Cybersecurity controls, insurance limits and audit rights for the Continuum Monitoring System: the schedule behind clause 5 of the Tier 3 SLA.
| Rev | Date | Description | Status |
|---|---|---|---|
| 1.0 | 2026-07-06 | First issue: control domains F1-F10, insurance limits, audit rights, verification evidence per control | Current |
Three principles shape every control below. The Monitoring System must never weaken the physical shield it watches. It must never accept an inbound control path from outside the site. And every promise must map to evidence a customer CISO can inspect, because in a data centre a security assertion without an artefact is worthless.
| Ref | Domain | Control commitments | Verification evidence |
|---|---|---|---|
| F1 | Governance | Named Provider security officer; information-security management aligned to ISO/IEC 27001 with certification of the monitoring service scope targeted within [18] months of first deployment; annual management review shared with Customer in summary. | ISO certificate or gap-assessment report; officer appointment letter |
| F2 | Architecture & segregation | No inbound control path to shield-side electronics under any configuration; outbound-only telemetry, with hardware data-diode mode available at Customer election; monitoring traffic on a dedicated VLAN or physically separate path; all shield penetrations for monitoring via the designated penetration bay using dielectric fibre, with shield integrity re-verified after installation. | Architecture diagram; diode certificate; post-install SE spot check |
| F3 | Access control | Role-based access with least privilege; multi-factor authentication for all Provider access to the twin and ops platform; joiner/mover/leaver process with [1] business day revocation; break-glass accounts sealed, logged and reviewed after every use; no shared credentials. | Access matrix; quarterly access review minutes |
| F4 | Vulnerability & patching | Monthly authenticated vulnerability scans of monitoring infrastructure; critical patches applied within 14 days of vendor release (SLA clause 5), high within [30] days; annual independent penetration test of the platform with findings summary to Customer; edge firmware signed and locally applied only. | Scan summaries; patch register; pen-test attestation letter |
| F5 | Logging & monitoring | Tamper-evident audit logs of all access and configuration changes; logs retained [12] months online and 7 years archived (matching the evidential retention of measurement data); synchronised time sources across the chain. | Log samples; retention config export |
| F6 | Incident response | Documented playbooks; Customer notified of any confirmed security incident affecting the Monitoring System within 24 hours (SLA clause 5), with a written report within [5] business days; annual joint incident exercise offered; forensic cooperation and evidence preservation on request. | Playbook index; exercise report; incident register |
| F7 | Data protection | Encryption in transit (TLS 1.2+ or diode-mediated) and at rest (AES-256 class); Customer is controller and Provider processor for any personal data incidentally captured (badge-adjacent metadata, contact records) under a data-processing agreement; measurement data handled per SLA clauses 13-14; deletion or return on exit per Schedule G with certificate of destruction. | Encryption config; signed DPA; deletion certificate template |
| F8 | Supply chain | Software bill of materials (SBOM) maintained for edge and platform software; security assessment of critical component vendors; signed firmware provenance; no components from vendors excluded by Customer's published prohibited list, agreed at onboarding. | SBOM extract; vendor assessment register |
| F9 | Personnel | Background screening of all personnel with platform or site access to the standard agreed at onboarding; annual security-awareness training; individual confidentiality undertakings; site-access personnel comply with Customer security procedures (SLA clause 15). | Screening policy; training completion records |
| F10 | Resilience | Edge gateway buffers 30 days locally (SLA clause 8); platform backups tested [quarterly]; disaster-recovery objectives for the twin and ops platform: RTO [24 h], RPO [4 h]; loss of platform never disables local threshold alerting at the edge. | DR test report; backup restore log |
| Cover | Minimum limit (placeholder) | Notes |
|---|---|---|
| Cyber liability (incl. incident response costs) | [€5 M] per claim | Named to respond to Monitoring System incidents; evidence annually per SLA clause 17 |
| Professional indemnity | [€5 M] per claim | Covers negligent survey or certification |
| Product liability | [€10 M] aggregate | Hardware in the field |
Audit rights. Customer may audit Provider's compliance with this schedule once per contract year on [20] business days' notice, plus once following any notified incident, by itself or an appointed assessor under confidentiality; audits use the evidence column above as the checklist, and findings feed the annual joint risk review (SLA clause 19). Provider may satisfy repeat requests across a portfolio with a shared independent assessment report.