Citi Requirements for Suppliers Page 57 of 60
© 2024 CITIGROUP INC.
availability of this information could have a significant impact on the individual (including,
but not limited to, financial loss, fraud or discriminatory impact).
o Data specifically relating to: race, religion, religious or philosophical beliefs, ethnicity,
political affiliation or opinions, union membership, criminal background information or
criminal offenses, genetic data, biometric data, or data regarding an individual’s sexual
orientation or activity.
o Personal Health Information (PHI) which includes information regarding the individual’s
medical history or mental or physical condition.
Client shall mean any client or customer of Citi and may include individuals (i.e., natural persons)
as well as businesses, institutions, organizations, and legal entities.
Cloud Region is a physical location where the Cloud Service Provider clusters data center(s).
Communications Equipment, Systems and Services are any hardware, software or
applications used in the transmission of written, voice, or video electronic communications. eComm
Channels include but are not limited to: computers, laptops, tablets, mobile devices or mobile
phones, including “Bring Your Own Device” (BYOD), BlackBerry, telephone, facsimile (fax
services), intranet and internet access, Wi-Fi Services, e-mail services, instant messaging services
such as Microsoft Lync, Skype, and Bloomberg messages, websites and applications with
embedded communications features, video meeting or collaboration platforms such as Zoom or
Microsoft Teams, and social media services, interactive information sharing services, third party
chat rooms, electronic bulletin boards and blogs.
Content means Citi’s Confidential Information and any other data, reports, statistics or information
of any kind (a) furnished or made available directly or indirectly to Supplier by or on behalf of Citi
or its Affiliates or by or on behalf of its or their clients, customers or service providers, (b) created,
produced via the Services, or (c) derived from any of the foregoing.
Contract is a written legal document signed by two or more parties that includes an offer,
acceptance, consideration, obligations of the parties and legality of purpose. Examples of
Contracts may include Master Agreements for products and services, statements of work / work
orders, amendments and addenda, schedules, orders or any other written document signed by a
Citi entity and a Supplier. A Non-Disclosure Agreement (NDA) is also considered a Contract for
the purposes of these Standards.
Denial of Access (DOA) Test validates the staffing and support for Citi business processes that
can be recovered within the defined RTO.
Denial of Service (DOS) Test: where Citi either logs in (signs on) to an application of or managed
by Supplier or on Supplier’s systems, Supplier must conduct, at least once annually in accordance
with Citi requirements for each data center / technology room where these applications reside, a
DOS test to demonstrate that the application can be recovered to the DR site specified in Supplier’s
Disaster Recovery Plan.
Electronic Communications are messages or information sent, received, or used by Personnel
using electronic means, carried over wire or by wireless signals. Electronic Communications
include but are not limited to text messages, email, peer-to-peer or instant messages, blog posts,
social media posts, messages sent through messaging applications such as WhatsApp, WeChat,
Line, Signal, or Viber, and include attachments, screenshots, recorded voice or video files, live
voice or video, and files created, received, downloaded, stored, transmitted, deleted or used via
Electronic Communications Equipment, Systems, and Services.