Carnival Corporation maintains security and assessment requirements for all of its third party suppliers (“Vendors”) who meet one or more of the following criteria:
- Processes or accesses personal or confidential data
- Has access to Carnival's network, applications, or infrastructure
- Provides a cloud-based service
All onboarded Vendors who meet one or more of the above criteria will be assessed, evaluated, and classified based on risk profile as part of Carnival Corporation’s Third Party Security Risk Management (TPSRM) program. Inclusion in the program is a requirement for execution of contracts where Vendors meet the criteria. After the initial assessment, Vendors will be assessed annually for the duration of providing services to Carnival Corporation. Please note that the TPSRM program does not apply to independent consultants.
Carnival Corporation TPSRM Criteria
All third party Vendors meeting one or more of the criteria will be enrolled and assessed via the TPSRM program, and will be required to adhere to certain security specifications. To determine if a Vendor meets the criteria, an answer of “yes” to any of the following questions will mean that the Vendor qualifies:
- Does the third party (or their sub processors) process personal data (frequently known as PII) or Carnival confidential information?
- Does the third party (or their sub processors) require connectivity or access to Carnival network or applications?
- Does the third party (or their sub processors) provide cloud-based services?
Key Definitions:
- “Carnival Corporation” means Carnival Corporation, Carnival plc, and/or any other subsidiary or affiliate of Carnival Corporation and/or Carnival plc, and includes the AIDA, Carnival, Costa, Cunard, Holland America, P&O Cruises, Princess, and Seabourn cruise lines.
- “Sub processor” is another company used by the Vendor to deliver services.
- “Process” includes collecting, using, storing, sharing, receiving, and/or viewing.
- “Personal data” is any information relating to an identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Credit card information is personal data.
- “Confidential data” is non-public information from Carnival’s business operations that is proprietary, private, sensitive, or subject to contractual or other legal obligations of confidentiality.
- “Connectivity or Access” means connecting or accessing Carnival’s networking environment via VPN, or other means such as API.
- “Cloud-based Services” means Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).
Contractual Security Specifications (Requirements)
Security specifications (requirements) for Vendors meeting TPSRM criteria were previously located in the Data Privacy and Security Addendum (DPSA) via a link to this site until February 18, 2025. They are now included via a link to this site in the Master Services Agreement (MSA), the Data Privacy Addendum (DPA), as well as several other contract types. Please refer to this site frequently for the Carnival Corporation’s current required security specifications, which may be updated from time to time.
Third party Vendors will be required to meet the following technical and organizational measures (Security Specifications) to safeguard Carnival’s confidential data, personal information, and systems.
- Maintain written information security policies and procedures and incident response programs required to comply at a minimum with (i) all applicable Data Protection Laws and (ii) generally accepted industry standards for data protection including ISO 27001:2013 (since revised as ISO/IEC 27001:2022)
- Obligation to align with the ISO 27002:2013 security standard (since revised as ISO/IEC 27002:2022) or above
- Test its information security procedures and incident response programs at least annually and retain written reports of the test results
- Assign personnel with responsibility for the determination, review and implementation of security policies and measures
Measures employed to prevent unauthorized access to the processing environment and thwart attackers from breaching the Vendor’s network. Security measures may include technology in the following categories:
- Perimeter next generation firewalls and VPN-based access controls to protect the private service networks and back-end servers
- Denial of Service protection
- Data loss prevention
- Advanced Persistent Threat detection/prevention
- Mobile device management
- Web application security
- Continuously monitoring infrastructure security
- Regularly examining security risks by internal employees and third-party auditors
- Role-based access control implemented in a manner consistent with principle of least privilege
- Remote access secured by two-factor authentication tokens or other multi-factor authentication
Defenses deployed on systems used to process Confidential Information or Personal Data.
- Implement patch management procedures that prioritize security patches for systems used to process Carnival Confidential Information or Personal Data
- Maintain logs of all auditing, monitoring, and security activity for a period of 120 days in a secure environment
- Employ anti-virus, endpoint protection and response capabilities
Where any part of the Services is supported by cloud hosting, Vendor will comply with the latest version of the Cloud Security Alliance Cloud Controls Matrix (available here: https://cloudsecurityalliance.org/) or other substantially similar assurance agreed with Carnival. Vendor must be able to demonstrate the established commonly accepted data protection and privacy control objectives.
Security measures in place, as applicable, at the location where Confidential Information or Personal Data will be processed or stored.
Established security areas:
- Electronically locked doors
- Electronic access card reading system
- Management of keys/documentation of key holders
- Solid reinforced concrete exterior to building with no windows.
- 24x7x365 staffed security guards
- Security service front desk with required sign-in for all visitors
- Burglar alarm system
- Internal and external infrared pan/tilt/zoom CCTV
- Monitored building management system
- Biometric scanners
- Remove unused software and services from devices used to Process Confidential Information or Personal Data.
- Default passwords that are provided by hardware and software producers shall not be used
- Mandate and ensure the use of system-enforced strong passwords, in accordance with leading industry practices, on all systems hosting, storing, processing, or having or controlling access to Carnival's information; and
- Passwords and access credentials are kept confidential and not shared among personnel.
Measures taken for preventing data processing systems from being used without authorization.
- Personal and individual user log-in when entering the system and/or the corporate network
- Password procedures: minimum of 8 characters, including at least one upper-case letter, one lower-case letter, and one digit. After five invalid logon attempts the account is locked out. All passwords expire after 90 days. After the username and password are verified, the application uses session-based token authentication.
- Remote access for maintenance requires two-factor authentication
- Automated screen locks after a defined period of inactivity
- Password protected screen savers
- All stored passwords are recorded electronically and protected against unauthorized access by encryption (authentication stores should hold only salted password hashes, never recoverable passwords)
- User accounts are audited twice per year.
Measures taken to ensure that persons entitled to use a data processing system have access only to Confidential Information or Personal Data to which they have a right of access, and that Confidential Information or Personal Data cannot be read, copied, modified, or removed without authorizations while processing or use and after storage.
- User authentication is based on username and strong password
- Data are stored encrypted at rest
- All transactional records contain identifiers to distinguish client records
- System processing uses a role-based mechanism to tailor data access to specific users and roles
- Data access, insert, and modification are logged
- ISO certifications and/or Third-Party Independent audit reports are maintained at the primary data center
When processing or accessing cardholder data on Carnival's behalf, Vendor must adhere to the applicable credit card handling standards per card issuer. Vendor must be compliant with the Payment Card Industry Data Security Standard (“PCI DSS”) and will provide proof of compliance annually.
Measures taken to ensure that Confidential Information or Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Confidential Information or Personal Data by means of data transmission facilities is envisaged.
- All data (particularly including Sensitive Personal Data) are encrypted in transit using current secure transmission protocols: Transport Layer Security (TLS) 1.3 or above, with server certificates using RSA keys of at least 2048 bits or an algorithm of equivalent strength. Note that TLS 1.3 performs key exchange only with ephemeral (EC)DHE and no longer supports RSA key exchange, so the RSA key size applies to the certificate, not to the key exchange.
- Access to reports is logged
- Backup media are encrypted
- Removable storage is not used
Measures taken to ensure that it is possible to check and establish whether and by whom Confidential Information or Personal Data have been entered into data processing systems, modified, or removed.
- Utilization of user identification credentials
- Record entry is restricted to a defined set of roles
- All entry is date/time stamped and includes identifiers for entering party
- Firewalls and intrusion prevention systems are in place to prevent unauthorized access
Measures employed to ensure that, in the case of commissioned processing of Confidential Information or Personal Data, the data are processed strictly in accordance with the instructions of the principal.
- Confidentiality agreements are in place for all individuals with data access
- Privacy and information security training is conducted during onboarding and on a regular basis
- No third parties used for the processing of data other than as described in Agreements
- Privacy policy describes rights and obligations of agent and principal
Measures taken to ensure that Confidential Information or Personal Data are protected from accidental destruction or loss.
- Systems employ redundancies such as RAID arrays & redundant equipment
- Backups are stored in alternate location from primary processing
- Multiple air conditioning units are installed to provide redundant capacity in an N+1 configuration
- High sensitivity smoke detection, and an industry-recognized data center fire suppression system
- Multiple firewall layers and virus protection on all servers
- UPS backed by N+1 generator
- Diverse fiber routing and multiple carriers
Measures taken to ensure that Confidential Information or Personal Data collected for different purposes can be processed separately.
- Three-tier systems are used to physically separate presentation, business processing and storage
- Carnival’s data is stored in separate databases or in logically separate architectures
- Separation of duties is used internally to ensure functions pass through change control processes
- Discrete development, staging and production environments are maintained.
- All routing of data for processing is controlled through automated rules engines.
- Computing and storage are on equipment owned by Vendor
- Systems and processes are in place to communicate cybersecurity incident and response investigation results
- Promptly communicate investigation results from cybersecurity incident response to Carnival.
- Contact cyber@carnival.com to inform Carnival.
Where services and/or deliverables by Vendor include software development:
- Source code is managed via a secure version control system
- Secrets (e.g. passwords, API keys, private keys) are not stored in source code
- Source code is subject to regular SAST (static application security testing) scans
- Software dependencies (code libraries, packages, modules, frameworks) are subject to SCA (software composition analysis) scans
- Development practices and testing methodologies (including the above scanning techniques) take into account common vulnerability vectors and up-to-date vulnerability databases, e.g. the OWASP Top 10 and the NIST NVD
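The requirement that secrets not be committed to source code is usually enforced with a scanner run in a pre-commit hook or CI job. The following is an added example written for this page, not code from Carnival or any particular scanning product. It combines a few well-known credential shapes (AWS access key IDs, PEM private-key headers, `password = "..."`-style assignments) with a Shannon-entropy check that catches opaque tokens those patterns miss, and honours an `# allowlist-secret` marker for test fixtures. The pattern names, the marker, and the sample source file are all constructed for the example.

```python
"""Minimal secret scanner for source files (added example; patterns are illustrative)."""
import math
import re
import sys
from collections import Counter

# Constructed patterns for this example. A production scanner carries many more.
PATTERNS = {
    # AWS access key IDs: AKIA/ASIA followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Any PEM private-key header, regardless of key type.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # keyword = "literal" assignments with a value of at least 6 characters.
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Quoted string literals long enough to be a token; checked by entropy when no
# pattern above already flagged the line.
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ALLOWLIST_MARKER = "# allowlist-secret"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64/hex tokens score well above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<memory>", entropy_threshold: float = 4.0):
    """Return (path, line_number, finding_type) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARKER in line:          # reviewed and explicitly allowed
            continue
        matched = False
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
                matched = True
        if matched:
            continue                          # do not double-report the same line
        for m in QUOTED_TOKEN.finditer(line):
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                findings.append((path, lineno, "high_entropy_string"))
                break
    return findings


# Constructed sample file: line 2 is the compliant way to obtain a secret.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SERVICE_CRED = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
password = "changeme"
PEM_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
BANNER = "====================================="
FIXTURE_TOKEN = "fixture-only-not-a-secret"  # allowlist-secret
'''


def scan_files(paths):
    """Scan real files; returns all findings so a hook can exit non-zero on any."""
    results = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            results.extend(scan_text(fh.read(), p))
    return results


if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "settings.py")
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: {kind}")
    sys.exit(1 if hits else 0)
```

Run with no arguments it scans the embedded sample and reports four lines: the AWS key ID, the opaque token caught only by entropy (4.75 bits/char), the hard-coded `password`, and the PEM header; the `BANNER` line is long but has zero entropy and is correctly ignored, and the allowlisted fixture is skipped. Wired into a pre-commit hook the non-zero exit blocks the commit.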
TPSRM
If you are an existing, onboarded, Carnival Corporation Vendor and have any further questions regarding the TPSRM program, please contact: