Security Program Framework (Technical and Organizational)

Company has implemented and maintains an information security program designed to protect against unauthorized or unlawful Processing of Client Personal Data or its accidental loss, destruction, or damage, including the measures described below. With acceptance or execution of an applicable Company Master Services Agreement, this security program framework of technical and organizational measures is made a part of the Master Services Agreement between Client and Company (the “Agreement”). The Agreement reflects the parties’ agreement with regard to the security and safeguarding of Client Personal Data, unless another agreement containing security terms has been agreed to in writing by both Parties. Unless otherwise stated, capitalized terms shall have the meanings set forth in the Agreement.

Security Framework – Company’s security framework is designed based on the security requirements and controls within the US National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the SOC2 or ISO 27001 frameworks. Where available for the applicable Solution, SOC2 or ISO 27001 certifications are available on the Company website.

Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:

  • A badge-based access control system designed to control physical access and movement into and throughout Company’s facilities; and
  • Processes and procedures designed to remove facility access rights from terminated personnel.

Access Controls – policies, procedures, and technical controls designed to restrict access to Client Personal Data to members of Company’s workforce who require it to perform their job functions, including:

  • Role-based access policies that restrict user access to systems and resources based on job responsibilities;
  • Processes to grant and revoke access rights based on business need, and to periodically review user access rights for alignment with business needs;
  • Multi-factor authentication processes to manage privileged access rights, including access to production environments;
  • The use of firewall and intrusion detection systems to provide reasonable logging;
  • The use of single sign-on and multi-factor authentication; and
  • Reasonable background check procedures for employees and contractors, as permitted by applicable law.

Security Incident Procedures – policies and procedures designed to detect, respond to, and otherwise address security incidents, including:

  • a dedicated operations support function that manages network performance and outages, in order to monitor the solution in real time and support the delivery of its services;
  • deployment of an intrusion detection system to provide reasonable logging and to monitor and restrict certain inbound internet traffic;
  • documented procedures designed to identify, escalate, and respond to suspected or known security incidents; and
  • documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to enhance Company’s response to future threats.

Contingency Planning and Business Continuity – policies and procedures designed to maintain service and/or recover from emergency situations, disasters or other similar occurrences (for example, fire, vandalism, system failure, and natural disaster) that impact Client Personal Data or systems that contain Client Personal Data, including:

  • support from Company’s team (via telephone, email, and through its Support Center online) in accordance with its most recently published Support Services Guide;
  • documented business continuity and disaster recovery plans and procedures, including procedures to rebuild systems, update software, install patches, and change configurations, as needed;
  • documented backup and disaster recovery policies and procedures for cloud-based environments, including periodic backups of production services, files, and databases, and the storage of backups in a separate data center; and
  • periodic testing of Company’s business continuity and disaster recovery plans (also referred to as “contingency plans”).

Device and Media Controls for Sanitization and Destruction – policies and procedures that govern the receipt and removal of endpoint hardware and electronic media that contain Client Personal Data into and out of a Company facility, and the movement of these items within a Company facility, including policies and procedures to address the secure disposal of Client Personal Data and/or the hardware or electronic media on which it is stored, and procedures for removal of Client Personal Data from electronic media before the media are made available for re-use.

Audit controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use Client Personal Data, including:

  • reasonable logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
  • periodic reviews of the logs for unusual or suspicious activity.

Data Integrity – policies and procedures designed to protect the confidentiality, integrity, and availability of Client Personal Data, including protecting Client Personal Data from unauthorized or unlawful access, disclosure, or destruction.

Storage Security – technical security measures designed to protect against unauthorized access to Client Personal Data in storage, including:

  • encryption of Client Personal Data in transit over the Internet and at rest in Company-hosted environments;
  • use of a key management system to protect encryption keys;
  • use of systems management technologies, such as anti-virus software and configuration checks, to protect the confidentiality and integrity of information maintained on approved endpoint computers, laptops, and mobile devices;
  • restrictions on the use of USB peripheral devices; and
  • logical segregation of Client Personal Data in the fully hosted multi-tenant environment and partitioning of such data within the production database.

Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Company’s security program.

Testing and Risk Management – periodic testing and monitoring of the effectiveness of Company’s security program, such as through audits of Company’s solution performed by an external third-party auditor, and through periodic penetration and vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Client Personal Data, and address such risks.

Vendor Management – policies and procedures for the management of third-party vendors that process Client Personal Data on Company’s behalf, including steps to select and retain third-party vendors who are capable of protecting the security, confidentiality and integrity of Client Personal Data and procedures for managing, monitoring, and terminating third-party vendor relationships.

Data Retention Policies – policies and procedures for managing the retention of Client Personal Data pursuant to customer agreements, including, as applicable, our standard Data Processing Agreement (DPA).

Company Mobile Apps – Company’s apps are natively designed for secure operation on the operating systems to which they apply (iOS and Android) and Company’s apps leverage certain secure transmission (HTTPS TLS) and secure storage (device encryption) features.

Patching – Company’s vulnerability management practices include periodic application security scans and penetration testing. Identified vulnerabilities are remediated on a reasonable timeline based on the criticality and applicability of the endpoint.

Adjustments to the Program – monitoring, evaluation, and adjustment, as appropriate, of Company’s security program considering relevant changes in technology, industry security standards, and applicable legal requirements, the sensitivity of the Client Personal Data, internal or external threats to Company or to Client Personal Data, and Company’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.