Information Security Measures
Effective as of January 2024
The following document outlines Company’s technical and organizational measures to secure Personal Data, End User Data, and Systems Data (collectively, “Data”) and mitigate risks to data integrity, confidentiality, and availability, in line with regulatory requirements and industry standards.
1. Data Encryption
Company utilizes industry-standard encryption practices to secure Data:
- Data in transit is protected through TLS (Transport Layer Security), which ensures encryption and protection against tampering or interception.
- Data at rest is encrypted with AES-256 (AES using 256-bit keys) to safeguard against unauthorized access.
2. Ensuring Confidentiality, Integrity, and Availability
Security Program
Company maintains a security management program designed to address potential risks to data and system security:
- Executive leadership provides oversight, support, and accountability for all security policies.
- Risk assessments are conducted regularly, focusing on systems processing sensitive data.
- Security incidents are reviewed promptly, with a documented response plan for analysis and corrective actions.
- A comprehensive testing methodology combines multiple testing techniques to assess and maintain system security, integrity, and resilience.
Personnel Security and Access Controls
To minimize security risks associated with human error or misuse, Company enforces strict personnel security controls:
- Security awareness training is provided for employees with access to data.
- Access to systems is limited to authorized individuals and is controlled through mechanisms like two-factor authentication.
- Access to data is restricted on a need-to-know basis, and duties are separated to prevent a single individual from controlling all aspects of sensitive processes.
3. Due Diligence on Sub-Processors
Company exercises due diligence in the selection and ongoing evaluation of sub-processors to ensure adherence to security measures:
- Security capabilities of sub-processors are reviewed periodically to verify compliance with Company's information security standards.
- Sub-processors are required to adhere to security policies and practices that are at least as rigorous as those described in this document.
4. Data Availability and Resilience
Company has implemented a robust approach to ensuring data availability and recovery:
- Redundant storage practices are in place to minimize disruption in case of data center issues.
- Deployment processes are semi-automated, allowing for efficient restoration in the event of a system incident.
5. Software Development and Maintenance
Company follows a structured approach for software development to mitigate risks associated with vulnerabilities and ensure secure operations:
- Open-source software and third-party libraries are evaluated for vulnerabilities, with static code analysis and manual reviews conducted as required by risk.
- Security validation measures, including penetration testing, are conducted by third-party security experts and red teams.
- A documented change management process is in place, including separate environments for development and production, to ensure changes are implemented securely and systematically.
6. Access and Authorization
Company enforces robust access and authorization controls:
- Each user has a unique account, and sharing of accounts is not permitted.
- Passwords are stored following industry standards to ensure data security.
- Failed login attempts are logged, and the system prevents brute-force attacks by limiting login attempts.
7. Data Transmission Security
Data transmitted over public or wireless networks is secured using TLS to protect data integrity and prevent unauthorized access.
8. Data Storage Security
Data at rest is protected with AES-256 encryption, ensuring data remains secure against unauthorized access.
9. Physical Security
All infrastructure supporting Company's applications is hosted in secure, certified data centers with strict access control measures:
- Biometric access controls, professional security staff, and formal access requests are in place to manage physical access.
- These facilities operate in accordance with strict security protocols for data protection.
10. Business Continuity and Disaster Recovery
Company has a structured Business Continuity and Disaster Recovery (BCDR) program to support resilience in its operations:
- The BCDR program includes Business Impact Analysis, Crisis Management, Business Continuity, and Disaster Recovery plans, all exercised annually.
- Plans outline the actions necessary to maintain business operations and recover services in case of a disruption, including system requirements, personnel, and critical resources.
11. Data Minimization and Retention
Company enforces data retention policies to align with legal, regulatory, and operational needs. Automated procedures anonymize data based on retention requirements. Clients may request immediate data anonymization or deletion in line with Company policies.
12. Accountability and Compliance
Company reviews its security policies regularly to ensure alignment with evolving standards. All personnel are required to acknowledge these policies, and disciplinary measures are in place for non-compliance.
13. Data Portability and Erasure
Company provides clients with tools to export or anonymize their data upon request. Additional support is available for data not covered by built-in tools, ensuring flexibility for data portability and compliance with data protection requirements.