
TDCX (PH) Inc Data Security and Privacy (DSAP) Supplier’s Agreement

As a TDCX (PH) Inc Supplier, you are responsible for protecting TDCX data and its client/s.

As stated in the TDCX DSAP Policy (1-001), all suppliers are required to follow the commitment by the TDCX
Executive Committee in ensuring that all data shall have appropriate controls to preserve its confidentiality,
integrity, and availability.

TDCX (PH) Inc is committed to safeguarding and ensuring the privacy of all data that is being processed and/or
stored by the resources that TDCX has a legal and contractual requirement to. In line with this commitment, TDCX
created a Data Security and Privacy Management System (DSAPMS) that consists of policies which will be owned
and managed by the Business Compliance Manager of the Business Excellence Department, which is co-led and
supported by the TDCX Executive Committee. The DSAPMS has the pillars of governance, monitoring, evaluation,
and continuous improvement of the current system to ensure that every data point preserves its
confidentiality, availability, integrity, and compliance with all regulations, legislation, and contractual
requirements.

Data Classification and Handling


TDCX requires all suppliers to classify and handle TDCX data with the highest security controls that can be made
available by the supplier’s organization. This is to ensure that TDCX data preserves its confidentiality,
integrity, and availability.

Data Confidentiality
TDCX requires all suppliers to ensure that the data can be accessed by authorized personnel, entities, and/or parties
that are under the agreement with TDCX.

Data Availability
TDCX requires all suppliers to provide appropriate processes and controls to ensure that the data entrusted to all
suppliers is resilient to any threat, guaranteeing that it is always available when it is required to be accessed based on
the scope of work.

Data Integrity
TDCX requires all suppliers to provide appropriate processes and controls to ensure that the data entrusted to all
suppliers can only be modified by the authorized person based on the scope of work.

Data Privacy Act of the Philippines


TDCX requires all suppliers that could access TDCX employees’ personal data and personal sensitive data, as
described by the Data Privacy Act of the Philippines, to be compliant with its Implementation Rules and
Regulations (IRR). TDCX has the right to obtain the result of the assessment associated with the processes, systems,
and anything related to the privacy impact assessment made by the supplier.

People Security

Suppliers must ensure that the people/human resources who will provide services in handling TDCX data directly or
indirectly (visual and/or audible) shall undergo the following check/s:

Document version no. 3.0 Document control no. BEX/PE/F/1007 Classification Confidential
• Background Check – This is to ensure that the credentials declared shall be validated based on the
requirement of the agreement on scope of work. This is to ensure competence of the individual in handling the
TDCX data.

• Police/NBI Clearance – This is to ensure that the individual who can directly or indirectly access TDCX data has
no criminal records.

• Non-Disclosure Agreement (NDA) – This is to ensure that the individual who can directly or indirectly access
TDCX data shall sign the NDA form that binds the individual as an unauthorized person who must not disclose
any TDCX data that one processes or comes across in any given event.

• Security Awareness – The suppliers ensure that all resources shall undergo training before they access TDCX
data and shall have an annual refresher of the TDCX’s data security policies. The Data Security Awareness
materials will be shared by TDCX once requested.

Physical Security
Facilities where the TDCX data is being processed shall have appropriate controls to ensure that the TDCX
data being processed is protected from any visual or audible collection by unauthorized personnel who are not
part of the scope of work.

Logical Security
Technologies used shall have appropriate security protocols to ensure that the TDCX data is protected from
unauthorized access, modification, and/or deletion.

Right to Audit
TDCX has the right to audit the supplier to assess and ensure compliance with this TDCX Supplier DSAP
agreement and all existing agreements with TDCX.

Data Incident
All suppliers are required to report, without any exemptions or delays, any data incident of TDCX data within
twelve (12) hours from the time of discovery and provide a data incident report within seventy-two (72)
hours from the time of discovery. (Supplier is required to call AND email their TDCX point of contact and
shall email and/or call datasecurity.ph@tdcx.com +63 2 862 9566 ext. 89556.)

• Data incident means any incident that is an intentional, accidental, or unlawful destruction of,
unauthorized access to, use, disclosure, or loss of any TDCX Data or any other suspected
breach or compromise of the security, confidentiality, integrity or availability of TDCX
Data.

• The Data Incident Report must consist of the following:

- Date and Time of discovery of the security incident
- Details of the TDCX data involved
- Actions taken to remediate and remove the threat
- Root Cause Analysis of the incident
- Preventive Plans and Commitment Date to commit.

End of Agreement
Suppliers shall delete all the TDCX data upon cessation of the agreement. All physical and digital copies of all
types of TDCX data shall be deleted in a manner such that they cannot be recovered.

Deviation/ Exemption
Any request for exclusion from any segments or terms of this agreement shall secure a written approval from
datasecurity.ph@tdcx.com.

Document version no. 2.0 Document control no. BEX/PE/F/1007 Classification INTERNAL
_____________________________
Authorized Supplier Representative

_____________________________
Date
