Security requirements

Section 1 - Definitions and interpretation

1.1 Definitions. The following capitalized terms will have the respective meanings as set out below.

1.1.1 “Affiliate” means any entity controlling, controlled by or under common control with a party, as the context requires. For this definition, “control” means the: (i) direct or beneficial ownership of fifty percent (50%) or more of the entity’s voting securities; or (ii) ability to elect a majority of the entity’s directors.

1.1.2 “Agreement” means a written agreement that references this Annex.

1.1.3 “Annex” means this security requirements document, as updated from time to time in accordance herewith.

1.1.4 “Anonymization” means irreversible and permanent modification of Personal Data, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.

1.1.5 “Applicable Law” means all applicable domestic or foreign law, rule, statute, regulation, by-law, order, ordinance, protocol, code, guideline, treaty, policy, notice, direction, or judicial, arbitral, administrative, ministerial or departmental judgment, award, decree, treaty, directive, or other requirement or guideline, as issued by each Governmental Authority having jurisdiction over the parties or the Deliverables, or as otherwise duly enacted, enforceable by law, the common law or equity. For certainty, the term “Applicable Law” includes repeals of, replacements of, successors of and amendments to the foregoing, where applicable, made by a Governmental Authority.

1.1.6 “Artificial Intelligence” or “AI” or “AI System” means a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.

1.1.7 “Bell” means the Bell Company, including its successors and permitted assigns, that entered into the Agreement.

1.1.8 “Bell Company” means either Bell Canada or one of its Affiliates, as the context requires; and “Bell Companies” means Bell and all its Affiliates.

1.1.9 “Bell Data” means any information and data that has been made available by Bell Companies and their Personnel to Supplier or its Personnel in connection with the Agreement and includes Bell Companies’ Confidential Information.

1.1.10 “Confidential Information” means any information (including Personal Data and Derived Data), whether in tangible or intangible form, made directly or indirectly available by or on behalf of one party (the “Disclosing Party”) to the other party, its Affiliates or Personnel (the “Receiving Party”) in connection with this Annex or the Agreement, and which information: (i) is identified or being treated as confidential by the Disclosing Party; (ii) would be understood to be confidential by a person exercising reasonable business judgment; and (iii) includes the existence of this Annex and the Agreement and the fact that discussions between the parties have been or are taking place. Confidential Information does not include information which the Receiving Party can prove: (a) was rightfully known by it prior to disclosure of such information by the Disclosing Party; (b) is or becomes generally available to the public, other than due to the Receiving Party’s breach of this Annex or the Agreement; (c) was independently developed by the Receiving Party; or (d) is or becomes available to the Receiving Party on a non-confidential basis from a source other than the Disclosing Party, provided that such source is not in breach of its obligations of non-disclosure towards the Disclosing Party. Notwithstanding the foregoing, items (a), (b), (c) and (d) will not apply to any of the Disclosing Party’s Personal Data.

1.1.11 “De-Identification” means modification of Personal Data so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.

1.1.12 “Deliverables” means:

1.1.12.1 “Products” means the tangible products and equipment supplied by or on behalf of Supplier pursuant to the Agreement;

1.1.12.2 “Services” means the services performed by or on behalf of Supplier pursuant to the Agreement, which may include: (i) hosted software or infrastructure services; (ii) consulting or professional services; and (iii) outsourcing services; and

1.1.12.3 “Software” means any software supplied by or on behalf of Supplier pursuant to the Agreement and which software: (i) is licensed to Bell Companies for their Use; (ii) Bell Companies may resell to their customers for their Use; or (iii) is developed or customized for Bell Companies. For the purposes of the Agreement, “Use” means any act which, if committed without authorization of the owner of IP Rights, would constitute an infringement of such IP Rights.

1.1.13 “Derived Data” means any and all data derived from Bell Data in connection with: (i) provision of the Services and Hosted Services; and (ii) Bell Companies’ Use of the Products, Software and Hosted Services.

1.1.14 “Effective Date” means the date on which the Agreement became effective.

1.1.15 “Governmental Authority” includes any domestic or foreign federal, provincial or state, municipal, local or other governmental, regulatory, judicial or administrative authority.

1.1.16 “IP Right” means any right that is or may be granted or recognized regarding patents, copyright, moral rights, trade secrets, trade-marks, domain names, industrial designs, integrated circuit topography, and personality rights, and any other legislative provision or common or civil law principle regarding intellectual property, whether registered or unregistered, and includes rights in any application for any of the foregoing.

1.1.17 “Personal Data” means information relating to an identified or identifiable individual that Bell Companies make available to Supplier, directly or indirectly, in connection with this Annex or the Agreement. Personal Data includes any "personal information" as defined in Section 2(1) of the Personal Information Protection and Electronic Documents Act (S.C. 2000, C.5), as may be amended or replaced.

1.1.18 “Personnel” means directors, officers, employees, agents, and subcontractors.

1.1.19 “Software Composition Analysis” or “SCA” means a test to be performed on all software to identify open source software components and review such components for all known security vulnerabilities, including those identified in the MITRE Common Vulnerabilities and Exposures (CVE) database and the NIST software security vulnerabilities bulletins, as updated from time to time.

1.1.20 “Software Bill of Material” or “SBOM” means a comprehensive nested inventory of all Software components (including any integrated third-party open-source software components, tools, libraries, modules, and other assets) and dependencies that comprise the Software.

1.1.21 “Supplier” means the supplier, including its successors and permitted assigns, that entered into the Agreement with Bell and is required to comply with this Annex.

1.1.22 “Usage Data” means data related to the performance and usage of the Products, Software and Hosted Services, which data: (i) does not contain any of Bell Companies’ Personal Data or Confidential Information; and (ii) is aggregated and anonymized such that it cannot be used to identify Bell Companies or their respective customers and Personnel.

1.2 Interpretation. The term “including” means “including without limitation”, and “include” and “includes” will be interpreted to have corresponding meanings, and references to “and” or “or” will mean “and/or”.

1.3 Incorporation; Changes. This Annex is incorporated into and forms part of the Agreement. Bell may update this Annex from time to time by posting a revised version on this website. Supplier is solely responsible for periodically checking this website for updates. Any changes to this Annex will be effective thirty (30) days after posting.

1.4 Notifications. All notices required under this Annex must be in writing and sent to the applicable contact designated in the Agreement based on the subject matter.

Section 2 - General requirements

2.1 Security Contacts.

2.1.1 Primary. Upon Bell’s request, Supplier shall designate and provide contact information for one (1) named individual to be Bell’s primary security contact (the “Security Contact”). The Security Contact shall respond to Bell’s requests for assistance, information, investigations, and all other matters concerning Supplier’s security obligations as set out in this Annex or in the Agreement.

2.1.2 Alternate. Upon Bell’s request, Supplier shall designate and provide contact information for at least one (1) alternate contact to fulfill Supplier’s obligations, as set out in Section 2.1 (Security Contacts), in the event the Security Contact is not available. Such alternate contact(s) must collectively have skills and qualifications similar to those held by the Security Contact.

2.2 Costs. Unless expressed otherwise in this Annex, Supplier’s compliance with this Annex, including any remediation efforts, shall be at Supplier’s sole cost, and Bell will not reimburse Supplier for any costs or expenses incurred by Supplier, its Affiliates, or their respective Personnel, in complying with any Bell requests under this Annex.

2.3 Security, Privacy and Risk Awareness Training. Supplier shall ensure that its Personnel participate in and successfully complete, at a minimum, an annual security awareness program focusing on common and emerging threats, including in relation to cybersecurity, privacy, and responsible use of AI.

2.4 Industry Organization Membership. Supplier shall enroll and maintain membership with Canadian Cyber Threat Exchange (CCTX) (https://cctx.ca/about-cctx/) or other equivalent industry threat exchange organization.

2.5 Audit Trails. Supplier shall maintain industry best practice audit trails for all security-related functions, tasks and obligations set out in the Agreement (including, for certainty, this Annex), including for any environments, information systems or networks used in connection with the Agreement.

2.6 Network Access Control. Upon Bell’s request, Supplier shall promptly provide a complete list of site URLs: (i) required to implement or use the Deliverables; and (ii) that a Bell Company may otherwise need to access in connection with the Deliverables.

Section 3 - Incident management

3.1 Reporting. Upon discovery, Supplier shall immediately notify Bell in writing of any security issue or incident, including: (i) actual or suspected breaches of its obligations under this Annex; (ii) security issues and known security vulnerabilities affecting Supplier’s environments or that otherwise negatively impact the security, integrity or availability of Bell Data or Sensitive Assets; and (iii) environmental, business continuity or health and safety incidents. “Sensitive Assets” means Bell Companies’, or their customers’, information systems, networks or premises and Supplier’s information systems, networks or premises on which any Bell Data may be stored.

3.2 Resolution. Supplier shall investigate and respond to any actual or suspected security issues and incidents that it reports pursuant to this Annex in accordance with: (i) Bell’s reasonable instructions; and (ii) risk mitigation and incident management requirements set out in this Annex.

3.3 Risk Mitigation. Supplier shall:

3.3.1 establish a formal remediation plan, including the investigation of root causes and the development and implementation of corrective action for all security and due diligence compliance issues that Supplier is aware of;

3.3.2 provide such formal remediation plan, prior to its adoption, to Bell for Bell’s approval, acting reasonably, which Bell may review, test and request that additional security and due diligence terms and conditions be added to such plan;

3.3.3 upon approval, implement such formal remediation plan;

3.3.4 provide Bell with periodic status updates during remediation and, at the conclusion of the remediation effort, a detailed explanation of the corrective action used to resolve the issue or incident; and

3.3.5 implement and maintain incident management policies to ensure that: (i) security breaches affecting Supplier’s information systems and networks, and any information stored on the foregoing, can be identified, contained, and remediated; (ii) root causes can be identified; (iii) corrective actions can be implemented, tracked and reported on; and (iv) Supplier can comply with its obligations set out in this Section 3 (Incident Management).

3.4 Breach. For certainty, failure to resolve a security issue or incident in compliance with Section 3.2 (Resolution) of this Annex will be deemed a material breach of the Agreement.

3.5 Investigations. Upon Bell’s request and in relation to any security incidents identified under this Section 3 (Incident Management) or as a result of a review conducted or a report issued under Section 6 (Compliance Review), Supplier shall make its information systems and networks available to Bell for Bell to conduct further investigations on such security incidents. In relation to such investigations, Supplier shall:

3.5.1 Support and Cooperation. provide an independent, reputable third party to support and cooperate with Bell during the investigation of any security-related situation, event or incident that Bell reasonably deems necessary;

3.5.2 Interviews. allow Bell Personnel to attend and participate in any investigative interview that Bell reasonably deems necessary;

3.5.3 Security Review. upon request, provide Bell Personnel access to each Supplier environment running Bell processes for the purpose of conducting reasonable security and access right reviews, vulnerability assessments and penetration tests, audits of hardware, application software, information systems, networks and other facilities being used in connection with the Agreement; and

3.5.4 Bell Obligation. to the extent Bell exercises any rights set out in this Section, Bell shall ensure that its Personnel adhere to Supplier’s reasonable internal security procedures and are bound by confidentiality provisions no less stringent than those set out in the Agreement.

Section 4 - Background checks

4.1 Background Checks. Supplier shall arrange for an independent background check provider to perform criminal background checks on each Supplier Personnel who may have access to: (i) Bell Data; or (ii) Sensitive Assets. Such background checks must be completed by: (a) Bell’s approved vendors; or (b) subject to Bell’s prior written approval, a reputable background check provider either accredited by or a member of the Professional Background Screening Association. The foregoing background checks must be completed within one hundred and eighty (180) days prior to the performance or provision of any Deliverables.

4.2 Bell’s Rights. Upon Bell’s request, Supplier shall: (i) re-perform background checks in accordance with this Annex; (ii) provide proof of criminal background checks; and (iii) replace any Supplier Personnel with an offense or alleged offense identified in a criminal background check report, whether punishable by indictment or summary conviction, which has not been discharged, expunged or pardoned, if such offense or alleged offense is reasonably connected with the nature of the Deliverables being performed or provided under the Agreement.

4.3 Invalid Background Checks. If Supplier becomes aware of a change in the status of any criminal background check performed on its applicable Personnel under this Annex, Supplier shall promptly: (i) notify Bell of such change in the Personnel’s criminal background check; and (ii) provide Bell with a remediation plan or alternate Personnel to ensure compliance with this Annex.

4.4 Personnel Removal. If Supplier becomes aware of any Supplier Personnel being charged with a crime or involved in any prior actual or alleged criminal activity, Supplier shall: (i) immediately notify Bell; and (ii) ensure that such Supplier Personnel immediately ceases to perform or provide any Deliverables for Bell Companies.

Section 5 - Information security measures

5.1 Access Restriction. Supplier shall ensure that Supplier Personnel do not attempt to access or allow access to any Bell Data: (i) within an environment to which they do not have access rights; or (ii) except to exercise or perform Supplier’s rights or obligations under the Agreement. Supplier shall immediately: (a) notify Bell of a breach of the foregoing; (b) describe in detail all accessed materials and the method of access; and (c) upon request, provide Bell with copies of all accessed materials.

5.2 Security Measures. Supplier shall maintain industry-recognized security measures to protect against: (i) the destruction, degradation, loss, unauthorized access to, disclosure or alteration of Bell Data, Bell Companies’ or their customers’ intellectual property, and assets (tangible and intangible), in Supplier’s possession or under its management or control; and (ii) the destruction or alteration of any component of the Sensitive Assets, or the environments and systems on which Bell Data is stored. At a minimum, Supplier shall maintain the security measures identified below, and, upon request, shall provide to Bell all reasonable documentation supporting the implementation of such measures:

5.2.1 Controls. logical and physical access controls, such as access control lists, firewalls, and intrusion detection and prevention mechanisms;

5.2.2 Logical Access. user access management software installed on Supplier’s information systems and networks that: (i) authorizes and authenticates users and their access rights; and (ii) allows administrators to control and track additions of, changes to, and deletions of authorized users and their access rights;

5.2.3 Logging and Monitoring. record all access and changes to systems or software and maintain all such records in a centralized and secure electronic audit log for a minimum of ninety (90) days. Electronic audit logs must be monitored and backed up in a secure location;

5.2.4 Risk Assessment and Improvement. up-to-date and risk-appropriate safeguards, which are regularly updated for currency, that detect, prevent, and automatically remove any threats and vulnerabilities to Supplier’s information, information systems and networks;

5.2.5 PCI DSS Certification. security standards and certification requirements for any payment processing applications and supporting network infrastructure as set out in the latest version of the Payment Card Industry Data Security Standard document, as may be amended or replaced from time to time by the PCI Security Standards Council;

5.2.6 Certified Telecom Industry Alliance (CTIA). obtain and maintain at least a Level 2 CTIA certification for any IoT Device. “IoT Device” means a Product that: (i) contains an application layer that provides identity and authentication functionality, as well as at least one communications module that supports wired 5G, 4G LTE, or Wi-Fi connectivity; and (ii) connects to at least one network to exchange data with other applications and devices, including vehicles, home appliances, personal mobile devices, and infrastructure elements;

5.2.7 Business Continuity Measures. implementation of business continuity and disaster recovery plans to ensure that: (i) all data is backed up to off-site storage, which is suitably distanced from the main storage site; (ii) information systems and applications can be recovered from the backup copies; and (iii) the backup copies are secure from unauthorized access, modification or use;

5.2.8 Third Party Software. maintain and, upon Bell’s request, provide to Bell a list of all third party code, including open source and commercially available code, and third party software tools used to maintain the security of Supplier’s environments, information systems or networks used for processing any Bell Data;

5.2.9 Penetration Testing and Vulnerability Management Program(s). industry standard vulnerability management and penetration testing programs for Deliverables interconnected to a Bell Company’s (or its customers’) information systems or network, which, at a minimum: (i) applies to all assets associated with the Deliverables; (ii) identifies the level of security testing conducted for all assets (including, by way of example only, network scanning, DAST, SAST or penetration testing); (iii) identifies the frequency of testing for all assets; and (iv) identifies remediation timelines for all vulnerability severity levels; and

5.2.10 Bell’s Requirements. any other reasonable security measures required by Bell from time to time.

5.3 Evidence and Confirmation. Upon Bell’s request, Supplier shall provide Bell with: (i) documentation describing all of Supplier’s code review and vulnerability testing practices; (ii) documentation describing vulnerability mitigation practices for all areas affecting Bell Companies; (iii) documentation confirming protection against web-borne attacks, including protection against layer 7 protocol exploitation such as web application firewalls and runtime application self-protection; and (iv) written confirmation of Supplier’s compliance with the practices referenced in (i), (ii), and (iii) above.

5.4 Network Segregation. If Supplier provides hosted Services as a Deliverable, Supplier shall: (i) ensure that its internal network(s) are segregated from Internet-facing networks using firewall and VLAN technologies; (ii) implement regular vulnerability and penetration testing prior to providing any Deliverables to Bell; and (iii) physically and logically segregate Bell Data from the data of Supplier’s other customers.

5.5 Bell Data Location and Access. In connection with any Bell Data to which Supplier has access, Supplier, its Affiliates, and their respective Personnel shall not, without Bell’s prior written consent:

5.5.1 Location. store or transfer any Bell Data outside of Canada, whether physically or electronically;

5.5.2 Access. access Bell Data from outside of Canada; or

5.5.3 Changes. change the location of where Bell Data is stored or the location from where Bell Data is remotely accessed.

5.6 Bell Data Access and Storage Locations. Unless otherwise approved by Bell in writing, in its absolute discretion, Supplier represents and warrants that any Bell Data to which Supplier has access will be stored and accessed only at the Approved Locations. “Approved Locations” means the locations identified to Bell during the security assessment process conducted in connection with the Agreement and the applicable Deliverables. Supplier shall send approval requests for changes to the Approved Locations to the email address designated in the Agreement.

5.7 Access Restriction. If Bell reasonably determines, in its sole discretion, that any access to Bell Data poses an unacceptable security risk to Bell, Bell may revoke any access privileges granted to any Personnel that has access to Bell Data or Sensitive Assets.

5.8 Secure Destruction, Preservation and Return of Information. Where Supplier has access to Bell Data:

5.8.1 Data Destruction Requirements. Subject to any express obligations under the Agreement to retain Bell Data, including in connection with record retention requirements and litigation hold as may be requested by Bell, upon Bell’s request and when the Agreement has expired or terminated, Supplier shall: (i) delete and render unrecoverable all Bell Data; (ii) destroy storage media that contains Bell Data in a secure manner and within a secure area, if such storage media cannot be reused or repurposed; (iii) maintain an auditable chain of custody of the destroyed storage media (if applicable) that allows verification of when and the method of destruction; and (iv) provide proof of destruction to Bell when: (a) storage media that contains Bell Data is returned to Supplier for service; (b) Bell Data is removed from Bell Companies’ sites or networks for the purpose of troubleshooting and is no longer required; and (c) the Agreement expires or is otherwise terminated.

5.8.2 Litigation Hold Notice. If Bell requests in writing that Supplier retain or preserve any information (including any Bell Data or Supplier Confidential Information) within its possession, and specifies the process by which such information must be delivered to Bell, including technical and timing requirements, for the purposes of an investigation, litigation hold or legal hold (each a “Hold Notice”), Supplier shall comply with such Bell request, which, for certainty, Bell may amend from time to time with written notice to Supplier. To the extent that Supplier does not comply with a Hold Notice, Supplier shall defend, fully indemnify and hold Bell Companies harmless from and against all actual and alleged claims, demands, causes of action and liability, of any kind, for damages, losses, costs and expenses, including legal fees and disbursements, arising out of or relating to Supplier’s inability to comply with the Hold Notice.

5.8.3 Anonymization and De-Identification of Personal Data. To the extent expressly required under the Agreement or requested by Bell in writing, anonymization and de-identification must be performed in accordance with Applicable Law and industry best practices and standards. Without limiting the foregoing, Supplier shall: (i) provide to Bell a re-identification risk analysis and a description of the techniques and processes used to perform anonymization or de-identification, and (ii) keep a record of the foregoing for auditing purposes.

5.9 Loss or Damage. Where Bell Data is provided to Supplier and such Bell Data (in whole or in part) is lost or damaged:

5.9.1 Reasonable Assistance. Supplier shall, at no additional cost to Bell, use all commercially reasonable efforts to assist Bell in repairing, recovering and replacing such damaged or lost Bell Data; and

5.9.2 Loss or Damage Due to Breach. without limiting the generality of the foregoing, if such Bell Data is lost or damaged as a result of non-compliance by Supplier, its Affiliates, or their respective Personnel, of the Agreement (including, for certainty, this Annex), Supplier shall assist Bell in recovering such lost or damaged Bell Data by providing all additional resources reasonably required by Bell at no additional cost to Bell.

5.10 Software Development and Deployment. If Supplier provides Services involving Software development or deployment, Supplier shall:

5.10.1 Secure Build Environment. ensure that the build environments, including individual developer environments and the production build environment, together with source code repositories, are hardened, with all access to the build pipeline logged, and are developed and maintained in accordance with the applicable security standards set out in this Annex;

5.10.2 Secure Source Code. ensure that the source code, including third party code, open-source code and open source libraries, to such Software does not contain any known security vulnerabilities;

5.10.3 Secure Software Components. ensure, prior to the incorporation of third party components into any Software, that Supplier is authorized to use them, that they do not contain any known security weaknesses or vulnerabilities, and that the applicable SBOM reflects the presence and interdependencies of such components;

5.10.4 Secure Development Practices and Procedures. ensure that Software is developed in a manner that complies with industry best practices and standards (including ISO/IEC 5055:21) for secure software development, including secure software development life cycle techniques and methodologies, including code scanning, code review and penetration testing, to proactively identify, mitigate and remediate security vulnerabilities;

5.10.5 Standards Review. provide details and supporting documentation regarding the Software development standards and methodologies it follows, including code testing, SCA, vulnerability scanning and penetration testing, for Bell’s review prior to the delivery of any Software source code, including any subsequent modifications thereto, to Bell (e.g., Open Web Application Security Project (OWASP)). If Bell is not reasonably satisfied with the standards and methodologies implemented by Supplier, Supplier shall cooperate with a third party designated by Bell to review and test any Software source code, including any subsequent modifications thereto, in accordance with Bell’s instructions, to determine if Supplier is in compliance with Section 5.10.2 (Secure Source Code) and Section 5.10.4 (Secure Development Practices and Procedures);

5.10.6 Secure the Supply Chain. maintain and, upon Bell’s request, provide to Bell the SBOM, and all tools used during the development life cycle or included in the Software; and

5.10.7 Confirmation. provide written confirmation of compliance with Section 5.10 (Software Development and Deployment), at Bell’s request.

5.11 Government Agreements. If Supplier provides Deliverables to a Governmental Authority or requires remote or physical access to any information, information systems, networks or premises of a Governmental Authority, then for each Supplier Personnel providing such Deliverables or requiring such access, Supplier shall obtain: (i) all security clearances required by the applicable Governmental Authority, including, where applicable, a Designated Organization Screening approval from the Treasury Board of Canada; and (ii) any other clearance or authorization required by a Governmental Authority or Bell.

Section 6 - Compliance review

6.1 External Control Audits. Supplier shall: (i) at least once per every twelve (12) month period, undergo an industry-recognized external control audit, such as SOC 1/SOC 2, SSAE 18, ISAE 3402 and CSAE 3416 (or their respective successors), as performed by an independent, reputable third party auditor, covering the scope of Supplier’s obligations under the Agreement (including, for certainty, this Annex); and (ii) upon Bell’s request, provide to Bell copies of all reports produced from such external control audits and any remediation action plans (and statuses thereof) for any issues identified in such reports.

6.2 Compliance Review and Verification. Upon Bell’s request, Supplier shall participate in Bell’s on-going compliance review process, including one or more of the following activities:

6.2.1 Assessment. completion of any then-current Bell security assessments;

6.2.2 Support and Cooperation. provide support and cooperation to Bell for the completion of on-site assessments of facilities, operations and Personnel performing obligations pursuant to the Agreement, excluding incident investigations;

6.2.3 Data Location. provide a complete list of addresses at which Bell Data is (or will be) stored, accessed or otherwise made available to Supplier, its Affiliates, or their respective Personnel;

6.2.4 Supplier Policies Review. provide access to Supplier’s applicable internal policies, including to its:

6.2.4.1 Security policy and governance documents for testing, scanning, vulnerability management, incident management, access control, and privacy policy, including Supplier’s processes for identifying and resolving Personal Data breaches; and

6.2.4.2 code of conduct, or similar documents, including standards for business integrity and ethics, and investigative and resolution process for non-compliance thereof by Supplier Personnel.

6.2.5 Certification Review. provide access to industry standard certifications, and any reports produced during their respective certification processes, including for the following industry standards (or their respective successors):

6.2.5.1 ISO 27001 Information technology — Security techniques — Information security management systems — Requirements;

6.2.5.2 ISO 5055 Information technology — Software measurement — Software quality measurement — Automated source code quality measures;

6.2.5.3 ISO 22301 — Business Continuity Management Systems;

6.2.5.4 CSA STAR Certification — Cloud Security;

6.2.5.5 PCI DSS — Payment Card Industry Data Security Standard; and

6.2.5.6 Information Security Forum — Standard of Good Practice.

6.2.6 Security Issues Summary. provide a summary of all past security issues, as well as investigation and remediation actions taken during the prior twelve (12) month period;

6.2.7 Personnel Access Rights. provide: (i) current lists of all Supplier Personnel requiring access to Bell Data or Sensitive Assets; and (ii) security and access permissions granted to such Supplier Personnel.

Section 7 - Artificial Intelligence measures

7.1 Applicability. This Section 7 (Artificial Intelligence Measures) applies only to the extent that AI is used or provided in association with the Deliverables.

7.2 AI Security and Risk Management Measures. Supplier shall develop and make AI available in a secure manner and in compliance with Applicable Law. Without limiting the generality of the foregoing, Supplier shall:

7.2.1 Risk Identification. regularly assess, identify, document, and upon request, provide to Bell a detailed summary of potential risks, limitations, and mitigations associated with each AI System used or provided in association with the Deliverables. Supplier shall immediately notify Bell if it becomes aware of any issues that could lead to a state in which human life, physical and mental health, property, or the environment is endangered, or in which Bell is at a loss or exposed to a higher level of risk.

7.2.2 Human Oversight & Monitoring. enable users of an AI System to gain deeper understanding of the inference chain (explainability) and how the AI System generates the output data (interpretability). Upon request, Supplier shall maintain and provide a record of output data and available inference processes in addition to Section 5.2.3.

7.2.3 No Storing of Bell Data. ensure that Bell Data processed by an AI System is not stored, unless otherwise approved by Bell in writing. To the extent that Bell provides such written approval, Supplier shall ensure that Bell Data is stored in accordance with Bell’s data retention requirements communicated to Supplier.

7.2.4 No Training with Bell Data. not use any Bell Data (including, for greater certainty, any Derived Data) for the purposes of training any AI models. For greater certainty, this restriction does not apply to Usage Data.

7.2.5 Third Party AI. Supplier must obtain Bell’s prior written approval before: (i) any third party AI is used or provided in association with the Deliverables, and (ii) any Bell Data is made available to a third party AI for the purposes of training, system improvement, research, storage or processing of any kind.

7.3 Trustworthy and Responsible AI measures. Supplier is committed to providing trustworthy and responsible AI services to Bell. Without limiting the generality of the foregoing, Supplier shall ensure:

7.3.1 Fairness & Equity. that the use of data to drive unethical decisions or actions based on biases such as race, religion, ethnicity, gender or age is prohibited, and that appropriate actions are taken to mitigate discriminatory outcomes for individuals and groups.

7.3.2 Validity and Reliability. that AI Systems are often assessed by ongoing testing or monitoring that confirms the system is performing as intended.