Software and Services Supplier Portal

Supplier core terms

Supplier Data Protection Agreement (PDF - 264 KB) 

The Supplier Data Protection Agreement (SDPA) replaces the Master Data Protection Agreement (MDPA) in all new agreements with Cisco. The MDPA and former Supplier Privacy and Information Security Exhibit (SPISE) are maintained below for agreements that were formed prior to the introduction of the SDPA. The SDPA is intended for the: Systems Integrator Agreement, Service Provider Agreement, Vendor Services Agreement, Master Purchase Agreement, Master Service Agreement, Professional Services Subcontract Agreement, Supplier Base Agreement, Cloud Services Agreement or similar SaaS terms, Statement of Work, Service Description or Addendum related to the purchase of products and/or services, and applicable licensing and other agreements under which the Supplier has access to Protected Data, or if Supplier has access to Protected Data in the course of its performance under the applicable agreement.

Standard Contractual Clauses, Controller-to-Processor (PDF - 324 KB) 

When Cisco is the Controller and the Supplier processes Personal Data from the EEA or Switzerland on behalf of Cisco in a third country which is not an Approved Jurisdiction under the GDPR, these clauses apply.

Standard Contractual Clauses, Processor-to-Processor (PDF - 295 KB) 

When Cisco and the Supplier are both Processors and the Supplier processes Personal Data from the EEA or Switzerland on behalf of Cisco in a third country which is not an Approved Jurisdiction under the GDPR, these clauses apply.

Standard Contractual Clauses, Controller-to-Controller (PDF - 268 KB) 

When Cisco and the Supplier are both Controllers and the Supplier processes Personal Data from the EEA or Switzerland on behalf of Cisco in a third country which is not an Approved Jurisdiction under GDPR, these clauses apply.

Standard Contractual Clauses, Processor-to-Controller (PDF - 234 KB) 

When Cisco is the Controller and the Supplier is the Processor and Cisco processes Personal Data from the EEA or Switzerland in a third country which is not an Approved Jurisdiction under GDPR, these clauses apply.

UK Addendum to the EU Standard Contractual Clauses (PDF - 147 KB) 

When the Supplier Processes Personal Data from the UK in a third country which is not an Approved Jurisdiction, this addendum to the SCCs applies.

Supplier Information Security Exhibit (PDF - 244 KB) 

The Supplier Information Security Exhibit describes the minimum security measures the Supplier is required to implement when processing Protected Data.

Business Associate Agreement (PDF - 185 KB) 

The Business Associate Agreement lays out the specific terms and conditions that apply when the Supplier Processes Protected Health Information.

Master Data Protection Agreement (PDF - 438 KB) 

The Master Data Protection Agreement (MDPA) replaced the Supplier Privacy and Information Security Exhibit (SPISE) and has been replaced by the Supplier Data Protection Agreement (SDPA). The MDPA is maintained here as a reference for agreements that were formed prior to the introduction of the SDPA.

The Supplier Privacy and Information Security Exhibit (SPISE) was replaced by the Master Data Protection Agreement (MDPA) and is maintained here for agreements that were formed prior to the introduction of the MDPA.

EU Digital Operational Resilience Act Regulatory Terms (PDF - 198 KB) 

The EU Digital Operational Residence Act (“DORA”) Regulatory Terms apply to Supplier when Supplier’s services are included or distributed alongside a Cisco offer that is delivered to financial entities regulated by DORA.

Import and Export Regulations

Policies, training and education to assist suppliers with abiding by global export laws and regulations.

Open Source Guidelines (PDF - 276 KB) 

Procedures and guidelines required when Supplier provides any deliverable that may include open source technology.

Security Vulnerability Policy

Procedures and requirements for addressing Supplier security vulnerabilities.

Supplier Code of Conduct

Cisco has adopted the Responsible Business Alliance (RBA) (formerly Electronics Industry Citizenship Coalition) Code of Conduct as our code of conduct for suppliers.

Supplier resources

Tax resources

Supplier shall ensure it selects the proper tax form for the Cisco entity with which it will do business, if applicable, and submit the tax form electronically with its completed Global Supplier Enrollment Package to its Cisco representative.

Services specific terms

Insurance Requirements for Professional Services

If Supplier is providing professional services to Cisco, the following information relates to insurance requirements for services performed.

Insurance Requirements for Co-Location Services (PDF - 93 KB) 

Regional Provisions (PDF - 328 KB) 

Where there are specific regional legal compliance requirements, they are now captured in this separate document.

Supplier core terms

Supplier Data Protection Agreement (PDF - 264 KB) 

The Supplier Data Protection Agreement (SDPA) replaces the Master Data Protection Agreement (MDPA) in all new agreements with Cisco. The MDPA and former Supplier Privacy and Information Security Exhibit (SPISE) are maintained below for agreements that were formed prior to the introduction of the SDPA. The SDPA is intended for the: Systems Integrator Agreement, Service Provider Agreement, Vendor Services Agreement, Master Purchase Agreement, Master Service Agreement, Professional Services Subcontract Agreement, Supplier Base Agreement, Cloud Services Agreement or similar SaaS terms, Statement of Work, Service Description or Addendum related to the purchase of products and/or services, and applicable licensing and other agreements under which the Supplier has access to Protected Data, or if Supplier has access to Protected Data in the course of its performance under the applicable agreement.

Standard Contractual Clauses, Controller-to-Processor (PDF - 324 KB) 

When Cisco is the Controller and the Supplier processes Personal Data from the EEA or Switzerland on behalf of Cisco in a third country which is not an Approved Jurisdiction under the GDPR, these clauses apply.

Standard Contractual Clauses, Processor-to-Processor (PDF - 295 KB) 

When Cisco and the Supplier are both Processors and the Supplier processes Personal Data from the EEA or Switzerland on behalf of Cisco in a third country which is not an Approved Jurisdiction under the GDPR, these clauses apply.

Standard Contractual Clauses, Controller-to-Controller (PDF - 268 KB) 

When Cisco and the Supplier are both Controllers and the Supplier processes Personal Data from the EEA or Switzerland on behalf of Cisco in a third country which is not an Approved Jurisdiction under GDPR, these clauses apply.

Standard Contractual Clauses, Processor-to-Controller (PDF - 234 KB) 

When Cisco is the Controller and the Supplier is the Processor and Cisco processes Personal Data from the EEA or Switzerland in a third country which is not an Approved Jurisdiction under GDPR, these clauses apply.

UK Addendum to the EU Standard Contractual Clauses (PDF - 147 KB) 

When the Supplier Processes Personal Data from the UK in a third country which is not an Approved Jurisdiction, this addendum to the SCCs applies.

Supplier Information Security Exhibit (PDF - 244 KB) 

The Supplier Information Security Exhibit describes the minimum security measures the Supplier is required to implement when processing Protected Data.

Business Associate Agreement (PDF - 185 KB) 

The Business Associate Agreement lays out the specific terms and conditions that apply when the Supplier Processes Protected Health Information.

Master Data Protection Agreement (PDF - 438 KB) 

The Master Data Protection Agreement (MDPA) replaced the Supplier Privacy and Information Security Exhibit (SPISE) and has been replaced by the Supplier Data Protection Agreement (SDPA). The MDPA is maintained here as a reference for agreements that were formed prior to the introduction of the SDPA.

The Supplier Privacy and Information Security Exhibit (SPISE) was replaced by the Master Data Protection Agreement (MDPA) and is maintained here for agreements that were formed prior to the introduction of the MDPA.

EU Digital Operational Resilience Act Regulatory Terms (PDF - 198 KB) 

The EU Digital Operational Residence Act (“DORA”) Regulatory Terms apply to Supplier when Supplier’s services are included or distributed alongside a Cisco offer that is delivered to financial entities regulated by DORA.

Import and Export Regulations

Policies, training and education required of all Cisco suppliers to abide by global export laws and regulations.

Open Source Guidelines (PDF - 276 KB) 

Procedures and guidelines required when Supplier provides any deliverable that may include open source technology.

Security Vulnerability Policy

Procedures and requirements for addressing Supplier security vulnerabilities.

Supplier policies

Compliance with Global Anti-Corruption Policy

Policies, training and education required of all Cisco suppliers to abide by global anti-corruption laws and regulations.

Environmental Health and Safety Certification

Cisco takes reasonable and practicable steps to help ensure workplace safety and protect the environment in all aspects of its operations. To that end, Cisco has established environmental health and safety requirements that apply to all projects, processes, and operations, regardless of geographic location.

Supplier Code of Conduct

Cisco has adopted the Responsible Business Alliance (RBA) (formerly Electronics Industry Citizenship Coalition) Code of Conduct as our code of conduct for suppliers.

Tax requirements

Supplier shall ensure it selects the proper tax form for the Cisco entity with which it will do business, if applicable, and submit the tax form electronically with its completed Global Supplier Enrollment Package to its Cisco representative.