Pacific Life


THIRD-PARTY MINIMUM CONTROL REQUIREMENTS

Minimum Control Requirements apply to any business or organization that will collect, transmit, share, store, control, process, manage, or access Pacific Life Data (defined as any data, works, content, or other materials provided to or accessed by Third-Party (as defined below), including information or data generated by Pacific Life or its Affiliates, customers, clients, suppliers, or third-party service providers through use of the Services), including through the use of artificial intelligence, machine learning, or other emerging technologies.

To report a suspected or actual security incident relating to Pacific Life information, email: CorpCompliancePrivacy@PacificLife.com.

PACIFIC LIFE INSURANCE COMPANY THIRD-PARTY MINIMUM CONTROL REQUIREMENTS

These Third-Party Minimum Control Requirements ("Minimum Control Requirements") are stated at a relatively high level, and Pacific Life and its affiliates and subsidiaries (collectively "PL") recognize there may be multiple approaches to accomplish a particular Minimum Control Requirement. All Minimum Control Requirements apply to any business or organization that will collect, transmit, share, store, control, process, manage or access Pacific Life Data, including through the use of artificial intelligence (AI), machine learning (ML), or other emerging technologies in the delivery of services, even if a business or organization is not specifically mentioned in the particular control requirement ("Third-Party"). Third-Party Subcontractors include any agents, representatives, or contractors a business or organization may engage to collect, transmit, share, store, control, process, manage or access Pacific Life Data ("Subcontractor"). Fourth-to-Nth parties are any entities engaged by a Subcontractor, directly or indirectly, that access, process, store, or transmit Pacific Life Data in support of services provided to PL. Third-Party must document, in reasonable detail, how a particular control meets the stated Minimum Control Requirement. Third-Party must ensure that the obligations required in the Minimum Control Requirements are tested, documented, reviewed, and approved, with management oversight, on a periodic basis, in alignment with applicable regulatory requirements and industry standards (including NYDFS 23 NYCRR 500 and NIST, as applicable).

PL may revise the Minimum Control Requirements from time to time, and such revisions will become effective upon receipt by Third-Party via mail, email, publication to any Third-Party management portal used by PL and Third-Party or by posting updated Third-Party Minimum Control requirements at the following location (/home/privacy-and-other-policies/enterprise-procurement/third-party-minimum-control-requirements.html). Third-Party will comply with the revised PL Minimum Control Requirements as soon as commercially reasonable or otherwise agreed in writing by PL. The term "should" in these Minimum Control Requirements means that Third-Party will use commercially reasonable efforts to accomplish the stated Minimum Control Requirement, and will document those efforts in reasonable detail, including the rationale, if any, for deviation. This documentation may be reviewed by auditors to assess the control and the merit of the rationale for deviation. Not all the stated Minimum Control Requirements will apply to all services or other deliverables, but Third-Party must be able to reasonably show when a Minimum Control Requirement does not apply. Third-Party will immediately notify PL in writing if it is unable to comply with the Minimum Control Requirements.

These Minimum Control Requirements do not limit Third-Party's obligations under the Agreement or applicable Law, and do not limit the scope of an audit by PL. PL may conduct audits on its own or by using an external auditor and will provide notice to the Third-Party of the entity conducting any such audit at the time of such audit. Third-Party will cooperate with any auditor as reasonably requested by PL or any such external auditor, including entering into agreements any of them may request from time to time, fully and promptly answering questionnaires that PL or any of them may submit (including information through electronic means, portals, or other mutually agreed designated methods), meeting with any of them to facilitate the audit, and not requesting any of them to execute a separate non-disclosure agreement.

As used in these Minimum Control Requirements, (i) any capitalized terms not defined herein shall have the same meaning as set forth in the master agreement relating to the services, products, and other deliverables to which these Minimum Control Requirements relate (the "Agreement"); (ii) "Confidential Information" is understood to include "Confidential Information", "Personal Information", "Pacific Life Data" or other terms used for Pacific Life information protected under the Agreement, as applicable; and (iii) "Nonpublic Information" has the meaning ascribed under applicable regulatory requirements, including but not limited to 23 NYCRR 500.

Risk Management

The effectiveness of controls must be regularly validated through a documented risk assessment program and appropriately managed remediation efforts. Identified issues must be prioritized, tracked, and remediated or formally risk-accepted with documented rationale. Risk assessments must also be reassessed upon material events such as cybersecurity incidents, operational changes, or regulatory developments. Where AI or machine learning is used in the delivery of PL services, AI-specific risks must be identified and managed within the program. Evidence of assessments and remediation status must be available upon request.

Security Policy

A documented set of rules and procedures must regulate the receipt, transmission, processing, storage, control, distribution, retrieval, access, presentation, and protection of Pacific Life information, including Nonpublic Information, and associated services. The policy must be reviewed at least annually and updated as needed. A risk-based exception management process must be in place for controls not adopted or implemented, with documented justification and approval. Security policies and responsibilities must be communicated to Third-Party Personnel (e.g., both employees and contractors), with acknowledgments collected. Third-Party Personnel must be trained to identify and report suspected weaknesses and incidents. Where AI-enabled tools or services are used, policies must address acceptable AI use and handling of Pacific Life Data. Evidence of policy reviews, communications, and training must be retained and available upon request.

Organizational Security

A Third-Party's Personnel security policy and agreements must establish organizational requirements to ensure proper training and competent performance, and an appropriate and accountable security organization must be in place. Training and job competence of Third-Party's Personnel providing services to PL must be monitored using a formal performance and appraisal process, with competency gaps addressed. Current organizational charts representing key management responsibilities for services provided, including services provided by Subcontractors, regardless of tier, must be maintained and updated upon material organizational changes. Background checks (including criminal) must be completed on applicable Third-Party's Personnel prior to assignment, with defined screening criteria and rescreening where warranted. Third-Party Personnel must be subject to written non-disclosure or confidentiality obligations before being assigned to PL services and granted access to PL systems and information, covering employees, contractors, and subcontractors. Third-Party must designate a senior information security officer or equivalent responsible for overseeing the security program for services supporting PL. Staffing levels must be adequate, with notification to PL of material staffing changes that could affect service quality or security posture. Where Third-Party Personnel operate or oversee AI-enabled services provided to PL, role-based training and defined human oversight responsibilities must be in place. Evidence must be retained and available upon request.

Technology Asset Management

Controls must be in place to protect assets, including mechanisms to maintain an accurate inventory of assets and handling standards for the introduction, transfer, removal, and disposal of all assets. The inventory must specify data storage locations, including on-premises, offshore, and backup sites. End-of-life (EOL) and end-of-support (EOS) status must be tracked with remediation plans. Third-Party Personnel may not use personally owned devices for business purposes unless expressly approved by PL; if permitted, such devices must be treated the same as other assets. Procedures for disposal or reuse of storage equipment must accomplish sufficient destruction of data, with certificates of destruction. Where AI-related assets (models, datasets, AI tools) are used, they must be inventoried with assigned ownership. Evidence must be retained and available upon request.

Physical and Environmental

Controls must protect against unauthorized physical access and environmental damage including fire detection and suppression, climate control, power and back-up power, water damage detection, and visitor management. Third-Party may only store Pacific Life Data at facilities or locations that are pre-approved by PL before use, with re-approval required for location changes. Offshore or high-risk locations must be disclosed with PL approval. Approval from PL must be obtained before assets with Pacific Life Data are removed from a facility, with encryption and chain-of-custody in place during transit, as applicable. Evidence must be retained and available upon request.

Communication and Connectivity

Third-Party must implement controls over its communication network to safeguard data, including boundary protections, segmentation, encryption, logging and monitoring, and disabling communications where no business need exists. Network documentation and diagrams must be kept current, identifying at a minimum all external connections, security boundaries and segmentation, and applicable data flows. All Pacific Life Data, including Pacific Life Data shared with Subcontractors, must be stored in a manner that allows for its return or secure destruction upon request. Firewalls or similar network technologies must be used to isolate all environments, with documented rule governance and periodic review. Devices must have synchronized time sources to ensure reliable time-stamps on logs. Authentication to networks and systems shall require multi-factor authentication (MFA), including for Subcontractor remote access, which is permitted only when necessary and with a valid business justification. Network communication includes any wireless networks. Data Loss Prevention (DLP) solutions must be deployed at key egress points where arrangements include Confidential Information. Where Pacific Life Data is transmitted to AI tools, APIs, or model providers, approved channels and governance must be maintained. Evidence must be retained and available upon request.

Email and Instant Messaging

Policies and procedures must be established to ensure proper control of email and instant messaging systems that contain Pacific Life Data. Access to non-corporate/personal email and instant messaging must be restricted and must not be used for Pacific Life Data. Controls must prevent Confidential Information from being sent externally without encryption. Preventive controls must block malicious messages, attachments, and links. Auto-forwarding of emails must be prevented unless approved. Retention must align with Pacific Life data classification requirements. E-discovery and archiving capabilities must be available upon PL request. Evidence must be retained and available upon request.

Change Management

Changes to the system, network, applications, data structures, and related components must be monitored and controlled through a formal change control environment with documented approval workflows, testing, rollback procedures, and separation of duties. Changes materially affecting PL services must be communicated to PL prior to implementation with advance notice, including impact assessment, timing, and rollback plan. Material changes include those affecting availability, security, data handling, compliance, service delivery model, or key personnel. Where AI-enabled services are provided, material AI changes (model updates, training data changes, output use changes) must require impact assessment and notice to PL before implementation. Evidence must be retained and available upon request.

Logical Access Control

Authentication and authorization controls must be appropriately robust for the risk of the data, application and platform. Access rights must be granted based on the principle of least privilege and need-to-know with separation of duties enforced. Documented logical access policies must support role-based access and ensure timely removal upon termination and updates upon role change. Management of privileged user accounts, including service accounts, must follow a documented process with vaulted credentials and periodic review. Shared privileged accounts are prohibited unless documented and approved by Pacific Life. A documented authentication and authorization policy must cover all applicable systems, including password complexity, lockout, secure reset, prohibition of defaults, and multi-factor authentication. Access reviews must occur at least quarterly for privileged accounts and semi-annually for standard accounts, with logs retained for a minimum of one year. Evidence must be retained and available upon request.
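The review cadences and termination rule above are the kind of requirement an auditor will ask a Third-Party to evidence. The following is an added example of how a vendor might reconcile its account inventory against an HR roster to produce that evidence; it is not Pacific Life's tooling and is not part of the requirements text. The 90-day and 180-day limits come from the section; the account records, roster, review date and field names (including the shared-account approval reference) are constructed for the example.

```python
"""Access-review reconciliation: flag accounts that breach the review cadence,
remain enabled after their owner has left, have no identifiable owner, or are
shared privileged accounts without a recorded approval.

Added example; the data below is constructed and the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PRIVILEGED_REVIEW_DAYS = 90   # "at least quarterly" for privileged accounts
STANDARD_REVIEW_DAYS = 180    # "semi-annually" for standard accounts


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                            # HR user id, or a team name for shared accounts
    privileged: bool
    enabled: bool
    last_reviewed: date
    shared: bool = False
    shared_approval: Optional[str] = None  # approval reference (assumed field)


@dataclass(frozen=True)
class Person:
    user_id: str
    active: bool                          # False once HR records a termination


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def review_access(accounts: List[Account], roster: List[Person], today: date) -> List[Finding]:
    """Reconcile accounts against the HR roster and the last-review dates."""
    people = {p.user_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        limit = PRIVILEGED_REVIEW_DAYS if acct.privileged else STANDARD_REVIEW_DAYS
        age = (today - acct.last_reviewed).days
        if age > limit:
            findings.append(Finding(acct.name, "review_overdue",
                                    f"last reviewed {age} days ago; limit {limit}"))
        if acct.shared:
            # Shared privileged accounts are prohibited unless documented and approved.
            if acct.privileged and not acct.shared_approval:
                findings.append(Finding(acct.name, "shared_privileged_unapproved",
                                        "no approval reference recorded"))
            continue
        owner = people.get(acct.owner)
        if owner is None:
            findings.append(Finding(acct.name, "orphaned",
                                    f"owner {acct.owner!r} not in HR roster"))
        elif not owner.active and acct.enabled:
            # Termination must trigger timely removal; an enabled account is a gap.
            findings.append(Finding(acct.name, "terminated_owner_still_enabled",
                                    f"owner {acct.owner!r} is no longer active"))
    return findings


# Constructed sample data (not real accounts or people).
ROSTER = [
    Person("jdoe", active=True),
    Person("alice", active=True),
    Person("bob", active=False),   # left the company in this scenario
    Person("carol", active=True),
]
ACCOUNTS = [
    Account("svc-db-admin", "jdoe", privileged=True, enabled=True, last_reviewed=date(2026, 1, 15)),
    Account("alice", "alice", privileged=False, enabled=True, last_reviewed=date(2026, 3, 1)),
    Account("bob", "bob", privileged=False, enabled=True, last_reviewed=date(2026, 4, 1)),
    Account("ops-break-glass", "ops-team", privileged=True, enabled=True,
            last_reviewed=date(2026, 4, 1), shared=True),
    Account("carol-admin", "carol", privileged=True, enabled=True, last_reviewed=date(2026, 3, 15)),
    Account("ghost", "mallory", privileged=False, enabled=True, last_reviewed=date(2025, 10, 1)),
]
REVIEW_DATE = date(2026, 5, 20)

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, ROSTER, REVIEW_DATE):
        print(f"{f.account:16} {f.issue:32} {f.detail}")
```

Run on the sample, the check reports the privileged service account whose last review is older than a quarter, the still-enabled account of a departed user, the undocumented shared break-glass account, and an account whose owner does not appear in the roster at all (overdue and orphaned). Retaining each run's output, with the review date, is the evidence the section asks for; the one-year log retention applies to those records as well.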

Data Integrity

Controls must be in place to ensure the integrity and accuracy of data at rest and in transit. Data accuracy must be ensured through validation, change controls, and reconciliation, with corrections documented and approved. Integrity must be protected using cryptographic methods and secure transport protocols. Third-Party must be able to report the approximate volume of Pacific Life Data records upon request. Where AI-enabled services are used, controls must ensure the quality and authorized use of AI inputs and outputs. Evidence must be retained and available upon request.

Encryption

Data must be encrypted both in transit (TLS 1.2+) and at rest (AES-256 or equivalent) across all environments, systems, and Subcontractors, including Nonpublic Information. The Third-Party shall maintain encryption controls that remain compliant with commonly accepted industry standards and applicable legal and regulatory requirements, and shall update such controls in a timely manner to address emerging risks, including the adoption of post-quantum cryptography. A data protection policy must cover data classifications, encryption requirements, approved cryptographic algorithms and key lengths, and key/certificate lifecycle management. Authentication credentials must always be encrypted in transit and at rest. Plaintext credentials in configuration files, scripts, or logs are prohibited. Subcontractor encryption compliance must be verified. Evidence must be retained and available upon request.
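Two of the requirements above are directly testable on a Third-Party's own systems: the TLS 1.2 floor and the ban on plaintext credentials in configuration files, scripts and logs. The following is an added example of such self-checks; it is not Pacific Life's tooling and is not part of the requirements text. The sample configuration and log lines are constructed, and the credential key names and vault-reference syntax it recognizes are assumptions about what a typical estate looks like.

```python
"""Self-checks for the Encryption requirements: a TLS 1.2 floor on client
contexts and a heuristic scan for cleartext credentials in config/log text.

Added example. Sample lines are constructed; key names and the
${VAULT:...} / vault:// reference forms are assumptions.
"""
import re
import ssl
from typing import Dict, List

TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()   # CA verification and hostname checking on
    ctx.minimum_version = TLS_FLOOR      # refuse TLS 1.0/1.1 even if the peer offers them
    return ctx


def tls_floor_ok(minimum_version: int) -> bool:
    """True only when a context's minimum_version meets the TLS 1.2 floor.

    ssl.TLSVersion.MINIMUM_SUPPORTED is a negative sentinel meaning "whatever the
    OpenSSL build allows", so it correctly fails this check.
    """
    return minimum_version >= TLS_FLOOR


# key = value, key: value and "key": "value" forms with a credential-like key.
ASSIGNMENT = re.compile(
    r'\b(?P<key>[\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token|private[_-]?key)[\w.-]*)'
    r'["\']?\s*[:=]\s*["\']?(?P<value>[^"\'\s,;]+)',
    re.IGNORECASE,
)
# scheme://user:password@host embedded in a URL.
URL_CREDENTIALS = re.compile(r"[a-z][a-z0-9+.-]*://(?P<user>[^:/@\s]+):(?P<value>[^@\s]+)@", re.IGNORECASE)
# Values that are references to a vault/environment or already redacted, not cleartext.
SAFE_VALUE = re.compile(
    r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*|\$\{?vault:|vault://|env:|\*{3,}|\[REDACTED\]|<redacted>)",
    re.IGNORECASE,
)


def redact(value: str) -> str:
    """Never copy the secret into the finding; report only its length."""
    return f"<{len(value)} chars>"


def find_plaintext_credentials(text: str) -> List[Dict[str, object]]:
    """Return one finding per cleartext credential, keyed by 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            if SAFE_VALUE.match(m.group("value")):
                continue
            findings.append({"line": lineno, "kind": "assignment",
                             "key": m.group("key").lower(), "value": redact(m.group("value"))})
        for m in URL_CREDENTIALS.finditer(line):
            findings.append({"line": lineno, "kind": "url",
                             "key": m.group("user"), "value": redact(m.group("value"))})
    return findings


# Constructed samples; not real configuration or logs.
SAMPLE_CONFIG = """\
# constructed sample; not a real configuration
db_host = db.internal.example
db_password = Hunter2
api_key: "${VAULT:svc/api_key}"
"token": "ghp_exampleexampleexample"
smtp_url = smtps://mailer:s3cr3t@smtp.example:465
ssl_min_version = TLSv1.2
"""
SAMPLE_LOG = """\
2026-05-20T10:00:00Z INFO connecting user=app password=Hunter2
2026-05-20T10:00:01Z INFO token=[REDACTED] request ok
"""

if __name__ == "__main__":
    print("TLS floor ok:", tls_floor_ok(hardened_client_context().minimum_version))
    for f in find_plaintext_credentials(SAMPLE_CONFIG) + find_plaintext_credentials(SAMPLE_LOG):
        print(f)
```

The scanner is deliberately heuristic: it treats vault and environment references and already-redacted markers as acceptable, and it redacts the matched value in its own output so that the evidence file does not itself become a plaintext credential store. A value that happens to start with `$` would be mistaken for a reference, so findings still need a human pass, and the regexes should be tuned to the naming conventions actually in use before the results are offered as evidence.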

Incident Response

Third-Party must have a documented incident response plan, including responsibilities, severity classification, escalation paths, and parties to be notified; with the plan tested at least annually. Incident management procedures must include prioritization, roles, escalation, notification, tracking, containment, remediation, and preservation of forensic integrity. Third-Party shall promptly notify PL (in no event later than 72 hours) following discovery of any security incident(s), including the nature and extent of the incident, impacted data, and response actions. A root cause analysis and mitigation plan must be delivered within 30 calendar days of disclosure. Third-Party shall cooperate with PL's investigation and bear all reasonable direct costs of legally required notifications, which shall not be made without PL's prior written consent. Where AI-enabled services are provided, incident response procedures and plans must extend to AI-specific events such as harmful outputs, model failure, or drift. Evidence must be retained and available upon request.


Business Continuity and Disaster Recovery

Third-Party must have formal documented recovery plans identifying resources and specifying actions to minimize losses from disruptions to the business unit, application, or infrastructure component. Plans must define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for PL services. Plans must address operational resilience, including fallback capabilities and contingency for transition to an alternative provider. Business resiliency plans must cover Subcontractor dependencies with periodic testing and updates upon material changes. Where AI-enabled services are material, continuity plans must address scenarios where AI functionality is unavailable or degraded. Evidence must be retained and available upon request.

Back-Up and Offsite Storage

Documented backup policies must be maintained for Pacific Life Data, defining scope, frequency, retention, and monitoring. Backup locations must be disclosed to PL. Backup media must be protected and sanitized prior to disposal or reuse. Full restoration must be achievable within defined RTO/RPO targets with periodic testing. Media no longer required must be rendered unreadable with certificates of destruction. All backup storage must be encrypted. Transport to offsite locations must use secure handling with chain-of-custody logs. Evidence must be retained and available upon request.

Media and Vital Records

Policies for handling and storing electronic media containing Pacific Life Data and paper records must be in place, including secure disposal and secure transport to and from Third-Party and Subcontractors. Records awaiting disposal must be stored in locked, access-controlled locations. Retention must follow PL schedules, including legal holds. Destruction must prevent reconstruction, with certificates of destruction. Electronic media in transit must be encrypted. Upon termination, Pacific Life Data must be returned or destroyed. Any data retained for legal reasons must remain protected until destroyed. Evidence must be retained and available upon request.

Subcontractor Relationships

All Subcontractors and fourth-to-Nth parties must be identified, assessed, managed, and monitored with risk tiering. PL approval is required before new fourth-to-Nth parties access Pacific Life Data. Due diligence must cover security and regulatory compliance, performed before engagement and periodically thereafter. Concentration risk must be assessed and disclosed. Material Subcontractors must comply through written contracts including data protection, incident notification, audit rights, and termination provisions. PL must be notified of material Subcontractor changes. Where Subcontractors provide AI-enabled services, equivalent controls must be contractually required. Evidence must be retained and available upon request.

Standard Builds

Information systems must be deployed with documented secure baseline configurations and reviewed periodically for compliance. Security patching must follow defined timelines. Default passwords on systems and devices shall be promptly removed or changed. Permissions to systems shall be controlled to ensure only authorized access. Unnecessary services shall be disabled where practical. New technology introduced into PL environments must be assessed before deployment. EOL/EOS systems must not be used for Pacific Life Data without compensating controls and a migration plan. PL Confidential Information shall only be stored in PL-approved systems and environments. Writing to electronic media must be limited to documented exceptions. Evidence must be retained and available upon request.

Application

Third-Party must have an established Software Development Life Cycle (SDLC) with integrated security for defining, acquiring, developing, enhancing, modifying, testing, or implementing information systems handling Pacific Life Data. Release management must include approval gates, segregation of duties, and rollback procedures. Software supply chain risks must be assessed, including open-source component tracking. Applications leveraging AI, ML, Generative AI, or IoT (Internet of Things) for PL services must be disclosed with an associated risk assessment. Vulnerability assessments and penetration tests must be performed at defined intervals with findings tracked to remediation. Sanitized or synthetic data must be used in non-production environments. Where the use of production data is unavoidable, all Personal Information must be masked or redacted before use, and production-equivalent security controls must be applied. Evidence must be retained and available upon request.

Vulnerability Monitoring

Third-Party must continuously gather information on and analyze vulnerabilities, taking into account existing and emerging threats, actual attacks, and external threat intelligence sources. Vulnerability scans, anti-malware, Intrusion Detection/Prevention Systems, and logging/SIEM must be in place with documented response procedures. Third-Party must respond to PL inquiries on patch and vulnerability status within defined timeframes. Where AI-enabled services are provided, monitoring must extend to AI-specific anomalies and drift. Evidence must be retained and available upon request.

Cloud Technology

In addition to the other requirements listed elsewhere, adequate safeguards must ensure the confidentiality, integrity, and availability of Pacific Life Data stored, processed, or transmitted using cloud technology. Third-Party must disclose cloud providers, deployment models, and data residency regions, with PL approval for cross-border hosting. A shared responsibility model must be documented. Cloud security certifications (e.g., SOC 2 Type II, ISO 27017) must be maintained and provided upon request. Backup and recovery must be maintained. Where cloud services include AI/model providers processing Pacific Life Data, governance and oversight must be maintained. Evidence must be retained and available upon request.

Privacy and Regulatory Compliance

Applicable laws and regulations must be identified, compliance ownership assigned, and compliance monitored for services supporting PL. Third-Party must proactively report regulatory changes affecting PL services. PL must be notified of alleged noncompliance, regulatory inquiries, enforcement actions, or related legal claims. Material customer complaints indicating systemic control weaknesses must be reported to PL. Third-Party must adhere to PL's ESG and ethical conduct expectations where communicated. Where AI-enabled services involve Pacific Life Data, legal review must address privacy, transparency, and AI risk. Evidence must be retained and available upon request.

Business Practices

Third-Party must have policies and procedures addressing standard business operations, including the handling of non-public information and change control. A fraud detection and mitigation program must include monitoring, investigation, and notification to PL for events impacting PL services or data. Conflicts of interest affecting the impartiality or independence of services must be disclosed to PL. Where AI materially affects services or outcomes provided to PL, governance must include oversight, escalation, and communication to PL. Evidence must be retained and available upon request.

Data Use

Pacific Life Data must be used solely as necessary to provide services to PL; any other use, including secondary use for analytics, AI/ML training, benchmarking, or marketing, is prohibited without prior written PL approval. Data sharing with fourth-to-Nth parties must be disclosed and pre-approved. Retention and disposal must follow PL authorization. Evidence must be retained and available upon request.

Concentration Risk and Financial Viability

Third-Party must maintain adequate financial viability throughout the engagement and notify PL of material changes to financial condition, ownership, or business model. Appropriate insurance coverage must be maintained with proof available upon request. Concentration risk, such as dependency on a single Subcontractor, facility, or platform for critical functions, must be disclosed.

Offboarding / Exit Strategy

Upon termination, Third-Party must: (1) at PL's direction, return all Pacific Life Data in a consumable format; (2) securely destroy all retained Pacific Life Data including Subcontractor copies, with certificates of destruction; (3) terminate all logical access and connectivity; (4) decommission PL-specific configurations; and (5) fulfill transitional service obligations. Pacific Life Data retained post-termination for legal reasons must remain protected with PL notified of scope and destruction timeline.


Last Updated: 5/20/2026

High Risk Security Countries

Pacific Life does not permit third parties to provide services from High Risk Security Countries without special consideration or prior approval.
