Table of Contents
- What is ProcessUnity Global Risk Exchange?
- What is the ProcessUnity Global Risk Exchange Policy?
- How does the ProcessUnity Global Risk Exchange process work?
- How does the ProcessUnity Global Risk Exchange make the process more efficient for vendors?
- What happens to my data after I answer the questionnaire?
- How do you protect the privacy of my data?
- What if my legal department has questions or concerns about the content of the TPPA?
- What if my legal department requires an NDA to be signed?
- Will my legal department be able to review the questions and/or answers to the questionnaire before the assessment is submitted?
- Will my IT Security department be able to review the assessment results before it’s shared with the requesting customer?
Q: What is ProcessUnity Global Risk Exchange?
A: ProcessUnity Global Risk Exchange is an exchange platform for Third-Party Cybersecurity Risk Management that allows both vendors and customers to more efficiently and effectively manage the risk associated with their third-party ecosystem.
Q: What is the ProcessUnity Global Risk Exchange Policy?
A: The ProcessUnity Global Risk Exchange operates an exchange model that is predicated on our ability to share your assessment with your upstream Customers. To this end, the ProcessUnity Global Risk Exchange is unable to sign NDAs, including standard or three-way agreements, for any engagement. As part of its services, the ProcessUnity Global Risk Exchange conducts assessments on its Customers’ Third Party vendors to cover the existence of cyber security controls, which allows you to complete one assessment and share it multiple times with multiple Customers.
Our Third Party Profile Agreement specifically addresses your access to our software platform in order to complete the assessment questionnaire, how our assessment process works, and how we can use your data. None of these issues are addressed in an NDA, which ultimately intends to restrict the use of confidential information. This does not align with the intent of our exchange model.
Q: How does the ProcessUnity Global Risk Exchange process work?
A: Through ProcessUnity Exchange’s SaaS platform, customers receive data and analytics on their vendor security ecosystem. In the event a customer is interested in performing a deeper dive on a particular third-party vendor, it is able to request an assessment of that company. A third-party is then asked, through the ProcessUnity Global Risk Exchange’s customer service team, to complete the “ProcessUnity Global Risk Exchange Assessment Process” by completing a risk assessment questionnaire through the GRX platform. ProcessUnity GRX takes the answers to the questionnaire, runs that answer set through its proprietary process, and prepares a report on the third-party for the mutual customer. The third-party must expressly authorize the GRX to release its assessment to the requesting customer. The GRX platform allows the customer to securely access the GRX assessments of its selected third-party vendors, while at the same time being able to more effectively digest and manage the data security information. Further adding to the effectiveness of the GRX product offering is the ability for third-party vendors to update their information on their assessment periodically, and the ability to build on the initial assessment rather than completing a new assessment each year.
Q: How does the ProcessUnity Global Risk Exchange make the process more efficient for vendors?
A: Once a third-party completes a ProcessUnity Global Risk Exchange assessment, the answers and the resulting assessment remain available to share via the Exchange with other customers proactively, or for the third-party vendor to respond to individual customer requests. This reduces the burden on security professionals who are completing numerous risk assessments for multiple customers and allows them to complete one assessment and share it many times.
Q: What happens to my data after I answer the questionnaire?
A: Upon logging in to the Exchange platform, and prior to answering our questionnaire, you will be presented with our Third Party Profile Agreement, or “TPPA” for short. Among other things, the TPPA allows ProcessUnity Global Risk Exchange to use the answers you provide to our questionnaire in order to prepare the assessment, share it with the customers you authorize us to share it with, and ultimately store the assessment on our platform in order to allow you to respond to other security audits from other mutual customers.
Q: How do you protect the privacy of my data?
A: With respect to customers accessing your assessment, you have the right to authorize and deauthorize a customer at any time through the platform, for any reason. With respect to general data security, ProcessUnity Global Risk Exchange maintains appropriate technical and organizational security measures to protect against accidental or unlawful destruction or accidental loss, damage, alteration, or unauthorized disclosure of confidential information. Please contact us if you would like further information about our security.
Q: What if my legal department has questions or concerns about the content of the TPPA?
A: If your legal department has questions or concerns with the TPPA, please indicate this in your correspondence with the assigned Assessment Coordinator and they will coordinate with our other internal teams as necessary to provide a response. As referenced above, ProcessUnity Global Risk Exchange operates an exchange where assessment information may be shared with more than one (mutual) customer. As a result, ProcessUnity Global Risk Exchange needs the ability to use the answers you provide on our questionnaire to prepare our assessment as well as the data and analytics we provide our customers in our product.
Q: What if my legal department requires an NDA to be signed?
A: While we understand that an NDA may be a part of your company’s standard process, the terms and conditions of our TPPA will need to govern our contractual relationship in order for you to participate in the Exchange assessment process. ProcessUnity’s exchange model is predicated on our ability to share your assessment with your authorized customers instead of prohibiting disclosure, which is the purpose of an NDA. The TPPA contains confidentiality and non-disclosure provisions that protect your data, but within the framework of our exchange model. We advise your legal department to review our TPPA first, and if they have questions, to please ask the assigned Assessment Coordinator to coordinate our response to any questions they may have instead of sending us your NDA.
Q: Will my legal department be able to review the questions and/or answers to the questionnaire before the assessment is submitted?
A: Yes. There is a section on the Assessment Dashboard called ‘Review and Submit’ that lists all of the questions and answers provided. This section is accessible at any point during the assessment process. You can add a legal representative as a user on your account with view permissions to review that data prior to submitting the assessment.
Q: Will my IT Security department be able to review the assessment results before it’s shared with the requesting customer?
A: Yes, after the assessment is submitted you have the option to review your results before sharing with your customer(s). Your customer(s) will not have access to your assessment data and scores or to your ProcessUnity Global Risk Exchange Report until you authorize their request.