Vendor Security & Technical Requirements
Overview
DTC Inc. holds all vendors to a high standard, especially those providing products, platforms, or services critical to our operations, client delivery, or infrastructure. This document outlines our baseline requirements for security, technical interoperability, manageability, and service quality.
These requirements apply to all vendor types, including software, hardware, infrastructure, cloud, and managed services.
- “Preferred” items are not mandatory but will positively influence vendor selection.
- Vendors meeting both baseline and preferred requirements will be prioritized during evaluation.
Security Requirements
Data Compliance
- PII must be stored in infrastructure certified with SOC 2.
- Credit card data must comply with PCI-DSS.
- Healthcare information (if applicable):
  - Vendor must be HIPAA compliant.
  - A signed Business Associate Agreement (BAA) with DTC Inc. is required.
- CUI (Controlled Unclassified Information): vendor must be CMMC Level 2 certified.
Security Assessments
- Penetration testing:
  - Must conduct annual internal and external tests.
  - Results must be shared with DTC, either directly or publicly.
- Vulnerability scans: required annually across the vendor’s infrastructure.
- Patching & security updates:
  - Quarterly for bug fixes and features.
  - Monthly for zero-day and critical security updates.
Authentication & Access Control
- SSO integration with Microsoft Entra ID is required, via one of:
  - SAML
  - OpenID (preferred)
  - OAuth
- Protocols disallowed over the Internet:
  - Kerberos
  - LDAP
- If SSO is not supported:
  - Enforce MFA with time-based code generation (no SMS/phone; must support Microsoft Authenticator or 1Password).
  - Access must be limited to 1–2 DTC teams only.
  - Shared credentials must be stored in a password manager.
- Must support Role-Based Access Control (RBAC) with groups and roles.
- All endpoint applications must be:
  - Digitally signed
  - Trusted by both macOS and Windows
  - Signed by a recognized third-party Certificate Authority (CA) in good standing with Microsoft/Apple.
Encryption & Transport Security
- All resources must be delivered via HTTPS (except real-time media such as RTSP and RTMP).
- Enforce TLS 1.2 or higher for all user-to-edge communication.
- HTTPS certificates must be:
  - Trusted by the OS and major browsers.
  - Signed by a valid third-party CA.
- Must support IP allowlisting/blocklisting.
- If TLS is not supported, the solution must work with Cloudflare ZTNA or ZeroTier.
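The transport requirements above (TLS 1.2 or higher, a certificate chain trusted by the OS, a CA-signed certificate) can be verified against a vendor endpoint before onboarding. The following is an added example written for this page, not code from DTC Inc. or any vendor: it builds a client TLS context that encodes the policy and reports what the server actually negotiates. The hostname `vendor.example.com` is a placeholder; `check_endpoint`, `baseline_context` and `context_policy` are names chosen here.

```python
"""Check a vendor HTTPS endpoint against the transport-security baseline.

Added example, not part of the requirements document. The client context
refuses anything below TLS 1.2 and requires a certificate chain that validates
against the operating-system trust store, which is exactly what "trusted by the
OS and major browsers" means in practice.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


def baseline_context() -> ssl.SSLContext:
    """Client context encoding the policy: TLS >= 1.2, CA-validated chain,
    and a certificate whose name matches the host that was requested."""
    ctx = ssl.create_default_context()  # loads the operating-system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of a context, convenient for asserting the policy in CI."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


@dataclass
class TlsReport:
    host: str
    compliant: bool
    reason: str
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    issuer: Optional[str] = None


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> TlsReport:
    """Connect using the baseline context. Any handshake failure (untrusted or
    self-signed CA, hostname mismatch, server offering only TLS < 1.2) is
    reported as non-compliant rather than raised, so results can be tabulated
    across many vendors."""
    ctx = baseline_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # chain already validated by the context
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName")
                return TlsReport(host, True, "ok", tls.version(), tls.cipher()[0], issuer)
    except ssl.SSLCertVerificationError as exc:
        return TlsReport(host, False, f"certificate rejected: {exc}")
    except ssl.SSLError as exc:
        return TlsReport(host, False, f"handshake failed: {exc}")
    except OSError as exc:
        return TlsReport(host, False, f"connection failed: {exc}")


if __name__ == "__main__":
    # "vendor.example.com" is a placeholder hostname, not a real vendor endpoint.
    print(check_endpoint("vendor.example.com"))
```

Because the context is built with `create_default_context()`, a certificate that only validates against a private or vendor-internal CA fails the check, which is the intended outcome under the "signed by a valid third-party CA" requirement. The `protocol` field in a successful report shows the negotiated version (for example `TLSv1.3`), so the check also documents that the vendor meets the TLS 1.2 floor rather than merely being reachable.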
Communication Standards
- Email must be transmitted via TLS or the mailbox provider’s API:
  - Must support SPF and DKIM.
- Mobile messaging must comply with TCPA (Telephone Consumer Protection Act).
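Whether a vendor’s sending domain actually publishes SPF and DKIM can be checked from its DNS TXT records. The block below is an added example for this page, not DTC Inc.’s or any vendor’s code: it evaluates an SPF record’s terminal mechanism and a DKIM selector record’s public-key tag. Real use would resolve the records over DNS; here a constructed lookup table stands in for DNS so the check runs offline, and every domain name and selector in it is a constructed sample value.

```python
"""Evaluate a sending domain's SPF and DKIM records against the email baseline.

Added example, not part of the requirements document. CONSTRUCTED_TXT_RECORDS
replaces a DNS resolver so the logic runs offline; swap lookup_txt() for a real
TXT query (e.g. via dnspython) to check a live vendor domain.
"""
from typing import Dict, List

# Constructed DNS answers keyed by record name. Not real vendor data.
CONSTRUCTED_TXT_RECORDS: Dict[str, List[str]] = {
    "vendor-good.example": [
        "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    ],
    "s1._domainkey.vendor-good.example": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedKeyMaterial",
    ],
    "vendor-weak.example": [
        "v=spf1 +all",  # authorises every sender on the Internet: no protection
    ],
    "vendor-none.example": [
        "some unrelated TXT record",
    ],
}


def lookup_txt(name: str, records: Dict[str, List[str]] = CONSTRUCTED_TXT_RECORDS) -> List[str]:
    """Stand-in for a DNS TXT query; DNS names are case-insensitive."""
    return records.get(name.lower(), [])


def evaluate_spf(domain: str, records: Dict[str, List[str]] = CONSTRUCTED_TXT_RECORDS) -> dict:
    """SPF is only useful if it ends in a restrictive mechanism. '-all' (fail) or
    '~all' (softfail) protect the domain; '+all', '?all' or no terminal do not.
    A 'redirect=' modifier delegates the policy and is accepted as well."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return {"ok": False, "reason": "no SPF record published"}
    if len(spf) > 1:
        return {"ok": False, "reason": "multiple SPF records (permerror under RFC 7208)"}
    terms = spf[0].split()
    terminal = terms[-1].lower() if len(terms) > 1 else ""
    if terminal in ("-all", "~all") or terminal.startswith("redirect="):
        return {"ok": True, "reason": f"terminal mechanism {terminal}"}
    return {"ok": False, "reason": f"terminal mechanism '{terminal or 'missing'}' offers no protection"}


def parse_dkim_tags(record: str) -> Dict[str, str]:
    """Split a DKIM TXT record ('tag=value; tag=value') into a dict, tolerating whitespace."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dkim(domain: str, selectors: List[str],
                  records: Dict[str, List[str]] = CONSTRUCTED_TXT_RECORDS) -> dict:
    """A selector record must carry a non-empty 'p=' public key; an empty 'p='
    means the key was revoked. The 'v=' tag is optional and defaults to DKIM1."""
    for selector in selectors:
        for record in lookup_txt(f"{selector}._domainkey.{domain}", records):
            tags = parse_dkim_tags(record)
            if tags.get("v", "DKIM1").upper() != "DKIM1":
                continue
            if tags.get("p"):
                return {"ok": True, "reason": f"selector {selector} publishes a public key"}
            return {"ok": False, "reason": f"selector {selector} has an empty p= tag (key revoked)"}
    return {"ok": False, "reason": "no DKIM key found for the given selectors"}


def evaluate_domain(domain: str, selectors: List[str],
                    records: Dict[str, List[str]] = CONSTRUCTED_TXT_RECORDS) -> dict:
    """Combine both checks; the baseline requires SPF and DKIM, so both must pass."""
    spf = evaluate_spf(domain, records)
    dkim = evaluate_dkim(domain, selectors, records)
    return {"domain": domain, "spf": spf, "dkim": dkim, "compliant": spf["ok"] and dkim["ok"]}


if __name__ == "__main__":
    for name in ("vendor-good.example", "vendor-weak.example", "vendor-none.example"):
        print(evaluate_domain(name, ["s1"]))
```

The DKIM selector has to come from the vendor (it is part of the signature header on mail they send), so the check takes a list of selectors rather than guessing them. The "weak" sample shows why the SPF test looks at the terminal mechanism: a record that exists but ends in `+all` satisfies a naive "SPF present" check while authorising any sender.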
Incident Response & Legal Protections
- Vendors must provide an up-to-date Incident Response Plan upon request.
- Breach notification: vendors must notify DTC Inc. of any security breach within 48 hours of discovery. Notification must include:
  - Scope and impact
  - Affected data or systems
  - Remediation plan and timeline
- Vendor agreements must include indemnification clauses to protect DTC Inc. from vendor negligence or force majeure.
Technical Requirements
Accessibility
- Accessible on both Windows and macOS.
- Must support mobile and workstation devices.
- Globally accessible, either via a modern web app or a dedicated client.
Endpoint Compatibility
- Must support:
  - macOS
  - Windows
  - Linux (servers only)
Domain & Identity Support
- Must support custom domains for internal and client access.
- Integrate with Microsoft 365, supporting:
  - Modern email authentication
  - SMTP
API Integration
- An open or paid REST/Graph API is required.
- If unavailable, full support for alternative integration methods must be provided.
- APIs must be:
  - Stable and secure
  - Well-documented (documentation available to customers)
  - Suitable for production use and automation
Integration Requirements
Where applicable, solutions must support:
- Microsoft 365 mailbox integration
- Calendar syncing (bidirectional preferred)
- Task syncing to Microsoft To Do / Planner (preferred)
- Ticket/task syncing with HaloPSA (preferred)
Preference is given to solutions that sync with existing DTC systems (e.g., HRIS, PSA, etc.).
Service Level Agreements (SLA)
| Usage Scope | Uptime Guarantee | Max Downtime/Year |
|---|---|---|
| 1–5 users | 99.0% | ≤ 3 days |
| 10+ users | 99.99% | ≤ 1 hour |
| Entire company | 99.999% | ≤ 5 minutes |
If SLA is breached:
- Vendor must compensate via:
  - Service credits, or
  - Monetary reimbursement
- Contracts may include caps on compensation (e.g., not exceeding X months of service).
Multi-Tenancy (for Managed/Resale Tools)
- Must support multi-tenancy with DTC having full administrative control.
- Requires a graphical inheritance model (e.g., tree/hierarchy) to:
  - Apply global policies at the top level
  - Override local policies as needed
- If no graphical model exists, vendor must support:
  - Policy management via API or code
  - Avoiding manual effort across tenants
Hardware Solutions
Hardware vendors must fulfill Security and Technical Requirements, as well as the following:
Network
Must provide enterprise-grade controls, equivalent to Ubiquiti UniFi, including:
- Deep packet inspection
- VLAN creation and tagging
- Port/protocol rules
- Remote management
- Firmware staging/deployment
Compute (Servers)
Must match Dell PowerEdge capabilities:
- iDRAC or equivalent out-of-band access
- Remote console/power control
- BIOS & firmware update control
- Health monitoring and alerting
- Virtual media mounting
Workstations
Must include access to OEM administrative tools for:
- BIOS configuration
- Firmware/driver updates
- Secure Boot & TPM checks
- Hardware telemetry and asset management
Approved tooling:
- Dell Command Suite
- HP Sure Admin / Image Assistant
- Lenovo Commercial Vantage