Clause · USI_SEC_01

Security and Compliance Standards (SOC2/ISO/PCI conditional)

Compliance
AIRTIGHT+
high risk
US-IN

Clause body

Vendor shall implement and maintain administrative, technical, and physical safeguards designed to protect Client data and systems against unauthorized access, use, disclosure, alteration, and destruction, appropriate to the nature of the data processed and consistent with any applicable data-protection obligations. Where the SOW so specifies, Vendor shall maintain and, on reasonable request, evidence compliance with recognized standards, which may include SOC 2 Type II reporting and ISO/IEC 27001 certification, and shall promptly notify Client of any material lapse. If, and only if, payment-card data is within the scope of the Services, Vendor shall comply with the Payment Card Industry Data Security Standard (PCI-DSS) applicable to its role. Vendor shall ensure its personnel receive appropriate security training and that access to Client data follows least-privilege principles. The specific controls, certifications, and audit/evidence mechanics shall be as set out in the SOW or an accompanying security schedule.

Sources

U.S.-India Software Services Statement of Work Clause Library (June 2, 2026 draft)

Last verified: Pending review.

Library version: 2026.06.02