Fogo Supplier Information Security Policy

Fogo Hospitality Inc. and all of its subsidiaries and affiliates (collectively “Fogo”) require all suppliers, service providers and other business partners (“You” or “Supplier”) to maintain a comprehensive written information security program (“Information Security Program”) that includes technical and organizational measures to ensure the confidentiality, security, integrity, and availability of information provided by Fogo, Fogo’s affiliates, and its and their employees, representatives, contractors, customers and suppliers (collectively, “Fogo Data”) and to protect against unauthorized access, use, disclosure, alteration or destruction of Fogo Data. In particular, the Information Security Program shall include, but not be limited to, the following measures where appropriate or necessary to ensure the protection of Fogo Data:

• Access Controls: Policies, procedures, and physical and technical controls: (i) to limit physical access to your information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of your workforce who require access to Fogo Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of your workforce from providing Fogo Data or information relating thereto to unauthorized individuals; and (iv) to encrypt and decrypt Fogo Data where appropriate.

• Security Awareness and Training: A mandatory and documented security awareness and training program, reviewed and updated annually, for all workforce members (including contractors and temporary staff), focusing on emerging threats and compliance obligations.

• Security Incident Procedures: A comprehensive incident response plan that includes procedures for detection, containment, eradication, recovery, and post-incident analysis. The plan must be tested through regular tabletop exercises or simulated attacks.

• Contingency Planning: Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Fogo Data or systems that contain Fogo Data, including a data backup plan and a disaster recovery plan. The plan must be tested through regular tabletop exercises.

• Device and Media Controls: Policies and procedures governing the receipt and removal of hardware and electronic media that contain Fogo Data into and out of your facilities, and the movement of these items within your facilities, including policies and procedures to address the final disposition of Fogo Data and/or the hardware or electronic media on which it is stored, and procedures for removal of Fogo Data from electronic media before the media are made available for re-use. You shall ensure that no Fogo Data is downloaded or otherwise stored on laptops or other portable devices.

• Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

• Data Integrity: Policies and procedures to ensure the confidentiality, integrity, and availability of Fogo Data and protect it from disclosure, improper alteration, or destruction.

• Storage and Transmission Security: Technical security measures to guard against unauthorized access to Fogo Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Fogo Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.

• Assigned Security Responsibility: You shall designate a security official responsible for the development, implementation, and maintenance of your Information Security Program. You shall inform Fogo of the identity of the person responsible for security.

• Storage Media: Policies and procedures to ensure that prior to any storage media containing Fogo Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, you will delete such Fogo Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. You shall maintain an auditable program implementing the disposal and destruction requirements set forth in this Section for all storage media containing Fogo Data.

• Testing: No less than annually, you shall test the key controls, systems and procedures of your Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Such testing shall include periodic penetration testing and a structured vulnerability management program. Tests should be conducted or reviewed by independent third parties or by staff independent of those who develop or maintain the security programs.

• Adjust the Program: You shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Fogo Data, internal or external threats to you or the Fogo Data, and your own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

More specifically, Supplier’s Information Security Program shall meet or exceed the following requirements:

1. SCOPE; DEFINITIONS

1.1 Security Policy. Supplier will comply in all respects with Fogo’s information security requirements set forth in this Supplier Information Security Policy (the “Security Policy”). The Security Policy applies to Supplier’s performance under any agreement between Supplier and Fogo (the “Agreement”) and all access, collection, use, storage, transmission, disclosure, destruction or deletion of, and security incidents regarding, Fogo Information (as defined below). This Security Policy does not limit other obligations of Supplier, including under the Agreement or with respect to any laws that apply to Supplier, Supplier’s performance under the Agreement, the Fogo Information or the Permitted Purpose (as defined below). To the extent this Security Policy directly conflicts with the Agreement, Supplier will promptly notify Fogo of the conflict and will comply with the requirement that is more restrictive and more protective of Fogo Information (which may be designated by Fogo).

1.2 Definitions.
(A) “Affiliate” means, with respect to a particular person, any entity that directly or indirectly controls, is controlled by, or is under common control with such person.
(B) “Aggregate” means to combine or store Fogo Information with any data or information of Supplier or any third party.
(C) “Anonymize” means to use, collect, store, transmit or transform any data or information (including Fogo Information) in a manner or form that does not identify, permit identification of, and is not otherwise attributable to any user, device identifier, source, product, service, context, brand, or Fogo or its Affiliates.
(D) “Fogo Information” means, individually and collectively: (a) all Fogo Confidential Information (as defined in the Agreement or in the non-disclosure agreement between the parties); (b) all other data, records, files, content or information, in any form or format, acquired, accessed, collected, received, stored or maintained by Supplier or its Affiliates from or on behalf of Fogo or its Affiliates, or otherwise in connection with the Agreement, the services provided under the Agreement, or the parties’ performance of or exercise of rights under or in connection with the Agreement; and (c) all data or information derived from (a) or (b), even if Anonymized.

1.3 Permitted Purpose. Except as expressly authorized under the Agreement, Supplier may access, collect, use, store, and transmit only the Fogo Information expressly authorized under the Agreement and solely for the purpose of providing the services under the Agreement, consistent with the licenses (if any) granted under the Agreement (the “Permitted Purpose”). Except as expressly authorized under the Agreement, Supplier will not access, collect, use, store or transmit any Fogo Information and will not Aggregate Fogo Information, even if Anonymized. Except with Fogo’s prior express written consent, Supplier will not (A) transfer, rent, barter, trade, sell, loan, lease or otherwise distribute or make available to any third party any Fogo Information or (B) Aggregate Fogo Information with any other information or data, even if Anonymized.

2. SECURITY POLICY.

2.1 Basic Security Requirements. Supplier will, consistent with current best industry standards and such other requirements specified by Fogo based on the classification and sensitivity of Fogo Information, maintain physical, administrative and technical safeguards and other security measures (A) to maintain the security and confidentiality of Fogo Information accessed, collected, used, stored or transmitted by Supplier, and (B) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure and all other unlawful forms of processing. Supplier will maintain certification or compliance with security frameworks such as SOC 2 Type II or NIST 800-53. Without limitation, Supplier will comply with the following requirements:

(A) Firewall. Supplier will install and maintain a working network firewall to protect data accessible via the Internet and will keep all Fogo Information protected by the firewall at all times.

(B) Updates. Supplier will keep its systems and software up-to-date with the latest upgrades, updates, bug fixes, new versions and other modifications necessary to ensure security of the Fogo Information.

(C) Software Development. Supplier will use secure coding standards, code reviews, and vulnerability scanning of applications where relevant.

(D) Anti-malware. Supplier will at all times use anti-malware software and will keep the anti-malware software up to date. Supplier will mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably have been detected.

(E) Encryption. Supplier will encrypt data at rest and data sent across open networks in accordance with industry best practices.

(F) Testing. Supplier will regularly test its security systems and processes to ensure they meet the requirements of this Security Policy.

(G) Access Controls. Supplier will secure Fogo Information, including by complying with the following requirements:

(1) Supplier will assign a unique ID to each person with computer access to Fogo Information.
(2) Supplier will restrict access to Fogo Information to only those people with a “need-to-know” for a Permitted Purpose.
(3) Supplier will perform quarterly access reviews to validate the principle of least privilege and will promptly remediate any identified excessive or unauthorized access.
(4) Supplier will not use manufacturer-supplied defaults for system passwords and other security parameters on any operating systems, software or other systems. Supplier will mandate and ensure the use of system-enforced “strong passwords” in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to, Fogo Information and will require that all passwords and access credentials are kept confidential and not shared among personnel.
i. Password best practices. Passwords must meet the following criteria:

• contain at least 8 characters;
• not match the user’s previous passwords, login name, or common name;
• be changed whenever an account compromise is suspected or assumed; and
• be replaced regularly, after no more than 90 days.

(5) Supplier will maintain and enforce “account lockout” by disabling accounts with access to Fogo Information when an account exceeds 10 consecutive incorrect password attempts.
(6) Except where expressly authorized by Fogo in writing, Supplier will isolate Fogo Information at all times (including in storage, processing or transmission), from Supplier’s and any third party information.
(7) If additional physical access controls are requested in writing by Fogo, Supplier will implement and use those secure physical access control measures.
(8) Supplier will provide to Fogo on an annual basis, or more frequently upon Fogo’s request, (1) log data about all use (both authorized and unauthorized) of Fogo’s accounts or credentials provided to Supplier for use on behalf of Fogo (e.g., social media account credentials), and (2) detailed log data about any impersonation of, or attempt to impersonate, Fogo personnel or Supplier personnel with access to Fogo Information.
(9) Supplier will regularly review access logs for signs of malicious behavior or unauthorized access.

(H) Supplier Policy. Supplier will maintain and enforce an information and network security policy for employees, subcontractors, agents, and suppliers that meets the standards set out in this policy, including third-party assessments and methods to detect and log policy violations. Upon request by Fogo, Supplier will provide Fogo with information on violations of Supplier’s information and network security policy, even if it does not constitute a Security Incident.

(I) Subcontract. Supplier will not subcontract or delegate any of its obligations under this Security Policy to any subcontractors without Fogo’s prior written consent. Notwithstanding the existence or terms of any subcontract or delegation, Supplier will remain responsible for the full performance of its obligations under this Security Policy. The terms and conditions of this Security Policy will be binding upon Supplier’s subcontractors and personnel. Supplier (a) will ensure that Supplier’s subcontractors and personnel comply with this Security Policy, and (b) will be responsible for all acts, omissions, negligence and misconduct of its subcontractors and personnel.

(J) Administrative Access. Supplier will ensure that any access from outside protected corporate or production environments to systems holding Fogo Information or Supplier’s corporate or development workstation networks requires multi-factor authentication (e.g., requires at least two separate factors for identifying users).

(K) “In Bulk” Access. Except where expressly authorized by Fogo in writing, Supplier will not access, and will not permit access to, Fogo Information “in bulk”, whether the Fogo Information is in a Fogo- or Supplier-controlled database or stored by any other method, including storage in file-based archives (e.g., flat files). For purposes of this section, “in bulk” access means accessing data by means of database query, report generation or any other mass transfer of data. Specifically, this section prohibits any access to Fogo Information except for access to individual records as needed for the Permitted Purpose. Supplier will preserve detailed log data on attempted or successful “in bulk” access to Fogo Information, and provide reports from these logs promptly at Fogo’s request. In the event that Fogo provides written authorization for access to Fogo Information “in bulk”, Supplier will (1) limit such access only to specified employees with the “need to know”, and (2) use tools that limit access and require explicit authorization and logging of all access.

(L) Supplier personnel. Fogo may condition access to Fogo Information by Supplier personnel on those personnel’s execution and delivery to Fogo of individual nondisclosure agreements, the form of which is specified by Fogo. Where Fogo so requires, Supplier will obtain and deliver to Fogo signed individual nondisclosure agreements from each member of Supplier personnel who will have access to the Fogo Information, before granting that person access to, or providing that person, any Fogo Information. Supplier will also (a) maintain a list of all Supplier personnel who have accessed or received the Fogo Information and provide that list to Fogo upon request within an agreed upon timeframe, and (b) notify Fogo no later than 24 hours after any specific individual Supplier personnel authorized to access Fogo Information in accordance with this Section (i) no longer needs access to Fogo Information or (ii) no longer qualifies as Supplier personnel (e.g., the personnel leaves Supplier’s employment).

2.2 Access to Fogo Extranet and Supplier Portals. Fogo may grant Supplier access to Fogo Information via web portals or other non-public websites or extranet services on Fogo’s or a third party’s website or system (each, an “Extranet”) for the Permitted Purpose. If Fogo permits Supplier to access any Fogo Information using an Extranet, Supplier must comply with the following requirements:

(A) Permitted Purpose. Supplier and its personnel will access the Extranet and access, collect, use, view, retrieve, download or store Fogo Information from the Extranet solely for the Permitted Purpose.

(B) Accounts. Supplier will ensure that Supplier personnel use only the Extranet account(s) designated for each individual by Fogo and will require Supplier personnel to keep their access credentials confidential.

(C) Systems. Supplier will access the Extranet only through computing or processing systems or applications running operating systems managed by Supplier and that include: (i) system network firewalls in accordance with Section 2.1(A) (Firewall); (ii) centralized patch management in compliance with Section 2.1(B) (Updates); (iii) operating system appropriate anti-malware software in accordance with Section 2.1(D) (Anti-malware); and (iv) for portable devices, full disk encryption.

(D) Restrictions. Except if approved in advance in writing by Fogo, Supplier will not download, mirror or permanently store any Fogo Information from any Extranet on any medium, including any machines, devices or servers.

(E) Account Termination. Supplier will terminate the account of each of Supplier’s personnel and notify Fogo no later than 24 hours after any specific Supplier personnel who has been authorized to access any Extranet (a) no longer needs access to Fogo Information or (b) no longer qualifies as Supplier personnel (e.g., the personnel leaves Supplier’s employment).

(F) Third Party Systems.

(1) Supplier will give Fogo prior notice and obtain Fogo’s prior written approval before it uses any third party system that stores or may otherwise have access to Fogo Information, unless a) the data is encrypted in accordance with this Security Policy, and b) the third party system will not have access to the decryption key or unencrypted “plain text” versions of the data. Fogo reserves the right to require a Fogo security review (in accordance with Section 2.5 below) of the third party system before giving approval.
(2) If Supplier uses any third party systems that store or otherwise may access unencrypted Fogo Information, Supplier must perform a security review of the third party systems and their security controls and will provide Fogo periodic reporting about the third party system’s security controls in the format requested by Fogo (e.g., SAS 70, SSAE 16 or a successor report), or other recognized industry-standard report approved by Fogo.

2.3 Data Retention and Destruction.

(A) Retention. Supplier will retain Fogo Information only for the purpose of, and as long as is necessary for, the Permitted Purpose.

(B) Return or Deletion. Supplier will promptly (but within no more than 72 hours after Fogo’s request) return to Fogo and permanently and securely delete all Fogo Information upon and in accordance with Fogo’s notice requiring return and/or deletion. Also, Supplier will permanently and securely delete or anonymize all Fogo Information in compliance with NIST standards or equivalent, ensuring that no data is recoverable by any means, and will provide certification of destruction upon request.

(C) Archival Copies. If Supplier is required by law to retain archival copies of Fogo Information for tax or similar regulatory purposes, this archived Fogo Information must be stored in one of the following ways:

(1) As a “cold” or offline (i.e., not available for immediate or interactive use) backup stored in a physically secure facility; or
(2) Encrypted, where the system hosting or storing the encrypted file(s) does not have access to a copy of the key(s) used for encryption.

(D) Recovery. If Supplier performs a “recovery” (i.e., reverting to a backup) for the purpose of disaster recovery, Supplier will have and maintain a process that ensures that all Fogo Information that is required to be deleted pursuant to the Agreement or this Security Policy will be re-deleted or overwritten from the recovered data in accordance with this Section 2.3 within 24 hours after recovery occurs. If Supplier performs a recovery for any purpose, no Fogo Information may be recovered to any third party system or network without Fogo’s prior written approval. Fogo reserves the right to require a Fogo security review (in accordance with Section 2.5 below) of the third party system or network before permitting recovery of any Fogo Information to any third party system or network.

(E) Deletion Standards. All Fogo Information deleted by Supplier will be deleted in accordance with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, December 18, 2014 (available at https://www.nist.gov/publications/nist-special-publication-800-88-revision-1-guidelines-media-sanitization), or through degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, or by shredding or mechanical disintegration, or such other standards Fogo may require based on the classification and sensitivity of the Fogo Information. With respect to Fogo Information encrypted in compliance with this Security Policy, this deletion may be done by permanently and securely deleting all copies of the keys used for encryption.

2.4 Forensic Destruction. Before disposing in any manner of any hardware, software, or any other media that contains, or has at any time contained, Fogo Information, Supplier will perform a complete forensic destruction of the hardware, software or other media so that none of the Fogo Information can be recovered or retrieved in any form. Supplier will perform forensic destruction in accordance with the standards Fogo may require based on the classification and sensitivity of the Fogo Information.

(A) Supplier will not sell, resell, donate, refurbish, or otherwise transfer (including any sale or transfer of any such hardware, software, or other media, any disposition in connection with any liquidation of Supplier’s business, or any other disposition) any hardware, software or other media that contains Fogo Information that has not been forensically destroyed by Supplier.

2.5 Security Review.

(A) Risk Assessment Questionnaire. Fogo reserves the right to periodically request Supplier to complete a new Fogo risk assessment questionnaire.

(B) Certification. Upon Fogo’s written request, Supplier will certify in writing to Fogo that it is in compliance with this Agreement.

(C) Other Reviews. Fogo reserves the right to periodically review the security of systems that Supplier uses to process Fogo Information. Supplier will cooperate and provide Fogo with all required information within a reasonable time frame but no more than 20 calendar days from the date of Fogo’s request.

(D) Remediation. If any security review identifies any deficiencies, Supplier will, at its sole cost and expense take all actions necessary to remediate those deficiencies within an agreed upon timeframe.

2.6 Security Incidents.

(A) Supplier must have documented information security and security incident response procedures that enable the effective and orderly management of security incidents. The procedures must cover the reporting, analysis, continuous monitoring and resolution of security incidents.

(B) Reported security incidents shall be verified and then analyzed to determine their impact. All confirmed incidents should be classified, logged and handled by order of priority.

(C) Supplier will inform Fogo within 24 hours of detecting any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption or loss of Fogo Information, or breach of any environment (i) containing Fogo Information, or (ii) managed by Supplier with controls substantially similar to those protecting Fogo Information (each, a “Security Incident”). Supplier will remedy each Security Incident in a timely manner and provide Fogo written details regarding Supplier’s internal investigation of each Security Incident. Supplier agrees not to notify any regulatory authority, nor any customer, on behalf of Fogo unless Fogo specifically requests in writing that Supplier do so. Fogo reserves the right to review and approve the form and content of any notification before it is provided to any party. Supplier will cooperate and work together with Fogo to formulate and execute a plan to rectify all confirmed Security Incidents.

(D) Supplier will inform Fogo within 24 hours when Fogo Information is being sought in response to legal process or by applicable law.

(E) Supplier shall reimburse Fogo for any costs or expenses that arise from or relate to any Security Incident, to the extent caused by or relating to any act or omissions of Supplier, its affiliates, or third parties acting on their behalf, and Supplier shall cooperate with Fogo at Supplier’s expense regarding the timing and manner of any notifications to governmental authorities and to the parties whose information has been the subject of the Security Incident. Fogo may disclose the occurrence of a Security Incident in connection with such notifications and as may otherwise be required by or necessary in connection with applicable law, regulation, or policy.