Publix Super Markets, Inc. Third Party Connectivity Policy

Vendor shall comply with Publix’s requirements set forth in this Third Party Connectivity Policy (the “Policy”) when connecting to the Publix Enterprise Network, including but not limited to the following:

The following definitions shall apply to this Policy:

“Authorized User” means any employee, agent, or contractor of Vendor authorized to connect to the Publix Enterprise Network.

“Confidential Information” means any information disclosed by Publix to Vendor or that is otherwise accessible by Vendor pursuant to any agreement to which this Policy applies in a context that would cause a reasonable person to believe the information is intended to be treated as confidential, including but not limited to documents expressly designated as confidential and information related to Publix’s members, clients, customers, processes, existing or future products, employees, technology, applications, methods of operation, facilities, equipment, security systems, information systems, finances, marketing plans, suppliers, or distributors; provided, however, that “Confidential Information” shall not include information that: (a) is now generally available or becomes generally available to the public without breach of this Policy or any other confidentiality agreement by and between the parties; (b) is explicitly approved for release by written authorization of Publix; (c) is lawfully obtained from a third party or parties without a duty of confidentiality; (d) is disclosed to a third party by Publix without a duty of confidentiality; (e) is known to Vendor prior to disclosure by Publix; or (f) is at any time developed by Vendor independently of any such disclosure(s) by Publix.

“Sensitive Information” includes (a) an individual’s name with one or more of the following: (i) social security number; (ii) driver’s license number, state identification card number, passport number, resident alien identification card number, or other number used for legal identification purposes; (iii) bank account or EBT number; or (iv) any other information used to verify identity or authorization, such as a PIN, account password, security question response, scanned fingerprint or ink fingerprint; (b) full credit or debit card numbers in the clear; (c) information related to human resources or personnel, such as results of criminal background, credit, drug or alcohol checks, or diversity information such as race, gender, and age information (aggregated or with enough detail to aggregate); (d) financial information not publicly available, including financial results or Publix stock prices before release; (e) proprietary data such as strategies, decisions, new markets, new concepts, trade secrets, results, merger or acquisition plans, business ventures or manufacturing production recipes before release; (f) legal information, including settlement documents, court orders that are not publicly available, communications protected by attorney/client privilege, and information compiled for law enforcement purposes before it is disclosed; and (g) any information that Vendor may have or may obtain concerning Publix’s employees, customers, contractors or agents that is subject to Privacy Laws.

“Protected Information” means information that is either Sensitive Information or Confidential Information, regardless of whether such information is created, maintained or stored in a digital, electronic, paper or other medium, or any combination thereof.

“Privacy Laws” shall mean the privacy, data security and data disposal laws and the corresponding rules and regulations enacted by a governmental authority.

“Publix Enterprise Network” (“PEN”) is a geographically dispersed private network owned and operated by Publix Super Markets, Inc.

“Third-Party Service Provider” shall mean a third-party provider which offers any or all of the services necessary to meet the parties’ obligations under this Policy, including any third-party provider which will have or potentially have access to Confidential and/or Sensitive Information.

“Information Resources” means all hardware, software, or other computing devices used to store, receive, process, access and/or transmit Protected Information and all information technology associated with the creation, collection, processing, use, storage, transmission, analysis and/or disposal of Protected Information.

“Network Equipment” means any and all hardware and/or software used by Vendor to enable connection or connect to the PEN.

Third Parties Connecting to the PEN
Any computing device owned or operated by Vendor that may connect to the PEN must comply with all applicable provisions of this Policy. Any individual connecting to the PEN on Vendor’s behalf must be set up within Publix’s third party connectivity solution to facilitate a secure connection and must comply with all applicable provisions of this Policy. Vendor shall promptly notify Publix should a (i) device, (ii) individual, or (iii) electronic business connection (e.g. VPN, dial-up, SSH, etc.) no longer be required or authorized to obtain access to the PEN.

Publix retains the right to deny access to the PEN to some or all Vendor employees, agents or contractors at Publix’s sole discretion. Publix retains the right to disable all or any Authorized User(s) previously authorized to connect to the PEN with or without notice to Vendor and at any time and for any reason, all at Publix’s discretion.

Access Management
Access to the PEN in any form shall be restricted to those Vendor employees/agents who provide services to Publix, have received appropriate criminal and/or financial background checks and been properly trained and instructed as to all obligations with respect to the access and use of the PEN set forth in any agreement with Publix and in this Policy.

In order to prevent use of or access to the PEN by any person other than authorized employees/agents, Vendor shall implement security measures, including but not limited to:

  • Remote access to hardware and/or software that connects to the PEN must, at a minimum, use multi-factor authentication and generally accepted industry network encryption standards for connection.
  • Vendor shall implement and maintain secure authentication protocols that provide for the control of individual user accounts and passwords as set forth below, blocking access after multiple unsuccessful attempts to gain access, and controls to ensure that passwords are kept in a location and format that does not compromise the security of the PEN.
  • All Authorized Users must be assigned individual accounts with unique passwords generated or selected using a secure method that are reasonably designed to maintain security of such access control. Default passwords shall not satisfy this requirement.
  • The following password requirements must apply:
    • Temporary passwords must be given in a secure manner, with expiration on first use;
    • Passwords must be encrypted or hashed when transmitting over networks and in storage;
    • User account credentials must not be shared; and
    • Strong password practices must be enforced that include minimum password length, lockout, set expiration period, and complexity consistent with relevant industry practices.
  • An established process must be in place to periodically validate that current user accounts with access to the PEN are appropriate based on job function.
  • All user accounts that are no longer required or authorized to access the PEN, including hardware and/or software that enables connection or connects to the PEN must be promptly disabled, deleted and removed from all access control lists, security groups, database tables or other methods used to provide the access to the PEN.
  • Vendor shall maintain accurate records sufficient to identify all current and past Authorized Users with access to the PEN.
  • Vendor will not enter into contracts or otherwise hire one or more Third-Party Service Providers to perform on its behalf the work described in this Policy without the prior written consent of Publix. In no event shall Vendor be relieved from its obligations under this Policy. Vendor shall be responsible for the acts or omissions of its Third-Party Service Providers.

System Configuration and Maintenance
Vendor shall ensure Network Equipment complies with each of the following standards:

  • All Network Equipment must be configured to industry accepted security standards and benchmarks for securely configuring the type of system or device in use.
  • All Network Equipment, including installed applications, must be patched in accordance with Vendor’s established procedures. Additionally, if a patch is identified and evaluated as critical by Vendor’s established procedures or active exploits exist for vulnerable Information Resources, the patch must be tested and installed within one month of generally available release to all Network Equipment.
  • Processes and functionality must be implemented and followed to create accurate and appropriately comprehensive audit trails to identify who has connected to the PEN on the Network Equipment and within any individual applications. Processes must actively monitor and aggregate security relevant event information and Vendor must implement and follow a documented incident response function that is linked to and integrated with the monitoring process.
  • All Network Equipment must be configured with adequate and up-to-date system security agent software (including malware protection) and up-to-date security patches, and virus and malware signatures and definitions.
  • Without express written or email permission from a manager in Publix’s IS Security and Compliance group, Vendor shall not move any data off the PEN.
  • Vendor must ensure that the appropriate security controls are implemented to match those stated in this Policy, for any Network Equipment under the control of Vendor (remotely via the internet or any extranet) including, but not limited to, continuous firewalls, up-to-date anti-malware software with current malware signatures/definitions, current security patches, etc.

Right to Audit
Publix or its designee shall have the right, upon reasonable prior notice and at Publix’s expense, to audit Vendor’s processes and records and to conduct an evaluation of products and controls in order to confirm Vendor’s compliance with its obligations under this Policy. Any such audit shall be conducted at such time and in such manner as to minimize interference with Vendor’s business operations. Publix shall be responsible for the fees and expenses of the audit unless the results demonstrate Vendor’s material non-compliance with its obligations, in which case Vendor shall reimburse Publix the reasonable fees spent on such audit upon submission of supporting documentation to Vendor. The assessments, work papers and other materials generated or used by Publix during the course of the audit shall be treated as Protected Information of Publix.