Vendors/Suppliers

Third Party Risk Management Portal

Third Party Privacy, Security & Risk Management Portal

Third Party Privacy, Security & Risk Management Portal

Carnival Corporation is supporting the planning, automation and management of relationships with third parties. In addition, the portal stores contracts for existing third parties and operates as a portal for new third parties to be assessed, evaluated and classified based on risk profile.

Third Party Privacy, Security & Risk Management Portal is not a completely self servicing resource and not currently open to the public at this time. Third party business owners will be responsible for registering and initiating enrollment in Third Party Privacy, Security & Risk Management process. Third parties are required to be already engaged in our sourcing, procurement, and other business pillars prior to enrollment in the Third Party Privacy, Security & Risk Management Portal.

Third Party Privacy, Security & Risk Management Portal
Third Party Onboarding

Third Party Onboarding

Onboarding Process:

Third Party Risk Management Criteria

All third parties meeting one or more of the criteria below must be successfully engaged through our Third Party Risk Management Program:

  1. Does the third party (or their sub processors) process personal data (frequently known as PII) or Carnival confidential information? 
  2. Does the third party (or their sub processors) require connectivity or access to Carnival network or applications?
  3. Does the third party (or their sub processors) utilize cloud-based services?

Key Definitions:

  1. "Sub processor" is another company used by the vendor to deliver services
  2. "Process" is collect, use, store, share, receive
  3. "Personal data" is the gamut of information from first and last name to passport number to IP address.

Click here to request more details

Contractual Requirements

Data Privacy and Security Addendum (DPSA) requirements:

The Data Privacy and Security Addendum (DPSA) is part of the contract document that forms the contractual relationship between controller and processor for data protection. It is also used for joint controller engagements. Carnival Corporation uses this document globally, so there are optional sections that are required for European contracts.

  1. Processes personal data (frequently known as PII) or Carnival confidential information
  2. Requires connectivity or access to Carnival network or applications
  3. Utilizes cloud-based services (must comply with the Cloud Computing policy)

The DPSA replaces the CPIP, which was used until August 1, 2019.

Click here to view and download DPSA

Contractual Requirements

Security Specifications

In addition to Processor’s information security and privacy policy, Processor employs those of the following technical and organizational measures (Security Specifications) necessary to safeguard Controller Data and Personal Data within the Services, as determined by Controller based on Processor’s responses to Controller’s Vendor pre-screening process.

  • Maintain written information security policies and procedures and incident response programs required to comply at a minimum with (i) all applicable Data Protection Laws and (ii) generally accepted industry standards for data protection including ISO 27001/2.
  • Test its information security procedures and incident response programs at least annually and retain written reports of the test results.
  • Assign personnel with responsibility for the determination, review and implementation of security policies and measures.

Measures employed to prevent unauthorized access to the processing environment and thwart attackers from breaching the Processor’s network. Security measures may include technology in the following categories

  • Perimeter next generation firewalls
  • Denial of Service protection
  • Data loss prevention
  • Advanced Persistent Threat detection/prevention
  • Mobile device management
  • Web application security

Defenses deployed on systems used to process personal data.

  • Implement patch management procedures that prioritize security patches for systems used to process Carnival personal or confidential information.
  • Maintain logs of all auditing, monitoring and security activity for a period of 120 days in a secure environment
  • Employ anti-virus, endpoint protection and response capabilities

Where any part of the Services is supported by cloud hosting, Counterparty will comply with the latest version of the Cloud Security Alliance Cloud Controls Matrix (available here: https://cloudsecurityalliance.org/) or other substantially similar assurance agreed with CARNIVAL. Counterparty must be able to demonstrate the established commonly accepted data protection and privacy control objectives.

  • Electronic access card reading system
  • Management of keys/documentation of key holders
  • Palisade fencing
  • Solid reinforced concrete exterior to building with no windows.
  • 24x7x365 staffed security guards
  • Security service, front desk with required sign in for all visitors
  • Burglar alarm system
  • Internal and external infrared pan, tilt, zoom CCTV Monitored building management system
  • Biometric scanners
  • Man traps
  • Remove unused software and services from devices used to Process Personal Information.
  • Default passwords that are provided by hardware and software producers shall not be used.
  • Mandate and ensure the use of system enforced strong passwords in accordance with leading industry practices on all systems hosting, storing, processing, or that have or control access to CARNIVAL’s information and
  • Passwords and access credentials are kept confidential and not shared among personnel.

Measures taken for preventing data processing systems from being used without authorization.

  • Personal and individual user log-in when entering the system and/or the corporate network
  • Password procedures minimum of 8 characters, with one upper case, lower case, and digit. If the user account has five invalid logon attempts, the account will be locked out. All passwords expire after 90 days. Upon verification of the username and password, the application uses session-based token authentication.
  • Remote access for maintenance requires two-factor authentication
  • Automated screen locks after a defined period of inactivity
  • Password protected screen savers
  • All passwords are electronically documented and protected against unauthorized access through encryption
  • User accounts are audited twice per year.

Measures taken to ensure that persons entitled to use a data processing system have access only to Confidential or Personal Data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorizations in the course of processing or use and after storage

  • User authentication is based on username and strong password
  • Data are stored encrypted at rest
  • All transactional records contain identifiers to distinguish client records
  • System processing uses a role-based mechanism to tailor data access to specific users and roles
  • Data access, insert, and modification are logged
  • ISO certifications and/or Third Party Independent audit reports are maintained at the primary data center

When processing or accessing cardholder data on Controller’s behalf, processor must adhere to the applicable credit card handling standards per card issuer. Processor must be compliant with Payment Card Industry Data Services Standard (“PCI-DSS”) and will provide proof of compliance annually.

Measures taken to ensure that Personal Data cannot be read, copied, modified or removed without authorization dui having electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.

  • All data are encrypted in flight using the latest secured transmission protocols Transport Layer Security (TLS) 1.1 or above
  • Access to reports is logged
  • Backup media are encrypted
  • Removable storage is not used

Taken to ensure that it is possible to check and establish whether and by whom Personal Data have been entered into data processing systems, modified or removed.

  • Record entry is restricted to a defined set of roles
  • All entry is date/time stamped and includes identifiers for entering party
  • Firewalls and intrusion prevention systems are in place to prevent unauthorized access

Employed to ensure that, in the case of commissioned processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal.

  • Confidentiality agreements are in place for all individuals with data access
  • Training is conducted during onboarding and on a regular basis
  • No third parties used for the processing of data other than as described in this Agreement
  • Privacy policy describes rights and obligations of agent and principal

Measures taken to ensure that Personal Data are protected from accidental destruction or loss.

  • Systems employ redundancies such as RAID arrays and redundant equipment
  • Backups are stored in alternate location from primary processing
  • Multiple air conditioning units are installed to provide redundant capacity in an N+1 configuration.
  • High sensitivity smoke detection, and Argonite gas suppression
  • Multiple firewall layers and virus protection on all servers
  • UPS backed by N+1 generators
  • Diverse fiber routing and multiple carriers

Measures taken to ensure that Personal Data collected for different purposes can be processed separately.

  • Three-tier systems are used to physically separate presentation, business processing and storage
  • Controller data are stored in separate databases or in logically separate architectures
  • Separation of duties is used internally to ensure functions pass through change control processes
  • Discrete development, staging and production environments are maintained.
  • All routing of data for processing is controlled through automated rules engines.
  • Computing and storage is on equipment owned by Processor

Promptly communicate Investigation results from incident response to Carnival.

  • Systems and processes are in place to communicate incident and response investigation results
  • Contact privacy@carnival.com [brand to replace with brand-specific email address] to inform Carnival.