IT Security requirements
Full list of IT Security requirements for ecosystem programs
We want to make life as easy as possible for our sellers and customers, and IT Security has a very important role in that. The last thing we, the sellers and the customers want is to have their (sensitive) data compromised. We as bol.com and you as an ecosystem partner process a lot of sensitive customer data, such as addresses, contact information and order details, so we have to handle this data carefully. Everyone at bol has a role in this; we expect the same from your company.
Each partnership level comes with its own IT Security requirements, and these requirements become stricter at the higher levels. Bol follows industry IT Security standards (e.g. ISO), so you don’t have to be in compliance just for us: you can also use these IT Security ‘accomplishments’ for your other customers and partners.
The requirements below apply to the technical ecosystem categories mentioned in each requirement.
| Requirements | Ambassador/Bronze | Silver | Gold |
|---|---|---|---|
| You will ensure adequate technical and governance measures to protect your data, and you will ensure a security level that protects against data loss, manipulation, breaches etc. The measures you take will take the state of technology and the costs into account and balance them against the sensitivity of the protected data. | | | |
| You will ensure that your subcontractors and suppliers have the same level of data protection measures (technical and governance) as you do. | | | |
| Only relevant employees can access sensitive data, and they are also obliged to protect this data. | | | |
| Logical paths to data within databases, applications and infrastructure are protected with multi-factor authentication. | | | |
| All data processed with bol.com is encrypted in transit (the default with the bol Retail API). | | | |
| Logging and monitoring of access to systems used for services to bol, retained for at least: | 3 months | 6 months | 12 months |
| Use of an ISO 27001 certified hosting provider. | | | |
| Systematically scan all relevant systems for known security vulnerabilities at least once every quarter. | | | |
| Periodic checks on employee access rights to critical infrastructure and sensitive data. | | | |
| Reasonable measures against automated attacks (e.g. DDoS or ransomware). | | | |
| An annual audit of your security policy and of the logging of all connections and data connected with bol. SOC 2 is the most commonly used framework for this; you do not need to achieve SOC 2 status, but you must show that you have your assets and policies in order. (When requested, bol will be provided with an overview of the findings related to bol.) | | | |
| An annual pentest by a third party on all relevant direct and indirect systems that are connected to the internet (bol will provide a template to sign off on the bol-relevant data and connections). | | | |
| All systems that are connected to bol.com receive the latest security updates at least once every 90 days. When this is not possible, you will notify bol. | | | |
| A publicly available link on your website for responsible disclosure of security vulnerabilities. | | | |