This Data Management and Security Policy (this “Policy”) describes the controls Oversight has implemented and maintains to protect information or data provided to Oversight directly or indirectly by a customer or a third party, or that Oversight directly or indirectly collects on behalf of a customer, or that Oversight otherwise has access to in connection with the provision of the services under the applicable arrangement (“Data”). This Policy may be updated by Oversight from time to time; such updates will be posted at www.oversightsystems.com/exhibit-2.
Oversight complies with applicable privacy, data security, encryption, and other laws and rules, regulations, directives and requirements of government or regulatory agencies, as may be applicable to the use, unauthorized access, confidentiality, protection and security of any Data (collectively, “Data Laws”). The Parties acknowledge that in relation to any Data controlled and owned by a customer and Processed by Oversight in connection with the Services Agreement: (a) Oversight is acting solely as a Data Processor and has no discretion regarding the purpose(s) for which such Data is Processed; and (b) Oversight will only access, use, disclose, retain or otherwise Process such Data in accordance with the provisions of the applicable agreement. Oversight will provide cooperation and assistance to its customers as may be reasonably required for purposes of compliance with the applicable Data Laws.
As between Oversight and its customers, each customer owns and retains all right, title, and interest in and to its Data, and Oversight will only use and possess Data for purposes of providing the applicable services.
Oversight will not disclose Data to any person or entity except as required by applicable Data Laws or permitted by the applicable agreement, this Policy or with the affected customer’s written consent. Furthermore, Oversight will not sell, assign, lease, or otherwise make Data available to third parties except as necessary to provide the Service.
Oversight and their vendors comply with:
- SSAE-16/SOC2 Type 2
- EU data protection directive (Directive 95/46/EC)
Oversight complies with applicable portions of the following standards:
- PCI/DSS v3 – Self-certified
- ISO 27001/2 and NIST – ISMS and controls based on these standards
2 INTERNATIONAL TRANSFERS
Personal Data means Data that, alone or in combination with other information, is about, related to, or can be used to identify an identifiable natural person, (i.e., name, physical or e-mail address, government issued identification number, credit card or other financial account number, date of birth, gender, employer issued identification number, telephone number, vehicle registration number, benefits eligibility and election information). For clarity purposes, hashed, truncated, or encrypted versions of the foregoing that are unusable to uniquely identify an individual are not “Personal Data” for purposes of this Policy. Oversight will not transfer Personal Data across international borders other than to Oversight facilities without first notifying our affected customers.
In connection with the provision of Services under the applicable Agreement, if Oversight will access and Process Personal Data from the European Economic Area (“EU Personal Data”) that is subject to E.U. Data Laws, Oversight will maintain certification in the EU-US Privacy Shield program. At Client’s request, Oversight will alternatively enter into applicable EU model clauses.
If Oversight is required to access and Process Personal Data from jurisdictions outside of the U.S. and the European Economic Area that are subject to Data Laws restricting, regulating, or otherwise controlling the transfer of Personal Data outside of such jurisdiction, Oversight will take the actions reasonably necessary for compliance with such Data Laws as further specified in the applicable agreement.
3 SECURITY MEASURES
Oversight has implemented physical, technical, and organizational measures and safeguards with respect to Data and the Processing of the same against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosures or access, and against all other unlawful forms of Processing, consistent with this Policy and with the Data Laws. Oversight will provide Client with information regarding Oversight’s security measures upon request from Client. Oversight limits access to Data to those personnel who have a business need to access the Data in the provision of services under the applicable services agreement.
Oversight and its suppliers follow industry standards and this Policy when transmitting Data, which include the following minimum precautions when transmitting Personal Data:
- Personnel. Background checks that cover criminal, financial and work history are completed before a person is allowed to start work. Each employee and contractor is required to sign a Non-Disclosure Agreement and an Acceptable Use Policy for all Oversight and Client assets before starting work.
- Encryption. Transmissions of Personal Data shall use a minimum of industry standard 128 bit encryption.
- Portable Media. Transfers or transmissions of Data on recordable or portable media must be encrypted at all times while in transit, with encryption keys transported or transmitted separately. Portable media includes laptop computers, thumb drives, portable disc drives, CDs or DVDs, or any other portable device used to store and transfer electronic information.
- E-mail Transmission Prohibited. Data sent by or on behalf of any customer or by or on behalf of Oversight will not be sent by e-mail. All such Data must be sent using a secured and encrypted storage device or file transfer mechanism, with encryption keys sent separately.
- Storage. All Data shall be encrypted using a minimum of industry standard 256 bit encryption at rest.
- Passwords. Privileged user passwords will meet the following complexity and age requirements:
- Minimum 15 characters including 2 upper, 2 lower, 2 numbers, 2 special
- Expire every 30 days
- Access Control. Oversight implements role-based access control such that the permissions each individual is granted are based on what is required for them to perform the role(s) they are assigned by management. Exceptions require management approval.
- Workstations. Workstations used by Oversight to access Data use the following or similar minimum security controls:
- Regularly updated antivirus and other anti-malicious software and programs and firewalls; and
- Weekly Operating System patching; and
- Password and screensaver controls with automatic lock of workstation upon idleness.
- Hosting. Oversight operates a cloud-based Software as a Service platform:
- The primary production is located at an Atlanta GA data center.
- The disaster recovery location is located at a US-based data center located in a different geographic area.
- Only SSAE-16-certified data centers are used for primary and disaster recovery sites.
- Servers. Servers used by Oversight to process Data use the following or similar minimum security controls:
- Regularly updated antivirus and other anti-malicious software and programs and firewalls; and
- Quarterly patching of Operating System, Database, and Application; and
- Encrypted management access.
- Backups. Backups are taken regularly to facilitate business continuity and disaster recovery:
- Daily snapshots are stored locally
- Weekly backups are securely copied via network to the disaster recovery site
- Network Security. Oversight’s network security has the following or equivalent minimum capabilities:
- Access control lists;
- All Network traffic passes through firewalls. Oversight has implemented intrusion prevention systems that allow traffic flowing through firewalls to be protected 24x7;
- Access to network devices for administration require a minimum of 256 bit, industry standard encryption;
- Network, application, and server authentication passwords meet minimum complexity guidelines;
- Firewalls are deployed to protect the perimeter Oversight network;
- Virtual Private Networks (“VPN”) are deployed for the remote access to the Oversight network, which include (i) connections with a minimum of 256 bit encryption; and (ii) split tunneling is disabled; and
- Patches and updates are evaluated and applied as defined in the Patch Management Policy.
- Physical Security. For all Oversight locations where Data is Processed, Oversight has the following minimum physical security requirements in place:
- A clean desk policy requiring that personnel do not leave Data exposed at the end of their work day;
- Access to the facility or areas where Data is stored or accessible are controlled through key card and/or appropriate sign-in procedures;
- All Personnel with access to the facility or areas where Data is stored or accessed will be required to have appropriate identification;
- All Personnel are required to lock PCs with access to Data when not in use;
- All monitors for such PCs are equipped with a privacy screen as necessary;
- Oversight employees or contractors appropriately secure all third party assets in their possession. This includes use of laptop locks (whether in the office, at home, or traveling) and storing secure access tokens in locked location; and
- Roles and Responsibilities. Oversight maintains separation of duties in security, compliance, and audit operations:
- Operational Security – operational security is the responsibility of the IT team.
- Risk and Compliance – information security policy, audit, and compliance is the responsibility of the compliance team.
- Governance – Oversight maintains a Risk and Information Security Committee to govern its Risk Management and Information Security initiatives led by the CFO and sponsored by the CEO. The Oversight Board of Directors is regularly briefed on security and risk issues.
- Operations – operation of production systems is the responsibility of the IT and operations teams.
- Development – development and quality assurance of the Oversight solution is performed by development team members.
- Customer Segmentation. Oversight processes information from multiple customers in its Software as a Service platform. Each customer’s data is logically separated from other customer’s data but is processed on shared infrastructure. Client users only have access to their company’s information.
4 DISCLOSURE OF DATA
Oversight will not rent, sell disclose, store, retain, use, or otherwise Process any Data except as necessary and proper to perform the Services under the applicable agreement. Oversight will disclose Data to its personnel and any third parties who have a need to know such Data only to the extent as is necessary for the performance of Services under the applicable agreement so long as Oversight informs such personnel and third parties of their obligations under this Policy. Oversight is liable for all acts and omissions of such personnel and third parties.
In addition, with respect to disclosure to third parties: (i) if required, Oversight will obtain Client’s prior written consent to disclose Data; (ii) Such disclosures will be made in properly secured and encrypted formats, as may be applicable given the nature of the transmission, disclosure, and Data at issue; and (iii) Oversight will require any such third parties to agree in writing to assume the same obligations under this Policy as Oversight.
If Oversight is required to disclose Data by law, including Data Laws, or by mandatory order of a governmental authority having jurisdiction over Oversight, Oversight will notify the affected customer(s) in advance of such disclosure where permissible and reasonably cooperate with the affected customer(s)’ effort to minimize the extent of such disclosure and maintain the confidentiality of such Data.
5 DATA BREACH
Oversight will notify the affected customer(s) in writing promptly but no later than 48 hours after any actual or reasonably suspected Data Breach. In the event of a Data Breach, Oversight shall (a) promptly take all reasonable measures to remediate any such Data Breach; (b) provide the affected customers with a written report of what Oversight did to remediate; (c) provide all necessary cooperation to the affected customers with respect to the notification, investigation, and prosecution of such Data Breach; (d) provide the affected customers with a written plan identifying the measures Oversight will implement to avoid any subsequent Data Breach of similar nature; and (e) comply with all Data Laws. Oversight’s written notice will include all known details of the Data Breach as of the time it is provided, and the notice will be supplemented as new information becomes available. Oversight will provide the foregoing notices only if a Data Breach directly arises from Oversight’s Processing of Data.
6 AUDIT AND VERIFICATION
At least once each calendar year, Oversight will retain a third-party auditor of national reputation (a) to perform audits of the Oversight’s Information Security Management System that include Oversight’s Data management systems and (b) to produce audit reports. Oversight will provide a summary copy of such reports to its customers upon request.
Oversight performs internal scans, audits, and compliance checks and will provide an Executive Summary upon request.
Oversight will make available a simulated, sample customer scan target upon request.
Customers who require audits of Oversight’s third-party suppliers or vendors must pay any costs or fees those vendors charge for participating in customer-requested security evaluations, scans, or security evaluations.
7 VULNERABILITY MANAGEMENT
Oversight maintains a Vulnerability Management Program, as part of the greater Risk Management program. Vulnerability Management includes systems hardening, patching, internal scanning, external scanning, and penetration testing.
8 DATA AND RECORD RETENTION
Oversight will retain Data as required to comply with applicable data protection laws and the Agreement. Upon termination or expiration of the Agreement with respect to particular Data not required by Oversight to perform its obligations under the Agreement, Oversight shall promptly and securely remove, erase and destroy the Data from its applications, databases and computer systems, such that no copy of the Data remains or can be accessed in any way. Oversight shall certify such removal, erasure and destruction of Data in writing to Client upon request.
9 SUPPLIER AND SUBCONTRACTOR SECURITY
Oversight maintains a comprehensive Vendor Management Program that includes evaluating the security posture of suppliers and subcontractors before work is performed and then annually based on risk assessment by Oversight.
10 SYSTEMS DEVELOPMENT LIFECYCLE
Oversight’s “Systems Development Lifecycle” process utilizes control standards related to various aspects of the development process such as securing the development environment, source code control, as well as standards around requirements definition, release and deployment, testing and training according to SSAE16 requirements. Oversight uses test systems that exactly duplicate production for the most efficient problem resolution and highest quality testing.
Effort required for Oversight personnel to conform to customer-specific security policies such as initial/annual training may be billable on a time and materials basis.
 The terms “Process” and “Processing” mean any activity performed on or using Data including but not limited to collection, transfer, disclosure, handling, storage, access, or any other use.