Salt Thinking supplier security & privacy requirements
Version 1
Effective date: 3rd September 2025
Salt Thinking is committed to high standards of IT security and data privacy and demands that those standards be met by all Service Providers to it.
It is a condition of working for Salt Thinking in any capacity, be that as a sole trader or a corporate, that Service Providers to Salt Thinking comply with these Service Provider Terms (the “Terms”) wherever they are located geographically.
Failure to comply with these Terms will entitle Salt Thinking to terminate immediately any contract in place with the Service Provider without liability.
1. Interpretation
Agreement means the contract between Salt and Service Provider under which Services are provided.
Client means a client or prospective client of Salt, including its affiliates.
Information Security Incident means any actual or suspected unauthorised access, loss, theft, use, disclosure, or processing of Salt Personal Information, Confidential Information or Salt systems.
Information Security Programme means the Service Provider's safeguards ensuring the confidentiality, security, integrity, and availability of information.
Personal Information means any information relating to an identified or identifiable individual (including, but not limited to, a person’s name, postal address, email address, telephone number, date of birth, national insurance or social security number or its equivalent, driver’s license number, account number, credit or debit card number, health or medical information, or any other unique identifier) that is Processed by the Service Provider for Salt. Personal Information includes Salt employee or personnel business contact information that may be exchanged in the ordinary course of business communications, such as information in email signatures.
Personnel means the employees, officers, directors, consultants and agents of a Service Provider.
Process or Processing means any operation or set of operations performed upon Personal Information, such as accessing, obtaining, storing, transmitting, using, disclosing or disposing of the Personal Information.
Salt means Salt Thinking Limited and any affiliate of the company from time to time.
Service Provider means any third party providing services to Salt.
Services means any services being provided by the Service Provider to Salt.
Subprocessor means a third party data processor engaged by Service Provider who has or will have access to, or will Process, Personal Information from Salt.
2. Service Provider's obligations
2.1. When Processing Personal Data Service Provider shall:
2.1.1. Process Personal Information only as necessary for the Agreement or as required by law.
2.1.2. Limit access to authorised Personnel who require it to perform services.
2.1.3. Before providing services it will:
2.1.3.1. Train its Personnel on information security.
2.1.3.2. Conduct background checks on all Personnel appropriate to the role and level of sensitive information such Personnel will have access to.
2.1.3.3. Ensure that third parties can and will maintain confidentiality.
2.1.3.4. Notify Salt immediately and in any case within 24 hours of relevant Personnel terminations where such Personnel have access to Salt IT infrastructure.
3. Compliance requirements
3.1. Service Provider shall:
3.1.1. Process Personal Information in accordance with the Agreement, applicable laws, and Salt policies notified to it from time to time.
3.1.2. Maintain an Information Security Programme compliant with laws and industry standards.
3.1.3. Securely destroy or return all Personal Information when no longer needed.
3.1.4. Conduct and document a comprehensive risk assessment of its information security controls at least annually and upon any material change to its systems that process Salt data.
4. International data transfers
4.1. If Service Provider or any third party acting on its behalf seeks to transfer Personal Information between countries in connection with the Services, Service Provider shall establish a legal basis for such transfer. Prior to any proposed transfer of Personal Information between countries, Service Provider shall obtain Salt's written consent to such transfer and comply with any requirements Salt may require Service Provider to meet in order to fulfil, or assist Salt in fulfilling, applicable regulatory requirements.
4.2. Where the services to be provided by the Service Provider anticipate the collection of Personal Information by the Service Provider from residents of the European Union or the UK on Salt's or its Clients' behalf, Service Provider shall inform data subjects of such transfer and obtain adequate consent to such transfer where required.
5. Deletion of Personal Data
5.1. When Personal Information is no longer necessary for the performance of Services, or promptly upon the termination of the Agreement, Service Provider shall securely destroy or return all Personal Information and Confidential Information in its possession, custody or control.
6. Technical safeguards
6.1. Service Provider shall:
6.1.1. Implement industry-standard encryption for data at rest and in transit.
6.1.2. Maintain robust access controls with multi-factor authentication for sensitive systems.
6.1.3. Deploy endpoint protection on all devices accessing Salt data.
6.1.4. Conduct regular vulnerability scanning and penetration testing.
6.1.5. Maintain 24/7 security monitoring capabilities.
6.1.6. Implement automated threat detection systems.
6.1.7. Establish security logging and audit trails for all systems handling Salt data.
6.1.8. Implement regular backup procedures with encryption.
6.1.9. Maintain offsite/offline backup copies of Salt data.
6.1.10. Conduct security assessments of all subcontractors to ensure subcontractors meet or exceed these security requirements.
6.1.11. Keep records of all Personnel with access to Salt data.
7. Information security incident response
7.1. In the event of a suspected Information Security Incident Service Provider shall:
7.1.1. Notify Salt by emailing Salt's Data Protection Lead within 24 hours of discovery, summarising the impact to Salt and the corrective actions taken or to be taken by Service Provider.
7.1.2. Investigate the reasons for the Information Security Incident, and take all necessary and advisable actions to remediate the Information Security Incident, preserving all evidence regarding the cause, the response and the remedial actions taken.
7.1.3. Assist with any investigation of a Security Incident by Salt and take such remedial actions as it requests.
7.1.4. Not disclose without Salt's prior written approval any information related to the suspected Security Incident to any third party other than a third party hired to investigate or mitigate such Security Incident, except as required by law.
7.1.5. Provide Salt with a detailed written report of the Information Security Incident within 72 hours of discovery, including root cause analysis and remediation steps.
8. Cooperation and information requests
8.1. In the event Service Provider receives a request relating to the Personal Information from Salt or a third party, Service Provider shall respond to Salt, or notify Salt in writing of the third party request, within 1 business day, and shall provide such assistance as Salt reasonably requests.
8.2. In the event the request is from a government or regulatory entity, Service Provider shall disclose the minimum Personal Information necessary to comply with law.
9. Audit rights
9.1. Salt reserves the right to audit Service Provider's compliance with these Terms at any time during the term of the Agreement upon providing reasonable notice.
9.2. Service Provider shall cooperate with Salt's audit and provide any information reasonably requested to verify compliance with these Terms.
9.3. Salt may conduct such audits no more than once per calendar year, unless there is reasonable suspicion of non-compliance or an Information Security Incident has occurred.
9.4. If an audit reveals material non-compliance with these Terms, Service Provider shall bear the reasonable costs of the audit and implement necessary remediation measures within timeframes agreed with Salt.
10. Subprocessor management
10.1. Service Provider shall:
10.1.1. Obtain Salt's prior written approval before engaging any Subprocessor to Process Personal Information.
10.1.2. Ensure that all Subprocessors are bound by written agreements that require them to provide at least the same level of protection for Personal Information as required under these Terms.
10.1.3. Provide a list of all Subprocessors with access to Salt data upon request.
10.1.4. Remain fully liable for the acts and omissions of any Subprocessor.
10.1.5. Conduct security assessments of all Subprocessors before engagement and at least annually thereafter.
11. Business continuity and disaster recovery
11.1. Service Provider shall maintain a business continuity and disaster recovery plan that is adequate and appropriate for a Service Provider of its size and service provision.
12. Service Provider's obligations
12.1. Service Provider may only use artificial intelligence ("AI"), including without limitation machine learning and generative AI ("GenAI"), in the performance of the Services or production of the Work Product provided that:
12.1.1. It is agreed in the SOW.
12.1.2. No Salt or Client Confidential Information is used with AI or GenAI without Salt's prior written consent.
12.2. Where AI use is permitted in a SOW, Service Provider represents and warrants that Service Provider:
12.2.1. Has used commercially reasonable efforts to evaluate the AI, including without limitation undertaking periodic security audits, to ensure the confidentiality, availability, and integrity of data used with AI.
12.2.2. Maintains current documentation of all AI systems used, including versions, capabilities, and limitations, and implements appropriate access controls and monitoring for AI system usage.
12.2.3. Uses AI in all cases: (1) in accordance with applicable laws, and (2) in compliance with the terms of use and any other contractual requirements applicable to such AI.
12.2.4. Upon request, will reasonably assist Salt with its efforts to comply with applicable laws in relation to Service Provider's use of AI, such as transparency and documentation.
12.2.5. Does not use AI to generate content that is illegal, inappropriate, harassing, discriminatory, offensive, or otherwise harmful (including reputationally) to Salt or its personnel, contractors, affiliates, suppliers or Clients, or their respective personnel, contractors, affiliates, suppliers or patients.
12.2.6. Does not use AI that (1) is classified as a "high-risk" AI system (or similar term) as defined under Applicable Laws or (2) makes fully automated decisions, or is a significant factor in making decisions, that have legal, ethical, or similar effects.
12.2.7. Validates and corrects any output generated by GenAI so that it is consistent with the standard of performance set out herein, and discloses the sources used by GenAI to generate the output.
12.2.8. Ensures transparency, through markings, attributions, or similar means, of any synthetic audio, image, video, or text content generated by GenAI, as well as the inputs used in the Work Product.
12.2.9. Has implemented reasonable measures to identify and mitigate potential bias in AI outputs, particularly for applications that may impact individuals or groups.
12.2.10. Maintains qualified personnel oversight of AI systems, with human review appropriate to the risk level of the AI application.
12.2.11. Maintains awareness of the training data sources and limitations of the AI systems used.
12.3. For the avoidance of doubt, nothing in this section is intended to limit or amend any other Service