1. Purpose
This document describes the data security program and operation policies that redIQ or, as appropriate, its cloud service provider or data center operator engaged to operate the Service (in each case, as applicable, the “Processor”) will maintain in its efforts to protect Customer Data from unauthorized use, access, or disclosure. redIQ will exercise commercially reasonable efforts to implement the Data Security Practices referenced herein. Customer acknowledges that no system can be made entirely secure from unauthorized access or hacker attack. The transmission and storage of Customer Data may not be entirely secure, and third parties could compromise redIQ’s systems even if redIQ substantially performs its obligations hereunder. redIQ advises Customer to maintain Cyber Liability Insurance Coverage to help mitigate the risk of data security threats.
2. Information Security Management System
Processor will maintain a comprehensive information security management system (the “ISMS”) throughout the Term of the Agreement. The ISMS will include administrative, technical, and physical safeguards designed to: (a) protect and secure Customer Data from unauthorized access, use, or disclosure; and (b) protect against anticipated threats or hazards to the security or integrity of Customer Data. The Processor will document and keep the ISMS current based on changes to industry-standard information security practices and legal and regulatory requirements applicable to redIQ.
3. Standards
Processor’s ISMS will, at a minimum, adhere to applicable information security practices as identified in International Organization for Standardization 27001 (ISO/IEC 27001) (or a substantially equivalent or replacement standard) or other authoritative sources (e.g., SSAE 18, SOC1, SOC2).
4. Independent Assessments
On an annual basis, Processor will have an independent, suitably qualified third-party organization conduct an independent assessment consisting of a Report on Controls at a Service Organization Relevant to Security, Availability, Processing, Integrity, Confidentiality, and/or Privacy (SOC2 Type II) or such other comparable assessment at its sole discretion (e.g., ISO 27001 Certification). Processor will provide a copy of such assessment to Customer upon Customer’s written request to Processor. Processor also undergoes at least an annual penetration test from independent, suitably qualified third parties. Processor will provide Customer with an executive summary of the most recent penetration test results upon Customer’s written request to Processor.
5. Information Security Policies
As part of the ISMS, Processor will implement, maintain, and adhere to its internal information security and privacy policies that address the roles and responsibilities of Processor’s personnel who have direct or indirect access to Customer Data in connection with providing the redIQ Service. This requirement applies to both technical and non-technical personnel. Processor’s information security policies provide for continual assessment and reassessment of the risks to the security of the redIQ Service, including: (a) identification of internal and external threats that could result in a Security Breach (as defined below); (b) assessment of the likelihood and potential damage of such threats, taking into account the sensitivity of Customer Data; and (c) assessment of the sufficiency of the policies, procedures, and information systems of Processor, and other arrangements in place, to control risks. Additionally, Processor’s information security policies address appropriate protection measures against such risks. Processor’s information security policies shall, at a minimum, include:
- organization of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development, and maintenance
- information security incident management
- business continuity management
6. Information Security Operations
6.1. Access Controls. Per the ISMS, Processor shall maintain appropriate access controls (physical, technical, and administrative), which shall include the following as applicable:
- Processor Service Access Controls.
  - Physical Access Controls. Processor will implement the following suitable measures designed to prevent unauthorized persons from gaining access to the data processing equipment used to process Customer Data:
    - Access authorizations for employees and third parties
    - Keycards and passes
    - Restrictions on keys
    - Appropriate requirements for third parties
    - Identifying the persons having authorized access
    - Protection and restriction of entrances and exits
    - Establishing security areas especially for deliveries and handover
    - Securing the building (security alarm system, supervision by guards)
  - Technical Access Controls. Processor will implement the following suitable measures designed to prevent unauthorized reading, copying, alteration, or removal of the data media, unauthorized input into memory, and unauthorized reading, alteration, or deletion of Customer Data:
    - Access authorization requirements
    - Identification of workstations and/or the users accessing the redIQ Service
    - Automatic disablement of user IDs after multiple erroneous passwords are entered
    - Logging of events and activities (including monitoring of break-in attempts)
    - Issuance and safeguarding of identification codes
    - Dedicated workstations for users
    - Authentication of authorized personnel
    - Use of encryption where deemed appropriate by Processor
    - Separation of production and non-production environments
    - Automatic session logoff of users who have been inactive for a period greater than thirty (30) minutes
    - Designation of areas for the location of data media
    - Designation of persons in such areas for authorized handling and removal of data media
    - Control of the removal of data media
    - Securing the locations of data media
    - Controlled and documented destruction of data media
  - Data Access Controls. Processor commits that its employees and contractors entitled to use Processor’s data processing systems will only access data within the scope and to the extent covered by the respective access permission (authorization). Processor will accomplish this by:
    - Securing workstations
    - Requirements for user authorization on a need basis
    - Appropriate confidentiality obligations
    - Differentiated access policies based on function and scope (e.g., partial blocking)
    - Controlling the destruction of data media
    - Deleting remaining data before changing data media
    - Policies controlling the production of backup copies
  - Transmission Control. Processor will implement the following suitable measures to secure Customer Data processed through the use of the redIQ Service:
    - Authenticating authorized personnel
    - Securing confidential data media
    - Documentation of transfer, retrieval, and transmission
    - Encrypting external online transmission
  - Input Control. Processor will provide the retrospective ability to review and determine the time and point of Customer Data entry into the redIQ Service by utilizing electronic recording of data processing.
  - Organizational Control. Processor will implement the following suitable measures to maintain its internal organization in a manner that meets the requirements of the ISMS:
    - Maintaining internal data processing policies and procedures, guidelines, instructions, and/or process descriptions for development, testing, and release
    - Implementing an emergency/backup contingency plan
    - Implementing a formal Business Continuity and Disaster Recovery plan
  - Control of Separation of Customer Data. Processor will implement suitable measures to allow the separate processing of Customer Data from data of other customers. Processor will accomplish this by the logical separation of Customer Data from other customers’ data. Note: If Customer elects to contribute Customer Data to the Anonymized Data Pool, then such Customer Data will be anonymized and aggregated with other customers’ data and made available to customers participating in the Anonymized Data Pool described in the Agreement. Once Customer contributes Customer Data to the Anonymized Data Pool, it cannot later be identified, segregated, or removed upon expiration of the Term or at any time after that.
6.2. Encryption. Processor will encrypt Customer Data at rest within the redIQ Service. Processor will use, at a minimum, the AES algorithm for encryption of Customer Data at rest, with a default key strength of 256 bits. For Customer Data in transit to and from the redIQ Service, Processor uses encryption unless Customer uses a method of transmission or feature which does not support encryption (such as unencrypted FTP, email, etc.).
6.3. Network and Host Security. Processor has network intrusion detection and firewalls in place. Per its ISMS, Processor uses commercially reasonable efforts to ensure that redIQ Service operating systems and applications associated with Customer Data are patched or secured to mitigate the impact of security vulnerabilities following Processor’s patch management processes.
6.4. Data Management. Per its ISMS, Processor has information security infrastructure controls in place for Customer Data obtained, transported, and retained by Processor to provide the redIQ Service. Processor will, under its security policies and processes (and except for Customer Data contributed to the redIQ Data Pools), destroy, delete, or otherwise make irrecoverable Customer Data: (i) following the termination or expiration of the Agreement; and (ii) upon the disposal or repurposing of storage media containing Customer Data.
6.5. Audit Logging and Monitoring. Processor shall implement the following controls for audit logging and monitoring:
- Audit Logging. Processor shall enable audit logging on systems that contain Customer Data to capture at a minimum the security-related events defined below:
  - Account logon (both successful and unsuccessful) and logoff
  - Failed access attempts
  - Account lockouts
  - Elevation of privileges (both successful and unsuccessful), and every use of elevated privileges or actions taken while privilege is elevated
  - Creation, modification, and deletion (both successful and unsuccessful) of:
    - Accounts or logon identifiers
    - Group memberships
    - Access privileges/attributes for accounts and groups
    - User rights and permissions
  - Changes in account or logon identifier status (both successful and unsuccessful)
  - Modifications to, or unauthorized attempts to modify, the security configuration, security function, or authorization policy
- Audit Logs. Audit logs shall capture, at a minimum, the information for each security-related event defined below:
  - User, system, or process identifier that triggered the event
  - Description of the event
  - Date and time the event occurred (Processor must periodically synchronize the date and time to ensure it is accurate)
  - Identifier of the system generating the event (e.g., IP address)
  - Authorization information associated with the event
- Audit Log Retention. Processor shall retain audit logs for not less than ninety (90) days. Processor shall protect audit logs from accidental or intentional modification or destruction.
6.6. Physical and Environmental Security. Processor’s data center or cloud service provider shall (as applicable):
- Implement physical access control mechanisms (e.g., electronic access control, locks) to ensure only authorized individuals can obtain physical access to Processor’s facilities
- Lock and/or have strong access controls in place to control access to all of its data centers, equipment rooms, telecommunication closets, and utilities
- Control unauthorized access to unattended areas (e.g., offices, conference rooms) within any Processor facility that contains Customer Data by using locks or equivalent means
- Conduct at least annual inspections of the perimeter and all access control mechanisms to provide assurance that its hardware cannot be easily manipulated or bypassed to gain unauthorized access
- Establish protocols to protect against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster at Processor facilities and data centers
- Require that its personnel or third parties within Processor’s facilities (e.g., employees, visitors, resident contractors) can be immediately identified (e.g., using identification badges, visual recognition, or other means)
- Monitor access/egress points with security staff and/or security camera recordings twenty-four (24) hours a day, seven (7) days a week at any Processor facility that contains Customer Data. Processor’s data center or cloud service provider shall store security camera recordings for no less than sixty (60) days
- Require a unique registry entry for all visitors and maintain access control logs at Processor data centers
6.7. Equipment Security. Processor shall:
- Protect its systems and other equipment to reduce the risk from environmental threats and hazards and opportunities for unauthorized access
- Protect equipment that is power-dependent from power failures, surges, and other electrical anomalies
- Protect all power, telecommunication, and network cabling from unauthorized access and damage
- Maintain its systems and other equipment to ensure their continued availability and integrity
- Implement exit procedures to control unauthorized removal of systems and other equipment
6.8. Training. Processor shall provide regular training (or require regular training to be provided) to its employees and contractors on security and privacy requirements applicable to their roles. Such training shall occur at least annually and upon initial employment.
6.9. User Security Controls. Notwithstanding the foregoing, Customer understands and agrees that it is responsible for selecting Users who are appropriate for specific roles (e.g., Administrator), who shall have elevated role permissions. Notwithstanding anything to the contrary in this Security Exhibit, Customer understands and acknowledges that Customer will be solely responsible for implementing and maintaining access and security controls on its own devices and systems used to access the Service (including protection of login credentials for its Accounts) and for any Security Breach involving Customer Data resulting from its failure to maintain such controls. If Customer suspects that login credentials for its account(s) have been compromised, it shall promptly notify redIQ’s Support Desk.
7. Security Breach Management
7.1. Notice. For this Agreement, a “Security Breach” means the unauthorized use, access, or disclosure of Customer Data. Processor will promptly notify Customer of any confirmed Security Breach, subject to contrary instructions from law enforcement or forensic investigators. Processor will cooperate with Customer’s reasonable requests for information regarding any such Security Breach. Processor will provide regular updates on the Security Breach and the investigative action and corrective action taken. Processor will deliver notification to the Administrator(s) of Customer’s redIQ Service Account (“Notification Email Address”). Customer is solely responsible for ensuring that the Notification Email Address associated with Customer’s account is current and valid.
7.2. Remediation. In the event Processor knows or has reason to know of a Security Breach, Processor will, at its own expense: (a) investigate the actual or suspected Security Breach; (b) provide Customer with a remediation plan to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, upon Customer’s written request; (c) remediate the effects of the Security Breach following such remediation plan; and (d) reasonably cooperate with Customer and any law enforcement or regulatory official investigating such Security Breach. If Customer violates Section 6.9 (User Security Controls), Processor shall investigate any resulting Security Breach, but Customer shall be responsible for all costs of remediation relating to the Security Breach of Customer Data.
8. Business Continuity and Disaster Recovery
Processor implements and maintains business continuity and disaster recovery capabilities designed to minimize disruption in the provision of the redIQ Service to Customer in the event of a disaster or similar event. Processor shall review its business continuity and disaster recovery plans on at least an annual basis and update such plans, as needed, per generally accepted industry standards. Further, Processor or a qualified third party will perform at least annual testing of its business continuity and disaster recovery capabilities. Upon written request, Processor will provide Customer with a summary of Processor’s business continuity and disaster recovery capabilities, including related testing performed during the last year.
9. Subcontractors
Processor will make reasonable efforts to ensure that subcontractors are under contractual obligations that meet Processor’s security and privacy standards, to the extent applicable to their scope of performance, including contractual requirements that all persons authorized to perform services on behalf of Processor have agreed to an appropriate obligation of confidentiality.
10. Background Checks
Where legally permitted and following local law and custom, Processor shall perform the following background checks: on hire, Processor’s background checks for U.S. personnel include SSN Trace, Criminal County Search (7-Year Address History), Multi-State Instant Criminal Check, Nationwide Sex Offender Registry Check, OFAC Check, OIG/GSA Combined Search. Processor also uses E-Verify and confirms employment eligibility via the Form I-9 for all employees.