Nanosonics Information Security Policy for External Stakeholders 

1. Purpose of this policy  

The purpose of this Information Security Policy is to communicate Nanosonics' expectations to external stakeholders regarding the secure handling, transmission, storage, and processing of Nanosonics information. It ensures alignment with best practices and regulatory obligations and fosters a secure and trusted business relationship.

2. Nanosonics' Information Security Statement 

Nanosonics is committed to preserving the confidentiality, integrity, and availability of its information assets. We adopt globally recognized security frameworks, specifically ISO/IEC 27001, and align where relevant with NIST SP 800-53. We expect the same level of diligence from our partners, vendors, and contractors. This commitment forms the foundation of our secure operations and mutual trust with stakeholders.

3. Scope 

This policy applies to all external entities including vendors, suppliers, service providers, customers, partners, and contractors who access, process, store, or manage Nanosonics data, systems, or technology platforms. It also covers subcontractors and third-party systems that interface with Nanosonics infrastructure. 

4. Definitions  

  • Confidential Information: Any Nanosonics information that is proprietary or sensitive in nature, whether shared digitally or physically.
  • Third Party: Any non-employee or external organization conducting business with Nanosonics.
  • Access Control: Processes to ensure that only authorized individuals can access specific information systems or data.
  • Data Breach: Unauthorized access, disclosure, or destruction of confidential or personal data.
  • Encryption: The conversion of data into a coded format to prevent unauthorized access during storage or transmission.
  • Background Check (BGC): Verification of an individual's past employment, criminal history, and references to assess their trustworthiness before granting access to Nanosonics information.
  • Incident: Any event that compromises the confidentiality, integrity, or availability of information or systems.

5. Policy Requirements 

  • External stakeholders must protect Nanosonics information based on its classification (Public, Internal Use, Commercial, Regulated & Restricted). 
  • Information must not be shared with unauthorized individuals or used outside its intended purpose. 
  • Multi-factor authentication (MFA) must be implemented for all access. 
  • Systems connected to Nanosonics infrastructure must be patched, monitored, and protected by endpoint security tools. 
  • Any subcontracting must be pre-approved by Nanosonics and follow equivalent security controls. 
  • AI tools (including Generative AI) must not be used with Nanosonics data unless explicitly approved. 
  • Third parties must ensure all staff handling Nanosonics data are trained annually in information security, data privacy, and phishing threats.
  • All storage devices containing Nanosonics data must be securely wiped or physically destroyed before disposal or reuse. Third parties must maintain evidence of secure disposal. 
  • Critical vendors must have documented and tested Business Continuity and Disaster Recovery Plans (BCP/DRP). Nanosonics reserves the right to request and review these plans. 
  • Third parties must retain Nanosonics data only as long as contractually required and must delete it upon request or project closure. 
  • Vendors must use Nanosonics-approved tools (e.g., Teams) to secure all communication. Use of public cloud storage, file transfer services, or messaging apps is prohibited unless explicitly authorized. 
  • Vendors must conduct background verification on personnel who will access Nanosonics data or systems. Nanosonics reserves the right to request personnel adjustments, review BGC results, or request re-screening for high-risk roles.
  • Vendors must comply with all applicable laws and regulations related to data privacy, intellectual property, and information security. Nanosonics may request proof of such compliance at any time. 
  • Nanosonics reserves the right to audit third-party environments (on-site or remotely) where its data is stored or processed, with appropriate notice. 
  • External parties must report any security incident to Nanosonics by email at [email protected] or by phone at +61 2 8063 1602, and must cooperate fully in investigations and remediation efforts.

6. Compliance & Enforcement

Failure to comply with this policy may result in contractual penalties, termination of access or services, and legal actions where applicable. Nanosonics reserves the right to audit stakeholders to validate compliance, and all stakeholders must cooperate with such reviews. This policy will be reviewed annually or upon significant changes. 

7. Contact Information

Questions or clarification requests regarding this policy should be directed to: [email protected]