Vendor security compliance requirements

Security expectations and explanations

Company shall implement and maintain security compliance requirements (SCR) necessary to protect FedEx Freight sensitive data from unauthorized access, loss, destruction, disclosure, or use. In all events, with respect to FedEx Freight sensitive data, Company shall implement technical and organizational measures to ensure an appropriate level of security, and as a minimum the measures set out in these SCR. Company shall comply with FedEx Freight current SCR.

1. Security compliance requirements

These vendor SCR establish minimum security expectations applicable to all vendors, suppliers, contractors, and other third parties (Company) that process, store, access, transmit, or otherwise interact with data of FedEx Freight, including its majority-owned affiliates (FedEx Custom Critical). In the event of a conflict between these SCR and the agreement between FedEx Freight and Company of which these SCR are made a part, the terms and conditions in these SCR shall prevail for the purposes set forth herein.

Compliance with these SCR is a precondition and ongoing requirement for providing services to FedEx Freight and may be demonstrated through alignment with recognized security frameworks, independent assessments, or equivalent practices.

Notwithstanding any contrary terms or conditions in the Mutual Nondisclosure Agreement (MNDA) or any other agreements between Company and FedEx Freight, any exclusion in the MNDA or such agreements to the definition of confidential information shall not limit the application of these SCR to FedEx Freight data.

These SCR apply to Company and all authorized providers and sub-processors at any tier.


2. Definitions

Authorized provider

Any agent, consultant, auditor, contractor, subcontractor, outsourcer, or other third party acting on behalf of the Company who has contractually agreed in writing to comply with these SCR. Compliance may be demonstrated through recognized security frameworks, independent assessments, or equivalent practices.

Breach

Any unauthorized processing of FedEx Freight data, or any act or omission that compromises the physical, technical, or organizational safeguards required to protect such data. Unauthorized processing includes misuse, loss, destruction, alteration, unauthorized access, disclosure, collection, retention, storage, or transfer of FedEx Freight personal data or other protected information.

Card

A credit card, debit card, charge card, or stored value card issued under the service marks of a card organization.

Cardholder

The individual to whom a card is issued.

Cardholder data

Information associated with a cardholder or card transaction, including but not limited to name, address, account number, expiration date, CVV/CVC, PIN, magnetic stripe data, and any other information identifying the cardholder or account.

Card organization

An entity such as Visa, Mastercard, JCB, American Express, Discover, or any debit network that establishes operating rules and facilitates the exchange of payment card transactions.

Card processor

An entity engaged by FedEx Freight to process payment card transactions.

Debit networks

Telecommunications and processing systems for shared electronic funds transfer networks.

FedEx Freight personal data

Any information relating to an identified or identifiable natural person. This includes, but is not limited to:

  • User authentication credentials (passwords, PINs, challenge responses)
  • Government-issued identifiers (SSN, driver’s license, state ID)
  • Date of birth
  • Financial account details
  • Health coverage identifiers
  • Biometric identifiers
  • Employee-related data (performance, medical, compensation, family info)
  • Electronic signatures

FedEx Freight sensitive data

Includes the following categories of sensitive or proprietary information:

  1. Cardholder data
  2. Corporate financial data not publicly released
  3. Customer data, including account numbers, contact information, ship/bill addresses, rewards balances, and system identifiers
  4. Customer invoice data
  5. Critical systems and configuration data, including route planning and security intelligence subscriptions
  6. FedEx Freight personal data
  7. Marketing configuration data, including customer notification and campaign artifacts
  8. Non-user application passwords, including system, application, and database credentials
  9. Session identifiers representing authenticated identities (e.g., SSO tokens)
  10. Shipment data, including tracking numbers, addresses, names, status, POD, and duties/taxes
  11. Support artifacts, such as screenshots, chat logs, instructional materials, and training documents
  12. System information, including URLs, IP addresses, and ownership/administration details
  13. Vulnerability data, including scan results, penetration test findings, and remediation information

Note: Compliance may be demonstrated using recognized security frameworks, independent assessments, or equivalent security practices.

Process(ing) (of FedEx Freight data)

Any operation performed on FedEx Freight data, including access, collection, recording, organization, structuring, storage, retrieval, transmission, dissemination, alteration, use, restriction, deletion, or destruction.

Services

Professional services, technology services, maintenance and support, and any other services provided to or for the benefit of FedEx Freight as defined in the applicable service agreement.

Derivations

All grammatical variations of defined terms (e.g., processed, breached) carry the same meaning as the defined base term.


3. Security framework alignment

3.1 Baseline framework

These SCR are aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) security control frameworks and represent the minimum security expectations of FedEx Freight. The requirements provide a practical, risk-based security baseline that balances strong controls with flexibility in implementation.

3.2 Use of independent assessments

FedEx Freight may, at its discretion, accept SOC 2 Type I or Type II reports, ISO certifications, Payment Card Industry Data Security Standard (PCI DSS) assessments, or other independent third-party assessments as evidence of control implementation, provided such materials reasonably demonstrate alignment with the intent of these SCR. Acceptance of such evidence does not relieve Company of its obligation to comply with these SCR but recognizes that compliance may be met through equivalent frameworks or practices rather than prescriptive controls.


4. Risk-based applicability

4.1 Baseline requirements

All companies are subject to the baseline requirements set forth in these SCR.

4.2 Enhanced requirements

Based on FedEx Freight's assessment of risk (including, but not limited to, data sensitivity, system access, operational criticality, regulatory exposure, and geographic scope), FedEx Freight may require enhanced security controls, additional attestations, or monitoring.


5. General security requirements

Company shall:

  • Implement administrative, technical, and physical safeguards consistent with the NIST CSF (Identify and Protect) and the organization’s risk management program, including documented policies, standards, and controls.
  • Restrict access to FedEx Freight data to authorized personnel on a least-privilege, need-to-know basis, backed by formal identity and access management processes (provisioning, deprovisioning, role-based access, and access reviews).
  • Protect FedEx Freight data in transit and at rest using industry-standard cryptographic and other technical controls proportionate to the assessed risk.
  • Segregate FedEx Freight data from data belonging to other customers through appropriate logical or physical separation, tenancy controls, and data handling procedures.
  • Ensure secure disposal of FedEx Freight data at end-of-life in accordance with FedEx Freight retention and disposal requirements and documented destruction procedures that meet the organization’s data protection objectives under the CSF Protect function.
  • Process FedEx Freight data solely for the purposes of performing the services and in accordance with FedEx Freight documented processing instructions; maintain records/audit trails of processing activities sufficient for oversight and compliance verification.
  • Require that all personnel and authorized providers are subject to confidentiality obligations and receive role-appropriate security awareness training, vetting, and contractual security commitments before receiving access to FedEx Freight data.
  • Maintain a vulnerability and security deficiency management program to identify, assess, prioritize, and remediate findings within risk-appropriate timeframes; provide notice and remediation status to FedEx Freight as required by the agreement.

6. Incident response and notification

Company shall maintain a documented incident response plan. Company shall notify FedEx Freight of any suspected or confirmed security incident involving FedEx Freight data within twenty-four (24) hours of discovery. Notifications shall be sent to privacy@fedexfreight.com and SOC-FIST@fedexfreight.com.

Company shall:

  • Cooperate fully with investigation and remediation
  • Preserve relevant records and evidence
  • Refrain from notifying third parties without the prior written consent of FedEx Freight, unless legally required

7. Connectivity and access controls

Where Company is granted access to FedEx Freight systems, Company shall:

  • Use only FedEx Freight-authorized connection methods
  • Prohibit network bridging
  • Enforce strong authentication and encryption
  • Prohibit shared accounts
  • Limit access duration to business necessity
  • Report lost or compromised credentials immediately

8. Development and testing services

Where applicable, Company shall ensure that:

  • Developers complete secure coding training aligned with industry standards (e.g., Open Worldwide Application Security Project [OWASP])
  • Security testing is performed in accordance with industry best practices
  • If applicable, PCI-related development or testing complies with PCI DSS requirements

9. Cardholder data requirements

Company will comply with card organizations’ registration requirements (including, but not limited to, site inspections, background investigations, and provision of financial statements) and reporting requirements. In addition, each year, and as otherwise requested by FedEx Freight, Company shall provide proof of compliance with PCI DSS by: (i) being published in the Visa Global List of PCI DSS Validated Service Providers; or (ii) providing FedEx Freight a copy of Company’s signed and dated PCI Security Standards Council approved documentation of either (a) its PCI DSS Report on Compliance (ROC), (b) PCI DSS ROC Attestation of Compliance (AOC), (c) Self-Assessment Questionnaire (SAQ), (d) SAQ Attestation of Compliance (AOC), or (e) executive summary of either its ROC or SAQ, whichever is applicable based on Company’s PCI vendor or merchant level, as determined by the card organizations.


10. Continuous monitoring and remediation

FedEx Freight may conduct ongoing monitoring through assessments, automated tools, or intelligence platforms. Identified security gaps shall be:

  • Validated or refuted by Company
  • Remediated within timelines specified by FedEx Freight based on risk assessment

Failure to remediate constitutes non-compliance with these SCR.


11. Certifications and evidence

Upon request, Company shall provide:

  • Security policies and procedures
  • Independent assessments or attestations
  • Written certification of destruction or return of FedEx Freight data

12. Third-party risk monitoring

FedEx Freight may utilize third-party cyber risk intelligence, security rating, and monitoring platforms to assess Company’s security posture on an ongoing basis.


13. Risk rating triggers and escalation

Where Company’s security rating or other risk indicators fall below thresholds established by FedEx Freight, or indicate a material degradation in security posture, FedEx Freight may, at its discretion:

  • Require Company to provide additional documentation or clarification
  • Require Company to validate or refute identified findings
  • Require a targeted or comprehensive security assessment
  • Require remediation within a timeframe specified by FedEx Freight
  • Impose enhanced monitoring or reporting obligations
  • Exercise contractual remedies, up to and including termination

Failure to cooperate shall be deemed non-compliance with these SCR.


14. Audit rights

Upon reasonable notice (thirty (30) days unless otherwise justified by risk or incident), Company shall permit audits of its systems, processes, and controls. Audits may be periodic or triggered by incidents, risk indicators, or intelligence findings. Company shall cooperate fully. Audit costs shall be borne by FedEx Freight unless non-compliance or a security incident is identified, in which case Company shall bear such costs.


15. Authorized providers and sub-processors

Company remains fully responsible and liable for the acts and omissions of all authorized providers and sub-processors. Company shall ensure written agreements impose obligations no less protective than these SCR, and compliance may be demonstrated through recognized frameworks or equivalent practices.


16. Geographic scope

These SCR apply to vendors operating in or supporting operations in the United States, Canada, and Mexico. Company shall comply with applicable local laws in addition to these SCR.


17. Non-compliance and termination

Material or repeated failure to comply with these SCR may constitute a material breach and may result in termination of applicable agreements, in addition to other remedies available to FedEx Freight.


18. Return or destruction of data

Upon termination or expiration of services, Company shall return FedEx Freight data or securely destroy it, providing certification of destruction to FedEx Freight, within thirty (30) days, unless retention is required by law. Audit rights extend to verification of compliance with this section.


19. AI oversight

Where Company uses, develops, or integrates artificial intelligence (AI) systems or models in the provision of services that interact with FedEx Freight data, Company shall:

19.1 Governance and accountability

  • Maintain documented policies governing AI use, including ethical considerations, data protection, and model validation.
  • Assign responsible personnel to oversee AI operations, including monitoring performance, accuracy, and compliance.

19.2 Data handling and privacy

  • Ensure AI systems only access FedEx Freight data necessary for performing the services.
  • Implement safeguards to prevent unauthorized access, use, or retention of FedEx Freight data in AI processes.
  • Maintain audit logs of AI data access and model outputs when they involve sensitive or regulated data.

19.3 Model validation and monitoring

  • Conduct periodic testing and validation of AI models to confirm accuracy, reliability, and alignment with intended business purposes.
  • Monitor for bias, drift, or unintended behavior and remediate promptly.

19.4 Incident response for AI systems

  • Notify FedEx Freight of any AI-related incidents impacting FedEx Freight data within 24 hours of discovery.
  • Preserve all relevant logs and outputs and cooperate fully with investigation and remediation efforts.

19.5 Compliance verification

  • Maintain documentation demonstrating alignment with FedEx Freight AI oversight policies.
  • Provide evidence upon request, which may include model validation reports, monitoring logs, and incident records.

Framework reference

Appendix A: Risk monitoring, data protection, access control

| SCR area | Control objective | NIST CSF | SOC 2 | PCI DSS |
| --- | --- | --- | --- | --- |
| Purpose | Vendor security expectations | Identify | Security | |
| Scope and applicability | Applicability of requirements | Identify | Security | |
| Definitions | Clarifying terms and FedEx Freight sensitive data | Protect | Confidentiality | Latest version (cardholder data) |
| Security framework alignment | Alignment to baseline frameworks | Identify | Security | |
| Risk-based applicability | Risk-based application of controls | Identify | Security | |
| General security requirements | Administrative, technical, and physical safeguards | Protect | Security/Confidentiality | |
| Incident response and notification | Respond to security incidents | Respond | Availability | |
| Connectivity and access controls | Access management | Protect | Security | |
| Development and testing services | Secure development and testing | Protect | Security/Confidentiality | Latest version (PCI-related testing) |
| Cardholder data | Protection, incident response, and compliance | Protect | Confidentiality | Latest version |
| Continuous monitoring and remediation | Ongoing monitoring and remediation | Identify | Security | |
| Certifications and evidence | Provision of evidence or attestations | Identify | Security | |
| Third-party risk monitoring | Vendor security posture monitoring | Identify | Security | |
| Risk rating triggers and escalation | Escalation based on risk indicators | Identify | Security | |
| Audit rights | Audits of systems, processes, and controls | Identify | Security | |
| Authorized providers and sub-processors | Responsibility for third parties | Identify | Security | |
| Geographic scope | Location-based applicability | Identify | Security | |
| Non-compliance and termination | Consequences of non-compliance | Identify | Security | |
| Return or destruction of data | Data return or secure destruction | Protect | Confidentiality | |
| AI oversight | Governance, monitoring, and risk management for AI systems | Protect/Detect | Security/Availability | |