BACK TO TRUST CENTER HOME

Customer data hosting locations & approved sub-processors

Note: the below does not apply to Moody’s Ratings.


At Moody’s, we are deeply committed to transparency and accountability in all aspects of our data management practices. We understand the importance of knowing where and how your data is stored and processed, and we strive to provide this information clearly and openly.

Our data hosting locations are strategically chosen to facilitate optimal performance and robust security. We understand that our customers want to know where their data is hosted, and we seek to provide this information in a transparent manner.

We engage trusted sub-processors to deliver some aspects of our services, including cloud hosting. These sub-processors are carefully selected based on their commitment to data protection, security, and compliance with global regulations. 


TC


Customer data hosting locations and approved sub-processors


Vendor management

At Moody’s, we understand the importance of transparency and accountability, especially when it comes to the handling of personal data by our vendors. 

Our vendors play a crucial role in providing services to our organization, and in some instances, they process personal data of our customers. 

We are committed to working with our vendors to uphold the high standards of data protection that we do. We carefully select vendors, with particular attention to their data protection policies and practices. We require our vendors to comply with applicable data protection laws and regulations.

Moody’s maintains a comprehensive Third-Party Risk Management (TPRM) approach that includes:  

  • Contracts: We have contractual agreements with our third parties, including data privacy and security obligations. 

  • Third-Party Assessment Program: We have a third-party assessment program that defines minimum security and privacy requirements and criteria that third parties must adhere to. This includes a review of the third party’s current security environment. 

  • Third-Party Incident Response: We have a documented process for handling security incidents reported by third parties.  

  • Third-Party Business Continuity: Business Resumption and Contingency: We evaluate  business continuity and/or disaster recovery plans require from third parties and suppliers of critical services/products so that their provision of services/products will continue with minimal disruptions or delays if there is an operational failure or unplanned disruption. 

TC

Data transfer compliance

We are committed to data privacy and protection. We understand the importance of complying with applicable data privacy laws in our data transfers.

  • EU Standard Contractual Clauses: We have executed EU Standard Contractual Clauses, UK Standard Contractual Clauses, Swiss Standard Contractual Clauses, and other country-specific data transfer agreements between Moody’s affiliates to legitimately transfer personal data within the Moody’s global group. We also execute EU Standard Contractual Clauses, UK Standard Contractual Clauses, Swiss Standard Contractual Clauses, and other country-specific data transfer agreements with our customers and vendors, where applicable.

  • Data Transfer Impact Assessments: In compliance with the EU Schrems II requirements and EDPB guidance, we conduct data transfer impact assessments. These assessments identify and mitigate any potential risks associated with data transfers, supporting our aim of maintaining the privacy and security of transferred personal data in compliance with applicable law.

Click here to download a copy of our customer-facing EU Standard Contractual Clauses + UK + Swiss addenda.

Moody’s customers only: to request copies of product-specific data transfer impact assessments, please contact your usual Moody’s representative, who will be happy to provide you with copies for the contracted Moody’s products and services.


TC