Updated June 23, 2022
I. Administrative and Organizational Safeguards
1. Processor maintains ISO 27001, ISO 27701 and SOC 2 Type 2 certifications.
2. Processor maintains policies and procedures, including the following:
i. Information Security Program, which sets forth Processor’s procedures with regard to maintaining the safeguards set forth in this Addendum.
ii. Incident Response Plan, which sets forth Processor’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
iii. Business Continuity and Disaster Recovery Plans, which set forth Processor’s assessment of the criticality of its systems and data and establishes procedure for maintaining backups, recovering lost Controller Data, operating in emergency mode, and testing contingency and recovery procedures.
3. Processor regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
4. Processor has appointed a qualified individual to oversee and manage its Information Security Program and has a predefined incident response team for activation in the event of a Security Breach.
5. Processor maintains role-based access restrictions for its systems, including restricting access to only those Processor employees or subcontractors that require access to perform the services described in the Agreement, or to facilitate the performance of such services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
6. Processor periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for Processor employees that no longer need such access.
7. Processor assigns unique usernames to authorized Processor employees and requires that Processor employees’ passwords satisfy minimum length and complexity requirements and be changed periodically.
8. Processor provides training to Processor employees, as relevant for their roles, at least annually on confidentiality and security, including on the topics of data protection, phishing and social engineering.
9. Processor requires Processor employees to acknowledge Processor’s Information Security Program.
10. Processor has a policy in place to address violations of its Information Security Program.
11. Processor implement HR security practices in accordance with Processor Company Policy and Law.
12. Processor conducts annual assessments of the risks and vulnerabilities to the confidentiality and security of Controller Data.
II. Technical Security
1. Processor logs system activity—including authentication events, changes in authorization and access controls, and other system activities—and regularly reviews and audits such logs.
2. Processor maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert of suspicious network activity, and anti-virus and malware protection software.
3. Processor has implemented workstation protection policies for its systems, including automatic application logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
4. Processor requires multi-factor authentication for remote network and system access.
5. Processor conducts regular and periodic vulnerability scans and assessments on all systems storing, processing, or transmitting Controller Data to identify potential vulnerabilities and risks to Controller Data.
6. Processor remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all high-risk mitigating manufacturer- and developer-recommended security updates and patches to systems and software storing, processing, or transmitting Controller Data.
7. Processor has implemented controls, including AES 256 encryption using file system encryption, to ensure that Controller Data is not improperly modified without detection.
III. Physical Security
1. Processor restricts access to its facilities, equipment, and/or devices to Processor employees with authorized access on a need-to-know basis.
2. Processor logs access to its facilities, equipment, and devices and regularly reviews and audits such logs.
3. Processor runs real-time database replication to ensure that Controller Data is both backed up and available on redundant and geographically dispersed systems, physically separated from the primary Processor application servers.
4. Processor has implemented policies and produces regarding the proper disposal or re-use of equipment, devices, and electronic media. As part of any such disposal or re-use, Processor requires that Controller Data on physical media be destroyed such that it cannot reasonably be reconstructed.
5. Processor has disaster recovery and unscheduled incident plans and procedures in place in the event of an emergency, including maintaining disaster recovery infrastructure.
IV. Incident Response
1. Consistent with its Incident Response Plan, Processor takes steps in the aftermath of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Data to investigate, mitigate, remediate, and otherwise respond to such security incident. Processor will inform Controller of a confirmed security incident within 72 hours of becoming aware. Processor will notify Controller at the email address associated with Controller’s administrator account, or at another email address that Controller provides to Processor in writing for purposes of security incident notifications.
2. In the event that Controller is subject to a regulatory inquiry or threatened litigation relating to a security incident, Processor will provide Controller with reasonable assistance and support in responding to such investigation.
V. Subcontractors
1. Processor conducts diligence of prospective subcontractors to ensure that they are capable of meeting the security standards set forth herein and requires them to comply with terms that are substantially similar to those set forth herein.
