Is compliance with ISO/IEC 27000-series information security standards required for Azal Coffee franchisees?

Azal Coffee Franchise · 2024 FDD

Answer from 2024 FDD Document

You are responsible for securing the data of your customers. You must comply with industry standards and all applicable laws relating to the protection of Customer Information (defined in Section 10.6) and other personal information. You will be solely responsible for any liability, damages or claims caused by any data breaches or your failure to comply with these industry standards and laws. You must comply with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures and other applicable payment card industry requirements ("PCI Requirements") in connection with the Franchise Business. It is recommended that you also comply with the ISO/IEC 27000-series information security standards (or other comparable third-party information security standards) ("Information Security Standards") in connection with the Franchise Business. It is your responsibility to research and understand the PCI Requirements and Information Security Standards, other industry standards, and applicable laws and to ensure that your business policies and practices comply with these requirements. Although we may provide advice and/or specify or provide Franchise Technology, we do not represent or warrant that the Franchise Technology complies with the PCI Requirements or Information Security Standards, other industry standards, and applicable laws and it will be your sole responsibility to ensure that your business practices comply with these requirements. You must periodically participate in audits of your information technology systems and data security policies by third party auditors as specified by us.

If you detect or are notified of a data breach involving the data of your customers ("Data Breach"), you must immediately notify us of the Data Breach. You must cooperate with us in investigating and halting the Data Breach, including giving us access to your information technology systems. We will have the right to name legal counsel to deal with the Data Breach and to control media communications relating to the Data Breach. You must not make any public statements about the Data Breach without our approval. You must indemnify us and hold us harmless for all claims and costs, including attorneys' fees, incurred by us as a result of any Data Breach that is your responsibility.

Source: Item 22 — CONTRACTS (FDD page 51)

What This Means (2024 FDD)

According to Azal Coffee's 2024 Franchise Disclosure Document, compliance with ISO/IEC 27000-series information security standards is recommended, but not explicitly required, for franchisees. While franchisees must comply with industry standards and all applicable laws relating to the protection of customer and personal information, adherence to the ISO/IEC 27000-series standards is presented as a recommendation.

The franchisee is responsible for securing customer data and must comply with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures, along with other payment card industry requirements. The FDD states that it is the franchisee's responsibility to research and understand these requirements, industry standards, and applicable laws to ensure their business policies and practices are compliant.

Azal Coffee may provide advice or specify franchise technology, but does not guarantee that this technology complies with PCI Requirements or Information Security Standards. Franchisees must also participate in periodic audits of their information technology systems and data security policies by third-party auditors, as specified by Azal Coffee.

In the event of a data breach, franchisees are required to immediately notify Azal Coffee and cooperate in the investigation. Azal Coffee retains the right to appoint legal counsel and control media communications related to the breach, and the franchisee is responsible for indemnifying Azal Coffee for any claims and costs resulting from a data breach that is the franchisee's responsibility.

Disclaimer: This information is extracted from the 2024 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.