Clause · security_compliance
Security Compliance
Data
AIRTIGHT+
high risk
US-IN
US-GB
US-EU
US-SG
GENERIC
Clause body
Vendor shall maintain security controls appropriate to the sensitivity of the Services and Client data, including least-privilege access, multi-factor authentication for production systems, secure credential storage, vulnerability remediation, logging, and separation of development, staging, and production environments where applicable. If the Services involve payment card data, regulated financial workflows, or systems represented as compliant with SOC 2, PCI-DSS, ISO 27001, or similar standards, Vendor shall provide reasonable evidence of the applicable control posture and shall not store, transmit, or process such regulated data outside the approved architecture without Client's prior written consent.
Sources
SOC 2 Type II; PCI-DSS v4.0; NIST SP 800-53
Last verified: Pending review.
Library version: 1.0.0