We are requesting information to assess the security posture and compliance of TPSPs supporting ATIC. The data helps us manage vendor risk, meet regulatory requirements, and support audit and compliance processes.
We only collect information necessary to evaluate vendor security, including:
• Business contact details (name, email address, phone number)
• Security policies and procedures
• Technical and operational controls
• Responses to security and compliance questions
Your responses are used exclusively for:
• Assessing vendor security practices
• Guiding risk-based vendor engagement decisions
• Supporting internal audits and regulatory reporting
Access is limited to authorized personnel:
• Vendor Risk Management team
• Information Security team
• Compliance and Legal teams (as needed)
All responses are stored securely in ATIC’s internal environment with encryption in transit and at rest. Access is controlled via role-based permissions to ensure confidentiality.
Responses are retained for the duration of the vendor relationship or 7 years, whichever is longer, then securely deleted in line with ATIC’s data retention policy.
Do not submit personal sensitive information unrelated to vendor assessment (e.g., Social Security numbers, personal bank details). Only business and security information should be included.
For questions regarding this questionnaire or how your information is handled, contact:
• Information Security: cybersecurity@american-transit.com