D&B Data Security Requirements
Company shall be required to secure the D&B Data it processes, transmits, stores, or otherwise comes in contact with, in accordance with the D&B Data security requirements described below (“Requirements”). “D&B Data” means D&B Products, Licensed Content, Confidential Information, and Personal Data.
1.Security Program & Compliance
1.1.Maintain and adhere to a written and comprehensive security policy, and supporting management framework, and enact standards and guidelines based upon that policy for the protection of the confidentiality, integrity, and availability (CIA) of data, including D&B Data. The security policy shall (a) address the information security risks and controls identified through Risk Assessments for each area of information security (e.g., access management, system development and change management), with supplemental policies developed and implemented as appropriate; (b) reflect the requirements of Applicable Law; (c) apply to all Employees; and (d) undergo annual review and be updated to address (i) relevant organizational changes, (ii) D&B contractual requirements, (iii) identified threats or risks to information assets, and (iv) relevant changes in Applicable Law.
1.2.Company understands and acknowledges that the risk environment related to the Confidentiality, Integrity, and Availability (CIA) of D&B Data can change from time to time and that effective security practices may need to be modified to address and mitigate such risks, including adopting stricter security practices than those then in place and/or described herein. Company agrees to take reasonable steps to modify its security measures as determined and requested in good faith by D&B.
1.3.Unless prohibited by Applicable Law, Company shall perform background verification checks on Employees that have access to D&B Data upon hire or initiation of engagement. Company shall perform comprehensive background checks on all individuals, including Employees and contractors, with physical or logical access to the systems or physical environment in which D&B Data is stored, and shall ensure that individuals whose background checks reveal discrepancies with the records or employment history they have provided do not have access to D&B Data.
1.4.Ensure that Company staff are provided security awareness training upon hire and annually thereafter. The security awareness training curriculum should include, but not be limited to, information and best practices related to acceptable use, data classification and social engineering (including phishing).
1.5.Periodically assess the risk to Company organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of D&B Data.
1.6.Company shall notify D&B within 48 hours after Company confirms, or has reason to believe, that a Security Event relating to D&B Data has taken place. Such notice shall summarize in reasonable detail and to the best of Company’s knowledge at the time of the notice: (i) the incident itself; (ii) the impact on D&B and on the individuals affected by such Security Event; and (iii) the corrective action taken or proposed to be taken by Company. If there is a Security Event, Company shall cooperate with D&B to correct or mitigate any information security threats, risks, or other concerns arising from the Security Event.
1.7.Company shall ensure that, as part of its vulnerability management program, it periodically reviews historic audit logs to determine whether a vulnerability identified in systems on which D&B Data resides has previously been exploited. If such exploitation is discovered, Company shall notify D&B without undue delay upon confirmation, including the date, time, and method of exploitation. Company further agrees to confirm and report to D&B whether any D&B Data was breached during such exploitation.
1.8.Company shall prevent the disclosure of D&B Data, or information related to D&B Data or its structure (e.g., record and field information), to third parties without the written consent of D&B.
1.9.Company shall implement a formally documented incident management policy that includes: (a) clearly defined management and user roles and responsibilities; (b) a reporting mechanism for incidents and events affecting the security of D&B Data, including the reporting of suspected unauthorized or unlawful access, disclosure, loss, alteration and destruction of D&B Data; (c) procedures for Risk Assessments and Risk Treatments implemented within a reasonable timeframe and proportionate to the nature of the security incident and the harm, or potential harm, caused; and (d) procedures for notification to relevant authorities as required by Applicable Law.
1.10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by Company information systems) at the external boundaries and key internal boundaries of the information systems.
1.11. Company will implement and maintain technical measures to prevent screen scraping or robotic harvesting of D&B Data (e.g., CAPTCHA, honeypots, rate limiting).
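Worked example, added here for illustration and not part of the contractual text above: a per-client token-bucket rate limiter combined with a honeypot path, two of the mechanisms named in 1.11, applied to a constructed request stream. The honeypot path, the client keys, the traffic sample and the chosen limits (3 requests burst, 1 request per second sustained) are assumptions made for this example; a deployment would key the bucket on source address, API key or session and take timestamps from the request.

```python
from collections import defaultdict


class RateLimiter:
    """Per-client token bucket. Each client starts with `burst` tokens, gains
    `rate` tokens per second up to `burst`, and spends one token per request.
    Timestamps are passed in explicitly (seconds) so the logic is deterministic
    and testable; a deployment would use the request's arrival time."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._buckets: dict[str, tuple[float, float]] = {}  # client -> (tokens, last_seen)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


# Assumed honeypot path: referenced only from markup that a browser never renders,
# so any client requesting it is following links mechanically rather than browsing.
HONEYPOT_PATHS = {"/internal/export-all"}


def screen_requests(requests, rate: float = 1.0, burst: int = 3):
    """Apply honeypot detection and rate limiting to an ordered request stream.
    `requests` is an iterable of (timestamp_seconds, client_key, path).
    Returns ({client: {"allowed": n, "denied": n}}, set_of_flagged_clients)."""
    limiter = RateLimiter(rate, burst)
    flagged: set[str] = set()
    summary: dict[str, dict[str, int]] = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, client, path in requests:
        if path in HONEYPOT_PATHS:
            flagged.add(client)  # one honeypot hit is enough to block the client outright
        if client in flagged or not limiter.allow(client, ts):
            summary[client]["denied"] += 1
        else:
            summary[client]["allowed"] += 1
    return dict(summary), flagged


# Constructed traffic sample: a bot fetching 4 records per second for 5 seconds,
# a human paging one record every 5 seconds, and a crawler that follows the
# honeypot link on its third request.
SAMPLE_REQUESTS = (
    [(t, "bot", f"/records/{4 * t + i}") for t in range(5) for i in range(4)]
    + [(t, "user", f"/records/{t}") for t in range(0, 30, 5)]
    + [(0, "crawler", "/records/1"), (0, "crawler", "/records/2"),
       (1, "crawler", "/internal/export-all"), (2, "crawler", "/records/3")]
)

if __name__ == "__main__":
    counts, blocked = screen_requests(SAMPLE_REQUESTS)
    for client, c in counts.items():
        print(f"{client:8} allowed={c['allowed']:2} denied={c['denied']:2}"
              f"{'  (honeypot)' if client in blocked else ''}")
```

Under these limits the bot gets its initial burst of three records and then one per second (7 of 20 requests served), the human user is never throttled, and the crawler is cut off from the moment it touches the honeypot, regardless of its request rate.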
1.12. If Company is to leverage the use of a Subcontractor(s) to support the service(s) provided to D&B, D&B must be notified in advance. Included with the notification will be the most recent due diligence assessment, performed by Company, of those Subcontractor(s).
1.13. Company agrees to fully cooperate with any reasonable requests from D&B for information about the Services, security controls and/or Software provided by Company and use commercially reasonable efforts to do so promptly and within any required time parameters set by D&B. Company understands and agrees that such time parameters may be on an urgent/immediate basis in the case of regulatory or legal information requests.
1.14. Company agrees to enlist the assistance of and make available all key and other personnel whose assistance is necessary to respond to any information request from D&B about the Services and/or Software in scope of the agreement between D&B and Company. Company shall make relevant documentation, reports, and evidence available for review upon D&B's request.
1.15. Upon reasonable notice and during regular business hours, once per year (unless there is a material Security Event, in which case a second audit is permitted), D&B shall have the right to examine and inspect Company’s security policies, processes, controls, and other related evidence to determine compliance with these Requirements. The scope of such audit includes, but is not limited to, validation of compliance with all Applicable Law, including laws relating to anti-corruption, fraud, bribery, export controls, and trade sanctions. Where physical inspection at Company’s location is not suitable, the effectiveness of a control may be substantiated through remote validation by sharing policies, documented evidence, control evidence, reports, and screenshots. For the avoidance of doubt, nothing contained herein will allow D&B to review confidential data pertaining to Company’s other partners. D&B shall bear its own costs and expenses with respect to the audits described in these Requirements. Company shall prioritize remediation efforts according to the severity of the identified findings and take prompt action to address all findings rated “critical” or “high” risk by D&B. Company will remediate the identified findings in accordance with the mutually agreed audit finding remediation timelines (not to exceed 120 days).
2.Security Compliance Frameworks
As applicable, Company shall adhere to the control requirements of the following independently audited security compliance frameworks, certifications, and attestations.
2.1.ISO 27001:2022: Company will use procedural, technical, and administrative safeguards to implement and maintain a comprehensive information security management system (ISMS) designed to protect the Confidentiality, Integrity, Availability (CIA), and privacy of any D&B Data processed or stored in accordance with the measures set forth in the Company’s then-current International Organization for Standardization (ISO/IEC) certificate. During the Term of the agreement between D&B and Company, Company shall maintain compliance with the ISO 27001:2022 control requirements and provide Risk Assessment and Risk Treatment reports no later than 10 business days after a written request. Company shall provide a copy of Company’s Statement of Applicability (SoA) to D&B upon request.
2.2.SOC 2 Type II: Company will use procedural, technical, and administrative safeguards for its Services designed to protect the confidentiality, security, integrity, availability, and privacy of any D&B Data stored in accordance with the measures set forth in the Company’s then-current System and Organization Controls (SOC) 2 Type II report, a copy of which shall be provided to D&B upon D&B’s reasonable written request. During the Term of the agreement between D&B and Company, Company will not materially reduce the overall level of security set forth in its SOC 2 report as of the Effective Date, including, without limitation, safeguards relating to disaster recovery, business continuity, and software development. Further, Company shall implement commercially reasonable vulnerability management practices to identify, assess, and remediate potential cybersecurity vulnerabilities. This shall include assessing vulnerabilities in third party systems, performing scanning and testing of applications and infrastructure, and incorporating the results of any self-identified or third-party-identified vulnerabilities or control weaknesses. Issues discovered through these activities shall be remediated without undue delay and within the remediation timelines set out in 4.6 below.
3.Access Management
Company shall implement and maintain the following access management requirements:
3.1.Company will monitor use of privileged access and maintain security information and event management (SIEM) measures designed to: (1) identify unauthorized access and activity, (2) facilitate a timely and appropriate response, and (3) enable internal and independent third-party audits of compliance. Company will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs. Such logs shall be retained for a period of no less than 12 months.
3.2.Allow access (including remote access) to D&B Data only to Employees requiring such access (“need to know”) to carry out the actions in fulfillment of the terms and conditions of the agreement between D&B and Company. Access shall be provisioned only based on the principles of least privilege.
3.3.Access to systems must be based on a valid, unique user identity to ensure traceability and accountability. Shared accounts shall not be used for any purpose other than system maintenance or related activities, and any such use shall be attributable to the individual who used the account.
3.4.No less frequently than once per 180 days, review the list of all individuals with access to D&B Data, including administrator and privileged access (such as system and database administrators), to ensure that each individual’s access, and the level and function of that access, remains required to execute the actions in fulfillment of the terms and conditions of the agreement between D&B and Company.
3.5.Ensure that IT Assets storing, processing or otherwise containing D&B Data are protected during and after Employee actions such as terminations or transfers.
3.6.Enact and maintain the principle of separation of duties to reduce the risk of malicious activity.
3.7.Company shall implement controls to detect and prevent malware, malicious code, and unauthorized execution of code. Company shall regularly update the controls with the latest technology available (e.g., deploying the latest signatures and definitions).
3.8.Configure automatic session time-out after no more than 15 minutes of inactivity.
3.9.Disable access to D&B Data for any Company user account that has been inactive for 30 days; the inactivity threshold shall not exceed 30 days.
3.10. Ensure that no individual’s identification or authentication information is used to originate simultaneous connections or sessions from multiple locations, physical or logical.
3.11. Transmit only encrypted account authentication and authorization information across any network, and employ technology to ensure that remote access is authenticated with at least two factors (e.g., one-time password tokens or biometric devices).
3.12. Collect and retain access logs of all events involving access to D&B Data for no less than 1 year.
3.13. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
3.14. Detect and alert relevant Company Employees of unauthorized attempts to access D&B Data in real time, and promptly investigate, document, and resolve the matter.
3.15. Retain documentation of all investigations and inquiries into possible unauthorized access attempts and promptly provide the same to D&B upon request. For the avoidance of doubt, reports on Company’s shared systems cannot be shared with clients, since doing so would (i) violate Company’s confidentiality obligations to other clients, and (ii) pose a security risk to other clients.
3.16. Company shall implement and maintain password requirements for all users, services and Subcontractor(s) in compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines. Company must enforce strong passwords as that publication describes (minimum length and screening against commonly used or previously compromised passwords). User accounts must be locked after 5 unsuccessful logon attempts for a period of not less than 30 minutes. If a password is suspected of having been disclosed, it must be changed without undue delay. Company will employ processes to minimize the risk of unauthorized or no-longer-needed user accounts in its systems by performing audits or reviews of user accounts, and shall revoke access immediately upon determining that an account is no longer required.
3.17. Company shall engage an independent third party to perform network penetration testing of any environment it controls, to identify exploitable vulnerabilities, no less than annually.
3.18. D&B expects the Company to perform an end-to-end penetration test or vulnerability test of the services it provides and to provide a report of the findings and their remediation status. Company shall provide D&B with an executive summary outlining the results of such tests upon request. The test reports shall at minimum include (a) an executive summary with a high-level overview of the testing; (b) the scope and methodology utilized; (c) the number of critical, high, and medium severity findings; (d) the name of the third-party tester; and (e) the date of the third-party testing. Company shall remediate any identified vulnerability that D&B defines as “critical” risk or “high” risk in accordance with the vulnerability remediation timelines agreed in the agreement between D&B and Company.
3.19. Company shall store passwords only in salted, hashed form using an industry-standard password hashing function, and shall transmit passwords only over strongly encrypted channels.
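Worked example, added here for illustration and not part of the contractual text: the three mechanisms that 3.16 and 3.19 require, in one place. Password screening follows NIST SP 800-63B section 5.1.1.2 (minimum length, blocklist of common or compromised passwords, no composition rules); storage uses the salted, memory-hard scrypt function from the Python standard library; and a lockout tracker enforces the 5-failure, 30-minute rule. The blocklist contents, the 128-character upper bound, the scrypt parameters and the `LoginGuard` design are assumptions made for this example, not requirements of the text.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a compromised/common-password blocklist (assumption);
# a real deployment screens against a large corpus of known-breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}

MIN_LENGTH = 8      # NIST SP 800-63B rev. 3 minimum for user-chosen memorized secrets
MAX_LENGTH = 128    # NIST requires accepting at least 64; this cap is an assumption


def _is_sequential(s: str) -> bool:
    """True for strings such as 'abcdefgh' or '87654321' (constant step of +1 or -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def password_problems(password: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password fails policy; an empty list means it
    is acceptable. Deliberately no uppercase/digit/symbol rules: NIST advises against them."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the compromised/common password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) == 1:
        problems.append("single repeated character")
    if _is_sequential(lowered):
        problems.append("sequential characters")
    return problems


SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # memory-hard work factor, about 16 MiB


def hash_password(password: str) -> str:
    """Salted scrypt hash, self-describing so parameters can be raised later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


LOCKOUT_THRESHOLD = 5          # 3.16: lock after 5 unsuccessful attempts
LOCKOUT_SECONDS = 30 * 60      # 3.16: for not less than 30 minutes


class LoginGuard:
    """Per-account failure counter with timed lockout. Timestamps (seconds) are
    passed in explicitly so the behaviour is deterministic and testable."""

    def __init__(self):
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed attempt; return True if this attempt triggered a lock."""
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(guard: LoginGuard, user: str, password: str, stored_hash: str, now: float) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account is refused even with the right password."""
    if guard.is_locked(user, now):
        return "locked"
    if verify_password(password, stored_hash):
        guard.record_success(user)
        return "ok"
    return "locked" if guard.record_failure(user, now) else "denied"
```

The stored string carries its own algorithm and parameters, so the work factor can be raised for new hashes without invalidating old ones; the comparison uses `hmac.compare_digest` to avoid leaking timing information.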
4.Data Protection
4.1.For systems upon which D&B Data resides, establish, and maintain procedures for system hardening which align with industry standards such as CIS, NIST, DISA STIG, COBIT, or PCI.
4.2.Establish and maintain baseline configurations and inventories of Company IT Assets throughout the respective system development life cycles.
4.3.Company shall maintain and operate tools to scan, no less frequently than monthly, servers, network devices, etc. to confirm that Company’s computing assets are in compliance with industry standard system hardening requirements.
4.4.Company shall label any storage media under Company’s control that contains D&B Data with a generic name that does not suggest to a reader that D&B Data is contained on that media.
4.5.Company shall encrypt D&B Data (a) at rest, using strong encryption algorithms such as AES-256; (b) in transit across any network, including untrusted networks such as public networks, using TLS 1.2 or higher; and (c) when writing to removable media devices. Certificates used to protect data in transit shall be issued by a trusted certificate authority. Company shall maintain and implement a patch and vulnerability management process to identify, report, and remediate application and system vulnerabilities that is approved by the application or system owner and is commensurate with the level of risk, by (a) performing vulnerability scans on a monthly basis and during any major system or application updates; (b) implementing vendor patches or fixes; and (c) developing a Risk Treatment to address identified vulnerabilities.
4.6.For all systems upon which D&B Data resides, Company shall scan such systems, using reputable solutions (e.g., Qualys, Nessus), to identify and correct security vulnerabilities that may impact the CIA of D&B Data. Such scans are to occur no less frequently than monthly. Vulnerabilities discovered on Company systems with a CVSS rating of “Critical” are to be patched no later than 7 days after discovery. “High” risk findings are to be patched within 30 days after discovery. “Medium” risk findings are to be patched within 120 days after discovery.
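Worked example, added here for illustration and not part of the contractual text: a small tracker that turns a scanner export into the evidence 4.6 asks for, by mapping CVSS v3.x base scores to the standard qualitative ratings, deriving each finding’s due date from the 7/30/120-day windows in 4.6, and flagging what is overdue as of a given date. The scanner export, the finding identifiers and hosts, the 7-day “due soon” warning horizon, and the treatment of “Low” findings as tracked without a deadline are assumptions made for this example (the text sets no window for “Low”).

```python
import csv
from datetime import date, timedelta
from io import StringIO

# Contractual remediation windows from 4.6, in days after discovery.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 120}
DUE_SOON_DAYS = 7  # warning horizon for the report; an assumption, not from the text


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to the standard qualitative rating scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


# Constructed scanner export: finding ids, hosts and titles are made up for illustration.
SCAN_EXPORT = """finding_id,host,title,cvss,discovered,status
F-1001,db01.example.internal,Outdated TLS library,9.8,2025-03-20,open
F-1002,web02.example.internal,Weak SSH key exchange algorithms,7.5,2025-03-10,open
F-1003,app03.example.internal,Verbose error pages,5.3,2024-11-01,open
F-1004,db01.example.internal,Unpatched database service,9.1,2025-03-28,closed
F-1005,web02.example.internal,Missing cache-control header,3.1,2025-01-01,open
F-1006,app03.example.internal,Unpatched application framework,8.8,2025-03-05,open
"""


def triage(scan_csv: str, as_of: date) -> list[dict]:
    """Assign each finding a severity, an SLA due date and a state as of `as_of`.
    States: closed, no_sla (no contractual window), overdue, due_soon, on_track."""
    rows = []
    for rec in csv.DictReader(StringIO(scan_csv)):
        severity = cvss_severity(float(rec["cvss"]))
        discovered = date.fromisoformat(rec["discovered"])
        row = {"finding_id": rec["finding_id"], "host": rec["host"], "severity": severity,
               "discovered": discovered, "due": None, "days_overdue": 0}
        if rec["status"].strip().lower() == "closed":
            row["state"] = "closed"
        elif severity not in SLA_DAYS:
            row["state"] = "no_sla"
        else:
            row["due"] = discovered + timedelta(days=SLA_DAYS[severity])
            remaining = (row["due"] - as_of).days
            if remaining < 0:
                row["state"] = "overdue"
                row["days_overdue"] = -remaining
            elif remaining <= DUE_SOON_DAYS:
                row["state"] = "due_soon"
            else:
                row["state"] = "on_track"
        rows.append(row)
    return rows


def summarize(rows: list[dict]) -> dict:
    """Count findings per state and overdue findings per severity."""
    summary = {"by_state": {}, "overdue": {}}
    for row in rows:
        summary["by_state"][row["state"]] = summary["by_state"].get(row["state"], 0) + 1
        if row["state"] == "overdue":
            summary["overdue"][row["severity"]] = summary["overdue"].get(row["severity"], 0) + 1
    return summary


if __name__ == "__main__":
    report = triage(SCAN_EXPORT, date(2025, 4, 1))
    for row in report:
        print(f'{row["finding_id"]:7} {row["severity"]:8} {row["state"]:9} '
              f'due={row["due"]} overdue={row["days_overdue"]}d')
    print(summarize(report))
```

The due date is anchored to the discovery date recorded by the scanner, not to the date the ticket was opened, which is the point an auditor will check; a Medium finding discovered in November is already a month overdue by the following April.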
4.7.Adequate security solutions (including, but not limited to, firewalls, IPS/IDS, and antivirus) shall be implemented and maintained at the network and perimeter level so that malicious inbound or outbound traffic, and malicious user access to applications, databases and infrastructure, is prevented or detected in real time and the security of Personal Data is not breached.
4.8.Company shall terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
4.9.Company shall implement and maintain a Web Application Firewall (WAF) in alignment with industry best practices such as the OWASP WAF Configuration guide.
4.10. Company shall maintain the WAF with the latest security patches and signatures.
4.11. Company shall monitor the WAF for any malicious activity that could result in a Security Event.
4.12. Company shall actively monitor, restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
4.13. Company shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; shall protect audit information and audit tools from unauthorized access, modification, and deletion; and shall limit management of the audit functionality to a subset of privileged users and monitor that management.
4.14. D&B Data shall not be stored on mobile computing devices. If it is necessary that mobile computing devices are utilized, a mobile device management (MDM) policy must be in place that provides Company with the ability to remote-wipe devices.
4.15. Company shall implement procedures to ensure that D&B Data is securely destroyed when no longer needed for the purposes authorized by D&B, or at the expiration or termination of the agreement between D&B and Company. Company shall (a) secure and confirm the erasure of D&B Data from its systems and servers, including any physical or electronic copies, prior to asset destruction and disposal; (b) provide attestation of destruction of that D&B Data, where applicable; and (c) require that any third parties engaged to process D&B Data securely dispose of the information when no longer needed for the Services.
4.16. Upon request, Company shall return D&B Data to D&B or certify the destruction of D&B Data, pursuant to the procedures set forth in NIST SP 800-88 Rev. 1 (or its successor) or the DoD 5220.22-M standard, following use or upon D&B’s reasonable request or as otherwise required by the Agreement.
4.17. Company shall employ controls and procedures that maintain file integrity through periodic scans of the information systems and real-time scans and monitoring of files from external sources as files are downloaded, opened, or executed.
5.Business Continuity & Disaster Recovery
Company shall implement and maintain appropriate technical measures, business continuity and disaster recovery (BC/DR) controls to protect D&B Data and minimize disruption to D&B operations in the event of a disaster or other disruption. Company agrees to:
5.1.perform business continuity Risk Assessments to determine relevant risks, threats, likelihood of a service outage or Security Event, impacts of a service outage or Security Event, and required controls and procedures to secure D&B Data. Based on Risk Assessment results, Company shall document, implement, annually test, and review business continuity and disaster recovery plans to validate the ability to timely restore availability and access to D&B Data in the event of a service outage or Security Event.
5.2.Following each Disaster after the Services have been fully restored, Company shall conduct a root cause analysis and provide to D&B a comprehensive report that describes, at a minimum, (i) the cause or causes of the Disaster, (ii) efforts taken to mitigate the consequences and resolve the Disaster, and (iii) the remedial actions to be implemented by Company to avoid future Disasters.
5.3.follow industry best practices to make regular, encrypted backups of database and repository files of D&B Data to a secured location separate from the primary data center, on a timeframe mutually agreed to by the parties. Information backup procedures and media shall include (a) strong encryption technology; (b) integrity validation; (c) reconciliation with disaster recovery requirements; and (d) secure offsite storage supporting availability requirements. Company shall restore any corrupted files using the most current backup available. D&B may access the backup records to review any record of system activity related to D&B Data without prior notice to the Company.
5.4.On an annual basis, Company shall provide D&B with the opportunity to review the Business Continuity Management Program, including the Business Continuity Plan, and shall remediate any findings. Such review and evaluation may include Company’s participation in (a) D&B’s third-party testing and assessment process, including the completion of online and/or on-site assessment(s), as appropriate, and (b) recovery testing of a mutually agreed scope and frequency.
5.5.demonstrate compliance with the business continuity and disaster recovery requirements in these Requirements by providing a copy of Company’s business continuity and disaster recovery plans (BC/DR) upon D&B’s written request.
5.6.If Company fails to recommence performance of Services within the prescribed period, D&B shall have, in addition to any other rights of D&B under the agreement between D&B and Company, the right to a refund of any prepaid amounts for affected Services, prorated for the time such Services were unavailable.
6.Physical Security
The following control requirements are applicable to Company’s physical environments. Company remains responsible for ensuring that SaaS and Cloud Service Providers that provide services on behalf of Company comply with the industry standard physical security requirements in these Requirements.
6.1.Unless prohibited by Applicable Law, Company shall restrict physical access to facilities where D&B Data is stored or processed to its authorized Employees by implementing industry standard physical access controls, such as swipe card technology, monitored CCTV, remotely monitored alarm systems, on-premise security guards, photographic access credentials, visitor escort, physical access logs and authorized access lists.
6.2.In order to restrict unauthorized access to D&B Data, Company shall (a) implement controls to protect equipment, information and assets located off-premises, including during remote access sessions such as teleworking or remote administration; (b) publish, implement and enforce policies governing teleworking, mobile devices and removable media devices; (c) encrypt remote access communications to systems or applications containing D&B Data; (d) require, at a minimum, multi-factor authentication for Virtual Private Network (VPN) or equivalent remote access; and (e) restrict remote access to the ports and protocols required.
6.3. Company’s policies shall prohibit Employees from accessing or storing D&B Data on any personally owned and managed equipment. Company shall prohibit the use of personal USB or other removable storage devices and shall control and encrypt data on any permitted removable media devices, such as USB drives, memory sticks and Bluetooth storage devices.
6.4.Implement and enforce policies and procedures for the purpose of safeguarding D&B Data at all facilities where such data is accessed, processed, stored or otherwise handled (including telework sites).
6.5.Systems storing, processing or otherwise handling D&B Data must be secured within locked rooms and facilities with access restricted to only those individuals with a need for such physical access to perform their job functions.
6.6.Create an appropriate number of layers of physical security between unauthorized Persons and systems on which D&B Data is stored, processed or otherwise handled. For most purposes, the appropriate number of physical security layers will be three (e.g. a security guard or turnstile, a locked server room, and locked server cabinets).
6.7.Physical access logs shall be maintained, capturing the date, time and individual accessing a particular area.
6.8.Maintain at least one layer of the above in which monitoring can be employed, tracked and reviewed (e.g. 24x7x365 monitoring of real-time CCTV surveillance footage).
6.9.Retain surveillance footage and security monitoring logs for a period of, at a minimum, one year.
6.10. Establish procedures for managing Company visitors for the duration of the visit (e.g., providing an employee escort around Company premises).
6.11. Company shall implement and monitor appropriate environmental security controls (e.g., fire detection and suppression systems).
6.12. Media or equipment containing D&B Data shall not be moved off Company premises without prior notification to D&B. Such media and/or equipment shall be properly safeguarded, and a chain of custody shall be maintained to ensure accountability.
7.Company Employees or Third Parties
7.1.Company shall include in its agreements with third parties processing D&B Data information security, confidentiality, and data protection requirements similar to the provisions in the agreement between D&B and Company. Company shall periodically review those third parties to (a) validate compliance with those requirements, and (b) confirm that the third parties’ information security and data protection requirements remain appropriate to the risks represented by the third parties’ processing of D&B Data.
7.2.All security requirements that apply to Company also apply to Company’s subcontractors. Company must enforce the required security controls, standards, and regulations across its supply chain and third parties. Company shall conduct due diligence on its supply chain on an ongoing basis. Any risk or compliance issue identified shall be communicated to D&B within 72 hours of its identification.
7.3.An audit must be carried out (at least annually or as per Company’s schedule for audit, whichever is earlier) to validate that the applicable information security controls are implemented at each partner, subsidiary or subcontractor, so that risk is mitigated.
7.4.Company shall provide third parties access to D&B Data solely when necessary to perform the obligations under the agreement between D&B and Company. In those cases, Company shall (a) provide to D&B, a list of third parties with privileged access to D&B Data; (b) limit third party access to D&B Data only as necessary to perform the Services as contractually agreed to between the third parties and Company; and (c) record third party access to D&B Data within system logs, subject to Company controls for logging and monitoring. Unless otherwise provided in an applicable Agreement or SoW, Company shall restrict third party access to D&B Data.
7.5.If applicable, Company Employees working in D&B facilities shall comply with (i) all D&B physical security requirements as provided to Company, and (ii) D&B logical security requirements as set forth in the applicable SOW.
7.6.Perform and document the results of background checks on individuals that Company contracts for the development, management, or maintenance of systems which have access to D&B Data.
7.7.Ensure that organizational Employees are adequately trained to carry out their assigned information security-related duties and responsibilities.
7.8.Ensure that developers, managers, systems administrators, and users of Company information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
7.9. If Company is providing applications or Software development, Software enhancement or customization, database administration, system administration or coding Services for D&B, Company’s Employees shall be required (i) to comply with D&B-required secure coding practices and (ii) to have appropriate topic-specific, partner-specific, or Services-specific industry certifications. The specific secure coding practices and industry certifications that are required shall be listed in the applicable SOW.
7.10.Company shall define, document, implement and maintain security principles and requirements for mitigating the risks associated with third party suppliers and their access to processing or hosting assets or provision of network & IT infrastructure where D&B Data resides.
7.11.Company shall include security requirements no less restrictive than those in these Requirements in agreements with its Subcontractors.
7.12.Company shall include an obligation of immediate notification of Security Events in agreements with its Subcontractors that have access to D&B Data.
7.13. For all Subcontractors that process, access or otherwise come in contact with D&B Data, Company shall monitor and review its Subcontractors’ compliance with their security obligations against these Requirements on a regular basis and no less than annually.
7.14.Ensure that the code developed by Company and provided by Company to D&B is free from known security defects: code developed by Company’s developers and provided to D&B shall not introduce any known vulnerabilities, directly or indirectly, and shall not degrade the overall security of the application or project.
8.Indemnification
In addition to any other Indemnification provisions in the agreement between D&B and Company (and subject to the indemnification procedures set forth in the main body of the agreement), Company shall at its expense indemnify, defend and hold harmless D&B and its Affiliates, and their respective officers, directors, employees, agents, representatives, successors and assigns, from and against any and all Losses and threatened Losses arising from, in connection with, or based on third party allegations in connection with a Security Event that arises out of (i) a breach of Company’s obligations under the agreement between D&B and Company or the applicable SOW, (ii) a breach of Law applicable to Company or to the Services being provided, or (iii) the willful misconduct of Company or any employee or subcontractor of Company.
9.Artificial Intelligence Security
As applicable, Company shall adhere to the following Artificial Intelligence and Generative AI security control requirements.
9.1.Company shall ensure the integrity of data input into AI systems and shall detect data poisoning and adversarial-input attacks.
9.2.Company shall enforce role-based access control (RBAC) for all personnel interacting with AI systems.
9.3.Company shall secure AI models from tampering, model inversion, or theft using strong, industry-standard encryption algorithms and model integrity checks.
9.4.Company shall conduct adversarial testing to assess model resilience against malicious manipulation attempts.
9.5.Company shall ensure that it has procedures, processes, and policies in place to ensure the explainability and documentation of its AI models’ decision-making processes for audit purposes.
9.6.Company must continuously monitor AI systems and environments for unusual behavior, bias, or security incidents.
9.7.Company must maintain an AI-specific security incident response plan and immediately notify D&B of AI security incidents.
9.8.Company must conduct formal bias audits, especially in high-stakes applications, with clear reporting and remediation steps.
9.9.Company must integrate AI-specific threat intelligence feeds into their security monitoring processes to detect emerging risks.
9.10.Company must implement mechanisms for human intervention in high-risk AI decisions that affect D&B Data or Personal Data.
9.11.Company must provide fail-safe controls to deactivate or override AI systems in case of critical failures.
9.12.Company must ensure that AI decision-making processes are explainable to both technical and non-technical stakeholders.
9.13.Company must employ tools to communicate AI outputs in an understandable format to external stakeholders.
9.14.Company must deploy AI models in secure, monitored and isolated environments to prevent unauthorized access.
9.15.Company must enforce strict version control and rollback capabilities for AI model updates and ensure there are no defects that could adversely affect intended outputs.