1.1 Federato will maintain a comprehensive information security program ("Federato Security Standards") which includes administrative, technical and physical safeguards to protect Customer Data. Federato safeguards are maintained to appropriately protect Customer Data based on commercially reasonable and industry standard resources available to Federato and the type of Customer Data. The Federato Security Standards are designed to:
(a) Protect the availability, integrity and confidentiality of Customer Data;
(b) Protect against any anticipated threats or hazards to the confidentiality, integrity or availability of Customer Data;
(c) Protect against any unlawful or unauthorized access to, or use, disclosure, alteration or destruction of, Customer Data by Federato; and
(d) Protect against any accidental loss of, destruction of, or damage to Customer Data.
1.2 Federato will also monitor, evaluate and modify the Federato Security Standards to ensure:
(a) Use of industry standard technology pertinent to the protection of Customer Data;
(b) Commercially reasonable updates to the Services, Subscription Services, Federato Security Standards or Federato's systems, based on relevant changes in internal procedures for the protection of Customer Data, or as necessary to comply with applicable law;
(c) The Federato Security Standards reflect relevant internal changes to Federato's technical environment, including third parties, outsourcing arrangements, infrastructure and information systems.
2.1 Compliance with the baseline of security controls for a Software as a Service (SaaS) Cloud Service Provider;
2.2 Policies and procedures consistent with SOC 2 requirements and other industry standard frameworks;
2.3 Data classification;
2.4 Geo-location options for storage of Customer Data;
2.5 Risk management; and
2.6 Third party security risk management.
3.1 Limit access to Federato facilities and systems to authorized persons;
3.2 Limit Federato employees' access to Customer Data by enforcing segregation of duties;
3.3 Protect Customer Data from unauthorized access;
3.4 Remove or restrict Federato employees' access to Customer Data in a timely manner when access thereto is no longer required to perform Services, or upon Customer request;
3.5 Require multi-factor authentication through Federated Service for Federato access to Customer Data in the provision of Services.
4.1 Performing pre-employment background screening commensurate with such employee's level of access to data, subject to applicable law;
4.2 Requiring all employees to sign non-disclosure agreements;
4.3 Annual role-based security and privacy training (including the requirements of the Federato Security Standards, the importance of securing Customer Data, and how to recognize phishing attacks); and
4.4 Promoting a culture of security awareness through periodic trainings, blogs and programs which reward security best practices.
5.1 Controlled access to Federato facilities;
5.2 Inheritance of physical and environmental security controls from FedRAMP Moderate-compliant Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) CSPs;
5.3 Logging and monitoring of access, including unauthorized access attempts, to Federato facilities and systems;
5.4 Camera monitoring of Federato facilities;
5.5 Temperature and humidity monitoring and fire protection for Federato facilities; and
5.6 Uninterruptible power supplies to Federato facilities to maintain normal working conditions in accordance with our Business Continuity Plan.
6.1 Secure development policies;
6.2 Secure development training;
6.3 Vulnerability management and remediation within the timelines defined in the policy;
6.4 Segregation of duties across development, review and release management; and
6.5 A formal change management program with segregation of duties, which Federato has and will maintain.
7.1 Review changes to systems and infrastructure;
7.2 Review changes to systems that handle authentication, authorization and auditing;
7.3 Review privileged access to Federato systems;
7.4 Review access to the Federato production environment, including abnormal access.
8.1 Encryption in transit using TLS 1.2 or higher with AES 128;
8.2 Encryption at rest using AES 256; and
8.3 Full disk encryption using AES 256 on all hard drives with access to production data.
9.1 Defined roles and responsibilities, with an incident response team and a dedicated leader, which are tested annually;
9.2 Methods for investigating and assessing the event to determine the risk it poses, including proper escalation;
9.3 Processes for internal communication, reporting and notification, and for external reporting and notification to customers within forty-eight (48) hours of unauthorized disclosure of or access to Customer Data;
9.4 Appropriate documentation of the event, the incident and the investigation, recording what was done, by whom and under what authorization, for later analysis and possible legal action; and
9.5 A post-incident review of the incident, including root cause analysis and remediation.
10.1 Data resiliency through redundancy to recover data;
10.2 A Business Continuity and Disaster Recovery Plan which is communicated and made available during an event to minimize the impact on, and/or loss of, vital resources;
10.3 Annual testing of the Business Continuity Plan and Disaster Recovery Plan (Executive Summary available to Customer upon request); and
10.4 Auditing of the Disaster Recovery test.
11.1 Once annually, upon Customer request and at no additional fee, Federato will provide Customer with reasonable assurance of its environments by providing its SOC 2 Type II audit report.
12.1 Federato has policies and procedures to provide reasonable assurance of the appropriate return and/or disposal of Customer Data, including:
(a) Secure shredding of printed documents and Customer Confidential Information; and
(b) Secure destruction of Customer Data with a certificate of destruction provided by Federato.
12.2 For a period of thirty (30) days from expiration or termination of the Agreement, Federato will provide Customer with continued access to the Subscription Services so it may remove such Customer Data.
13.1 Malware protection which cannot be disabled on the machine, with regular updates and patches;
13.2 Full Disk Encryption (a mitigating control, as Customer Data is not stored on endpoint devices);
13.3 Regular updates and patching of the Subscription Services, Federato's systems and browsers; and
13.4 No writing to removable media (USB).
14.1 Perform regular monitoring for security patches;
14.2 Apply patches in a timely manner after testing through change control; and
14.3 Regularly update systems and networks with new releases.