Talk to Expert

Third-Party Vendor & API Integration Policy – Secure & Compliant Partnerships

Effective Date: January 1, 2025
Last Updated: January 1, 2025

  1. Introduction

    1. Net Onboard Sdn Bhd recognizes the importance of secure and compliant third-party vendor relationships and API integrations to ensure business efficiency, security, and regulatory compliance.
    2. This Third-Party Vendor & API Integration Policy establishes guidelines for:

      1. Evaluating, approving, and managing vendor partnerships and API integrations.
      2. Ensuring third-party services comply with industry security, privacy, and legal standards.
      3. Mitigating risks related to data breaches, financial fraud, and regulatory non-compliance.
    3. This policy applies to:

      1. All third-party vendors, technology partners, and API providers working with Net Onboard.
      2. All internal teams managing vendor relationships and integrating third-party APIs.
    4. This policy aligns with:

      1. ISO 27001 Information Security Standards
      2. General Data Protection Regulation (GDPR) (if applicable)
      3. Malaysia’s Personal Data Protection Act (PDPA) 2010
      4. Payment Card Industry Data Security Standard (PCI-DSS) for payment processors
  2. Vendor Selection & Approval Process

    1. Vendor Evaluation Criteria:

      1. Before engaging with a vendor, Net Onboard assesses the following factors:
        1. Security & Compliance: Adherence to ISO 27001, PCI-DSS, and PDPA.
        2. Reputation & Reliability: Track record in providing secure and stable services.
        3. Data Protection Measures: Encryption, data access control, and compliance with data privacy laws.
        4. Operational & Financial Stability: Vendor’s financial health and long-term service reliability.
    2. Due Diligence & Risk Assessment:

      1. Vendors must undergo risk assessment and compliance checks before onboarding.
      2. Net Onboard reserves the right to reject or terminate vendors that do not meet compliance standards.
  3. Third-Party API Integration Guidelines

    1. API Security Standards:

      1. All integrated APIs must use OAuth 2.0, JWT, or other secure authentication methods.
      2. API traffic is encrypted using SSL/TLS to prevent unauthorized interception.
    2. Data Access & Privacy Controls:

      1. API integrations must comply with data minimization principles, ensuring only necessary data is shared.
      2. Vendors must not store, copy, or misuse data obtained through API access.
    3. Performance & Reliability Standards:

      1. Vendors must meet 99.9% uptime SLA for mission-critical integrations.
      2. Net Onboard continuously monitors API response times, failure rates, and security vulnerabilities.
  4. Vendor & API Compliance Requirements

    1. Security & Privacy Compliance:

      1. Vendors handling payment processing must be PCI-DSS certified.
      2. Vendors handling personal data must comply with Malaysia’s PDPA and GDPR (if applicable).
      3. Vendors must implement multi-factor authentication (MFA) and role-based access controls (RBAC).
    2. Contractual Obligations & Data Protection Agreements (DPA):

      1. All third-party vendors must sign a Data Processing Agreement (DPA) to ensure GDPR and PDPA compliance.
      2. Vendors must agree to periodic audits and compliance assessments by Net Onboard.
    3. Service Level Agreements (SLA) & Liability Protection:

      1. Vendors must comply with Net Onboard’s SLA terms regarding uptime, data integrity, and security.
      2. Liability clauses protect Net Onboard against vendor-related breaches or failures.
  5. Vendor Performance Monitoring & Risk Management

    1. Ongoing Vendor Audits & Security Reviews:

      1. Net Onboard conducts annual security audits on critical vendors.
      2. If a vendor fails compliance checks, Net Onboard reserves the right to suspend or terminate the partnership.
    2. Incident Response & Vendor Breach Notification:

      1. Vendors must notify Net Onboard within 24 hours of a security incident or data breach.
      2. In case of a vendor-related breach, Net Onboard will conduct an internal risk assessment and mitigation plan.
    3. Vendor Termination & Exit Strategy:

      1. If a vendor relationship ends, the vendor must:
        1. Return or delete all Net Onboard data securely.
        2. Terminate API access and revoke authentication credentials.
  6. Enforcement & Consequences of Non-Compliance

    1. Vendor Non-Compliance Consequences:

      1. Failure to comply with this policy may result in:
        1. Suspension or termination of API access or vendor agreement.
        2. Financial penalties or legal claims for breach of contract.
    2. Legal Action for Vendor-Related Breaches:

      1. Net Onboard reserves the right to take legal action against vendors responsible for data breaches, fraud, or compliance violations.
  7. Governing Law & Dispute Resolution

    1. This policy is governed by Malaysian law, including the Personal Data Protection Act (PDPA) 2010 and the Contracts Act 1950.
    2. Vendor disputes will be resolved through mediation before arbitration or legal proceedings.
  8. Amendments & Updates

    1. Net Onboard reserves the right to modify this Third-Party Vendor & API Integration Policy at any time.
    2. Vendors and API partners will be notified of material changes via email or official updates.

For vendor compliance inquiries, contact [email protected].