Security measures

Technical and organisational measures to ensure the security of data

Below are our standard technical and organisational measures to ensure the security of our customers’ personal data:

Organisation of information security

Security ownership

We appoint one or more security officers responsible for coordinating and monitoring its security rules and procedures.

Security roles and responsibilities

Our personnel with access to customer data are subject to appropriate confidentiality obligations.

Risk management program

We have a risk management program in place to identify, assess and take appropriate actions with respect to risks related to the processing of the customer data in connection with our services.

Asset management

Asset inventory

We maintain an asset inventory of our infrastructure, network, applications, and cloud environments. We also maintain an inventory of our media on which customer data is stored. Access to the inventories of such media is restricted to personnel authorised in writing to have such access.

Data handling

• We classify customer data to help identify such data and to allow for access to it to be appropriately restricted
• We limit printing of customer data from our systems to what is minimally necessary to perform services and have procedures for disposing of printed materials that contain customer data
• We require our personnel to obtain appropriate authorization prior to storing customer data outside of contractually approved locations and systems, remotely accessing customer data, or processing customer data outside the Parties’ facilities

Human resources security

Security training

• We inform our personnel about relevant security procedures and their respective roles
• We inform our personnel of possible consequences of breaching the security rules and procedures
• We only use anonymous data in our training environments

Physical and environmental security

Physical access to facilities

We implement and maintain procedures to limit authorised access to our facilities where information systems that process customer data are located.

Physical access to components

We maintain records of the incoming and outgoing media containing customer data, including the kind of media, the authorized sender/recipients, date and time, the number of media, and the types of customer data they contain.

Component disposal

We use industry standard (e.g., ISO 27001, Azure CIS 1.3.0, and/or NIST Cyber-Security Framework, as applicable) processes to delete customer data when it is no longer needed.

Communications and operations management

Operational policy

We maintain security documents describing our security measures and the relevant procedures and responsibilities of our personnel who have access to customer data.

Mobile Device Management (MDM)/Mobile Application Management (MAM)

We maintain a policy for our mobile devices that:

• Enforces device encryption
• Prohibits use of blacklisted apps
• Prohibits enrolment of mobile devices that have been “jail broken”

Data recovery procedures

• We have specific data recovery procedures with respect to our systems in place designed to enable the recovery of customer data being maintained in our systems
• We review our data recovery procedures at least annually
• We log data restoration efforts with respect to our systems, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process

Malicious software

We have anti-malware controls to help avoid malicious software gaining unauthorised access to customer data, including malicious software originating from public networks.

Data beyond boundaries

• We encrypt customer data that it transmits over public networks
• We protect customer data in media leaving our facilities (e.g. through encryption)
• We implement automated tools where practicable to reduce the risks of misdirected email, letters, and / or faxes from our systems

Event logging

For our systems containing customer data, we log events consistent with our stated policies or standards.

Access control

Access policy

We maintain a record of security privileges of individuals having access to customer data via our systems.

Access authorization

• We maintain and update a record of personnel authorised to access customer data via our systems
• When responsible for access provisioning, promptly provision authentication credentials
• Deactivate authentication credentials where such credentials have not been used for a period of time (such period of non-use not to exceed 30 days)
• Deactivate authentication credentials upon notification that access is no longer needed (e.g. employee termination, project reassignment, etc.) within two business days
• Identify those personnel who may grant, alter, or cancel authorised access to data and resources
• Ensure that where more than one individual has access to our systems containing customer data, the individuals have unique identifiers/logins (i.e. no shared ids)

Least privilege

• We only permit our technical support personnel to have access to customer data when needed
• We maintain controls that enable emergency access to productions systems via, temporary ids or ids managed by a Privileged Identity Management System (PIMS)
• We restrict access to customer data in our systems to only those individuals who require such access to perform their job function
• We limit access to customer data in our systems to only that data minimally necessary to perform the services
• We support segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest (e.g. developer/ reviewer, developer/tester)

Integrity and confidentiality

We instruct our personnel to disable administrative sessions when leaving premises or when computers are otherwise left unattended.

Authentication

• We use industry standard (e.g., ISO 27001, Azure CIS 1.3.0, and/or NIST Cyber-Security Framework, as applicable) practices to identify and authenticate users who attempt to access our information systems
• Where authentication mechanisms are based on passwords, we require that the passwords be renewed every 70 days
• where authentication mechanisms are based on passwords, we require the password to contain at least eight characters and three of the following four types of characters: numeric (0-9), lowercase (a-z), uppercase (A-Z), special (e.g., !, *, &, etc.)
• We ensure that de-activated or expired identifiers are not granted to other individuals
• We monitor repeated attempts to gain access to our information systems using an invalid password
• We maintain industry standard (e.g., ISO 27001, Azure CIS 1.3.0, and/or NIST Cyber-Security Framework, as applicable) procedures to deactivate passwords that have been corrupted or inadvertently disclosed
• We use industry standard (e.g., ISO 27001, Azure CIS 1.3.0, and/or NIST Cyber-Security Framework, as applicable) password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, as well as during storage

Multi Factor Authentication

We implement Multi-Factor Authentication for internal access and remote access over virtual private network (VPN) to our systems or to cloud hosted applications.

Penetration testing and vulnerability scanning of Unily systems

• At least annually, we perform penetration and vulnerability assessments on our IT environments in accordance with our internal security policies and standard practices
• Perform at least quarterly testing of our application at the current latest release
• Agree to share with our customers summary level information related to such tests as conducted by us, to the extent applicable to the services
• For clarity, as it relates to such penetration and vulnerability testing, customer is not to be entitled to
  • data or information of our other customers of Unily
  • test third party IT environments except to the extent Unily has the right to allow such testing
  • any access to or testing of shared service infrastructure or environments or any other confidential Information of Unily that is not directly relevant to such tests and the services
• For any Unily IT systems that are physically dedicated to the customer, the parties may agree to separate, written testing plans and such testing will not to exceed two tests per year

Network and application design and management

• We have controls to avoid individuals gaining unauthorised access to customer data in our systems
• We use data loss prevention to monitor or restrict movement of sensitive data
• We use network-based web filtering to prevent access to unauthorised sites
• We use Distributed denial of service (DDoS) protection
• We use MFA protected least privilege accounts and PIMs for production access
• We use network intrusion detection and / or prevention in our systems
• We use a cloud native SIEM\SOAR for monitoring, detection, and automation
• We use secure coding standards
• We scan for and remediate OWASP vulnerabilities in our systems
• To the extent technically possible, we will work with our customers to limit the ability of our personnel to access non-customer and non-Unily environments from customers’ systems
• We maintain up to date server, network, infrastructure, application, and cloud security configuration standard
• We scan our environments to ensure identified configuration vulnerabilities have been remediated

Patch management

We have a patch management procedure that deploys security patches for our systems used to process customer data that includes:

• Defined time allowed to implement patches (not to exceed 14 business days) for patches as defined by Unily’s standard)
• Established process to handle emergency or critical patches as soon as practicable

Workstations

We implement controls for workstations we provide that are used in connection with service delivery/receipt incorporating the following:

• MDM\MAM that manages overall compliance of workstation and reports at a minimum on a weekly basis to a central system
• Encrypted OS and Fixed Drives
• Patching process so that workstations are patched within the documented patching schedule
• Ability to prevent blacklisted software from being installed
• Antivirus with continuous monitoring and Advanced Threat Detection with a minimum full weekly scan and firewalls installed, enabled, and enforced on all profiles

Information security breach management security breach response process

Unily will maintain a record of its own security breaches in its systems with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the process for recovering data.

Service monitoring

Unily’s security personnel will review their own logs as part of their security breach response process to propose remediation efforts if necessary.

Business continuity management

We have processes and programs that are aligned to ISO27001:2013 to enable recovery from events that impact our ability to perform in accordance with our service agreements with customers.

Supplementary measures for international data transfers

In addition to the measures set out above, in accordance with regulatory guidance following the European Court of Justice “Schrems II” decision, we further commit to maintaining the following additional technical, organisational, and legal/contractual measures with respect to customer data, including personal data.

Technical supplementary measures

The customer data in transit between our entities will be strongly encrypted with encryption that:

• Is state of the art
• Secures the confidentiality for the required time period
• Is implemented by properly maintained software
• Is robust and provides protection against active and passive attacks by public authorities, including crypto analysis
• Does not contain back doors in hardware or software, unless otherwise agreed with the applicable customer

The customer data at rest and stored by any our entities will be strongly encrypted with encryption that:

• Is state of the art
• Secures the confidentiality for the required time period
• Is implemented by properly maintained software
• Is robust and provides protection against active and passive attacks by public; authorities, including crypto analysis
• Does not contain back doors in hardware or software, unless otherwise agreed with the applicable customer

Organisational supplementary measures

The customer data transferred between our entities and the processing by any of our entities will be in accordance with:

• Our internal policies and procedures to manage requests from public authorities to access personal data
• Our internal data access and confidentiality policies and procedures
• Our internal data minimisation policies and procedures
• Our internal data security and data privacy policies and procedures

We will maintain a documented log of requests for access to personal data received from public authorities and the response provided, along with the legal reasoning and the involved parties.

We will regularly provide reports of public authority requests for personal data, if any, to our Chief Technology Officer and Board.

Legal/Contractual supplementary measures

• Where such country is not formally recognised as providing a level of protection essentially similar to UK/EU countries. We endeavour to maintain assessment reports with respect to applicable surveillance laws and privacy practices for the countries in which we process customer data. We will provide copies of applicable reports to our customers upon request
• Our entity processing customer data certifies that, unless otherwise agreed with the applicable customer:
  • We have not purposefully created back doors or similar programming that could be used to access the system and/or personal data
  • We have not purposefully created or changed our business processes in a manner that facilitates access to personal data or systems; and
  • To the best of our knowledge, applicable national law or government policy does not require our entity to create or maintain back doors, or to facilitate access to personal data or systems, or for our entity to be in possession, or to hand over the encryption key without a legally valid order and following an appropriate legal review
• To the extent permitted under applicable law, our entity/s processing customer data will inform the customer of government requests relating to personal data that we are processing on behalf of the customer. If, under applicable law, we are not permitted to inform the customer of a government request, we will take reasonable steps to either:
  • Obtain administrative or judicial leave to inform the customer at the earliest possible time; or
  • Request that the respective government authority directly informs the customer. In any event, we will take reasonable steps before the courts or in administrative proceedings to challenge government requests we deem unlawful
• We will advise our customer of any change in applicable law that would affect our ability to comply with the data transfer mechanism relied on
• Our entity/s processing customer data will allow the customer to verify if its personal data was disclosed to public authorities via agreed audit procedures as set out in the applicable service agreement(s) with the customer
• The Unily entity/s processing Customer data will not engage in any onward transfer of Customer data, or suspend ongoing transfers, without the customer’s approval as set out in the applicable customer agreement(s) or as otherwise required by law
• We address the statutory rights of individuals to claim for compensation in case of a violation of their rights granted by the UK and/or EU GDPR