Security Requirements for Nooco Suppliers
At Nooco, protecting our data, systems, and the confidentiality of our information, as well as our clients’ data, is an absolute priority. We believe that a strong, trusting relationship with our partners is essential to ensuring this security. This is why we require all suppliers who process, store or access our data, as well as those that provide services that could impact our security posture, to adhere to rigorous security standards.
These requirements are an indispensable prerequisite for any commercial relationship with Nooco and must be strictly adhered to throughout our collaboration.
The extent and relevance of these requirements will depend on the nature and scope of the services provided, the degree of access to Nooco’s data or systems, and the associated risks.
In working with Nooco, our suppliers agree to adhere to these standards and accept that they form an integral part of the contract with us. Non-compliance with these requirements constitutes a material contractual breach and may lead to the termination of our agreements.
1. Governance and Security Management
- Security Policies and Procedures: The Supplier must have documented, up-to-date information security policies and procedures covering all relevant aspects of its operations.
- Personnel and Awareness: The Supplier’s personnel with access to Nooco’s data or systems must receive regular training and awareness on security best practices. The Supplier also commits to ensuring its own personnel comply with all security obligations stipulated in this document.
- Compliance and Certification: The Supplier must comply with all applicable laws and regulations concerning data protection, notably the General Data Protection Regulation (GDPR). Nooco strongly encourages its suppliers to obtain and maintain ISO 27001 certification, or an equivalent certification.
2. Data Access and Protection
- Data Access: Access to Nooco’s data and environments is strictly limited to data necessary for the mission and must adhere to the principle of least privilege.
- Strong Authentication: Multi-Factor Authentication (MFA) is mandatory for all access to our environments or data. The Supplier commits to enabling Two-Factor Authentication (2FA) on all privileged accounts used in the context of services provided to Nooco.
- Single Sign-On (SSO): The Supplier must provide an SSO solution compatible with Okta for services used by Nooco.
- Accountability of Actions: The Supplier must at all times ensure the accountability of actions performed by its personnel and systems, allowing for tracing who did what, when, and where.
- Data Encryption: Any data exchanged with the Supplier (“Nooco Data”) must be encrypted in transit (TLS 1.2 or higher) in all cases and at rest (AES 256 or equivalent) where technically feasible.
- Data Hosting: All Nooco Data must be hosted exclusively within the European Union (EU), unless Nooco provides prior written and specific agreement.
- Prohibition of Data Use (AI): Nooco Data must under no circumstances be used, directly or indirectly, for the training, development, or improvement of artificial intelligence models, machine learning algorithms, or any other similar technology.
- Data Reuse and Transfer: Nooco Data must not be reused or transferred without Nooco’s prior written authorization.
- Asset Management: The Supplier must have an asset management policy that follows best practice and must treat Nooco Data as confidential or equivalent.
- Data Reversibility: The data provided by Nooco to the Supplier must remain recoverable at all times, in a standard format, within a maximum period of one month.
- Data Deletion: Upon completion of the services, Nooco Data must be securely and irreversibly deleted within two (2) months from the end of the contractual relationship between the Parties.
- Subcontracting: The Supplier commits to ensuring that all its subcontractors and co-contractors comply with these security requirements. Any recourse to a sub-processor involving Nooco Data or services is subject to Nooco’s prior written approval. The Supplier must notify us of any change or addition of sub-processors. Nooco reserves the right to object to any subcontracting if it poses a risk to security or confidentiality. In the event the Supplier insists on continuing with the appointment of an objectionable sub-contractor, Nooco shall have the right to terminate its agreement with the Supplier without any right of recourse by the Supplier to Nooco. The Supplier remains fully responsible for complying with its obligations and those of its subcontractors.
3. Security Incident Management
- Incident Notification: The Supplier is obligated to notify any actual or suspected security incident involving Nooco’s data or systems within 48 hours of its initial detection.
- Incident Details: The notification must include known details of the impact, immediate measures taken, and a remediation plan.
- Cooperation: The Supplier commits to cooperating fully with Nooco during the investigation and resolution of any incident.
- Incident Contact: All incident notifications must be sent to soc@deepki.com.
4. System Security and Periodic Review
- System Security Measures: The Supplier commits to implementing sufficient security measures to protect its information systems and the services provided to Nooco. This includes installing and maintaining all hardware and software resources (antivirus solutions, anti-malware devices, EPP, EDR, etc.) in versions supported by their vendors or manufacturers and incorporating the latest security updates.
- Vulnerability Management and Patches: The Supplier must have a rigorous process for identifying and remediating vulnerabilities. Critical security patches must be applied within 14 days of their publication. For vulnerabilities posing a “high” or “critical” risk (according to CVSS v3.1), this deadline is reduced to 7 days. If these deadlines cannot be met, Nooco must be informed without delay, and acceptable temporary mitigation measures must be proposed.
- Client Equipment Configuration: When Nooco’s IT equipment is entrusted to the Supplier as part of the services, the Supplier is prohibited from modifying hardware and software configurations, as well as security elements in place on the workstation or any other equipment.
- Penetration Testing: Regular penetration tests conducted by independent third parties are strongly recommended for critical services.
- Business Continuity and Backups: The Supplier must have tested Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). The Supplier commits to implementing relevant backups to ensure service continuity, with a minimum RPO (Recovery Point Objective) of 24 hours and a minimum RTO (Recovery Time Objective) of 48 hours, unless otherwise specified in the contract. These backups must be regular, encrypted, and tested for Nooco’s data.
- Secure Development: The Supplier must have a secure development policy compliant with the state of the art, which it applies from the design phases and throughout the service lifecycle. Test data must be carefully selected, protected, and controlled, avoiding the use of real and sensitive data when not strictly necessary.
- Practice Review: Nooco reserves the right to request an annual review of the Supplier’s security practices and to conduct audits or send control questionnaires to verify compliance with these requirements.
Reference: This document applies by default to any contractual relationship with Nooco, unless explicitly stated otherwise in the agreement.
Version: v1.0 – Published on November 3, 2025 – https://www.nooco.com/en/vendors-security-requirements/