This Security Exhibit (“Security Exhibit”) will become part of the executed agreement between Employ and Customer that references this document. Employ’s performance of the services must be in accordance with the Agreement and this Security Exhibit. Terms used here but not defined here are defined in the Agreement.
This Security Exhibit was last updated January 3, 2023. Employ reserves the right to periodically modify this Security Exhibit to reflect current security practices, and such modification will automatically become effective in the next Service Term.
Employ will make commercially reasonable efforts to prevent loss, theft, or damage to Customer Data from the Services. This Exhibit establishes the requirements necessary to maintain a security program and ensure that sufficient physical, operational, and technical security measures are in place for the protection of Customer Data in the Services. This Security Exhibit applies when Employ provides the Services and Support to Customer.
1. Information Security Management
1.1 Information Security Management System. Employ shall maintain and continually improve a documented information security management system, in accordance with industry standard practices and accepted frameworks, for the delivery of Employ Services and Support, of which its personnel are to be made aware and with which they must comply (“Information Security Management System”).
1.2 Certification. During the term of the Agreement, Employ shall maintain AICPA SOC2 certification or equivalent as well as maintain a lawful transfer mechanism for export of personal data out of the European Union.
1.3 Testing. Employ will conduct at least annual third-party security tests on applications and infrastructure used to support the provision of Services and Support to identify security vulnerabilities. Employ will provide summary reports of these security tests to Customer upon request.
2. Organizational Security
2.1 Information Security Responsibilities. Employ must have dedicated roles with clearly defined responsibilities for the administration of the Information Security Management System.
2.2 Security Policies. As part of administration of the Information Security Management System, Employ will create information security policies that will define responsibility for the protection of Employ and Customer Data (“Information Security Policies”). The Information Security Policies will include requirements designed to monitor compliance with privacy/information security policies and procedures.
3. Asset Classification
3.1 Asset Management. Employ will maintain an asset management policy in accordance with industry standard practices, including asset classification (e.g., information, software, hardware) and an inventory of devices and systems that administer the Services and Support to enable Employ to protect Customer Data and assets.
3.2 Asset Controls. Employ will establish physical, organizational, and technical security controls to protect Customer Data from unauthorized access and disclosure.
4. People Security
4.1 Employ Employees. Employ employees must behave consistently with this Security Exhibit to ensure effective security. Employ will make its employees aware of their responsibilities for maintaining effective security controls, particularly regarding the use of passwords, disposal of information, social engineering attacks, incident reporting, and the physical and technical security of users and company equipment through security awareness/onboarding trainings. Employ will issue documented security policies, update them as necessary, provide security training, and obtain acknowledgement of these policies by all employees at least annually.
4.2 Background Checks. Employ must ensure that its employees involved in providing the Services and Support have passed basic background checks designed to validate the completeness and accuracy of resumes, confirmation of professional qualifications, and verification of identity. Where permitted by law, these checks should also include checks of criminal history.
5. Physical and Environmental Security
Where Employ maintains a physical office location, Employ shall ensure that only authorized users have physical access to the network, critical systems and applications, server rooms, communication rooms and work environments, and Employ shall provide secure protection for its physical facilities (e.g., through card readers, key cards or a manned reception area) from which Employ provides the Services and Support. Employ will maintain controls to monitor for attempts at unauthorized access. Additional controls will be maintained to prevent or detect the removal of any such equipment.
6. Communications and Operations Management
6.1 Vulnerability/Patch Management. Employ will establish a vulnerability/patch management process that ensures all systems used to provide the Services and Support, including network devices, servers, and desktop/laptop computers, are patched against known security vulnerabilities in a reasonable period of time based on the criticality of the patch and the sensitivity of the Customer Data accessed through the systems.
6.2 Secure System Configuration. Employ will establish controls to ensure that all systems used to provide Services and Support are securely configured in a repeatable manner. This involves changes to default settings to improve system security (e.g., system “hardening”), changes to default account passwords and removal of unnecessary software or services/daemons. Additionally, employee devices used to interact with or manage systems that provide the Services and Support are also to be configured in a repeatable manner. Specific additional requirements beyond those stated elsewhere in this Exhibit include:
6.2.1 Full/whole disk encryption; and
6.2.2 Remote data wipe and lock capability in case of a lost/stolen device.
6.3 Malware Prevention. Employ will implement detection and prevention controls, together with appropriate user awareness procedures, to protect against malicious software. Employ will keep and update technical controls and must regularly evaluate all systems for the existence of malware. Employ will run real-time or regular scans of Employ-owned devices to detect viruses, malware, and possible security incidents.
6.4 Logging and Auditing. Employ will have in place a comprehensive log management program defining the scope, generation, transmission, storage, analysis and disposal of logs based on then-current industry practices. The systems and the services will provide logging capabilities in accordance with the following principles:
6.4.1 the scope of logging and the retention policy will be based on a risk-based approach, with minimum retention of six (6) months;
6.4.2 logs will be collected to permit forensic analysis on information security incidents;
6.4.3 logs will record administrative changes to the Services;
6.4.4 log records will be kept virtually secured to prevent tampering;
6.4.5 passwords and other sensitive data elements will not be logged under any circumstances;
6.4.6 Employ will perform regular log analysis to evaluate security;
6.4.7 all affected systems will be configured to provide real-time logging of any event that may indicate a system compromise, denial-of-service event, or other security violation, including notifying an administrator when pre-determined event thresholds are exceeded; and
6.4.8 logs will be protected from unauthorized access or modification.
7. Disaster Recovery and Business Continuity Planning
7.1 Programs. Employ must establish disaster recovery and business continuity programs and must ensure that the plans are capable of ensuring confidentiality and integrity of Customer Data during recovery operations. Employ will ensure the programs do not allow any reduction of security.
7.2 Backups. Employ must ensure, through the use of backups, the availability of Customer Data that is stored or processed by Employ and stored locally.
8. Security Incidents
8.1 Incident Detection. Employ must establish and maintain an operational incident detection capability and a clearly documented incident response program for responding to suspected or known security incidents or system breaches. Incident response plans must include methods to protect evidence of activity from modification or tampering, and to properly allow for the establishment of a chain of custody for evidence.
8.2 Incident Response. In the event of an incident that affects Customer Data, Employ will utilize industry standard efforts to respond to the incident and mitigate the risk to Customer and Customer Data.
8.3 Incident Notification. In the event of an incident that affects Customer Data, Employ will provide notice of the security incident to Customer within forty-eight (48) hours of detection.
9.1 Authentication. Employ must support single sign-on (SSO) mechanisms (e.g., SAML 2.0) for Customer to interact with Employ assets.
9.2 Centralization. Employ must have centralized authentication management mechanisms.
9.3 Administrative Access. Employ must use multiple factors of authentication for all Employ administrative access.
9.4 Brute-force Protection. Employ must implement controls to limit the capability of attackers to brute-force authentication endpoints.
9.5 Support Access. If Employ allows Employ employees to access Customer Data through an application support interface, that interface must, at a minimum, (a) uniquely identify the Employ employee who used it, and (b) record all interactions in a log that is available to Customer upon request.
9.6 User Passwords. Employ will provide training to employees reasonably designed to ensure that employee passwords meet sufficient complexity and expiration requirements, or will require an additional layer of security with multi-factor authentication.
9.6.1 Authentication and Two-Factor Authentication. “Two-factor authentication” means authentication through the combination of something a person knows, such as a username and password, with something a person has, such as a disconnected authentication token, or a biometric factor, such as a fingerprint. Employ must use multiple authentication factors where available, and Employ will use at least two-factor authentication to access accounts used to provide data hosting services. All administrative access by Employ employees must require two-factor authentication.
9.6.2 Inactivity. All Employ devices must be locked after a reasonable period of inactivity.
9.6.3 Employee or Consultant Termination. At the time of the termination of an employee, contractor, or any third-party consultant, the terminated person’s access to the networks, systems, and accounts used to provide the Services and Support, and access to any Customer Data, must be terminated.
9.6.4 Authorization. Employ alone will control and provide access to Customer Data. Employ will not use a third party to control access to Customer Data. Access will be granted only on a need-to-know basis and following the principles of least privilege.
9.6.5 Network Access Controls. All networks Employ uses to provide the Services and Support must be protected through the use of controls capable of blocking unauthorized network traffic, both inbound (ingress) and outbound (egress). Employ will maintain capabilities to monitor network traffic.
10. Data Security
10.1 Data Segregation. Employ must logically separate, secure, and monitor production environments.
10.2 Credential Hashing. Employ must have appropriate algorithms in place for hashing secrets, including passwords and API tokens, both for Employ’s accounts and for Customer accounts to access Employ’s system.
10.3.1 Data in Transit. Employ must ensure that HTTPS is enabled in any web interface related to the product or service. Employ must disable non-encrypted transmission services (e.g., FTP). Employ must have commercial certificates to provide Customer the option to utilize TLS 1.2 or greater for web facing applications.
10.3.2 Data at Rest. Customer Data, both at rest and in transit, must be encrypted at all times using industry-accepted cryptography standards. Employ must have key management in place for high-sensitivity data (e.g., key rotation, key encryption, access control, etc.). Where different algorithms are used, they are to have comparable strengths; e.g., if an AES-128 key is to be encrypted, an AES-128 key or greater, or an RSA-3072 key or greater, could be used to encrypt it.
11.1 Employ represents and warrants that:
11.1.1 as of the date of this contract, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA Section 702”).
11.1.2 no court has found Vendor to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
11.1.3 it is not the type of provider that is eligible to be subject to Upstream collection (“bulk” collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), and that therefore the only FISA Section 702 process it could be eligible to receive, if it is an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4), would be based on a specific “targeted selector”, i.e., an identifier that is unique to the targeted endpoint of communications subject to the surveillance.
11.2 Where possible, Employ will use all reasonably available legal mechanisms to challenge any request under FISA Section 702 for bulk surveillance, i.e., a surveillance demand in which the targeted account is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance). Employ will use all reasonably available legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.
11.3 All employees are required to comply with Employ security and privacy policies and standards. Noncompliance is subject to disciplinary action, up to and including termination of employment.
11.4 Employ regularly reviews its collection, storage, and processing practices to prevent unauthorized access to Employ’s system.
11.5 Employ will promptly notify Customer if Employ can no longer comply with the Standard Contractual Clauses or the clauses in this section 11. Employ shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law.