What are the Technological and Security Requirements

This article lists the technological and security requirements of the RFP and, for each point, whether it is a SaaS or on-premise capability, how critical it is for the application, a brief description of the capability, the compliance level, and how the platform covers the point.

Technological and Security Requirements

Each numbered requirement below is shown with the following fields:
Criticality: Required, Recommended or Desirable for the critical application.
Description: brief description of the capability.
Compliance level: T - Fully complies, P - Partially complies or N - Does not comply ("not stated" where the original gives no level).
Platform response: detailed explanation of how the platform covers the point ("not stated" where the original gives no response).
Service maturity and adoption level

1. List of customers that have adopted the cloud solution (in the region and worldwide)
Criticality: Required
Description: We want to have as a reference the customers that have adopted the cloud solution, mainly those that belong to the banking industry (if the complete list is not possible, at least the most relevant ones) and with customers/transactionality similar to BG. Some references should be contacted for verification.
Compliance level: T - Fully complies
Platform response: We have more than 200 clients globally. For business and confidentiality reasons, we cannot provide a complete list. However, we can mention some of them:

2. Number and percentage of customers that have adopted the cloud solution
Criticality: Required
Description: We want to compare the total number of customers using the solution vs. the percentage of customers that have adopted it in the cloud, both regionally and globally.
Compliance level: T - Fully complies
Platform response: not stated
Resilience and Redundancy for Recovery

3. Physical location where data is stored (production region)
Criticality: Required
Description: The provider must state where the data will be stored, indicating the country and/or region of the physical infrastructure that will hold the information. The applicable data protection law is determined by the region where the content and data are located.
Compliance level: T - Fully complies
Platform response: Our main production servers are located in: Cayman, Switzerland, Hong Kong, Canada, Brazil, United States.

4. Disaster recovery region and how often it is tested or operated
Criticality: Required
Description: The vendor should indicate the recommended disaster recovery region and how often that region is tested.
Compliance level: T - Fully complies
Platform response: Same regions as in item 3.

5. Redundancy and resiliency of services and data (site and database replication to other DR regions)
Criticality: Required
Description: The supplier must explain the resilience capabilities, redundancy, and site and database replication mechanisms to another region that are offered to minimize negative impacts on the availability of services and information. Contingency activation times must comply with the RTO and the recovery point with the RPO. This includes the ability to have private and redundant networks according to your offer.
Compliance level: T - Fully complies
Platform response: The main production servers described in point 3 are available 24/7. DBs can be migrated from one region to another at any time. DBs are backed up daily.

6. Security updates and patches
Criticality: Required
Description: The supplier must establish the periodicity of its updates and the time to install patches from the moment they become available, according to best practice. It must describe how this process is performed, including emergency patches.
Compliance level: T - Fully complies
Platform response: Updates are done monthly. If patches are available, they are applied as soon as possible. Process: every time there is a software update, the updates of the OS, DB and application servers are checked. If there is a new patch, we proceed with the update.

7. Backup mechanisms (backups)
Criticality: Required
Description: The supplier is responsible for taking the necessary measures to provide backup copies for partial or total service recovery. These copies must be securely stored, and the following must be indicated:
With what tool are they made?
How often are they made?
What is the retention period?
Where are they stored securely?
How is the immutability of the backup copies guaranteed?
How often are restore tests performed?
They must enable compliance with the RPO defined by the BIA.
Compliance level: T - Fully complies
Platform response: Tool: database backup processes. Periodicity: daily. Retention period: currently without limit. Secure storage: cloud servers for this purpose. Immutability: role-based access control to restrict unauthorized access. Restore tests: annual.
Identity, authentication, authorization, roles and access permissions

8. Centralized identity management at a single point (Zero Trust)
Criticality: Required
Description: The provider must adopt a single point of identity (Azure AD) and replicate it in the different environments to synchronize the credentials of users, groups and applications that access resources in the cloud, considering robust password policies, higher-trust authentication (multi-factor authentication, MFA), single sign-on (SSO) and, if possible, biometric recognition. Explain how this integration will be done.
Compliance level: T - Fully complies
Platform response: The App has SSO via OAuth and LDAP, and 2FA.

9. IAM policy management for applications (storage access permission management / role-based access) (Zero Trust)
Criticality: Required
Description: Ability to define application permissions precisely and rigorously, at the principal, action and resource levels, granted only to the users who must have them; changes can be automatically validated or rejected using policy-as-code. Applies the principle of least privilege. Allows access roles to be associated with users.
Compliance level: T - Fully complies
Platform response: The App has role management according to user functionalities.

10. Adaptive access control to the platform (Zero Trust)
Criticality: Recommended
Description: Offers adaptive (conditional) access control that evaluates the context and filters access requests by considering day, time, location, device and other parameters.
Compliance level: N - Does not comply
Platform response: Not applicable at this time.

11. Secure vault for key and secret management
Criticality: Recommended
Description: Applications must use a secure vault for the management and automatic rotation of keys and secrets.
Compliance level: T - Fully complies
Platform response: It has configuration for key rotation.
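Requirement 9 asks for permissions defined at the principal, action and resource level and for changes to be validated or rejected automatically by policy-as-code. The following Python script is an added illustration of such a gate; it is not the platform's own policy format (the response above does not describe one). It reads a constructed role definition in a hypothetical JSON schema and rejects any statement that breaks least privilege: wildcard actions, wildcard resources, wildcard principals, and permission-changing actions granted to a wildcard principal.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Actions that can change permissions themselves; they must never be granted
# to a wildcard principal. The action names are hypothetical for this example.
PRIVILEGED_ACTIONS = {"iam:assignRole", "iam:createPolicy", "iam:attachPolicy"}

# Constructed sample: a proposed role change in a hypothetical JSON schema
# (principal / actions / resources per statement).
PROPOSED_ROLE = json.loads("""
{
  "role": "tin-validation-service",
  "statements": [
    {"principal": "svc:tin-validator",
     "actions": ["tin:validate", "tin:examples"], "resources": ["api:tin/*"]},
    {"principal": "svc:tin-validator",
     "actions": ["*"], "resources": ["db:customers"]},
    {"principal": "user:*",
     "actions": ["iam:assignRole"], "resources": ["role:admin"]}
  ]
}
""")


@dataclass(frozen=True)
class Finding:
    statement: int   # index of the offending statement
    rule: str        # short rule name
    detail: str


def check_statement(index: int, st: Dict) -> List[Finding]:
    """Apply the least-privilege rules to one statement."""
    findings: List[Finding] = []
    principal = st.get("principal", "")
    actions = st.get("actions", [])
    resources = st.get("resources", [])
    if not (principal and actions and resources):
        return [Finding(index, "incomplete",
                        "principal, actions and resources are all required")]
    # A bare "*" grants everything; a prefix such as "api:tin/*" is allowed.
    if "*" in actions:
        findings.append(Finding(index, "wildcard-action",
                                f"{principal} would get every action on {resources}"))
    if "*" in resources:
        findings.append(Finding(index, "wildcard-resource",
                                f"{principal} would get {actions} on every resource"))
    if principal.endswith("*"):
        findings.append(Finding(index, "wildcard-principal",
                                f"permission granted to any principal matching {principal}"))
    if PRIVILEGED_ACTIONS & set(actions) and principal.endswith("*"):
        findings.append(Finding(index, "privileged-action",
                                "permission-changing actions need a named principal"))
    return findings


def check_policy(policy: Dict) -> List[Finding]:
    """Run the checks over every statement and collect all findings."""
    findings: List[Finding] = []
    for i, st in enumerate(policy.get("statements", [])):
        findings.extend(check_statement(i, st))
    return findings


def decide(policy: Dict) -> Tuple[str, List[Finding]]:
    """Policy-as-code gate: 'accept' only when no finding was raised."""
    findings = check_policy(policy)
    return ("reject" if findings else "accept"), findings


if __name__ == "__main__":
    verdict, findings = decide(PROPOSED_ROLE)
    print(verdict)
    for f in findings:
        print(f"  statement {f.statement}: {f.rule}: {f.detail}")
```

Run against the sample, the gate rejects the change: statement 1 grants every action on the customer database, and statement 2 lets any user assign the admin role. Only the first statement, which names a service principal, two actions and a bounded resource prefix, would pass on its own.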
Security

12. Data and computation isolation between clients
Criticality: Required
Description: Ability to perform data processing and storage in isolation between the clients using the platform or service.
Compliance level: T - Fully complies
Platform response: One server per customer can be configured with its own database.

13. Reduction of trust zones (Zero Trust)
Criticality: Required
Description: Ability to create isolation zones by implementing security controls and continuous monitoring to limit the blast radius between applications in case of incidents.
Compliance level: T - Fully complies
Platform response: Vertical configuration per application.

14. Use of digital certificates for secure authentication
Criticality: Required
Description: Private certificate management to securely manage the lifecycle of cryptographic secrets for VMs, containers and local resources.
Compliance level: T - Fully complies
Platform response: Provider certificates: AWS or Azure.

15. A collection of capabilities that enable visibility and control of hybrid cloud resources
Criticality: Required
Description: Automated vulnerability identification and management that discovers and scans virtual machines, container images and serverless functions; clearly defined policies for automating the patching of internal systems and for addressing security issues.
Compliance level: T - Fully complies
Platform response: Self-managed by AWS or Azure.

16. Centralized defense-in-depth network (Zero Trust)
Criticality: Recommended
Description: Ability to align network architecture management and establish the micro-segmentation needed to secure applications, allowing segmentation and inspection of network traffic between cloud and on-premise environments based on Zero Trust principles.
Compliance level: T - Fully complies
Platform response: Use of whitelists and geolocation monitoring.

17. IP address management
Criticality: Recommended
Description: Ability to automatically manage IP addresses in hybrid cloud and on-premise configurations, enabling tracking and integration, ensuring efficient resource allocation and reducing IP conflicts.
Compliance level: N - Does not comply
Platform response: Not applicable.

18. Data encryption (Zero Trust)
Criticality: Required
Description: Provides encryption of data in transit (TLS 1.2 or higher recommended) and at rest (AES-256 or stronger encryption of the data stored in the database).
Compliance level: T - Fully complies
Platform response: Use of TLS 1.2 and AES-256.

19. Keys for encryption
Criticality: Recommended
Description: Offers the possibility to specify the keys that will be used to encrypt the stored data.
Compliance level: T - Fully complies
Platform response: The keys to be used are specified.

20. Encryption key management delegated to provider services
Criticality: Required
Description: The use of cryptographic keys is more efficient when key management is delegated to native services.
Compliance level: T - Fully complies
Platform response: Use of keys provided by AWS or Azure.

21. Protection against malware, spyware, ransomware, malicious software (Zero Trust)...
Criticality: Required
Description: Ability to automatically detect and remove the threat of malware, spyware and ransomware, and to have automated backups and rapid recovery in the event of ransomware attacks, accidental or malicious deletions, or other data loss in the cloud.
Compliance level: T - Fully complies
Platform response: Managed by AWS and Azure.

22. Denial of service protection
Criticality: Required
Description: Withstands common DDoS attacks without significant data loss or disruption.
Compliance level: T - Fully complies
Platform response: We use AWS DDoS services.

23. Documentation describing how to use security functions and features
Criticality: Required
Description: The SaaS provider offers clear and transparent details about the security features it implements and how best to configure them.
Compliance level: T - Fully complies
Platform response: Configurable in the administrator module.

24. Secure integration flexibility through documented APIs
Criticality: Required
Description: Provides complete and up-to-date documentation of the ways and methods of integrating with the platform or service.
Compliance level: T - Fully complies
Platform response: Use of Spring Security.

25. API security
Criticality: Required
Description: Published APIs for accessing client data must require authentication to prevent accidental or malicious exposure (mTLS, OAuth, JWE, etc.).
Compliance level: T - Fully complies
Platform response: Use of Spring Security.

26. Data Loss Prevention (DLP) tools (Zero Trust)
Criticality: Required
Description: The provider is obliged to provide adequate measures (monitoring of sensitive data) to secure the information contained in the service provided and to prevent accidental or unlawful loss, access or disclosure.
Compliance level: T - Fully complies
Platform response: Access management with Spring Security and 24-hour backup.

27. Collaborative data sharing, if applicable
Criticality: Required
Description: The vendor enables monitoring of collaboratively shared data. Collaboration controls can detect granular permissions on files that are shared with other users, including users outside the organization who access the file via a web link.
Compliance level: T - Fully complies
Platform response: Configurable in the administrator module.

28. RMS - Rights Management Service, if applicable
Criticality: Recommended
Description: Allows encrypting the content of documents and applying defined security policies that set the conditions of use and the permissions of the information, including automated retention and purging policies and terms.
Compliance level: N - Does not comply
Platform response: Not applicable.

29. Self-destruct mechanism for resources and sandbox accounts
Criticality: Recommended
Description: Sandbox accounts and resources must have self-destruct mechanisms to reduce the risk of maintaining an active attack surface if they are not manually deleted.
Compliance level: N - Does not comply
Platform response: Not applicable.

30. Implement Zero Knowledge scheme
Criticality: Recommended
Description: The supplier has no way of knowing the content of the information stored in the solution provided.
Compliance level: N - Does not comply
Platform response: Not applicable.
Event Monitoring, Logs, Metrics and Alerts

31. Logging of all user activity, reports, alerts (Zero Trust)
Criticality: Required
Description: Shows the activity log of the users of the platform or service and has the ability to connect to our SIEM.
Compliance level: T - Fully complies
Platform response: Record of activities for audits.

32. User behavior analysis (Zero Trust)
Criticality: Recommended
Description: Displays analysis of user behavior within the platform or service.
Compliance level: N - Does not comply
Platform response: Not applicable.

33. Verification of application health status
Criticality: Recommended
Description: Allows platform or service health checks to be configured and monitored.
Compliance level: T - Fully complies
Platform response: Monitoring with Zabbix.
Use of services offered

34. Full disclosure of ALL terms and conditions during evaluation
Criticality: Required
Description: The SaaS provider should provide the complete set of terms and conditions (any addendums, SLAs, order form terms and add-on product terms, among others), in addition to the main subscription agreement, with sufficient time for review. All documents that are linked to the agreement and may change should be listed and included in the contract as separate attachments, so that it is clear what the entitlements are at the time of purchase.
Compliance level: T - Fully complies
Platform response: Required documents and items are attached to the main proposal document as part of the RFP.

35. All terms and conditions must be in the current/proposed contract and cannot be diminished (URL link removal)
Criticality: Required
Description: The supplier shall provide all URLs containing relevant information to be reviewed in detail for inclusion as attachments to the contract. A clause shall be included in the contract stating that the terms current at the date of signing cannot be diminished during the term of the contract and/or during the renewal period.
Compliance level: T - Fully complies
Platform response: The aforementioned information shall be included as required in this item.

36. Descriptions of functions and protections (term and renewal)
Criticality: Recommended
Description: A detailed generic description (rather than SaaS vendor product names) of the functionality of each SaaS product included in the contract, and a clause stating that the documented functionality and capability cannot be materially diminished during the term of the contract, are included as an attachment.
Compliance level: T - Fully complies
Platform response: The aforementioned information shall be included as required in this item.
Preferential cost based on agreements

37. Renewal price limit protections
Criticality: Required
Description: A 0% increase limit will be agreed and documented in the contract for the first renewal, reverting to a 3% limit (or cost-of-living increase) on subsequent renewals; it applies for the entire renewal period, not year after year, if it is a multi-year renewal.
Compliance level: P - Partially complies
Platform response: For 1-year contracts there must be a fixed % increase (i.e., for contracts that are renewed year to year). For 3-year contracts a 3% fixed annual increase may be allowed, i.e. 3% each year of the contract duration. For contracts of 5 years or longer there is no annual increase.

38. Improved unit price (tiered price)
Criticality: Recommended
Description: An improved pricing matrix for higher volumes will be agreed and documented in the contract, including additional discounts during the life of the contract when volumes increase (e.g., due to the acquisition of another entity or increased demand).
Compliance level: T - Fully complies
Platform response: Agreed.

39. Pricing for quantity reduction at the time of renewal
Criticality: Recommended
Description: A unit price will be agreed upon and documented in the contract for a decrease in the committed unit volumes during the renewal term.
Compliance level: T - Fully complies
Platform response: Unit item prices are specified in the proposal and will be maintained during the contract. If a reduction of a unit item is requested, the original price will be respected.

40. Price is held for future additional functionality / product requirements
Criticality: Recommended
Description: Price holds for additional products (the maximum price you would pay to add specific listed products) that are not initially required but may be required midway through the deal will be agreed upon and documented in the contract.
Compliance level: T - Fully complies
Platform response: Prices for additional products are specified in the commercial proposal (part of this RFP) and will be maintained in the event of mid-term contract requirements, as requested.

41. Pooling protection (term and renewal)
Criticality: Required
Description: A clause shall be included in the initial contract agreeing the right to purchase incremental units of the same capacity or package during the term of the contract and for the renewal period (e.g., 1 to 3 years), to avoid the regrouping of functionalities.
Compliance level: T - Fully complies
Platform response: Incremental units of the same capacity or package may be purchased during the term of the contract.

42. Variable pricing ("pay-as-you-go", "consumption-based" or "true up/down")
Criticality: Required
Description: To agree this payment model through a contract, it is ideal to have consumption and expenditure information available online (e.g., through a portal); otherwise, periodic reports should be agreed. There should be no storage limit, and it will apply for the entire term, including incremental subscriptions during the renewal term.
Compliance level: N - Does not comply
Platform response: The proposed prices are fixed, not per use or consumption.

43. Consumption review protections
Criticality: Required
Description: It should be established by contract that there are no additional penalties for exceeding limits beyond the difference between what is being consumed and what was paid. If there is no real-time visibility, it will be agreed that, when within 10% of any contracted threshold, the supplier will report and work with us to reduce the limits. There should be at least 30-60 days to understand and evaluate reports showing excessive usage before payment is due. SaaS providers may not suspend rates due to disputed invoices.
Compliance level: T - Fully complies
Platform response: not stated

44. Contingency, test and development (sandbox) environment fees
Criticality: Required
Description: Include and document in the contract all contingency, testing and development environments in the subscription costs, specifying the type and quantity, for the duration of the agreement and with no increase in price. The supplier must provide details of what is included in the contract (how many sandbox environments and their type), as well as environments for stress testing proportional to the performance and real productive load.
Compliance level: not stated
Platform response: not stated
Payment Terms

45. Initial payments and payment frequency
Criticality: Required
Description: Advance payment of fees for a maximum period of one year. Longer periods pose greater risks, in case the provider's capabilities do not perform as expected, and credits/refunds for SLA violations will be more difficult to administer.
Compliance level: T - Fully complies
Platform response: Our invoicing and corresponding payment is on an annual basis.

46. Post-implementation payment
Criticality: Recommended
Description: If implementation is going to take time, payment deferral periods will be included and should be credited at the beginning of the agreement, so that, for example, only 8 months of the first 12 (resulting from a 4-month payment deferral) will be paid.
Compliance level: T - Fully complies
Platform response: The shared cloud implementation option has no cost. The server (on-premise) or private cloud implementation options have an additional one-time fixed cost, i.e. you only pay for the first year.

47. Taxes
Criticality: Required
Description: Each party shall be responsible, in accordance with applicable laws, for identifying and paying all taxes, assessments and governmental charges (as well as any penalties, interest and/or additions thereto) imposed on such party with respect to transactions and payments under the Agreement.
Compliance level: T - Fully complies
Platform response: The proposed value is net. The customer is responsible for paying any related tax or withholding.
Data Protection

48. Data protection (privacy) compliance
Criticality: Required
Description: A clause is included that obliges the SaaS provider to show evidence of current compliance with, or certification under, a privacy management framework on an annual basis. For example: GDPR - EU General Data Protection Regulation; PCI DSS - security standards to protect bank cardholder data; EuroPriSe - European Privacy Seal; BIPA - USA, Biometric Information Privacy Act (Illinois).
Compliance level: T - Fully complies
Platform response: not stated

49. Third-party certifications and audits, visible to customers
Criticality: Required
Description: A clause is included that obliges the SaaS provider to show evidence of current certifications on an annual basis, such as: ISO 27001 standard - National Institute of Standards and Technology (NIST) Privacy Framework, mandatory; ISO 27018 standard - cloud privacy for the protection of personally identifiable information (PII); Cloud Security Alliance STAR certification; SOC 2 report - evaluates information systems for security, availability, processing integrity and confidentiality. The clause also states that if audit reports show severe risks, or risks are not mitigated in a reasonable amount of time, it is cause to terminate the contract.
Compliance level: not stated
Platform response: not stated

50. Data confidentiality and intellectual property protection
Criticality: Required
Description: Personal information collected by the SaaS provider may not be shared with third parties and may only be used by the provider to provide the offerings of the contracted service, to measure and support improvements to the service, or to communicate with the Bank. The provider will not use the information contained in the application or the contracted service unless required to comply with a legal provision or a governmental court order. Clauses will be included to sufficiently protect our intellectual property, if applicable.
Compliance level: T - Fully complies
Platform response: not stated

51. Security breach notification (including data breach)
Criticality: Recommended
Description: Include a clause in the contract that explicitly states the vendor's obligations, deadlines, responsibilities and/or damages associated with a security breach, and agree to send an immediate written notification directly to a designated person or group in the organization, detailing what security or data breach has occurred (and what data was or may have been exposed). Compensation should be defined to cover data breach damages, corrective actions or disclosure issues associated with the data breach, and a short-term report should be requested detailing what is being done to mitigate future data breaches of this type.
Compliance level: T - Fully complies
Platform response: The aforementioned information shall be included as required in this item.

52. Limitations of liability
Criticality: Recommended
Description: If the data is highly sensitive, liability limits will be agreed with the SaaS provider, at least up to the term of the agreement (e.g., 3 years of fees). Depending on the case, it is possible to include a high total coverage amount (e.g., $3 million or more) or to opt for commercial liability and/or cybercrime insurance policies, taken out by the SaaS provider on our behalf, up to even higher limits (e.g., $5 million and up).
Compliance level: not stated
Platform response: not stated

53. Data retention compliance
Criticality: Required
Description: The vendor provides the tools or capabilities necessary for regulatory compliance for information retention, in the event that the application requires it.
Compliance level: T - Fully complies
Platform response: The system is fully traceable and allows the data and information entered to be downloaded and saved as required in various formats.

54. Data access protections
Criticality: Required
Description: The data must be available for download and transfer at any time and at no additional or hidden cost. The data format should be agreed upon and documented in the contract. In addition, negotiate that the parties can mutually agree to change the format.
Compliance level: T - Fully complies
Platform response: The system is fully traceable and allows the data and information entered to be downloaded and saved as required in various formats.
Service Level Agreements

55. SLA uptime protections
Criticality: Required
Description: The uptime SLA shall be documented within the contract to obtain a high percentage of availability (minimum 99.9%) and credit/reimbursement in case of failure to meet the SLA. Simulate the calculation of the credit value in case of impact to determine that it is meaningful and a reasonable consequence for the impact of failures.
Compliance level: not stated
Platform response: not stated

56. Uptime SLA (scheduled downtime)
Criticality: Recommended
Description: At least 72 hours' notice will be received for any scheduled downtime, which should occur at specified times (usually on weekends) and be limited to a certain amount of time per month (usually 4 to 8 hours maximum per month). Scheduled downtime should not be cumulative and should preferably apply to all products. For electronic channels, scheduled maintenance downtime is not allowed; they must be transitioned to alternate environments in advance to meet the annual availability indicator.
Compliance level: T - Fully complies
Platform response: not stated

57. Uptime SLA remedies
Criticality: Required
Description: The downtime tolerance for each specific SaaS capability (% uptime (TA) and % monthly service fee credit (CrM)) shall be determined and documented in the contract: TA ≥ 99.0% and < 99.5% = 25% CrM; TA ≥ 97.0% and < 99.0% = 60% CrM; TA ≥ 95.0% and < 97.0% = 80% CrM; TA < 95.0% = 100% CrM. For electronic channels it must be at least 99.9% availability.
Compliance level: not stated
Platform response: not stated

58. Disaster recovery management SLA
Criticality: Required
Description: The SaaS provider is contractually obliged to perform periodic tests of the disaster recovery plan (every 6 months to one year), which must be formally documented and include the SLAs on RPO and RTO (equal to or better than those established in the BIA or, failing that, those established by Risk and Contingency). If the disaster recovery SLAs are repeatedly or chronically breached, there will be a right to terminate the contract.
Compliance level: T - Fully complies
Platform response: not stated

59. Levels of support (inclusion)
Criticality: Required
Description: The support offer must be documented in the contract, both what is included with the subscription and any support plans not included, e.g., premium (whichever applies based on the criticality of and experience with the platform), together with the rights and SLAs, which should not decrease during the term of the annual agreement. The resolution SLAs (fixed time) included in any higher-priced support agreement will have penalty clauses if they are not met. For electronic channels it must be no more than 30 min.
Compliance level: not stated
Platform response: not stated

60. Support levels (SLA and solutions)
Criticality: Recommended
Description: The contract should at a minimum consider escalations, and also that service credits are paid if support response times are not met and failures recur or persist, primarily Severity 2 issues, as they could indicate that significant capacity is missing or too slow. An explicit right of termination will be included should the vendor persistently fail to meet the support SLA. If the vendor provides SaaS subscriptions together with on-premises services (hybrid environments), holistic support should be offered.
Compliance level: not stated
Platform response: not stated

61. System performance SLA
Criticality: Recommended
Description: The contract should consider the measurement of system performance and its respective monthly SLA. Typically performance is measured by page refresh time or the time until the result of a query appears, e.g., page refresh < 3 seconds. The system performance service credit could be: for 25% non-compliance, apply 3% of the monthly service fees payable as credit; for 50% non-compliance, apply 7%; and for over 75%, apply 10%. In any case, validate the times with Architecture.
Compliance level: not stated
Platform response: not stated

62. Uptime SLA: definition and calculation
Criticality: Required
Description: Any questions regarding the calculation of the uptime SLA will be understood, clarified and documented in the contract. Measurement periods will be monthly, and there will be no exclusions for micro outages (e.g., excluding the first 15 minutes of downtime) or for third-party vendor failures.
Compliance level: not stated
Platform response: not stated

63. SLA reporting and claims
Criticality: Recommended
Description: The supplier should automatically record penalties, credits should be automatically applied, and the customer should be able to audit the supplier's records at least once a year, so that it is not left to the customer to report downtime or any other SLA violation and to file the related claims for service credits within a limited period of time, which imposes a large administrative burden and carries the risk that an incident is missed and not properly credited.
Compliance level: not stated
Platform response: not stated
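Requirements 55, 57 and 62 together define how monthly uptime is measured and which service credit applies, and item 55 asks for the credit calculation to be simulated. The following Python script is an added illustration (not part of the RFP or of the platform's offer): it computes monthly uptime from a constructed list of outage intervals, maps the result to the credit tiers of item 57, and shows what the "first 15 minutes excluded" clause that item 62 rules out would do to the figure. The outage times, the month and the data structures are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Credit tiers exactly as written in requirement 57:
# (uptime lower bound inclusive, upper bound exclusive, % of monthly fee credited).
CREDIT_TIERS = [
    (99.0, 99.5, 25),
    (97.0, 99.0, 60),
    (95.0, 97.0, 80),
    (0.0, 95.0, 100),
]
ELECTRONIC_CHANNEL_MIN_UPTIME = 99.9  # requirement 57, electronic channels


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


# Constructed sample data for one monthly measurement period (requirement 62).
MONTH_START = datetime(2024, 6, 1)
MONTH_END = datetime(2024, 7, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 6, 3, 2, 0), datetime(2024, 6, 3, 2, 12)),      # 12 min
    Outage(datetime(2024, 6, 10, 14, 0), datetime(2024, 6, 10, 17, 30)),  # 210 min
    Outage(datetime(2024, 6, 21, 9, 5), datetime(2024, 6, 21, 9, 14)),    # 9 min
    Outage(datetime(2024, 6, 30, 23, 30), datetime(2024, 7, 1, 0, 10)),   # 30 min inside June
]


def monthly_uptime(outages: List[Outage], period_start: datetime, period_end: datetime,
                   excluded_minutes_per_outage: int = 0) -> float:
    """Uptime percentage for one measurement period.

    excluded_minutes_per_outage models the "micro outage" exclusion that
    requirement 62 says the contract must not contain. The contractually
    correct value is 0; the parameter exists only to show what such an
    exclusion would do to the measured figure.
    """
    period = period_end - period_start
    downtime = timedelta(0)
    for outage in outages:
        # Clip each outage to the period so an outage spanning month end is
        # counted only for the minutes that fall inside this month.
        start = max(outage.start, period_start)
        end = min(outage.end, period_end)
        if end <= start:
            continue
        counted = end - start - timedelta(minutes=excluded_minutes_per_outage)
        if counted > timedelta(0):
            downtime += counted
    return 100.0 * (1.0 - downtime / period)


def service_credit_percent(uptime_pct: float) -> int:
    """Map measured uptime to the credit tier of requirement 57 (0 at or above 99.5%)."""
    if uptime_pct >= 99.5:
        return 0
    for low, high, credit in CREDIT_TIERS:
        if low <= uptime_pct < high:
            return credit
    raise ValueError(f"uptime out of range: {uptime_pct}")


def meets_electronic_channel_sla(uptime_pct: float) -> bool:
    return uptime_pct >= ELECTRONIC_CHANNEL_MIN_UPTIME


def monthly_report(outages: List[Outage], period_start: datetime, period_end: datetime,
                   excluded_minutes_per_outage: int = 0) -> Dict:
    """One month's SLA figures as the contract would record them (requirement 63)."""
    uptime = monthly_uptime(outages, period_start, period_end, excluded_minutes_per_outage)
    return {
        "uptime_pct": round(uptime, 4),
        "credit_pct": service_credit_percent(uptime),
        "electronic_channel_ok": meets_electronic_channel_sla(uptime),
    }


if __name__ == "__main__":
    print("as required by item 62:", monthly_report(SAMPLE_OUTAGES, MONTH_START, MONTH_END))
    print("with 15-minute exclusion:", monthly_report(SAMPLE_OUTAGES, MONTH_START, MONTH_END,
                                                       excluded_minutes_per_outage=15))
```

With the sample outages (261 minutes of downtime in a 30-day month) uptime is 99.3958%, which falls in the 25% credit tier and fails the 99.9% electronic-channel floor. If the first 15 minutes of every outage were excluded, two outages would vanish entirely, measured uptime would rise to 99.5139%, and no credit would be due at all, which is why item 62 insists that the contract contain no such exclusion.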
Contractual Terms

64. Audit of the Superintendency of Banks of Panama and/or THE BANK
Criticality: Required
Description: The Superintendency of Banks of Panama is empowered to conduct periodic audits at the facilities of THE SUPPLIER in order to verify compliance with all aspects contemplated in the rules issued by said regulatory entity. Based on an unsuccessful result in complying with good practices in these audits, or in the event that such audits are denied, THE BANK may unilaterally terminate this Agreement, without additional costs or penalties of any kind for THE BANK.
Compliance level: T - Fully complies
Platform response: Agreed.

65. Self-renewal
Criticality: Required
Description: Contracts are automatically renewable, with maximum prices and the right to terminate the contract established, with 30 days' notice prior to renewal. If the contract will not automatically renew, the clause will be removed and the SaaS provider will be actively notified.
Compliance level: T - Fully complies
Platform response: Our contracts are automatically renewable, with 30 days' notice prior to renewal for a cancellation request.

66. Exit assistance (transition period or transition/termination assistance)
Criticality: Recommended
Description: The supplier is obligated to assist in exiting and transitioning to another supplier quickly and easily, either upon expiration of the agreement or upon its termination due to non-compliance. The transition services available and their cost, if applicable, will be documented up front (as an agreed discount from the provider's then-current list price). There will be the ability to purchase subscriptions beyond the expiration/termination date for a period of less than 12 months.
Compliance level: T - Fully complies
Platform response: Agreed.

67. Suspension/disconnection protections in case of dispute
Criticality: Required
Description: It is agreed and documented in the contract that if a payment dispute arises, the supplier cannot suspend services.
Compliance level: T - Fully complies
Platform response: Agreed.

68. Notice of termination of supplier renewal
Criticality: Recommended
Description: The supplier may not terminate the agreement at the time of renewal without cause, except in certain circumstances (e.g., withdrawal from that particular market or complete withdrawal of the product). At least 6 months' notice of termination must be given; longer periods may be possible depending on the criticality of the application to the business, the level and complexity of integration with other systems, and what activities must be undertaken to terminate the agreement.
Compliance level: T - Fully complies
Platform response: Agreed.

69. Termination for SLA breaches
Criticality: Required
Description: The contract shall document the ability to terminate the agreement, especially if it is a multi-year commitment, if SLAs are breached in 3 months out of 12 (not necessarily consecutive). There should also be a well-defined escalation process for resolving disputes and receiving refunds. Upon termination for cause, all fees paid in advance for the remainder of the subscription period must be refunded.
Compliance level: T - Fully complies
Platform response: Agreed.

70. Completion data
Criticality: Required
Description: The process and format for extracting data shall be documented in the contract, and data extraction shall be tested during the contract term to identify any potential problems when data needs to be extracted upon expiration or termination. There should be a buffer at the back end, i.e., a period of 60 to 90 days after termination during which data can be backed up, followed by confirmation or certification that all data that can be legally deleted has been deleted.
Compliance level: not stated
Platform response: not stated

71. Subcontractors
Criticality: Required
Description: There will be a single contract, and all subcontractors are obligated to operate within those contractual obligations. It is mandatory that the SaaS provider assumes responsibility for those subcontractors and for subcontractor performance management. The contract must state that if there is a change of subcontractors, the provider will give 60 days' notice of the upcoming change. If the supplier fails to provide this notice, or the proposed change is deemed unfavorable (at our sole discretion), we will have the ability to terminate the agreement without penalty or obligation. Where the supplier uses a third-party hosting facility, copies of the third party's SOC 2 Type 2 compliance must be submitted.
Compliance level: not stated
Platform response: not stated
Other considerations

72. Integration with the DGI to send reports
Criticality: Desirable
Description: Ability to integrate with the DGI for automatic report submission.
Compliance level: N - Does not comply
Platform response: The system generates the XML file, ready and validated, to be uploaded to the DGI portal. We do not have a direct connection to the DGI.

73. Provides a mechanism for validation of TIN formats (API) to integrate bank applications
Criticality: Required
Description: Through an API or web service, the platform allows the validation of TIN formats according to the jurisdiction to be queried, receiving the queries from the bank's systems. The bank's systems send the query with the TIN reported by the client, and the service confirms whether or not it conforms to the format for that jurisdiction.
Compliance level: T - Fully complies
Platform response: The requirement is met as indicated.

74. Returns format suggestions by jurisdiction via API
Criticality: Desirable
Description: Through the same API, in the validation operation or in a separate operation, the platform returns examples of valid formats according to a jurisdiction.
Compliance level: T - Fully complies
Platform response: The requirement is met as indicated.

75. Has an integration mechanism with the AD to enable an SSO strategy
Criticality: Desirable
Description: Bank users are not required to enter a username and password (SSO) to access the platform; if required, they must enter their network username and password, and the validation is done against our Active Directory.
Compliance level: not stated
Platform response: SSO is available for installed solutions only. Cloud users can have 2FA set for extra security.
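Requirements 73 and 74 describe an API that confirms whether a TIN conforms to a jurisdiction's format and returns examples of valid formats. The following Python module is an added illustration of that contract and is not the platform's own implementation, which the response does not describe. The per-jurisdiction rules are constructed for the example (two loosely modelled on public US and UK identifier shapes, one fictional) and are not an authoritative tax-ID reference; the operation names, parameters and status codes are likewise assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Illustrative per-jurisdiction format rules, constructed for this example.
# A production table would be maintained from each jurisdiction's official
# specification; these patterns only demonstrate the mechanism.
TIN_RULES: Dict[str, Dict] = {
    "US": {"pattern": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
           "description": "nine digits grouped 3-2-4 with hyphens",
           "examples": ["123-45-6789"]},
    "GB": {"pattern": re.compile(r"^\d{10}$"),
           "description": "ten digits, no separators",
           "examples": ["1234567890"]},
    "XX": {"pattern": re.compile(r"^[A-Z]{2}\d{6}$"),   # fictional jurisdiction
           "description": "two upper-case letters followed by six digits",
           "examples": ["AB123456"]},
}

MAX_TIN_LENGTH = 32  # reject oversized input before it reaches any regex


def normalize(tin: str) -> str:
    """Trim surrounding whitespace only; separators are part of the format."""
    return tin.strip()


def validate_tin(jurisdiction: str, tin: str) -> Dict:
    """Requirement 73: confirm whether a TIN conforms to a jurisdiction's format.

    Only format conformance is checked; the service does not and cannot say
    whether the TIN has actually been issued to anyone.
    """
    code = jurisdiction.strip().upper()
    rule = TIN_RULES.get(code)
    if rule is None:
        return {"jurisdiction": code, "valid": False, "reason": "unknown jurisdiction"}
    value = normalize(tin)
    if not value or len(value) > MAX_TIN_LENGTH:
        return {"jurisdiction": code, "valid": False, "reason": "tin missing or too long"}
    ok = rule["pattern"].fullmatch(value) is not None
    return {"jurisdiction": code, "valid": ok,
            "reason": "conforms to format" if ok else f"expected {rule['description']}"}


def format_examples(jurisdiction: str) -> Optional[Dict]:
    """Requirement 74: return valid format examples for a jurisdiction."""
    code = jurisdiction.strip().upper()
    rule = TIN_RULES.get(code)
    if rule is None:
        return None
    return {"jurisdiction": code, "description": rule["description"],
            "examples": list(rule["examples"])}


def handle_request(operation: str, params: Dict[str, str]) -> Tuple[int, Dict]:
    """Dispatch one API call without network code and return (http_status, body).

    Responses never echo the submitted TIN back, so a log of these calls on
    either side does not accumulate customer identifiers.
    """
    jurisdiction = params.get("jurisdiction", "")
    if operation == "validate":
        result = validate_tin(jurisdiction, params.get("tin", ""))
        status = 400 if result["reason"] == "unknown jurisdiction" else 200
        return status, result
    if operation == "examples":
        result = format_examples(jurisdiction)
        return (404, {"error": "unknown jurisdiction"}) if result is None else (200, result)
    return 404, {"error": "unknown operation"}


if __name__ == "__main__":
    print(handle_request("validate", {"jurisdiction": "US", "tin": "123-45-6789"}))
    print(handle_request("validate", {"jurisdiction": "GB", "tin": "12345"}))
    print(handle_request("examples", {"jurisdiction": "XX"}))
```

The bank's systems would call the validate operation with the jurisdiction and the TIN reported by the client and receive only a conformance verdict and a reason; the examples operation serves the format suggestions of item 74. The length cap and the fixed-anchored patterns keep the service from doing unbounded work on hostile input, and the response shape deliberately omits the TIN itself.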