Royal Caribbean Group Information Security Schedule

This Information Security Schedule (“Schedule”) sets forth the applicable information security requirements governing the relationship between Royal Caribbean Group (RCG) and Counterparty. Throughout the term of the Agreement and for as long as Counterparty controls, possesses, stores, transmits, or processes Protected Data, or connects to or accesses any RCG Information Assets as part of the services provided to RCG or otherwise under the Agreement between the parties, Counterparty shall comply with the requirements set forth in this Schedule. Any breach of this Schedule shall be deemed a material breach under the Agreement.

1. Definitions:

“Affiliate” means any company or other entity which directly or indirectly controls, is controlled by or is under common control with a company, or any limited partnership or limited liability partnership whose general partner or managing member is an aforementioned company or entity.

“Authorized Personnel” for the purposes of this Schedule, means Counterparty’s employees or subcontractors who: (i) have a need to receive or access Protected Data to enable Counterparty to perform its obligations under the Agreement; and (ii) are bound in writing with Counterparty by confidentiality obligations sufficient for the protection of Protected Data in accordance with the terms and conditions set forth in the Agreement and this Schedule.

“Common Software Vulnerabilities” (CSV) are application defects and errors that are commonly exploited in software. This includes but is not limited to:

“Credit Card Data” includes: Credit or Debit Card Account Number, Security Code, Expiry Month, Expiry Year, or any data taken from the magnetic stripe of a credit or debit card.

“Data Protection Legislation” means, in each case to the extent applicable to activities undertaken in connection with this Agreement: (i) Regulation (EU) 2016/679; and (ii) UK GDPR (the “GDPR”), Directive 2002/58/EC, the California Consumer Privacy Act and any other legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data, data protection and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities.

“Industry Standards” mean generally recognized industry standards, best practices, and benchmarks, including but not limited to the latest version from time to time of the following:

“Information Assets” means all RCG and RCG Affiliate data, networks, systems, applications, or other resources housing RCG and/or RCG Affiliate data.

“Personal Data” also known as Personally Identifiable Information (PII), is information of RCG customers, guests, employees, and subcontractors held by Counterparty that can be used on its own or combined with other information to identify, contact, or locate a person, or to identify an individual in context. Examples of Personal Data include name, social security number or national identifier, biometric records, driver’s license number, either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Personal Information may also be defined under applicable state or federal law in the event of a Security Incident.

“Restricted/Confidential Data” is information that the RCG or its Affiliates designate as having a higher degree of confidentiality or sensitivity and includes:

Collectively, “Personal Data” and “Restricted/Confidential Data” may be referred to herein as “Protected Data.”

“Security Incident” is any actual or suspected occurrence of:

“Security Vulnerability” is an application, operating system, or system flaw (including, but not limited to, associated process, computer, device, network, or software weakness) that can be exploited resulting in a Security Incident.

“controller”, “processor”, “data subject”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.

2. General Security Requirements:

2.1 Information Security Program Management 

Counterparty represents and warrants that it currently employs one or more employees in the development, implementation and maintenance of Counterparty’s enterprise information security program. In the event Counterparty cannot so warrant, Counterparty agrees to either (a) assign a qualified member of its workforce or (b) commission a reputable third-party service provider to be responsible for the development, implementation and maintenance of Counterparty’s enterprise information security program. 

2.2 Policies and Standards 

To protect RCG and RCG Affiliates’ Protected Data, Counterparty shall implement and maintain reasonable security that complies with Data Protection Legislation and meets data security Industry Standards. 

Counterparty shall maintain formal written information security policies and standards that as a minimum:  

2.3 Security and Privacy Training 

Counterparty, at its sole cost and expense, shall train any new and existing Counterparty employees and subcontractors to comply with the security obligations under the Agreement and this Schedule. Ongoing training is to be provided by Counterparty at least annually, more frequently as Counterparty deems appropriate, or as requested by RCG. RCG may provide specific training material to Counterparty to include in its employee/subcontractor training.  

2.4 Access Control 

Counterparty shall ensure that RCG Protected Data shall be accessible only by Authorized Personnel after appropriate user authentication and access controls (including but not limited to two-factor authentication) that satisfy the requirements of this Schedule. Each Authorized Personnel shall have unique access credentials and shall receive training which includes a prohibition on sharing access credentials with any other person. Counterparty shall maintain access logs relevant to RCG Protected Data for a minimum of six (6) months or other mutually agreed upon duration. 

2.5 Data Backup 

As part of any Statement of Work, the parties shall agree upon the categories of RCG Protected Data that are required to be backed up by Counterparty. Unless otherwise agreed to in writing by RCG, backups of RCG Protected Data shall reside solely in the United States. For the orderly and timely recovery of Protected Data in the event of a service interruption:

2.6 Network Security 

Counterparty agrees to maintain network security controls that conform to Industry Standards including, but not limited to, the following: 

2.7 Application and Software Security 

Counterparty agrees at all times to provide, maintain and support its software applications or Software as a Service (SaaS) and subsequent updates, upgrades, and bug fixes such that the Software is, and remains, secure from Software Vulnerabilities and, at a minimum, incorporates the following:

2.8 Disaster Recovery and Business Continuity  

Counterparty agrees to maintain up-to-date plans for reestablishing critical business processes whenever extraordinary conditions occur that prevent normal operation. Counterparty agrees to test disaster recovery plans at least once a year and to allow RCG or its authorized third party, upon a minimum of thirty (30) days’ notice to Counterparty’s designated Security Contact, to perform an assessment of Counterparty’s Business Continuity and Disaster Recovery plans once annually, or more frequently if agreed to in an SOW or other document. Counterparty shall notify the RCG Information Security Department Incident Response Team by telephone and e-mail within 24 hours whenever a disaster or emergency situation is declared.

2.9 Change Management Procedures  

Counterparty agrees to follow change management procedures for services that are provided to RCG including but not limited to infrastructure, applications, databases, security, and networking infrastructure. The change management procedures shall meet, at a minimum, the Information Technology Infrastructure Library (“ITIL”) Change Management Framework or Information Technology Service Management (“ITSM”) to confirm that standardized methods and procedures are used to minimize the impact of change-related incidents upon service quality and availability.

2.10 Right to Audit 

RCG or an RCG-appointed audit firm shall have the right to audit Counterparty’s, its subcontractors’ or affiliates’ policies, procedures, software, system(s), and data processing environment to confirm compliance with this Schedule. RCG may conduct such audit by providing Counterparty no less than two weeks’ (10 business days’) notice, following the Notice provision in the Agreement. Should requested documentation be unable to be removed from the Counterparty’s premises, Counterparty shall allow RCG or its auditors access to Counterparty’s premises. Where necessary, the Counterparty shall provide a personal site guide for the auditors while on site. Counterparty shall provide a private accommodation on site for data analysis and meetings; the accommodation shall allow for a reasonable workspace, with appropriate lighting, electrical power, a printer and Internet connectivity. Counterparty shall make necessary employees or contractors available for interviews in person or by phone during the time frame of the audit. Counterparty shall provide reasonable support to the audit team. Audits shall be at RCG’s sole expense, except where the audit reveals material noncompliance with contract specifications, in which case the cost shall be borne by the Counterparty. Upon request, Counterparty shall provide any relevant third-party assessment reports, such as SOC 2, PCI DSS Report on Compliance, or ISO 27001 certification. At RCG’s request, Counterparty shall provide a remediation plan to RCG to remedy such issues at Counterparty’s expense. RCG has the right to review the controls tested as well as the results of third-party assessment reports, and has the right to request that additional controls be added to third-party assessments for testing controls that have an impact on RCG data.

2.11 Payment Cardholder Data 

If Counterparty accesses, collects, processes, uses, stores, transmits, discloses, or disposes of RCG / RCG Affiliate and/or RCG / RCG Affiliate Credit Card Data, Counterparty agrees to the following additional requirements: 

3. Protected Data

3.1 Authorized Personnel 

Counterparty shall require all Authorized Personnel to meet Counterparty’s obligations under the Agreement with respect to Protected Data. Counterparty shall screen and evaluate all Authorized Personnel and shall provide appropriate privacy and security training, as set forth above, in order to meet Counterparty’s obligations under the Agreement. Upon RCG’s written request, Counterparty shall provide RCG with a list of Authorized Personnel. Counterparty shall remain fully responsible for any act, error, or omission of its Authorized Personnel.

3.2 Handling of Protected Data  

Counterparty shall:  

3.3 Data Security 

Counterparty agrees to preserve the confidentiality, integrity and accessibility of RCG / RCG Affiliate data with administrative, technical and physical measures that conform to generally recognized Industry Standards and best practices that Counterparty then applies to its own processing environment. Maintenance of a secure processing environment includes, but is not limited to, the timely application of patches, fixes and updates to operating systems and applications as provided by Counterparty or open source support. 

3.4 Data Storage  

Unless otherwise agreed to in writing by RCG, any and all RCG Protected Data shall be stored, processed, and maintained solely on designated systems located in the continental United States.  RCG Protected Data shall not be stored, processed, or transferred to any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of the Counterparty’s designated backup and recovery processes and encrypted in accordance with “3.7. Data Encryption”.  Counterparty shall segregate RCG Protected Data from Counterparty’s data and from the data of Counterparty’s other customers or third parties. 

3.5 Data Retention and Destruction 

Except as required to comply with its recordkeeping or audit requirements or if required by law, Counterparty agrees that any and all data associated with RCG and/or RCG Affiliate transactions shall be irreversibly destroyed when the data is no longer necessary for the purposes for which it was processed.  Upon expiration or termination of this Agreement or upon RCG’s written request, Counterparty and its Authorized Personnel shall promptly return to RCG all RCG Protected Data and/or securely destroy RCG / RCG Affiliate Protected Data.   At a minimum, destruction of data activity is to be performed according to the standards enumerated by the National Institute of Standards, Guidelines for Media Sanitization – see http://csrc.nist.gov.  If destroyed, an officer of Counterparty must certify to RCG in writing within ten (10) business days all destruction of RCG Protected Data.  If Counterparty is required to retain any RCG Protected Data or metadata to comply with a legal requirement, Counterparty shall provide notice to both the general notice contact in the Agreement as well as RCG’s designated Security Contact.   

3.6 Data Transmission

Counterparty agrees that any and all electronic transmission or exchange of system and application data with RCG and/or any other parties expressly designated by RCG shall take place via secure means (using HTTPS or SFTP or equivalent) and solely in accordance with “4.8. Data Re-Use”. 

3.7 Data Encryption 

Counterparty agrees to store all RCG and RCG Affiliate backup data as part of its designated backup and recovery processes in encrypted form, using a commercially supported encryption solution. Counterparty further agrees that any and all RCG and/or RCG Affiliates’ Personal Data stored on any portable or laptop computing device or any portable storage medium be likewise encrypted. Encryption solutions shall be deployed with no less than a 128-bit key for symmetric encryption and a 1024 (or larger) bit key length for asymmetric encryption. 

3.8 Data Re-Use

Counterparty agrees that any and all data exchanged shall be used expressly and solely for the purposes enumerated in the Agreement and addenda. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of Counterparty.  Counterparty further agrees that no RCG data of any kind shall be transmitted, exchanged, or otherwise passed to other interested parties except on a case-by-case basis as specifically agreed to in writing by RCG. 

4. Security Incident

4.1 Security Contact 

The individuals identified below shall serve as each party’s designated Security Contact for security issues under this Schedule. 

RCG Security Contact: 

RCG Information Security Department Cyber Threat Response and Investigations Team  

4.2 Incident Response 

Counterparty shall take Industry Standard measures to ensure that RCG and its Affiliates are protected against any and all reasonably anticipated Security Incidents, including but not limited to:  

4.3 Incident Notification 

Counterparty agrees to comply with all laws applicable to it that require the notification of individuals in the event of unauthorized release of RCG or RCG Affiliate Protected Data. In the event of a Security Incident, Counterparty agrees to:

5. Third Party Location

5.1 Due Diligence

Counterparty shall conduct thorough background checks and due diligence on any third and fourth parties which materially impact Counterparty’s ability to provide the products and/or Services to RCG as described in the Agreement. 

5.2 Third Party Location 

Counterparty shall not outsource any work related to its products or the Services provided to RCG in countries outside the United States, which have not been disclosed in the Agreement or without prior written approval from RCG Legal and Information Security departments. If Counterparty desires to outsource certain work during the Term of the Agreement, Counterparty shall first notify RCG so that the parties can ensure adequate security protections are in place with respect to the Services provided to RCG.    

6. Changes

In the event of any change in RCG’s data protection or privacy obligations due to legislative or regulatory actions, industry standards, technology advances, or contractual obligations, Counterparty shall work in good faith with RCG to promptly amend this Schedule accordingly.