1. Introduction
Unite is committed to safeguarding the confidentiality, integrity, and availability of its information assets. To maintain this level of protection across the entire supply and service chain, Unite sets out the following minimum requirements, which every Supplier must observe and enforce.
2. Scope
These requirements apply to all persons, systems, and facilities of Suppliers that process Unite Data. ‘Unite Data’ means any data from Unite's customers, as well as other technical, commercial, or confidential information that is provided by Unite or generated for Unite.
3. Information-Security Principles
The technical and organisational measures below constitute the minimum standard. Suppliers shall establish internal processes to ensure their ongoing adherence.
3.1 Access Control
Access to Unite Data shall follow the principles of least privilege and need-to-know, with clear segregation of duties to prevent unauthorised disclosure or manipulation. State-of-the-art authentication mechanisms must be implemented, unique user IDs assigned, and passwords stored only in encrypted (hashed and salted) form.
3.2 System, Network, and Physical Security
Security patches and updates must be monitored continuously, with critical patches applied without delay, and secure software-development methods adopted. A segmented network architecture protected by firewalls is required, and any remote access must take place through secured VPN connections. All systems processing Unite Data must be appropriately hardened to reduce vulnerabilities. In addition, physical access to data centres and server rooms must be controlled, with continuous surveillance and suitable environmental safeguards in place.
3.3 Incident Response and Security Incidents
Suppliers must maintain documented procedures for detecting, reporting, and managing security incidents. Any event affecting Unite Data is to be reported without undue delay to infosec@unite.eu, followed by a root-cause analysis aimed at preventing recurrence.
3.4 Employee Training and Awareness
Regular training on information-security practices, including incident-reporting procedures, must be provided to all relevant personnel to ensure ongoing awareness and preparedness.
3.5 Vendor Management
Where Suppliers rely on third parties, they shall impose contractual security obligations equivalent to these requirements, perform periodic assessments, and ensure that data confidentiality, integrity, and availability are preserved throughout the supply chain.
3.6 Compliance
Suppliers must comply with all applicable external regulations as well as Unite’s internal policies.
4. Information-Security Obligations
4.1 Technical and Organisational Security Measures
Suppliers shall implement and maintain industry-standard technical and organisational measures to safeguard all Unite Data against unauthorised processing, loss, destruction, or damage.
At a minimum, Unite Data must be encrypted using current state-of-the-art technology (e.g. TLS 1.2 or higher for data in transit and AES-256 for data at rest). Sound key-management practices – including secure generation, distribution, rotation, storage, and destruction – are mandatory to preserve confidentiality and integrity. Unite Data must be securely disposed of when no longer required for the agreed purpose, using processes that ensure data is irretrievable.
Suppliers shall regularly review and update these safeguards, ensuring they remain effective and consistent with prevailing industry standards and regulatory requirements.
4.2 Data Return, Deletion and Subcontracting upon Termination
Upon termination or expiry of the agreement – or upon Unite’s written request – the Supplier shall,
4.2.1 within thirty calendar days and at Unite’s discretion,
(1) return to Unite all Unite Data;
or
(2) irreversibly erase or physically destroy such data and assets so that no forensic recovery is possible, using accepted industry practices,
4.2.2 confirm in writing that the chosen option has been completed,
and
4.2.3 impose the same obligation on all subcontractors engaged in processing Unite Data.
4.3 Retention Requirements
If immediate deletion is prevented by statutory or regulatory retention, Suppliers shall block the data, protect it in accordance with this clause, and destroy it promptly after the retention period.
4.4 Survival of Confidentiality Obligations
Confidentiality obligations remain in effect for the longer of three years after the agreement ends, or until all Unite Data has been returned or securely destroyed.
5. Cooperation and Auditing
Suppliers shall support Unite’s verification efforts by supplying relevant evidence and information within a reasonable period. On request, Suppliers shall allow Unite, or an auditor appointed by Unite, to verify this during normal business hours, on reasonable notice and subject to customary confidentiality.
6. Breach and Remedies
If there is any indication of a breach of these requirements, Unite is entitled to take appropriate measures as defined in the General Terms and Conditions Unite.
Last updated 01/2026