EDI Certification and security

BUNZL IMPROVES eCOMMERCE SECURITY

PLAN REVEAL

As of January 1st 2023, Bunzl Continental Europe will only implement new EDI connections with trusted partners.

We have several options to determine if a partner can be listed as a Trusted Partner. Existing EDI partners will be audited or can volunteer for this program. New partners need to comply with this program before setting up a connection.

We expect our partners to do everything in their power to make sure that EDI messages, regardless of content, format or communication method, are secure.

This is why the Bunzl EDI team has decided to audit partners before establishing a new connection. The audit will cover the content of the exchanged information, the security of the communication, the security measures taken by our partner, the measures taken by an external EDI implementation partner if our partner uses one, and compliance with the classic 4 corner model.

Existing business partners can volunteer for this program, but Bunzl will not force existing partners to comply.

Existing 3rd parties (EDI implementation partners) can be included if the Bunzl EDI team has reasons to do so.

Business Partner with on premise Middleware

In case the business partner manages and controls its own middleware, the partner needs to take steps to make sure that the content and communication are secure.

CONTENT
The content of the messages should not contain formats other than ASCII, XML, JSON or equivalent formats. Sending executables, JPEG, MP3, MP4 or any other non-EDI formats is not allowed and will result in immediate cancellation of the connections.
The content of the message should be GDPR compliant.

CONNECTION
The business partner has to make sure that communication channels are secure.
In case of an AS2 connection, the AS2 software used has to be Drummond certified.
In case of sFTP, the business partner has to use/allow IP whitelisting or use an SSH key for authentication.
In case of other connections, security measures will be discussed bilaterally.

SYSTEM SECURITY
The business partner has to make sure that appropriate security measures are taken at system level. This includes high-quality virus scanners, firewalls etc.

CERTIFICATION
In those cases where the business partner is compliant with the above, and has also proven able to send consistent and error-free EDI messages, Bunzl will list the partner as certified. A certificate can be provided if asked for. This certificate can help our business partners (more specifically, our suppliers) to connect to other Bunzl entities, inside and outside Continental Europe. The Bunzl EDI team will maintain a register of certified partners.

Business Partner uses external EDI implementation partner

In case the business partner makes use of an external implementation partner, the implementation partner needs to take steps to make sure that the content and communication are secure.

CONTENT
The content of the messages should not contain formats other than ASCII, XML, JSON or equivalent formats. Sending executables, JPEG, MP3, MP4 or any other non-EDI formats is not allowed and will result in immediate cancellation of the connections.
The content of the message should be GDPR compliant.

CONNECTION
The implementation partner has to make sure that communication channels are secure.
In case of an AS2 connection, the AS2 software used has to be Drummond certified.
In case of sFTP, the implementation partner has to use/allow IP whitelisting or use an SSH key for authentication.
In case of other connections, security measures will be discussed bilaterally.

SYSTEM SECURITY
The implementation partner has to make sure that appropriate security measures are taken at system level. This includes high-quality virus scanners, firewalls etc.

INTEROPERABILITY
The implementation partner has to be at least a member of EESPA or be a certified Peppol Gateway (in case of Peppol invoicing).
In case the implementation partner is not a member of EESPA, an additional Interchange Agreement will need to be signed by all partners in the communication chain.

COSTS OF MESSAGE EXCHANGE
Bunzl Continental Europe will not pay for services performed by the EDI implementation partner of our partners. This includes the cost for traffic, setup, mapping changes and support. This is in accordance with the classic 4 corner model.

Bunzl has created an interchange agreement based on EU regulations. Most of the text can be found on EU websites.

If you are requested to sign the agreement, please download it and sign it, or send an email in which you confirm that you agree with the content. Bunzl will reply to you that we have received the document.

The document has no commercial implications (as clearly stated in the text); it is a mutual understanding on the workings and safety of message exchange. Signing the document does not imply that Bunzl will set up an EDI connection, as that is a commercial decision.