GDPR - supplier terms and conditions

Under GDPR rules Affinity reserves the right to audit a supplier or any of it’s sub-contracted services.
• Third party storage, retention and destruction of data policies must align to Affinity's policies.
• Service Organisation Control (SOC) Reports, or similar, should be provided to give additional assurance of the controls within the third party. Third party use of data (whether passed to subsidiaries or additional third parties) and whether all of these organisations must adhere to Affinity's requirements including for Recovery Time Objective (RTO) and Recovery Point Objective (RPO).