Client Q&A — Westpac LoanIQ
Internal use only. Westpac-specific responses to the Third Party Supplier Information Form. Source: Third_Party_Supplier_Information_Form_VENDOR RESPONSE NEEDED (003).xlsx, prepared by Jimmy. For reusable standard answers, see Supplier Standard Q&A.
Supplier Information Form Responses
| # | Question | Westpac-Specific Answer |
|---|---|---|
| 1 | Is the supplier providing a data storage or processing service to WBC, where data storage, back-up, or processing is the primary function? | Yes. The service involves processing of Westpac data; however, data storage is not provided as a managed service by the supplier. |
| 2 | Will the supplier store or process business-critical data in providing the services? | The supplier may process business-critical data as part of the service. All data remains under Westpac's control. |
| 3 | What is the nature of access the third party will have to Westpac information or systems? | Access is limited to application-level access required to deliver the service. No direct access to Westpac core systems unless explicitly approved and configured by Westpac. |
| 4 | Volume of records accessed/stored by third party | Variable and determined by Westpac use cases. No data is retained by the supplier beyond customer-controlled environments. |
| 5 | Data Stored (Location) | All data is stored at the customer's designated location. |
| 6 | Data Stored | Westpac data is stored exclusively on customer-managed infrastructure (on-premises or customer private cloud). |
| 7 | Is Westpac data stored in an internet-facing system? | No. Deployment can be configured in non-internet-facing environments based on Westpac security requirements. |
| 8 | Do you provide a cloud service to Westpac? | No. The supplier does not provide a hosted SaaS cloud service. |
| 9 | Does the third party use a cloud service to store Westpac data? | No. Westpac data is not stored in any third-party public cloud operated by the supplier. |
| 10 | Provisional Security Tier | To be determined by Westpac based on deployment model and data classification. |
| 11 | Does ISO 27001/2 Certification Exist? | Yes, ISO 27001 certified. |
| 12 | Is the third party ISO Certified for the service provided? | Yes. The organisation is ISO 27001 certified. |
| 13 | Is the third party ISO Certified for the location where the service is provided? | Yes. ISO 27001 certification covers the organisation's operational locations. |
| 14 | ISO 27001/2 Certificate | Available upon request. |
| 15 | Does the Vendor have a SOC 2 Type 2 report for the service provided? | As the solution is deployed on customer-managed infrastructure (on-premises or customer private cloud), SOC 2 Type 2 is not applicable: such a report would cover the infrastructure side, which belongs to the bank client. Customers retain full responsibility for the security, availability, and compliance of the underlying infrastructure. |
| 16 | Can the vendor provide any independent penetration testing reports for the service provided? | Yes. Independent penetration testing reports can be provided upon request under NDA. |