FuelPlus IT Security, Compliance and Privacy Commitment

 

1. Objectives

FuelPlus implements data security measures that are consistent with industry best practices and standards such that FuelPlus:

(a) Protects the privacy, confidentiality, integrity, and availability of all data which is disclosed by You to, or otherwise comes into the possession of, FuelPlus, its affiliates or sub-contractors, directly or indirectly as a result of this Agreement (“Data”), including but not limited to Your Confidential Information and any of Your personally identifiable information; 

(b) Protects against accidental, unauthorized, unauthenticated, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of Your Data including, but not limited to, identity theft; 

(c) Complies with all applicable national and state laws, rules, regulations, directives and decisions (each, to the extent having the force of law) that are relevant to the handling, processing, storing or use of Your Data in accordance with this Agreement; 

(d) Manages, controls and remediates any threats identified in the Risk Assessment findings that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of Your Data, including without limitation identity theft; and 

(e) Complies with and implements the risk policies listed in this document, together with the data protection and confidentiality obligations of the Agreement. 

 

2. Risk Assessments

(a) FuelPlus performs regular (and in any event no less frequent than twelve-monthly) robust, comprehensive internal or external risk assessments which include, among other things, several methods of risk identification and evaluation, together with remediation tracking and verification, and which: 

i. identify reasonably foreseeable threats that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of Your Data, which includes Your private information and Your financial and operational information; 

ii. assess the likelihood of these threats occurring, and the potential damage that might result, taking into consideration the sensitivity of the relevant types or categories of Your Data (and any special risks or issues identified by You); and 

iii. assess the sufficiency of the security measures, policies, and procedures, information systems, technology, and other arrangements that FuelPlus has in place to control such risks. 

(b) Upon request, FuelPlus shall provide You with a high-level summary of the Risk Assessment results.  

(c) PCI Compliance:   

i. Where FuelPlus performs credit card transactions and/or stores or captures credit card information, FuelPlus provides You, on an annual basis, a Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) and a Letter of Attestation that a ROC has been issued, with an accompanying Executive Summary defining the scope of the ROC. FuelPlus is required to notify You if FuelPlus falls out of compliance.  

ii. If FuelPlus outsources storage, processing, or transmission of cardholder data to third-party service providers, the ROC (or the Letter of Attestation and its accompanying Executive Summary) documents the role of each service provider, clearly identifying which requirements apply to the reviewed entity and which apply to the service provider. 

(d) Audit  – Compliance Reports:

At FuelPlus’ own expense and on an annual basis, FuelPlus provides You with assurance report(s) on controls that adhere to the most current standards put forth by the IFAC International Auditing and Assurance Standards Board (IAASB) or the AICPA Auditing Standards Board (currently a Type II report under ISAE 3402 or SSAE 18; SSAE 18 superseded SSAE 16, which in turn replaced SAS 70), prepared by an independent certified public accountant firm and covering continuous twelve (12) month periods. Any gap in coverage is bridged by bridging letters detailing any control changes that have occurred and the overall operating effectiveness of the controls. The report will be provided to You by the 10th of January for each previous calendar year covered, and the bridging letters by the end of January. Such report(s) include at least the following (Appendix A defines specific controls that would satisfy the control objectives listed below): 

i. Organization and Administration – Controls provide reasonable assurance that FuelPlus’ Management sets the foundation for and imparts the necessary tone, discipline, and structure to influence the control consciousness of its people, as necessary for the services provided to customers. Controls provide reasonable assurance that the organization of personnel provides adequate segregation of duties between incompatible functions; 

ii. System Software Implementation and Maintenance – Controls provide reasonable assurance that implementation of and changes to system software are logged, authorized, adequately tested prior to implementation and restricted to authorized personnel; 

iii. Application Development and Documentation – Controls provide reasonable assurance that application development, project management, and maintenance activities are authorized and that both new and changed applications are properly documented, tested, and reviewed and approved prior to implementation; 

iv. Protection of Computer Equipment (Physical & Environmental Controls) – Controls provide reasonable assurance that physical access to the data centers and facilities with computer equipment, storage media, and program documentation is appropriately restricted to authorized individuals and is monitored by data center personnel.  Controls provide reasonable assurance that computer equipment and facilities are protected from damage from fire, flood, or other environmental hazards, and that maintenance agreements are in place; 

v. System and Data Backup – Controls provide reasonable assurance that measures are taken to ensure system, software, and data backups are in place, available, and properly tested; 

vi. Information Security (Logical Access) – Controls provide reasonable assurance that access to system resources, including computing platforms and operating resources, is restricted to properly authorized individuals and is logged.  Controls provide reasonable assurance that access to databases, data files and programs is restricted to properly authorized individuals and is logged.  Controls exist to provide reasonable assurance that remote access is appropriately restricted to authorized personnel and is logged; 

vii. Disaster Recovery/Business Continuity – Controls provide reasonable assurance that the disaster recovery plan is in place and tested at least on an annual basis; 

viii. Operations – Controls provide reasonable assurance that processing is appropriately authorized, scheduled, and that deviations from scheduled processing are identified and resolved.  Controls provide reasonable assurance that operations problems and security incidents are detected, reported, logged, and resolved in a timely manner.  Controls provide reasonable assurance that computer operations follow documented procedures and systems are operating within the uptime and availability parameters agreed with customers; 

ix. Performance and Capacity Planning – Controls provide reasonable assurance that system availability, performance, and capacity are routinely monitored to help ensure that potential issues are captured and investigated; 

x. Network and Availability – Controls provide reasonable assurance that networks are managed to contractual and site requirements, monitored for availability and response times, and issues are tracked and documented; 

xi. Data Transmissions – Controls provide reasonable assurance that networks and system resources are protected from external threats and that access violations are detected, reported, and investigated. 

(e) In the event these audits identify any deficiencies, FuelPlus provides You with a management response identifying how it will remediate the deficiencies, and provides confirmation of resolution.  

(f) Based on any Risk Assessment findings and other requirements of the Agreement, FuelPlus will develop (or modify, as appropriate), implement and maintain appropriate security measures and procedures so as to achieve the objectives set forth in Section 1 above and to manage and control the risks identified during the Risk Assessment, commensurate with the sensitivity of Your information, as well as the complexity and scope of the activities of FuelPlus pursuant to the Agreement.  

 

3. Organization Security Measures 

(a) Environment: FuelPlus sets the foundation for and imparts the necessary tone, discipline, and structure to influence the control consciousness of its people, as necessary for the services provided to You and/or Your Customers.  

(b) Responsibility: FuelPlus assigns responsibility for information security management to appropriately skilled and senior personnel. 

(c) Qualification of Employees: FuelPlus implements and maintains appropriate security measures and procedures to restrict access to information systems used in connection with this Agreement or to Your information to only those personnel who are reliable, have sufficient technical expertise for the role assigned, and have personal integrity. 

(d) Obligations of Employees: FuelPlus implements and maintains appropriate security measures and procedures in order to verify that all personnel accessing Your Data or information systems used in connection with this Agreement know their obligations and the consequences of any security breach. 

(e) Segregation of Duties: FuelPlus provides reasonable assurance that the organization of personnel provides adequate segregation of duties between incompatible functions.  

 

4. Physical Security Measures

(a) Physical Security and Access Control – FuelPlus ensures that all systems hosting Your Data and/or providing services on behalf of You are maintained, consistent with industry best practices and standards, in a physically secure environment that prevents unauthorized access. Access restrictions at physical locations containing Your Data, such as buildings, computer facilities, and records storage facilities (“Your Secure Area”), are designed and implemented to permit access only to authorized individuals and to detect any unauthorized access that may occur, including without limitation 24x7 security personnel at all relevant locations. 

(b) Physical Security for Media – FuelPlus implements and maintains appropriate security measures and procedures consistent with industry best practices and standards to prevent the unauthorized viewing, copying, alteration or removal of any media containing Your Data, wherever located. No removable media on which Your Data is stored by FuelPlus (including thumb drives, CDs, and DVDs, but excluding laptops, PDAs and back-up tapes) may be used or re-used by FuelPlus to store data of any other customer of FuelPlus unless Your Data is securely erased prior to such re-use. No removable media on which Your Data is stored by FuelPlus (including thumb drives, CDs, DVDs, laptops, PDAs and back-up tapes) may be used to deliver data to a third party, including another FuelPlus customer, unless Your Data is securely erased prior to such delivery. 

(c) Media Destruction – FuelPlus implements and maintains appropriate security measures and procedures consistent with industry best practices and standards to destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs) containing Your Data where such media or mobile device is no longer used, or alternatively to render Your Data on such removable media or mobile device unintelligible and incapable of reconstruction by any technical means before re-use of such removable media is allowed. 

 

5. Computer System Access Control Measures

(a) Access Controls – FuelPlus implements and maintains appropriate security measures and procedures consistent with industry best practices and standards to ensure logical separation, such that access to all systems hosting Your Data and/or being used to provide services to You is protected through the use of access control systems that uniquely identify each individual requiring access, grant access only to authorized individuals on the principle of least privilege, prevent unauthorized persons from gaining access to Your Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events. These security measures and procedures include, but shall not be limited to: 

(b) Access Rights Policies – appropriate policies and procedures regarding the granting of access rights to Your Data in FuelPlus’ possession or control, in order to ensure that only the personnel expressly authorized pursuant to the terms of the Agreement, or by You in writing, may create, modify or cancel the access rights of personnel.  FuelPlus maintains an accurate and up-to-date list of all personnel who have access to Your Data and has the facility to promptly disable access by any individual.  For purposes of this Schedule, the term “personnel” as to You or FuelPlus shall mean such Party’s employees, consultants, subcontractors or other agents. 

(c) Authorization Procedures for Persons Entitled to Access – appropriate security measures and procedures to establish and configure authorization profiles in order to ensure that personnel only have access to the Data and resources they need to know to perform their duties, and that they are only able to access Your Data within the scope and to the extent covered by their respective access permissions. Personnel working on development do not normally have access to production systems. For occasional and essential support purposes, such personnel may be granted special access for a limited period of time, provided such access is managed, appropriately authorized and logged (e.g. by issuing temporary credentials through a firewall system). 

(d) Authentication Credentials and Procedures – appropriate security measures and procedures for strong authentication of authorized personnel, including, but not limited to, the following: 

i. All systems prevent access by unauthorized users; 

ii. New passwords are communicated to users in a secure manner, with an appropriate proof of identity check of the intended users; 

iii. Passwords are not stored or transmitted in readable form;

iv. When privileged access (e.g. root or superuser level access) is granted to systems which handle or hold Your Data and/or are used to provide services, such access is for a limited duration only and is fully logged; 

v. Systems will not go into production and services under this Agreement will not commence until all personnel have received appropriate documentation and training, including: 

  1. the handling of security breaches; 
  2. the management of emergency access support for FuelPlus’ support personnel; and 
  3. procedures to follow when personnel require a password reset.  

(e) Access Control from outside Your Secure Area – appropriate security measures and procedures to prevent the information systems used in connection with the Agreement or Your Data from being accessed:  

i. by unauthorized persons from outside Your Secure Area; and/or 

ii. without an approved VPN-based remote access solution requiring two-factor authentication. 

(f) Access Monitoring – appropriate security measures and procedures for monitoring all access to the information systems used in connection with this Agreement and Your Data, including, but not limited to: 

i. Making available to You, on request, all logs and records; and 

ii. Maintaining full records of system or application access attempts, both successful and failed. 

 

6. Intrusion Detection/Prevention and Malware

(a) FuelPlus uses appropriate security measures and procedures (i) to ensure that Your Data in FuelPlus’ possession and control, and/or systems being used to provide Services, are protected against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, and (ii) to monitor and record each and every instance of access to FuelPlus’ assets and information systems and to Your Data, in order to detect such intrusion or malware and to respond to it promptly.  If any malicious code is found to have been introduced by FuelPlus or any third party into any of FuelPlus’ information systems handling or holding Your Data, FuelPlus will take appropriate measures to prevent any unauthorized access to or disclosure of any of Your Data and, in any case (wherever such code originated), FuelPlus will, at no additional charge to You, remove such malicious code and eliminate its effects. Unless, and to the extent, prohibited by law enforcement authorities, FuelPlus will immediately notify Your Chief Information Security Officer if it knows or reasonably suspects that there has been an actual or attempted instance of unauthorized access to Your Data and/or systems holding or handling Your Data, and shall cooperate fully in assisting You as necessary to enable You to comply with Your statutory and other legal breach notice requirements, if any. 

(b) Incident Response Measures – FuelPlus implements and maintains appropriate incident response measures and procedures for systems that handle or hold Your Data, including, but not limited to: 

i. Operational problems and security incidents are detected, reported, logged, and resolved in a timely manner. 

ii. Processing is appropriately authorized and scheduled, and deviations from scheduled processing are detected, reported, logged, and resolved in a timely manner.  

iii. System availability, performance and capacity are routinely monitored to help ensure potential issues are detected, reported, logged, and resolved in a timely manner.   

iv. Networks are routinely monitored for availability and response times to help ensure potential issues are detected, reported, logged, and resolved in a timely manner. 

 

7. Data Management Controls Measures

(a) Your Data – Your Data will only be used by FuelPlus for the purposes specified in this Agreement.  

(b) Your Production Data – Where access is given to Your Data on any production system, unless otherwise agreed to in writing by You, FuelPlus will not, and will procure that its personnel and sub-contractors do not, copy, download or store Your Data on any desktop, server or other device at any Location, whether in FuelPlus’ or its personnel’s possession or otherwise.

(c) Data Processing Control – FuelPlus implements and maintains appropriate security measures and procedures to ensure that Your Data in FuelPlus’ possession or control may only be processed in accordance with the Agreement, and to ensure that data collected for different purposes can be processed separately, including, but not limited to, ensuring that production systems do not depend on development infrastructure; 

(d) Data Integrity Controls – FuelPlus implements and maintains appropriate security measures and procedures to protect the integrity of Your Data in FuelPlus’ possession or control, and to prevent the unauthorized recording, alteration or erasure of Your Data. 

(e) Data Encryption – FuelPlus implements and maintains appropriate security measures and procedures to ensure that Your Data in FuelPlus’ possession or control is encrypted or protected by other technical means, where appropriate, so that it cannot be read, copied, changed or deleted by unauthorized persons while in storage, while being transferred electronically, or while being transferred to or saved on data media. 

(f) Link Encryption – All data and voice links, if any, between FuelPlus and You are encrypted using a method approved in writing by both Parties.  Encryption is applied across the whole link between You and Your Secure Area.

(g) Data Transfer, Transport, and Transmission Control – FuelPlus implements and maintains appropriate security measures and procedures to ensure, via logging, the verification and tracing of the locations/destinations to which Your Data is transferred using FuelPlus’ data communication equipment/devices.   

(h) Data Destruction – FuelPlus implements and maintains appropriate security measures and procedures to destroy Your Data in FuelPlus’ possession or control when appropriate and in accordance with the Agreement. At Your request at any time, FuelPlus will:  (i) erase or destroy all or any part of Your Data in FuelPlus’ possession, in each case to the extent so requested by You, and (ii) issue a certificate of destruction for the same. 

(i) Data Availability Control – FuelPlus implements and maintains appropriate security measures and procedures in order to ensure availability of Your Data, including but not limited to procedures to ensure that Your Data is protected from accidental destruction or loss, and against loss of data caused by a power shortage or interruptions in the power supply. 

(j) Software Patching – FuelPlus implements and maintains appropriate security measures and procedures in order to ensure the regular update and patching of all computer software on systems that handle or hold Your Data, so as to remediate vulnerabilities and remove flaws that could otherwise facilitate security breaches. FuelPlus will communicate its patching schedule and provide regular verification access and/or reporting.  

(k) Change Control Procedures – FuelPlus implements and maintains appropriate security measures and procedures to protect Your Data in FuelPlus’ possession or control in the event of changes to, movement of, or replacement of any hardware, computer component, software, or information related to the processing of Your Data.  FuelPlus will communicate its change control schedule and provide regular verification access and/or reporting. 

(l) Infrastructure Management – FuelPlus manages its infrastructure through a documented and robust change control process.  

(m) Backup, Retention, and Recovery – FuelPlus implements and maintains appropriate backup and recovery security measures and procedures in order to ensure availability of Your Data in the event of loss of data or information systems from any cause, including verification reporting of a successfully tested Disaster Recovery/Business Continuity Plan no less frequently than at twelve-month intervals. 

(n) Virus Management – FuelPlus implements and maintains appropriate security measures and procedures designed to provide antivirus and anti-spyware protection for FuelPlus’ systems that handle or hold Your Data, using the most recently distributed version of the software, with virus signatures updated at least every 24 hours (or at the vendor’s release interval, where the software vendor publishes signature updates less frequently). FuelPlus will communicate its software protection schedule and provide regular verification access and/or reporting. 

 

8. Application Development and Maintenance Measures

(a) Business requirements – FuelPlus defines and maintains IT security control requirements, and the solutions selected to meet them, for all system development projects that handle or hold Your Data.  

(b) Design – FuelPlus shall implement and maintain appropriate security measures and procedures including:  

i. application specific controls based on system passwords and user identities, controls linked to transaction value, and the structure and presentation of application menus;  

ii. end-to-end encryption of access control or other security control data;  

iii. compliance with PCI standard, if applicable;

iv. audit trails;  

v. application controls for error prevention, detection and contingency, including business requirements for these controls; and 

vi. controls over automatic data feeds and data files.  

(c) Development – The development of new application or system software is kept separate from the production environment.  Web applications follow secure coding guidelines such as those published by the Open Web Application Security Project (OWASP). 

(d) Testing – FuelPlus implements and maintains appropriate security measures designed to ensure that: 

i. IT security controls are tested as an integral component of project test plans, and are subject to documented business acceptance on the same basis as other system requirements; and

ii. no production data shall be used for testing or training purposes. 
