Supplier requirements for information security

Wolpert Holding GmbH Schmalbachstraße 26 D-74626 Bretzfeld
Phone: +49 79 46 / 91 15 – 0 Telefax: +49 79 46 / 91 15 990
E-Mail: info@wolpert-gruppe.de
Internet: www.wolpert-holding.de
Requirements for information security
FB 00.03.03 Rev. 02
Created: QM Status: 30.04.2021 Page 2 of 3

Information security is of great importance to the Wolpert Group.
In order to comply with the necessary information security standards within the Wolpert Group, the parties agree to the following information security requirements for all services in the area of information and telecommunications technology in addition to the General Terms and Conditions of Purchase.
These requirements for prototype protection apply in principle to companies that are designated by the Wolpert Group or its customers for an order for which the exchange of information is necessary. The basic prerequisite for this is that a Wolpert Group company concludes a non-disclosure agreement with the contractor.

1. General information on service provision
Information security means that an appropriate level of integrity, availability and confidentiality of data and systems is guaranteed in all processes in which information and telecommunications technology is used in accordance with the current state of the art. To this end, the Contractor shall ensure the following points.

1. When providing services, it must be ensured that the general state of the art is observed. This includes compliance with the relevant DIN standards, data protection regulations and corresponding international and European standards (e.g. DIN ISO, DIN EN) as a minimum standard. Services must be provided in such a way that they do not conflict with the Client's compliance with information security standards.

2. When providing services at the Client's premises, the Contractor shall comply with the security regulations and information guidelines applicable there, which the Client shall make available to it on request. When accessing the Client's information and telecommunications technology, the Contractor shall strictly observe the applicable information security guidelines and the following regulation, in particular also in the case of remote access.
a. Data is only processed remotely if this is agreed or regulated in the underlying service contract. This also includes activities in which data is migrated from one system to another.

3. If the Contractor's IT systems are used, they must have the following basic security measures in place:
- The IT systems must have the necessary licenses.
- The IT systems must be adequately protected against malware. Endpoint protection must be used and must receive updates on a daily basis.
- The operating systems on the IT systems must have the latest security updates from the respective operating system provider installed. Only operating systems that are still supported and maintained by the manufacturer may be used.

1. Upon termination of the contract, access authorizations for the Contractor's personnel to the Client's systems and premises shall end at the same time. ID cards and other items provided for authentication purposes shall be returned to the Client without being requested to do so.

2. The Contractor shall check deliveries and services, in particular deliveries and services transmitted electronically (e.g. via e-mail or data transfer), as well as all data carriers used within the scope of the service, for malware (e.g. Trojans, viruses, spyware, etc.) using the latest testing and analysis procedures, thereby ensuring that they are free of malware. If malware is detected, the data carrier may not be used. If the Contractor detects malware at the Client's premises, it shall inform the Client immediately. The same obligations apply to any form of electronic communication.

3. The Contractor undertakes to immediately and effectively secure all information and data of the Client against unauthorized access, modification, destruction or loss, unauthorized processing and other misuse in accordance with the state of the art. When backing up the Client's data, all precautions and measures in accordance with the current state of the art must be observed so that data can be archived and restored in a loss-proof and legally compliant manner at all times.

4. The information and data of the Client may only be used by the Contractor for the contractually agreed purposes and insofar as this is necessary for the fulfillment of the contract. When processing data from different clients, their separation must be verifiably ensured (client separation).

2. Control rights
1. The Client shall be entitled to monitor compliance with the provisions of this agreement to the extent necessary in the form of audits. For this purpose, the Contractor shall, after consultation, grant the Client unhindered entry to its premises and unhindered access to information-processing systems, programs, files and information related to the performance of the activities. The Contractor shall provide the Client with all information required to fulfill the control function.

2. If the Contractor is ISO 27001 or BSI Grundschutz certified, or holds a valid TISAX label, this serves as proof of compliance with the regulations described here. For this purpose, all locations, processes, organizational units and IT systems relevant to the provision of services must be included in the scope of the certification. Proof must be provided to the Client immediately upon request.

3. All services rendered and related activities shall be documented by the Contractor and made available to the Client upon request.

4. Behavior in the event of incidents
1. The Contractor shall inform the Client immediately if there is a risk that unauthorized persons may access data of Wolpert Group companies due to seizure, confiscation or other official access, in insolvency or composition proceedings, or due to other events or measures by third parties. The Contractor shall inform the third parties that the data in question is data from Wolpert Group companies.
2. The Contractor must inform the Client immediately if it becomes aware of, or has reasonable grounds to suspect, data protection violations, security breaches or other manipulations of the processing procedure that affect Wolpert data, and must immediately, in coordination with the Client, take all necessary steps to clarify the facts and limit the damage. The notification must be made by e-mail or by telephone (if e-mail is not possible). A report must also be made immediately in the event of mere suspicion.

Contact details:
Position / Information Security Officer
E-Mail / ISB@wolpert-holding.de

Examples of a data protection and information security incident can include:

- Loss of data carriers, documents or devices with Wolpert information
- Breach (or suspected breach) of confidentiality through spying (e.g. on the train)
- Malware infestation
- Violation of the regulations laid down in this document
- Detection of unauthorized access to Wolpert premises or the Contractor's own premises
- Misdirected e-mails
- etc.
