Partner Security Measures

The Partner Security Measures (“Measures”) describe the information security requirements for Nextworld Partners (“Partners”). These Measures ensure that Nextworld and Partners are safeguarding Customer information assets and complying with regulatory requirements of the Customers’ jurisdictions.

The Measures you are required to comply with will depend on the partnership type you have engaged in with Nextworld. If you have more than one partnership type, you must comply with the Measures at the highest partnership level. The following partnership types are covered in this document:

  1. Implementation Partner
  2. Industry Solution Provider
  3. Technology Partner

Implementation Partner

Nextworld will evaluate Implementation Partners’ adherence to the following Measures as they pertain to Nextworld confidential information, Customer data, and the systems used to store and process that information:

  • An information security policy shall be established and maintained.
  • Cybersecurity roles and responsibilities shall be established.
  • Policies shall be reviewed at least annually and updated as necessary.
  • All employees shall be required to complete Security Awareness training at least annually.
  • Background checks shall be performed on employees.
  • All employees shall be bound by Confidentiality Agreements.
  • All contractors with access to company data shall be bound by Non-disclosure Agreements.
  • Physical devices and systems shall be inventoried. Inventories shall be reviewed at least annually.
  • Inventories of software platforms and applications shall be maintained and reviewed at least annually.
  • Organization devices shall be protected against malware.
  • All Organization assets shall be returned by employees upon termination.
  • Confidential information received from Nextworld shall be encrypted at rest when stored in your systems.
  • Procedures for providing, managing, verifying, and revoking access to Partner systems shall be established and maintained.
  • Access permission and authorizations shall incorporate the principle of least privilege.
  • Individuals shall be provided with unique user accounts on Partner systems.
  • Policies and procedures ensuring strong passwords on Partner systems shall be established and maintained.
  • Multi-factor authentication shall be implemented on Partner systems.
  • Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, shall be understood and managed.
  • Risk management processes shall be established, managed, and agreed to by organizational stakeholders.
  • Risk management program shall address fraud risks.
  • A risk assessment shall be performed at least annually.
  • A Disaster Recovery/Business Continuity Plan (DR/BCP) shall be established and maintained.
  • The DR/BCP shall be reviewed annually and updated as necessary.
  • The DR/BCP shall be tested annually.
  • An Incident Response Plan (IRP) that describes the activities in the event of a cyber incident shall be established and maintained.
  • The IRP shall be reviewed annually and updated as necessary.
  • Monitoring and alerting mechanisms to notify appropriate employees of potential cyber incidents shall be implemented.
  • Data protection policies and procedures addressing the handling and protection of personally identifiable information (PII) shall be established and maintained. PII includes Customer PII and any PII your organization stores or processes (e.g., business contact data).
  • Your company's website shall include a Privacy Policy that informs individuals of their rights.
  • If third-party providers are used in providing services, a Third-Party Management program shall be established and maintained.
  • The Third-Party Management program shall include the performance of risk assessments on current and new providers.
  • The Organization shall establish written Service Level Agreements (SLAs) with third-party providers.
  • Procedures for applying security updates to all computer systems and software solutions shall be established and maintained.
  • Critical vulnerabilities in computer systems and software shall be patched as soon as a patch becomes available.

Industry Solution Provider

Along with the above Measures, Nextworld will evaluate Industry Solution Providers’ adherence to the following Measures as they pertain to Nextworld confidential information, Customer data, and the systems used to store and process that information:

  • A software development process shall be documented and implemented for the development of your solutions to ensure new functionality does not introduce security vulnerabilities.
  • Changes to the production solution shall be approved and tested following a documented change management process that protects against introducing security vulnerabilities in the product.
  • Procedures for reporting and managing technical issues with your solution prior to production deployment shall be established and maintained.

Technology Partner

Along with the above Measures, Nextworld will evaluate Technology Partners’ adherence to the following Measures as they pertain to Nextworld confidential information, Customer data, and the systems used to store and process that information:

  • Development and testing environments shall be separate from the production environment.
  • A vulnerability assessment of the product integrating with the Nextworld environment shall be conducted annually.
  • Penetration testing of the product integrating with the Nextworld environment shall be conducted annually.
  • Policies and procedures for destroying client and/or Nextworld data upon termination of the agreement shall be established and maintained.
  • Backups of client data in systems integrating with the Nextworld environment shall be performed at least daily.
  • Retention policies for system backups shall be implemented.
  • All information transferred or transmitted between your solution and the Nextworld environment shall be encrypted in transit.
  • Firewalls shall be implemented to restrict traffic into and out of systems integrating with the Nextworld environment.
  • A security solution shall be in place to protect your solution's endpoints.
  • Audit logs for systems integrating with the Nextworld environment shall be maintained to support incident investigations.
  • Client data hosted in the cloud shall be in data centers that comply with the privacy laws of the client.

If the Organization maintains data centers for systems integrating to Nextworld, the following Measures must be met:

  • Physical Security policy and procedures for the data center shall be established and maintained.
  • Documented procedures shall be established and maintained to prevent unauthorized devices (e.g., phones, laptops, tablets) from accessing data center networks.

Due Diligence Reviews

Prior to acceptance of any Agreement, and periodically over the life of the Agreement, Nextworld will complete a Due Diligence Review of the Partner’s compliance with these Measures. Partners shall assist Nextworld in completing the Due Diligence Review by providing any requested documentation and responding to any questions regarding the Partner’s security program.

Effective May 2024, Version 1.0