Procurement

I. Terms and Conditions of Supplier Registration/Pre-qualification

By completing and submitting the supplier registration/pre-qualification application form, the supplier is deemed to have read, understood and accepted to be bound by the following terms and conditions including, without limitation, to flydubai's Terms and Conditions of Purchase, which are listed below (hereinafter collectively referred to as the "T&Cs"):-

1. The Registration/Pre-Qualification

(a) The supplier is not considered as one of flydubai's registered/pre-qualified suppliers unless a written confirmation of approval is received by the supplier, subsequent to the submission of the supplier's application and all necessary information requested therein (hereinafter referred to as "Registration").

(b) Where the supplier's Application is rejected or the supplier's Registration as approved supplier is cancelled (as the case may be), flydubai will not be obliged to provide any reason(s) thereof.

(c) Without prejudice to the foregoing, flydubai may reject the supplier's Application or cancel the supplier's Registration if flydubai discovers all or any part(s) of the Information submitted by the supplier is false, incomplete, inaccurate or for such other reason(s) as flydubai shall deem fit at its absolute discretion, including but not limited to non-compliance with the T&Cs.

(d) The Registration and the subsequent access to flydubai's supplier portal is for the sole and exclusive use by the supplier and not assignable or transferable under any circumstances whatsoever.

(e) It is flydubai's contracting policy to only engage supplier's willing to comply with flydubai's T&C's, including any specific terms and conditions prescribed for a particular Request For Quotation (RFQ)/Request For Proposal (RFP) issued from time to time. As a registered supplier, the supplier shall be invited to submit quotations/proposals and provided the opportunity to review and price for the risks and/or costs associated with complying with such terms and conditions. In the event of any inconsistency between the T&C's and the terms and conditions of a particular RFQ/RFP, the terms and conditions of the RFQ/RFP in question shall prevail. Non-compliant quotations/proposals will be rejected and registered suppliers submitting non-compliant quotations on at least 3 separate instances will be removed from the approved suppliers list.

(f) The supplier's successful registration does not bind flydubai to necessarily issue a RFQ/RFP or award any contract for services or materials or to reimburse any costs incurred by the supplier in the preparation and submission of the supplier quotation/proposal in response to a RFQ/RFP

2. Warranties and Representations

(a) Any supplier intending to register with flydubai represents and warrants that:

i. It has the capacity and the ability to provide the Information via this Registration and that the supplier possesses the requisite licence(s) and approval(s) in order to execute, deliver and perform its obligations in accordance with flydubai's standard T&Cs;

ii. All Information provided is up-to-date as at the date of submission and is true, current, complete, correct, accurate, does not cause any ambiguity and is not misleading; and

iii. It acknowledges and agrees to let flydubai disclose the Information to its Affiliates at such times and for such purposes as flydubai shall deem fit in its absolute discretion.

(b) Submission of the supplier's application and information and its subsequent approval as a registered supplier (the Registration) is solely for the purpose of including the supplier in flydubai's approved suppliers database and shall NOT at any time be construed, read or interpreted that flydubai in any way, shape or form warrants and/or represents to any supplier:

i. it shall be invited for every RFQ/RFP issued by flydubai;

ii. flydubai shall purchase any goods, products or request for any services from the registered supplier; or

iii. flydubai shall enter or be bound to any other form of contract or arrangement with a registered supplier;

3. Information and Confidentiality

(a) Both parties (flydubai & the supplier) undertake that neither party, at any time, shall not disclose to any person information which the disclosing party identifies as being proprietary and/or confidential or that by the nature of the circumstances surrounding the disclosure, ought to be treated as proprietary and/or confidential (including, without limitation to data and particulars of the company, firm or person with which the disclosing party may be in commercial or technical cooperation or association, data of the disclosing party's guests and customers, its operations and activities, financial standing, profile, claims or actions for or against the disclosing party, its future plans, developments or expansion) (hereinafter collectively known as "Confidential Information").

(b) Each Party may disclose the other Party's confidential information:

i. to its employees, officers, representatives or advisers who need to know such information for the purposes of carrying out its obligations resulting from any contractual relationship ensuing from this Registration. Each party shall ensure that its employees, officers, representatives or advisers to whom it discloses the other party's confidential information comply with the requirements of this Confidentiality clause; and

ii. as may be required by law, court order or any governmental or regulatory authority of competent jurisdiction.

(c) Neither party shall use the other party's Confidential Information for any purpose other than to perform its obligations under an ensuing contract or from this Registration.

II. Online Supplier Pre-Qualification/Registration Checklist

Please ensure the readiness of the following documents before proceeding with the registration process:

• Company Profile
• Trade License
• Chamber of Commerce Membership Certificate
• Quality certificates and achievements (if any)
• Product catalogues and brochures
• Contact information of 3-4 of the supplier current customers including the contact person for reference checks by flydubai
• Copy of audited financial balance sheet and P/L Statement for atleast 3 years

Please note that the documents above must be in softcopy and ready to be uploaded to our Online Supplier Registration System as the supporting documents for information provided by the supplier.

All pre-qualified/registered Suppliers are required to provide goods and services in accordance with flydubai's standard terms and conditions, issued along with the relevant RFQ/RFP from time to time.

III. Confirmation of Registration

Upon the submission of the supplier registration application, the supplier will receive a registration confirmation receipt by email. The supplier application will be routed through flydubai's Supplier Prequalification process for review and approval. Approved applicants will receive another email confirming their Registration.

Your application for Pre-qualification/Registration constitutes your acceptance of all of the above.

The Procurement Department:

• manages the procurement process on behalf of all user departments
• sources materials and services and negotiates the best possible terms & conditions on behalf of user departments
• utilizes the user department inputs for the evaluation and negotiation of supplier proposals
• leverages the 'buying power' of flydubai
• is the primary point of contact for communication with vendors for all commercial matters
• ensures fair, transparent and unbiased sourcing, evaluation and selection of suppliers
• maintains traceable records of all procurement transactions for future audits

The entire procurement process, commencing with the sourcing of requested goods and services and culminating with the invoicing of the delivered goods and services is administered by the Procurement Department, in liaison with the user department requesting the goods and/or services.

The approved procurement policy and procedures applies to and binds all chiefs, directors, managers and employees of the organization in any situation where they are involved in a purchasing process, whether as requisitoners or specifiers, purchasers, negotiators or approvers of purchase requests and payment. 'Purchasing' includes all procurement activities including leasing and hiring, and may, where appropriate, include other activities accompanying the life cycle of goods (or service contracts) and the end-of-life disposal of goods which have been procured (whether or not they remain in our ownership). Adherence to the policy is both an individual and a corporate responsibility. Willful breach of the policy, or unauthorised departure from the procedures derived from the policy, may constitute a disciplinary offence.

flydubai's policy commits the organization, and every individual involved in purchasing and supply management processes within the organization, to use their best endeavours to ensure that our purchasing and contracting activities are:

• legal
• accountable and auditable
• ethically, environmentally and socially responsible
• economically effective
• conducive to maintaining the organization's ability to exploit appropriate technological, commercial and organizational developments as they arise
• capable of identifying, minimizing and managing risks that may threaten the supply chain or the wider organization
• open to continuous improvement and development, in particular by the training, development and support of staff.

flydubai's procurement department strives to exhibit the highest ethical standards, and in turn insists on adherence to ethical standards from its suppliers and all stakeholders involved in the purchasing process. flydubai not only strives to be fair and above board in its dealings, but avoids any conduct which is capable of having an adverse interpretation put on it.

Any improper approaches, whether in the form of inducements or threats, must be reported, even if they are sufficiently ambiguous to allow for an innocent interpretation. All flydubai employees, when undertaking any procurement activity are bound by flydubai's code of conduct and the procurement code of ethics.

The following points are particularly noteworthy:

Gifts, hospitality and other inducements

No employee of flydubai, engaged in the procurement of goods or services, may solicit or receive any gift or other consideration from any person or body with whom they deal as part of their official duties as inducement or reward for doing or refraining from doing anything, or showing any favour or disfavour to any person or firm, in their official capacity. Gifts and other considerations are automatically corrupt unless the individual can prove otherwise.

flydubai also requires all its employees to report in writing the fact that he or she, or any close relation, has a direct or indirect pecuniary interest in a contract to be awarded by flydubai..

Only gifts of small intrinsic value (pens, desk diaries and the like, not greater than AED 500) may be accepted from actual or potential suppliers. Gifts of real worth (valued at more than AED 500) must be reported and returned to the supplier. Suppliers who persist in making such offers shall be made aware that flydubai will cease to deal with them.

Invitations to visit user sites, attend specialist conferences, association annual dinners and the like as the guest of a supplier are treated with fair caution and require the approval of an appropriate approving authority in flydubai. All invitations by suppliers to sporting occasions and other functions with little or no business content are required to be reported to the procurement department and declined.

Conflicts of interest

When dealing with suppliers, potential conflicts of interest may arise. Spouses or other relatives of flydubai employees may be employed by the supplier company or personal friendships may develop over time. Such potential conflicts are required to be reported by the concerned employee to his immediate supervisor or head of department immediately. This would normally not prevent flydubai from trading with the supplier concerned, but the purchasing expenditure is handled by another employee who does not have any conflict of interest in the matter.

All flydubai employees are required to refrain from dealing with suppliers in their private affairs, particularly if this is likely to put them under some obligation to the supplier. Where such arrangements may be unavoidable, it is essential that they ensure they are not offered any sort of deal which is not commonly available, and which could be construed as a reward for actions taken in the course of their employment.

In the case of former flydubai employees working with potential suppliers, any competitive advantage they may have due to their inside knowledge of flydubai's operations is neutralized by the procurement department being the sole point of contact for such suppliers to ensure fair competition amongst all suppliers.

Anti-Competitive Behaviour

As and when flydubai becomes aware of supplier organizations apparently acting in concert to fix prices or divide up the share of business between them, flydubai takes all necessary steps, including, but not limited to, declaring the suppliers and their respective holding companies and subsidiaries 'blacklisted', either indefinitely or for a stated period of time, in order to stamp out such collusive practices.

All employees engaged in any aspect of purchasing of goods and services on behalf of flydubai shall abide by the Corporate Code of Conduct Policy and never use their authority for personal gain and shall seek to uphold and enhance the standing of flydubai by:

• Maintaining an unimpeachable standard of integrity in all their business relationships both inside and outside flydubai
• Fostering the highest possible standards of professional competence amongst those for whom they are responsible
• Optimizing the use of resources for which they are responsible to provide maximum benefit to their employer
• Complying both with the letter and the spirit of:
  • The law of the country in which they operate and with which they deal
  • All contractual obligations incurred by or on behalf of their employer
• Rejecting any business practice which might reasonably be deemed improper

In addition to the particular areas of focus with regards to ethical procurement, the following general guidelines are provided for all flydubai personnel to adhere to:

• It is essential that at all times we work towards getting "Best Value for Money" - this does not mean compromising quality but it does mean getting competitive quotes, being clear about the specification of products and services, and being mindful of the effect of the cost on our cost base.
• So as to maintain the best leverage across the supplier base it is vital that all competitive suppliers are given equal consideration throughout the procurement process up to the point of final decision. This will maximize the competitive spirit between them and will get flydubai the best results.
• At all times, especially when communicating with suppliers, maintain integrity and avoid intentional misrepresentation.
• It is in the best interests of flydubai, both in the short term during the selection and negotiation and the longer term relationship, to provide suppliers with accurate and all necessary information. Without this they cannot accurately understand our requirements and will therefore have trouble in packaging their products and pricing appropriately.
• One of the foundations for the relationship is complete transparency at all stages in the process. It is therefore important that all parties provide copies of relevant correspondence with suppliers,
• To ensure that we are able to maintain the best possible negotiation position, all staff must not tell (directly or by inference) any competing supplier that they are preferred. Again this can completely undermine flydubai's ability to get best value and in the long run can seriously hinder its ability to get best prices from the market.
• Maintain confidentiality, and never disclose confidential information without authorization, of any supplier provided information as this information is what sets them apart and gives them their competitive edge. If that confidentiality is broken, it may damage the Supplier in the market and thus undermine flydubai's relationship with that Supplier.
• In order to maintain professional and mutually profitable relationships with suppliers, all staff must deal with all suppliers' enquiries professionally, promptly and efficiently. An equally efficient response can be expected in return.
• All staff must avoid all potential conflicts of interest and highlight any that do occur. So staff involved in any procurement transaction must avoid any activity in or outside the workplace that could be perceived as a potential conflict of interest.

All procurement activities at flydubai must fully respect and adhere to all applicable laws and executive regulations of the Emirate of Dubai and theUnited Arab Emirates.

While flydubai uses all possible means to minimize its costs, it will not be a party to the evasion of any value added taxes, customs duties or any other charges or fees levied under any law or regulation of the Government of Dubai and/or the Federal Government of UAE. Additionally, flydubai shall abide by, where relevant, international laws, agreements and treaties to which the Government of UAE is a party.

The Procurement Department will seek the advice of flydubai's Legal Department, whenever deemed necessary, to ensure its contracts are in compliance with all applicable laws and executive regulations of the Emirate of Dubai and the United Arab Emirates.

flydubai ensures all its procurement activity is conducted in a manner so as to allow any supplier having the necessary abilities to be of service to have a fair opportunity to secure its business. Furthermore, flydubai makes all reasonable efforts to ensure that its procedures do not place unnecessary obstacles in the way of local, small or new organizations.

flydubai avoids using suppliers, at home or overseas, that exploit child or sweated labour, that disregard basic health and safety provisions, that 'pirate' the intellectual property of others, or that willfully and avoidably damage the environment.

With regards to the environment, flydubai's procurement choices favour products and services showing clear environmental advantages unless there are significant reasons for not doing so.

flydubai displays responsibility towards it suppliers by working with them to improve their performance and to overcome any behavioral deficiencies, in order to meet flydubai's standards, wherever possible.

flydubai also has a responsibility towards the community within which it operates. Other things being equal, flydubai prefers to use local suppliers, as much as possible, and works with local businesses to improve their ability to meet its requirements.

View Information Security Regulation (ISR) Policy

Definitions and Interpretations

The definitions in this section 2 shall apply to this Information Security Regulation (ISR) Policy.

Agreement. The agreement between flydubai and the Third Party in connection to which the Third Party will access flydubai Data.

Authorised Parties. All persons employed by the Third Party together with the Third Party’s agents, representatives and any other party, in each instance, whose engagement and access to flydubai Data is strictly necessary for the performance of the Third Party’s obligations under the Agreement.

Business Continuity and Disaster Recovery. A set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations.

Confidential Information. Information disclosed by (or on behalf of) a party or its representatives to the other party in connection with the Agreement that is marked as confidential or would reasonably be considered to be confidential under the circumstances.

Dynamic Host Configuration Protocol. A network management protocol used on internet protocol networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

flydubai. Dubai Aviation Corporation (trading as ‘flydubai’)

flydubai Data. All information of whatever form relating to flydubai, its business or customers that is provided by flydubai in connection with the performance of the Third Party’s obligations under the Agreement, including any information provided or generated, collected, processed, stored or transmitted in connection with their access to and/or use of the Third Party’s obligations under the Agreement.

Incident Management Process. A set of procedures and actions taken to respond to and resolve critical incidents: how incidents are detected and communicated, who is responsible, what tools are used, and what steps are taken to resolve the incident.

Mobile and Portable Devices. Small form factor of a computing device that is designed to be held and used in the hands used to connect to the internet and communicate with others.

Personal Information. Information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not, including but not limited to personal data for the purpose of the General Data Protection Regulation EU 2016/ 679.

Policy. This Information Security Regulation Policy.

Restrictive, Reciprocal, Hereditary or Copyleft licence. A software licence that requires that information necessary for reproducing and modifying such software must be made available publicly to recipients of executable versions of such software including but not limited to General Public Licence (GPL) and Affero General Public Licence (AGPL) .

Security Gateway. A set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers.

Strong Authentication. A method of user verification that is considered robust enough to withstand attacks on the system to which the users are authenticating.

Strong Encryption. The use of encryption technologies with minimum key lengths of 128-bits for symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable assurance that it will protect the encrypted information from unauthorised access and is adequate to protect the confidentiality and privacy of the encrypted information, and which incorporates a documented policy for the management of the encryption keys and associated processes adequate to protect the confidentiality and privacy of the keys and passwords used as inputs to the encryption algorithm.

Technical and Organisational Security Measures. Functions, processes, controls, systems, procedures, and measures that organisations can implement to promote secure processing and storage of personal & confidential data, avoid data breaches, and facilitate compliance with relevant data protection obligations.

Third Party. The Third Party accessing flydubai Data in connection with this policy.

1. Organisation of Information Security

Third Party shall, at a minimum:

a. Ensure only Authorised Parties are granted access to flydubai Data.

b. Implement Technical and Organisational Security Measures that are no less rigorous than information security best practices to protect the integrity, availability, and confidentiality of flydubai Data and other non-public information and prevent the unauthorised access, acquisition, disclosure, destruction, alteration, accidental loss, misuse or damage of flydubai Data.

c. Establish, implement, and maintain consistent with industry best practices, policies and a program of organisational, operational, administrative, physical and Technical and Organisational Security Measures appropriate to (1) prevent any access by non-Authorised Parties to flydubai Data in a manner not authorised by the Agreement or this Policy, and (2) comply with and meet all applicable laws and regulations and applicable industry standards.

d. Take reasonable steps to prevent unauthorised access to or loss of flydubai Data and the Third Party obligations under the Agreement, systems, devices or media containing this information.

e. Employ risk assessment processes and procedures to regularly assess systems used to provide Third Party obligations or products to flydubai. Third Party shall remediate such risks as soon as possible and commensurate with the level of risk to flydubai Data given threats known at the time of identification. Operate a process to enable the reporting of risks or suspected incidents to the flydubai security team.

f. Keep records of Authorised Parties and Third Party resources that access, transfer, maintain, store, or process flydubai Data.

g. Conduct comprehensive background checks on all Authorised Parties prior to hire, to the extent permitted by law. The comprehensive background check on individuals shall include, at a minimum, the individual’s previous employment history, criminal record, credit history, reference checks, and any additional industry standard background check requirements.

h. Require non-disclosure or confidentiality contractual commitments from Authorised Parties prior to providing them with access to flydubai Data.

i. Ensure that all Authorised Parties who may be performing work under the Agreement or who may have access to flydubai Data are in compliance with these Technical and Organisational Security Measures which shall be evidenced by a written agreement no less restrictive than this Policy.

2. Physical and Environmental Security

Third Party shall, at a minimum:

a. Ensure that all of Third Party’s systems and other resources intended for use by multiple users are in secure physical facilities with access limited and restricted to authorised individuals only.

b. Monitor and record, for audit purposes, access to the physical facilities containing systems and other resources intended for use by multiple users used in connection with Third Party’s performance of its obligations under the Agreement.

c. Limit and monitor physical access to its facilities only to Authorised Parties

d. Equipment used to store, process or transmit flydubai Data must be physically secured including wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

e. Implement controls to minimise the risk of and protect against physical threats.

f. Protect any device that captures payment card data via direct physical interaction from tampering and substitution by periodically inspecting device surfaces to detect tampering or substitution; provide training for personnel to be aware of attempting tampering or replacement of devices.

3. Access Control

Third Party shall, at a minimum:

a. Separate flydubai’s information from Third Party’s other customers’ data or Third Party’s own applications and information either by using physically separate servers or by using logical access controls where physical separation of servers is not implemented.

b. Identify and require appropriate owners to review and approve access to systems used to access, process, manage, or store flydubai Data at least quarterly to remove unauthorised access; and maintain and track access approvals.

c. Remove access to systems managing flydubai Data within 24 hours of Authorised Party terminating its relationship with Third Party ; and maintain reasonable procedures to remove access to such systems within three business days when it is no longer needed or relevant to the performance of their duties. All other user IDs must be disabled or removed after 90 calendar days of inactivity.

d. Restrict system administrator (also known as root, privileged, or super user) access to operating systems intended for use by multiple users only to individuals requiring such high-level access in the performance of their jobs. Use check-out system administrator IDs with individual user log-in credentials and activity logs to manage high security access and reduce high-level access to a highly limited number of users. Require application, database, network, and system administrators to restrict access by users to only the commands, data, systems, and other resources necessary for them to perform Authorised functions. System administrative roles and access lists must be reviewed at least annually.

e. Require Strong Authentication for all non-console administrative access, any remote access, and all administrative access into cloud environments.

4. Identification and Authentication

Third Party shall, at a minimum:

a. Assign unique user IDs to individual users and assign authentication mechanisms to each individual account.

b. Use a documented user ID lifecycle management process including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all access to flydubai Data and across all environments (e.g., production, test, development, etc.). Such process shall include review of access privileges and account validity to be performed at least quarterly.

c. Restrict all access to flydubai Data to those using a valid user ID and password, and require unique user IDs to employ one of the following: password or passphrase, two-factor authentication, or a biometric value.

d. Require password complexity and meet the following password construction requirements as per flydubai policy: a minimum of eight (8) characters in length for system passwords and four (4) characters for tablet and smartphone passcodes. System passwords must contain three (3) of the following: upper case, lower case, numeric, or special characters.

e. Passwords must also not be the same as the user ID with which they are associated, contain a dictionary word, sequential or repeat numbers, and not be one of the past five passwords.

f. Require password expiration at regular intervals not to exceed ninety (90) days.

g. Mask all passwords when displayed.

h. Limit failed login attempts to no more than five (5) failed logon attempts within 24 hours and lock the user account upon reaching that limit in a persistent state. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity.

i. Verify user’s identity and set one-time use and reset passwords to a unique value for each user. Systematically prompt change after first use.

j. Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards).

k. Restrict service account and proxy passwords to a 12-character minimum, including upper case, lower case, and numeric characters, as well as special symbols. Change service account and proxy passwords at least annually and after employment termination of anyone with knowledge of the password.

l. Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes.

m. Use an authentication method based on the sensitivity of flydubai Data. Whenever authentication credentials are stored, Third Party shall protect them using Strong Encryption.

n. Configure systems to automatically timeout after a maximum period of inactivity as follows: server (15 minutes), workstation (15 minutes), mobile device (4 hours), Dynamic Host Configuration Protocol (7 days), Virtual Private Network (24 hours).

5. Information Systems Acquisition, Development and Maintenance

Third Party shall, at a minimum:

a. Employ an effective application management methodology that incorporates Technical and Organisational Security Measures into the software development process, and ensure that Technical and Organisational Security Measures, as represented by industry best practices, are implemented by Third Party in a timely manner.

b. Follow industry-standard development procedures, including separation of access and code between non-production and production environments and associated segregation of duties between such environments.

c. Ensure internal information security controls for software development are assessed regularly and reflect industry best practices, and revise and implement these controls in a timely manner.

d. Manage security of the development process and ensure secure coding practices are implemented and followed, including appropriate cryptographic controls, protections against malicious code, and a peer review process.

e. Conduct penetration testing on functionally complete applications before released into production and thereafter, at least once every year and after any significant modifications to source code or configuration that align with OWASP, CERT, SANS Top 25, and PCI-DSS. Remediate any exploitable vulnerabilities prior to deployment to the production environment.

f. Use anonymized or obfuscated data in non-production environments. Never use plain text production data in any non-production environment, and never use Personal Information in non-production environments for any reason. Ensure all test data and accounts are removed prior to production release.

g. Review open or free source code approved by flydubai, software, applications, or services for flaws, bugs, security issues or non-compliance with open or free source licensing terms. Third Party shall notify flydubai in advance of using any open or free source code and, if approved for use by flydubai, provide flydubai with the name, version and URL of the open or free source code. Third Party represents and warrants that

(i) any open or free source code it uses in its products or in services shall be licensed under “permissive” open or free source code licenses and not under Restrictive, Reciprocal, Hereditary or Copyleft licenses;

(ii) Third Party has the right to freely amend, adapt open or free source code and combine open or free source code or contain open or free source code with proprietary code without placing restrictions on such amendments, adaptions, or combinations or proprietary code that contains open or free source code and how these can be licensed onwards (collectively, “derivative works”) and (iii) such derivative works will not be subject to any open or free source licence requiring licensing the derivative work or making it available at no charge to third parties under the open or free source licence terms.

h. Not share any code created under the Agreement, regardless of the stage of development, in any shared or non-private environment, such as an open access code repository, regardless of password protection.

6. Software and Data Integrity

Third Party shall, at a minimum:

a. In environments where antivirus software is commercially available, have current antivirus software installed and running to scan for and promptly remove or quarantine viruses and other malware from any system or device.

b. Separate non-production information and resources from production information and resources.

c. Ensure teams use a documented change control process for all system changes, including back-out procedures for all production environments and emergency change processes. Include testing, documentation, and approvals for all system changes and require management approval for significant changes in such processes.

d. Build and maintain a PCI zone if Third Party processes or stores card holder data.

e. For applications that utilize a database that allows modifications to flydubai Data, have and maintain a database transaction audit logging features enabled and retain database transaction audit logs for a minimum of one (1) year with three months immediately available for analysis.

f. Review software to find and remediate security vulnerabilities during initial implementation and upon any significant modifications and updates.

g. Perform quality assurance testing for the security components (e.g., testing of identification, authentication and authorization functions), as well as any other activity designed to validate the security architecture, during initial implementation and upon any significant modifications and updates.

7. System Security

Third Party shall, at a minimum:

a. Regularly create and update the most recent versions of data flow and system diagrams used to access, process, manage, or store flydubai Data.

b. Actively monitor industry resources (e.g.www.cert.org, www.cert.org and pertinent software vendor mailing lists and websites) for timely notification of all applicable security alerts pertaining to Third Party’s systems and other information resources.

c. Effectively manage cryptographic keys by reducing access to keys by fewest number of custodians necessary, storing secret and private cryptographic keys by encrypting with a key at least as strong as the data-encrypting key, and storing separately from the data- encrypting key in a secure cryptographic device, in the fewest possible locations. Change cryptographic keys from default at installation and at least every two years, and securely dispose of old keys.

d. Scan externally-facing and internal systems and other information resources, including, but not limited to, networks, servers, applications and databases, with applicable industry- standard security vulnerability scanning software to uncover security vulnerabilities, ensure that such systems and other resources are properly hardened, and identify any unauthorised wireless networks at least quarterly, and prior to release for applications and for significant changes and upgrades within timeframes resulting from risk analyses based upon reasonable and generally accepted IT policies and standards.

e. Ensure that all of Third Party’s systems and other resources are and remain hardened including, but not limited to, removing or disabling unused network and other services and products (e.g., finger, rlogin, ftp, and simple Transmission Control Protocol/Internet Protocol (TCP/IP) services and products) and installing a system firewall, Transmission Control Protocol (TCP) wrappers or similar technology.

f. Deploy one or more Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Intrusion Detection and Prevention Systems (IDP) in an active mode of operation that monitors all traffic entering and leaving systems and other resources in conjunction with the Agreement in environments where such technology is commercially available and to the extent practicable.

g. Maintain a risk rating process for vulnerability assessment findings aligned with industry best practices to remediate security vulnerabilities in any system or other resource, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly with respect to the probability that such vulnerability can be or is in the process of being exploited. Critical vulnerability assessment findings and patches must be remediated immediately upon availability and in no event longer than 7 days after release. High vulnerability assessment findings and patches must be remediated within 30 days of release. Medium & Low vulnerability assessment findings and patches must be remediated within 70 calendar days.

h. Conduct generalized penetration testing internally and externally at least annually and after any significant infrastructure or application upgrade or modification.

i. Remove or disable unauthorised software discovered on Third Party’s systems and employ industry standard malware controls, including the installation, regular update and routine use of anti-malware software products on all services, systems and devices that may be used to access to flydubai Data. Use reliable and industry best practice anti-virus software where practicable and ensure such virus definitions remain updated.

j. Maintain up-to-date software on all services, systems and devices that may be used to access flydubai Data, including appropriate maintenance of operating system(s) and successful installation of reasonably up-to-date security patches.

k. Assign security administration responsibilities for configuring host operating systems to specific individuals.

l. Change all default account names and/or default passwords.

8. Monitoring

Third Party shall, at a minimum:

a. Retain log data for flydubai Data logs shall be designed to detect and respond to incidents and include, but not be limited to:

i. All individual user access to flydubai Data

ii. All actions taken by those with administrative or root privileges

iii. All user access to audit trails

iv. Invalid logical access attempts

v. Use of and changes to identification and authentication mechanisms

b. Record’ Third Parties’ primary system activities for systems containing any flydubai Data.

c. Restrict access for security logs to Authorised individuals and protect security logs from unauthorised modification.

d. Implement a change detection mechanism (e.g., file integrity monitoring) to alert personnel to unauthorised modification of critical system files, configuration files, or content files; configure software to perform critical file comparisons weekly.

e. Review, on at least a weekly basis, all security and security-related audit logs on systems containing flydubai Data for anomalies and document and resolve all logged security

problems in a timely manner.

f. Daily review all security events, logs of system components storing, processing, or

transmitting card holder data, logs of critical system components, and logs of servers and system components performing security functions.

9. Security Gateways

Third Party shall, at a minimum:

a. Require Strong Authentication for administrative and/or management access to Security Gateways, including, but not limited to, any access for the purpose of reviewing log files.

b. Have and use documented controls, policies, processes and procedures to ensure that unauthorised users do not have administrative and/or management access to Security Gateways, and that user authorization levels to administer and manage Security Gateways are appropriate.

c. At least once every six (6) months, ensure that Security Gateway configurations are hardened by selecting a sample of Security Gateways and verifying that each default rule set and set of configuration parameters ensures the following:

i. Internet Protocol (IP) source routing is disabled,

ii. The loopback address is prohibited from entering the internal network,

iii. Anti-spoofing filters are implemented,

iv. Broadcast packets are disallowed from entering the network,

v. Internet Control Message Protocol (ICMP) redirects are disabled,

vi. All rule sets end with a “DENY ALL” statement, and

vii. Each rule is traceable to a specific business request.

d. Ensure that monitoring tools are used to validate that all aspects of Security Gateways (e.g., hardware, firmware, and software) are continuously operational.

e. Ensure that all Security Gateways are configured and implemented such that all non- operational Security Gateways shall deny all access.

f. Inbound packets from the untrusted external network must terminate within the demilitarized zone (“DMZ”) and must not be allowed to flow directly through to the trusted internal network. All inbound packets which flow to the trusted internal network must only originate within the DMZ. The DMZ must be separated from the untrusted external network by use of a Security Gateway and must be separated from the trusted internal network by use of either:

i. another Security Gateway, or

ii. the same Security Gateway used to separate the DMZ from the untrusted external network, in which case the Security Gateway must ensure that packets received from the untrusted external network are either immediately deleted or if not deleted are routed only to the DMZ with no other processing of such inbound packets performed other than possibly writing the packets to a log.

g. The following must only be located within the trusted internal network:

i. Any flydubai Data stored without the use of Strong Encryption,

ii. The official record copy of information

iii. Database servers,

iv. All exported logs, and

v. All environments used for development, test, sandbox, production, and any other such environments; and all source code versions.

h. Authentication credentials not protected by the use of Strong Encryption must not be located within the DMZ.

10. Network Security

Third Party shall, at a minimum:

a. Upon flydubai’s request, provide to flydubai a logical network diagram documenting systems and connections to other resources including routers, switches, firewalls, IDS systems, network topology, external connection points, gateways, wireless networks, and any other devices that shall support flydubai.

b. Maintain a formal process for approving, testing, and documenting all network connections and changes to the firewall and router configurations. Configure firewalls to deny and log suspicious packets, and restrict to only allow appropriate and authorised traffic, denying all other traffic through the firewall. Review firewall rules every six months.

c. Install a firewall at each Internet connection and between any DMZ and the internal

network zone. Any system storing Personal Information must reside in the internal network zone, segregated from the DMZ and other untrusted networks.

d. Monitor firewall at the perimeter and internally to control and protect the flow of network traffic entering or leaving the border or boundary, as necessary.

e. Maintain a documented process and controls in place to detect and handle unauthorised attempts to access flydubai Data.

f. When providing Internet-based services and products to flydubai, protect flydubai Data by the implementation of a network DMZ. Web servers providing services to flydubai shall reside in the DMZ. Any system or information resource storing flydubai Data (such as application and database servers) shall reside in a trusted internal network. Third Party shall use DMZ for Internet services and products.

g. Restrict unauthorised outbound traffic from applications processing, storing or transmitting flydubai Data to IP addresses within the DMZ and Internet.

h. When using radio frequency (RF) based wireless networking technologies to perform or support services and products for flydubai, Third Party shall ensure that all of flydubai Data transmitted is protected by the use of appropriate encryption technologies sufficient to protect the confidentiality of flydubai Data; provided, however, that in any event such encryption shall use no less than key lengths of 256-bits for symmetric encryption and 2048-bits for asymmetric encryption. Regularly scan, identify, and disable unauthorized wireless access points.

11. Connectivity Requirements

In the event that Third Party has, or shall be provided, connectivity to flydubai Data resources in conjunction with the Agreement, then in addition to the foregoing, if Third Party has or is provided connectivity to flydubai’s environment, Third Party shall, at a minimum:

a. Use only the mutually agreed upon facilities and connection methodologies to interconnect flydubai’s environment with Third Party’s resources.

b. NOT establish interconnection to flydubai’s environment without the prior written consent of flydubai.

c. Provide flydubai access to any applicable Third Party facilities during normal business hours for the maintenance and support of any equipment (e.g., router) provided by flydubai under the Agreement for connectivity to flydubai Data resources.

d. Use any equipment provided by flydubai under the Agreement for connectivity to flydubai’s environment only for the furnishing of those services and products or functions explicitly authorised in the Agreement.

e. If the agreed upon connectivity methodology requires that Third Party implement a Security Gateway, maintain logs of all sessions using such Security Gateway. These session logs must include sufficiently detailed information to identify the end user or application, origination IP address, destination IP address, ports/service protocols used and duration of access. These session logs must be retained for a minimum of six (6) months from session creation.

f. Immediately suspend or terminate any interconnection to flydubai’s environment upon Third Parties belief there has been a breach or unauthorised access or upon flydubai’s instructions if flydubai, in its sole discretion, believes there has been a breach of security or unauthorised access to or misuse of flydubai Data facilities or any flydubai information, systems, or other resources.

12. Mobile and Portable Devices

Third Party shall, at a minimum:

a. Use Strong Encryption to protect flydubai Data transmitted using or remotely accessed by network-aware Mobile and Portable Devices.

b. When using network aware Mobile and Portable Devices that are not laptop computers to access and/or store flydubai Data, such devices must be capable of deleting all stored copies of flydubai Data upon receipt over the network of a properly authenticated command. (Note: Such capability is often referred to as a “remote wipe” capability.)

c. Have documented policies, procedures and standards in place to ensure that the Authorised Party who should be in physical control of a network-aware mobile and portable device that is not a laptop computer and that is storing flydubai Data promptly initiates deletion of all flydubai Data when the device becomes lost or stolen.

d. Have documented policies, procedures and standards in place to ensure that Mobile and Portable Devices that are not laptop computers and are not network aware shall automatically delete all stored copies of flydubai Data after consecutive failed login attempts.

e. Have documented policies, procedures and standards in place which ensure that any Mobile and Portable Devices used to access and/or store flydubai Data:

i. Are in the physical possession of Authorised Parties;

ii. Are physically secured when not in the physical possession of Authorised Parties; or

iii. Have their data storage promptly and securely deleted when not in the physical possession of an Authorised Party, or physically secured, or after 10 unsuccessful access attempts.

f. Prior to allowing access to flydubai Data stored on or through the use of Mobile and Portable Devices, Third Party shall have and use a process to ensure that:

i. The user is an Authorised Party authorised for such access; and

ii. The identity of the user has been authenticated.

g. Implement a policy that prohibits the use of any Mobile and Portable Devices that are not administered and/or managed by Third Party or flydubai to access and/or store flydubai Data.

h. Review, at least annually, the use of and controls for all Third Party-administered or managed Mobile and Portable Devices to ensure that the Mobile and Portable Devices can meet the applicable Technical and Organisational Security Measures.

13. Security in Transit

Third Party shall, at a minimum:

a. Use Strong Encryption for the transfer of flydubai Data outside of flydubai-controlled or Third Party-controlled networks or when transmitting flydubai Data over any untrusted network.

b. For records containing flydubai Data in paper format, microfiche, or electronic media to be physically transferred, transport them by secured courier or other delivery method that can be tracked, packed securely and per manufacturer specifications. Any flydubai Data must be transported in locked containers.

14. Security at Rest

Third Party shall, at a minimum:

a. Use Strong Encryption to protect flydubai Data when stored.

b. Not store flydubai Data electronically outside of Third Party’s network environment (or flydubai’s own secure computer network) unless the storage device (e.g., backup tape, laptop, memory stick, computer disk, etc.,) is protected by Strong Encryption.

c. Not store flydubai Data on removable media (e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, or external hard drives) except: for backup, business continuity, disaster recovery, and data interchange purposes as allowed and required under contract between Third Party and flydubai. If removable media is used to store Personal Information or Confidential Information per the exceptions noted within this subsection, the information must be protected using Strong Encryption. Autorun shall be disabled for removable media and storage devices.

d. Appropriately store and secure records containing flydubai Data in paper format or microfiche in areas to which access is restricted to authorised personnel.

e. Unless otherwise instructed by flydubai in writing, when collecting, generating or creating flydubai Data in paper form and backup media for, through or on behalf of flydubai or under the flydubai brand, ensure that such information shall be Personal Information or Confidential Information and, whenever practicable, label such information of flydubai as “Confidential”. Third Party acknowledges that flydubai Data is and shall remain owned by flydubai- irrespective of labeling or the absence thereof.

15. Return, Retention, Destruction, and Disposal

Third Party shall, at a minimum:

a. At no additional charge to flydubai, upon flydubai’s request or upon termination of the Agreement, provide copies of any of flydubai Data to flydubai within thirty (30) calendar days of such request or termination of the Agreement. Third Party shall return or, at flydubai’s option, destroy all of flydubai’s data, including electronic, hard, and secured backup copies as provided for in the Agreement or, if not provided for in the Agreement, within ninety calendar (90) days after the soonest of: (i) expiration or termination of the Agreement, (ii) flydubai’s request for the return of flydubai Data, or (iii) the date when Third Party no longer needs flydubai Data to perform its obligations and products under the Agreement.

b. In the event that flydubai approves destruction as an alternative to returning flydubai Data, certify in writing, by an officer of the Third Party, the destruction as rendering flydubai Data non-retrievable and unrecoverable. Third Party shall completely destroy all copies of flydubai Data at all locations and in all systems where flydubai Data is stored, including but not limited to previously approved Authorised Parties. Such information shall be destroyed following an industry standard procedure for complete destruction such as DOD 5220.22M or NIST Special Publication 800-88 or using a manufacturer-recommended degaussing product for the system affected. Prior to such destruction, Third Party shall maintain all applicable Technical and Organisational Security Measures to protect the security, privacy and confidentiality of flydubai Data.

c. Dispose of Personal Information and flydubai Confidential Information in a manner that ensures the information cannot be reconstructed into a usable format. Papers, slides, microfilm, microfiche and photographs must be disposed by cross-shredding or burning. Materials containing flydubai Data awaiting destruction must be stored in secured containers and be transported using a secure third party.

16. Incident Response and Notification

Third Party shall, at a minimum:

a. Have and use an Incident Management Process and related procedures and staff such Incident Management Process and procedures with specialized resources. Immediately, and in no event more than twenty-four (24) hours, notify flydubai whenever there is any suspected or confirmed attack upon, intrusion upon, unauthorised access to, loss of, or other incident regarding flydubai’s information, systems, or other resources.

b. After notifying flydubai, provide flydubai with regular status updates, including, but not limited to, actions taken to resolve such incident, at mutually agreed upon intervals or times for the duration of the incident and as soon as reasonably possible after the closure of the incident, provide flydubai with a written report describing the incident, actions taken by the Third Party during its response and Third Party’s plans for future actions to prevent a similar incident from occurring.

c. Not report or publicly disclose any such breach of flydubai’s information, systems, or other resources without first notifying flydubai and working directly with flydubai to notify applicable regional, country, state, or local government officials or credit monitoring services, individuals affected by such breach, and any applicable media outlets, as required by law.

d. Have a process in place to promptly identify violations of security controls including those set forth in this Policy by Third Parties. Identified violators shall be subject to appropriate disciplinary action subject to the applicable laws. Notwithstanding the foregoing, violators shall remain under the authority of the Third Parties. flydubai shall not be deemed employer of the Third Party.

17. Business Continuity Management and Disaster Recovery

Third Party shall, at a minimum:

a. Develop, operate, manage, and revise business continuity plans for each location and disaster recovery plans for each core technology in order to minimise impact on flydubai attributable to the Third Party’s performance of its obligations under the Agreement. Such plans shall include: named resources specific to Business Continuity and Disaster Recovery functions, established recovery time objectives and recovery point objectives, daily back- up of data and systems, off-site storage of backup media and records, record protection and contingency plans commensurate with the requirements of the Agreement, store such plans securely off-site and ensure such plans are available to Third Party as needed.

b. Upon flydubai’s request, furnish to flydubai a documented business continuity plan that ensures Third Party can meet its contractual obligations under the Agreement and this document, including the requirements of any applicable statement of work or service level agreement. Such plans shall exercise recovery while protecting integrity and confidentiality of flydubai Data.

c. Have documented procedures for the secure backup and recovery of flydubai Data which shall include, at a minimum, procedures for the transport, storage, and disposal of the backup copies of flydubai Data and, upon flydubai’s request, provide such documented procedures to flydubai.

d. Ensure that backups of all flydubai Data stored or software and configurations for systems used by flydubai are created at least once a week.

e. Regularly, but no less frequently than annually, or following any material change in business continuity or disaster recovery plans, comprehensively exercise such plans at Third Party’s sole cost and expense. Such exercises shall ensure proper functioning of impacted technologies and internal awareness of such plans. Business Continuity and Disaster Recovery plans shall be updated at least annually, or as often as necessitated by significant changes to the business and/or technology environment.

f. Promptly review its business continuity plan to address additional or emerging threat sources or scenarios and provide flydubai a high-level summary of plans and testing within a reasonable timeframe upon request.

g. Ensure that all Third Party or Third Party-contracted locations housing or processing flydubai Data are monitored 24 hours a day, seven (7) days per week against intrusion, fire, water, and other environmental hazards.

18. Compliance and Accreditations

Third Party shall, at a minimum:

a. Retain complete and accurate records relating to its performance of its obligations arising out of this Policy and Third Party’s compliance herewith in a format that shall permit assessment or audit for a period of no less than three (3) years or longer as may be required pursuant to a court order or civil or regulatory proceeding. Notwithstanding the foregoing, Third Party shall only be required to maintain security logs for a minimum of one (1) year after any continuing performance of the Agreement.

b. Allow flydubai, at no additional cost to flydubai, upon reasonable advance notice, conduct periodic security assessments or audits of the Technical and Organisational Security Measures used by Third Party during which flydubai shall provide Third Party with written questionnaires and requests for documentation. For all requests, Third Party shall respond with a written response and evidence, if applicable, immediately or upon mutual agreement. Upon flydubai’s request for an audit by flydubai, Third Party shall schedule a security audit to commence within ten (10) business days from such request. flydubai may require access to facilities, systems, processes, or procedures to evaluate Third Party’s security control environment.

c. Upon flydubai’s request, certify it is in compliance with this document along with supporting certifications for the most recent versions of PCI-DSS, ISO 27001/27002, SOC 2, or similar assessment for the Third Party and for any subcontractor or third-party processing, accessing, storing, or managing on behalf of the Third Party. If Third Party is not able to certify compliance, it shall provide a written report detailing where it is out of compliance and its remediation plan to become compliant.

d. In the event that flydubai, in its sole discretion, deems that a security breach has occurred which was not reported to flydubai in compliance with this Agreement and Third Party’s Incident Management Process, schedule the audit or assessment to commence within twenty-four (24) hours of flydubai’s notice requiring an assessment or audit.

e. Within thirty (30) calendar days of receipt of the assessment results or audit report, provide flydubai a written report outlining the corrective actions that Third Party has implemented or proposes to implement with the schedule and current status of each corrective action. Third Party shall update this report to flydubai every thirty (30) calendar days reporting the status of all corrective actions through the date of implementation. Third Party shall implement all corrective actions within ninety (90) days of Third Party’s receipt of the assessment or audit report or within an alternative time period provided such alternative time period has been mutually agreed to in writing by the parties within no more than thirty (30) days of Third Party’s receipt of the assessment or audit report.

f. Be currently compliant and continue to be compliant with any applicable government

mandated information security standards and reporting requirements and ISO 27001/27002. To the extent that Third Party handles payment account numbers or any other related payment information, Third Party shall be currently compliant with the most current version of Payment Card Industry (PCI-DSS) for the full scope of systems handling this information and continue such compliance. In the event Third Party no longer is compliant with PCI-DSS for any portion of the full scope of systems handling PCI-applicable data, Third Party will promptly notify flydubai, immediately proceed without undue delay to remedy such non-compliance, and provide regular status of such remediation to flydubai upon request.

19. Standards, Best Practices, Regulations, and Laws

In the event Third Party processes, accesses, views, stores, or manages flydubai Data pertaining to flydubai personnel, partners, affiliates, flydubai clients; or flydubai client employees, contractors, subcontractors, or suppliers; Third Party shall employ Technical and Organisational Security Measures no less strict than is required by applicable global, regional, country, state, and local guidelines, regulations, directives and law.