DOC AVE-EMV-SEC-006/ REV 1.0/ 06 JUL 2026/ CONTRACT SCHEDULE · SUPPORTS SLA-T3-003 CLAUSE 05

Schedule F.

Cybersecurity controls, insurance limits and audit rights for the Continuum Monitoring System: the schedule behind clause 5 of the Tier 3 SLA.

Draft schedule
Requires CISO review
on both sides before
incorporation
RevDateDescriptionStatus
1.02026-07-06First issue: control domains F1-F10, insurance limits, audit rights, verification evidence per controlCurrent
F0 · Principles

Governing principles

Three principles shape every control below. The Monitoring System must never weaken the physical shield it watches. It must never accept an inbound control path from outside the site. And every promise must map to evidence a customer CISO can inspect, because in a data centre a security assertion without an artefact is worthless.

Scope statement This schedule governs the Continuum Monitoring System only: sensor plane, edge gateway, uplink, digital twin and ops desk (SLA-T3-003 §02). It does not govern, and Provider takes no responsibility for, the Customer's own networks, facility systems or security posture beyond the interfaces defined here. Bracketed values are placeholders pending joint CISO review.
F1-F10 · Controls

Control domains

RefDomainControl commitmentsVerification evidence
F1GovernanceNamed Provider security officer; information-security management aligned to ISO/IEC 27001 with certification of the monitoring service scope targeted within [18] months of first deployment; annual management review shared with Customer in summary.ISO certificate or gap-assessment report; officer appointment letter
F2Architecture & segregationNo inbound control path to shield-side electronics under any configuration; outbound-only telemetry, with hardware data-diode mode available at Customer election; monitoring traffic on a dedicated VLAN or physically separate path; all shield penetrations for monitoring via the designated penetration bay using dielectric fibre, with shield integrity re-verified after installation.Architecture diagram; diode certificate; post-install SE spot check
F3Access controlRole-based access with least privilege; multi-factor authentication for all Provider access to the twin and ops platform; joiner/mover/leaver process with [1] business day revocation; break-glass accounts sealed, logged and reviewed after every use; no shared credentials.Access matrix; quarterly access review minutes
F4Vulnerability & patchingMonthly authenticated vulnerability scans of monitoring infrastructure; critical patches applied within 14 days of vendor release (SLA clause 5), high within [30] days; annual independent penetration test of the platform with findings summary to Customer; edge firmware signed and locally applied only.Scan summaries; patch register; pen-test attestation letter
F5Logging & monitoringTamper-evident audit logs of all access and configuration changes; logs retained [12] months online and 7 years archived (matching the evidential retention of measurement data); synchronised time sources across the chain.Log samples; retention config export
F6Incident responseDocumented playbooks; Customer notified of any confirmed security incident affecting the Monitoring System within 24 hours (SLA clause 5), with a written report within [5] business days; annual joint incident exercise offered; forensic cooperation and evidence preservation on request.Playbook index; exercise report; incident register
F7Data protectionEncryption in transit (TLS 1.2+ or diode-mediated) and at rest (AES-256 class); Customer is controller and Provider processor for any personal data incidentally captured (badge-adjacent metadata, contact records) under a data-processing agreement; measurement data handled per SLA clauses 13-14; deletion or return on exit per Schedule G with certificate of destruction.Encryption config; signed DPA; deletion certificate template
F8Supply chainSoftware bill of materials (SBOM) maintained for edge and platform software; security assessment of critical component vendors; signed firmware provenance; no components from vendors excluded by Customer's published prohibited list, agreed at onboarding.SBOM extract; vendor assessment register
F9PersonnelBackground screening of all personnel with platform or site access to the standard agreed at onboarding; annual security-awareness training; individual confidentiality undertakings; site-access personnel comply with Customer security procedures (SLA clause 15).Screening policy; training completion records
F10ResilienceEdge gateway buffers 30 days locally (SLA clause 8); platform backups tested [quarterly]; disaster-recovery objectives for the twin and ops platform: RTO [24 h], RPO [4 h]; loss of platform never disables local threshold alerting at the edge.DR test report; backup restore log
F11 · Insurance

Insurance limits & audit rights

CoverMinimum limit (placeholder)Notes
Cyber liability (incl. incident response costs)[€5 M] per claimNamed to respond to Monitoring System incidents; evidence annually per SLA clause 17
Professional indemnity[€5 M] per claimCovers negligent survey or certification
Product liability[€10 M] aggregateHardware in the field

Audit rights. Customer may audit Provider's compliance with this schedule once per contract year on [20] business days' notice, plus once following any notified incident, by itself or an appointed assessor under confidentiality; audits use the evidence column above as the checklist, and findings feed the annual joint risk review (SLA clause 19). Provider may satisfy repeat requests across a portfolio with a shared independent assessment report.

Open items for joint CISO review Bracketed values throughout; the Customer's prohibited-vendor list and screening standard; whether diode mode is default-on for this site; alignment of F7 retention with Customer's own data-classification policy; and whether the Customer requires the platform hosted in a specific jurisdiction. Each resolution bumps this schedule's revision.