MINIMUM SECURITY STANDARDS FOR THIRD-PARTY SERVICE PROVIDERS

As part of our commitment to information security and data protection, Natixis CIB Americas has established the following minimum-security standards for third-party service providers (each, a “Service Provider” and collectively, “Service Providers”). These standards are designed in a risk-based manner to ensure that Service Providers adhere to the highest levels of security and compliance, safeguarding the confidentiality, integrity, and availability of sensitive information and data as appropriate.The following purchase order terms and conditions (“Terms”) only apply to transactions that do not have a written agreement, duly executed by both parties. If there is such an agreement, then those terms shall be the terms that govern the transaction and relationship of the parties.

Service Providers must undergo a comprehensive risk assessment and due diligence process to evaluate their security controls, practices, and overall risk posture. This assessment will be risk based and be based on the Service Provider’s tier and nature of the services provided and the potential impact on our organization's security.

Service Providers must demonstrate the implementation of robust security controls and practices to protect our organization's data. This includes measures such as access controls, encryption, network security, and vulnerability management.

Service Providers must comply with all applicable laws, regulations, and industry standards related to information security and data protection. This includes but is not limited to GDPR, HIPAA, PCI DSS, and any other relevant data protection regulations based on the nature of the services provided.

Service Providers are required to have a documented incident response plan and promptly notify our organization of any security incidents, breaches, or unauthorized access to our data. This notification should include all relevant details and be provided within a specified timeframe.

Service Providers must ensure the protection of personal and sensitive data in compliance with applicable privacy laws. They should have measures in place to safeguard the privacy and confidentiality of the data they handle on our behalf.

Service Providers must have documented business continuity and disaster recovery plans to ensure the continuous and uninterrupted operation of their services. These plans should include backup and recovery procedures, as well as testing and validation of these processes.

Service Providers should conduct regular security awareness training for their employees to ensure a culture of security and awareness. This includes training on information security best practices, data handling procedures, and incident reporting.

As appropriate and based on risk tier, Service Providers are required to provide regular compliance reports, including but not limited to SOC 2 Type 2, ISO/IEC 27001, and any other relevant certifications. They must also allow for audits and assessments of their security controls and practices.

If the Service Provider engages subcontractors, they must ensure that these subcontractors adhere to similar security standards and practices. The Service Provider remains fully responsible for the actions of their subcontractors.

Upon termination of the service agreement, the Service Provider must return or securely dispose of any data or information belonging to our organization. This includes the secure deletion of data and the return of any data in our possession.

By upholding these minimum-security standards, Service Providers can exemplify their dedication to safeguarding the information and data of Natixis CIB Americas. Non-compliance with these standards may lead to the termination of the service agreement and potential legal repercussions.

This document delineates the critical security standards expected of Service Providers, ensuring the safeguarding of sensitive information and adherence to legal and regulatory requisites. It serves as an essential framework for establishing and upholding a secure partnership with Service Providers.