1. The Contractor shall comply with the Laws of the Republic of Uzbekistan on information and personal data protection, as well as the Cybersecurity Policy of Unitel LLC, and other Customer's cybersecurity requirements.
1.2. The Contractor shall use access to the Customer's information systems solely for the purposes hereof. Any other use, including for testing, demonstration, and personal purposes by the Contractor's employees, ishall be strictly prohibited.
1.3. The Contractor's employees shall be granted access to the Customer's information systems and resources under the least privilege principle and only subject to requests approved by the Customer's authorized representatives. The Contractor shall provide.
1.4. When working with the Customer's systems, the Contractor and its employees shall use the provided accounts as follows.
1.4.1. Accounts are personalized (shared/group logins are prohibited).
1.4.2. Accounts are protected by strong passwords and, where technically feasible, multi-factor authentication (MFA).
1.4.3. Accounts are limited in validity and access rights according to the role of the Contractor's employee.
1.5. In case of changes to the personal data of employees, dismissal or replacement of employees who have access to the Customer's information systems and resources, the Contractor shall inform the Customer within 3 (three) business days after the change.
1.6. The Customer shall be entitled to block employee access.
Using PAM
1.5 All privileged access of the Contractor's employees to the Customer's infrastructure and information systems (including access to operating systems, DBMS, network equipment, virtualization systems, and security tools) shall be managed through the Customer's privileged access management system (PAM) or another PAM system agreed upon by the Parties.
1.6. When using the Customer's PAM-system:
1.6.1. Passwords for privileged accounts are stored and used only through PAM and are not implicitly disclosed to the Contractor's employees.
1.6.2. All privileged access sessions of the Contractor's employees shall be mandatorily registered and stored (screen recording, commands, and actions) by the Customer's PAM system, if this function is available.
1.6.3. It is prohibited to bypass the PAM system, except for emergencies that have been separately agreed with the Customer and are subject to subsequent documentation.
1.7. The Contractor shall not store the Customer's credentials (logins, passwords, keys, access tokens) outside the Customer's secure infrastructure and/or the PAM system and shall not transfer them to third parties.
Data processing and storage
1.8. Copying, uploading, and storing Customer data (including logs, database dumps, configurations, source codes, and other artifacts) is permitted only to the extent necessary to perform hereof, subject to the Customer's approval.
1.9. All Customer data temporarily stored in the Contractor's infrastructure shall be:
1.9.1. Stored encrypted.
1.9.2. Protected against unauthorized access, modification, and destruction.
1.9.3. Destructed or returned to the Customer upon the expiration of the Agreement or upon the written request of the Customer, subject to the provision of relevant documents.
Information security of connections
1.10. If remote access is necessary, such access shall be provided by the Contractor's employees to the Customer's systems only:
1.10.1. Via a secure communication channel agreed upon with the Customer (VPN, secure remote access gateway, etc.).
1.10.2. Workstations/servers used by the Contractor that meet the Customer's information security requirements (up-to-date security updates, antivirus protection, disk encryption, etc.)
1.11. It is permitted to use removable media (USB drives, external hard drives, etc.) when working with the Customer's systems and data, only with the prior written consent of the Customer.
Information security incidents
1.12. The Contractor shall notify the Customer immediately, but in any case, not later than 2 (two) hours after detection, of any information security incidents related to the Customer's systems and/or data, including, but not limited to: unauthorized access, data leaks, suspicious activity in privileged sessions, compromised accounts, etc.
1.13. The Contractor shall fully assist the Customer in investigating information security incidents related to the Contractor's activities hereunder, including providing PAM system logs, access logs, technical information, and explanations.
1.14. Failure to meet this section shall be considered a material breach of this Agreement and may be grounds for its early termination at the Customer's initiative, as well as for imposing on the Contractor the obligation to compensate for damages.
1.15. The Customer shall be entitled to suspend the Contractor's access to its systems upon detection or suspicion of breaches of information security until they are fully eliminated.
1.16. The obligations regarding data protection and return/destruction, log retention, and confidentiality shall remain in force after termination hereof for 1 (one) year.