the right to suspend performance of the Services in its sole discretion.