DATA SECURITY POLICY FOR “CYBERGRX” SOFTWARE OR SERVICES ONLY:
This Data Security Policy is an attachment to, is incorporated into and is governed by the ProcessUnity Master Subscription Agreement, which can be found here. In the event of conflict, this Data Security Policy supersedes the Master Subscription Agreement.
1. Policies and Procedures. ProcessUnity will document and enforce all policies and procedures that regulate the use of information in the normal course of its business, including the processing, receipt, transmission, storage, distribution, access, and deletion of such information. All policies and procedures must be approved by management and reviewed and updated to remain compliant with applicable law and current industry practices.
2. Physical Access Controls
2.1 Electronic physical access control (e.g., by badge or card readers) must be implemented at all ingress/egress points to ProcessUnity office facilities.
2.2 Visitors must be escorted and are prohibited from entering restricted areas in the facility.
2.3 Monitoring cameras must cover sensitive areas within the facility, including ingress/egress points.
2.4 Security guards must be deployed at the main entrance to the building in which the ProcessUnity office facilities are located.
2.5 A clean desk/clear screen policy must be implemented such that workstations are secured with inactivity screen locks, and confidential documents are secured in a locked file cabinet or office with access granted to only those individuals with a business need for such information.
3. Logical Access Controls
3.1 Authentication and authorization controls are appropriately robust for the specific levels of risk to the applicable information, data, application, and platform.
3.2 Wherever possible, multi-factor authentication (MFA) is enforced, with the FIDO2 protocol as the preferred mechanism, followed by TOTP.
3.3 ProcessUnity monitors access rights to ensure access adheres to the ‘least privilege’ principle commensurate with the user’s job responsibilities, logs all access and security events, and uses software that enables rapid analysis of user activities.
3.4 User access reviews are performed on a scheduled basis for each application, database, or system housing ProcessUnity data to confirm access and privilege levels.
3.5 Procedures are documented for the timely onboarding and off-boarding of users who have joined, left, or changed roles within ProcessUnity.
3.6 Remote control of desktops is restricted to a specific role (e.g., helpdesk admin), and remote control is not permitted unless and until the end user gives permission.
3.7 A documented password policy covers all applicable systems, applications, and databases.
3.8 Authorizations must be linked to a unique user ID and account. This excludes the use of group IDs/passwords used by multiple people, with limited exceptions where necessary.
4. Communication and Connectivity
4.1 Data flow is documented for all ProcessUnity data, from origination to end-point. ProcessUnity Confidential Information is encrypted when in transit outside of ProcessUnity’s network.
4.2 Firewall management processes are documented. All changes to the firewall are performed via change management processes. Firewall access is restricted to a small set of super users/administrators with appropriate approvals.
4.3 Periodic network vulnerability scans are performed, and any critical vulnerabilities identified are promptly remediated.
4.4 Defined Access Control Lists (ACLs) to restrict traffic on routers and/or firewalls are reviewed and approved by network administrators. IP addresses in the ACLs are specific and anonymous connections are not allowed.
4.5 Unauthorized remote connections from devices are disabled as part of standard configuration.
4.6 The data flow in the remote connection is encrypted and multi-factor authentication is used during the login process.
4.7 Remote connection settings limit the ability of remote users to access both initiating network and remote network simultaneously.
4.8 Dependent third party service provider remote access adheres to the same or similar controls, and any subcontractor remote access has valid business justification.
4.9 Emails are encrypted via opportunistic TLS if leaving ProcessUnity’s network. ProcessUnity employees are trained to use manual encryption or an alternate, secure sharing mechanism if they are unsure whether encryption is available. If an external organization is sending emails on behalf of ProcessUnity, additional controls are implemented to restrict spam and phishing emails.
5. Mobile Computing
Mobile computing (where permitted) is performed exclusively over encrypted channels. Wireless Access Points (WAPs) only allow authorized users to connect.
6. Encryption/Data Protection
6.1 ProcessUnity Confidential Information is encrypted while in transit over any public network or wireless network. In addition, ProcessUnity Confidential Information is encrypted at rest on any server or device that is removed from ProcessUnity’s controlled premises for backup or off-site storage. Key management procedures are employed that promote the confidentiality, integrity, and availability of cryptographic key material. Use of encryption products complies with local restrictions and regulations.
6.2 A data security policy that dictates encryption use and applicable encryption standards is documented. Where applicable, ProcessUnity employs AES with 256-bit or greater keys as the acceptable encryption algorithm.
6.3 Email messages between ProcessUnity and external recipients are encrypted leveraging Opportunistic Transport Layer Security (TLS).
6.4 Laptops containing ProcessUnity Confidential Information are encrypted. Any personally identifiable information (PII) and ProcessUnity sensitive data is encrypted at rest including any backups.
6.5 Cryptographic key management procedures are documented and automated. Products or solutions are deployed to keep the data encryption keys encrypted.
6.6 Confidential paper records are stored in secure bins. Access to bins is limited to selected staff only. Document destruction or shredding is performed in a secure manner. If a third party is used for secure shredding/destruction, a services contract with confidentiality and security terms will be in place.
7. Vulnerability Monitoring
7.1 ProcessUnity continuously gathers and analyzes information regarding new and existing threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. Monitoring controls include related policy and procedure, virus and malicious code, intrusion prevention and detection, and event and state monitoring. The related logging process provides an effective control to highlight and investigate security events.
7.2 Penetration testing of the internal/external networks and/or specific hosts is performed at least annually. The tests are performed externally by reputable external organizations. Customer environments are covered as part of the test scope.
7.3 Automated vulnerability scans of any assets deployed in the ProcessUnity environment containing ProcessUnity Confidential Information are performed periodically to identify, mitigate, and remediate any vulnerabilities. Assets include any servers, applications, endpoint desktops, laptops, and network devices.
7.4 All issues identified from the penetration tests and vulnerability scans rated as critical, high, or medium risks are evaluated and remediated within appropriate timelines.
7.5 Servers, workstations, and internet gateway devices are updated periodically with the latest antivirus definitions, including zero-day anti-malware protection. A defined procedure covers all anti-virus updates. Anti-virus tools are configured for daily or weekly scans, virus detection, real-time monitoring of file write activity, and signature file updates. Laptops and remote users are covered under virus protection.
7.6 Security events are logged (to log files), monitored (by appropriate individuals), and addressed (with timely action documented and performed). Network components, workstations, applications, and any monitoring tools are enabled to monitor user activity. Organizational responsibilities for responding to events are defined.
8. Incident Response
8.1 ProcessUnity documents a plan and associated procedures in the event of a security incident. The incident response plan clearly articulates the responsibilities of personnel and identifies relevant parties for notification. Incident response personnel are trained, and execution of the incident response plan is tested at least annually.
8.2 The incident management policy and/or procedures include the following attributes:
(a) Organizational structure is defined;
(b) Response team is identified;
(c) SLAs, RTO, and RPO are documented;
(d) Timelines for incident detection and disclosure are documented; and
(e) Annual, at minimum, exercises are conducted with appropriate teams.
8.3 The incident response process is executed as soon as ProcessUnity is aware of the incident (irrespective of time of day).
9. Recovery
9.1 ProcessUnity has a backup policy and associated procedures for performing backup and restoration of data in a scheduled and timely manner. Controls are established to help safeguard backed up data (off-site). ProcessUnity conducts frequent, periodic tests to ensure that data can be safely recovered from backup devices.
9.2 Backup and offsite storage procedures are documented. Procedures encompass the ability to fully restore applications and operating systems.
9.3 Periodic testing of successful restoration from back-up media is demonstrated.
10. End of Life and Faulty Equipment. Procedures exist for the disposal/reuse of retired or failed equipment, including proper removal of ProcessUnity Confidential Information. Notification of any lost or misplaced assets is made to ProcessUnity internal management in all cases.
11. Change Management
11.1 Changes to the system, network, applications, data file structures, other system components, and physical/environmental changes are monitored and controlled through a formal change control process. Changes are tested, reviewed, approved, and monitored during post-implementation to ensure that expected changes are operating as intended.
11.2 Emergency change procedures exist and include post-change implementation validation.
12. System Development
12.1 ProcessUnity has an established software development lifecycle for the purpose of defining, acquiring, developing, enhancing, modifying, testing, and implementing information systems.
12.2 The Software Development Life Cycle (SDLC) methodology is documented and includes version control and release management procedures. The SDLC testing methodology also includes validation of security requirements. Code certification, including a security review, is performed for all code before it is pushed to production. Software vulnerability assessments are conducted using industry-standard solutions. Any vulnerability gaps identified are evaluated and remediated in a timely manner. Where ProcessUnity production data is used in a test environment, the level of control must be consistent with production controls. Developer access to the production environment must be restricted by policy and in implementation.
12.3 Penetration testing of the external perimeter is performed at least annually. For the most recent testing results/report, follow-up is performed to eliminate or mitigate any issues rated as critical, high, or medium risk.
12.4 Tools/processes are in place for vulnerability monitoring, penetration testing, antivirus definition updates, firewalls, application gateways (proxies), and guard testing.