This Data Management and Security Policy (this “Policy”) describes the controls Oversight has implemented and maintains to protect information or data provided to Oversight directly or indirectly by a customer or a third party, or that Oversight directly or indirectly collects on behalf of a customer, or that Oversight otherwise has access to in connection with the provision of the services under the applicable arrangement (“Data”). This Policy may be updated by Oversight from time to time but only in a manner that retains or increases the stringency of Oversight’s security obligations; such updates will be posted at http://www.oversightsystems.com/exhibit-2.
Oversight complies with applicable privacy, data security, encryption, and other laws and rules, regulations, directives and requirements of government or regulatory agencies, as may be applicable to the use, unauthorized access, confidentiality, protection and security of any Data (collectively, “Data Laws”). The Parties acknowledge that in relation to any Data controlled and owned by a customer and Processed by Oversight in connection with the Services Agreement: (a) each customer owns and retains all right, title, and interest in and to its Data; (b) Oversight is acting solely as a Data Processor and has no discretion regarding the purpose(s) for which such Data is Processed; and (c) Oversight will only access, use, disclose, retain or otherwise Process such Data in accordance with the provisions of the applicable agreement to provide the applicable services. Oversight will provide cooperation and assistance to its customers as may be reasonably required for purposes of compliance with the applicable Data Laws.
Oversight will not disclose Data to any person or entity except as required by law, applicable Data Laws or permitted by the applicable agreement, this Policy or with the affected customer’s written consent. Furthermore, Oversight will not sell, assign, lease, or otherwise make Data available to third parties except as necessary to provide the Service.
If Oversight is required to disclose Data by law, including Data Laws, or by mandatory order of a governmental authority having jurisdiction over Oversight, Oversight will notify the affected customer(s) in advance of such disclosure where permissible and reasonably cooperate with the affected customer(s)’ effort to minimize the extent of such disclosure and maintain the confidentiality of such Data.
Oversight complies with:
- SSAE-18 / SOC2 Type 2
- EU-U.S. and Swiss-U.S. Privacy Shield Framework
- Applicable Data Laws including the EU General Data Protection Regulation (GDPR)
 The terms “Process” and “Processing” mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Oversight complies with applicable portions of the following standards:
- PCI/DSS v3 – Self-certified
- ISO 27001/2 and NIST – ISMS and controls based on these standards
Oversight’s primary and DR colocation data facilities are:
- SSAE-18 / SOC2 Type 2
- Geographically separated
2 CROSS-BORDER DATA TRANSFERS AND PROCESSING
Personal Data means Data that, alone or in combination with other information, is about, related to, or can be used to identify an identifiable natural person. For clarity, hashed, truncated, or encrypted versions of the foregoing that are unusable to uniquely identify an individual are not “Personal Data” for purposes of this Policy. Oversight will not transfer Personal Data outside the U.S. without first requesting approval from our affected customers.
In connection with the provision of Services under the applicable Agreement, if Oversight will Process Personal Data from either the European Economic Area (EEA) or Switzerland, Oversight will enter into applicable data transfer contractual clauses as part of the Agreement on request.
If Oversight is required to access and Process Personal Data from jurisdictions outside of the U.S. and the European Economic Area that are subject to Data Laws restricting, regulating, or otherwise controlling the transfer of Personal Data outside of such jurisdiction, Oversight will take the actions reasonably necessary for compliance with such Data Laws as further specified in the applicable Agreement.
3 SECURITY MEASURES
Oversight has implemented physical, technical, and organizational measures and safeguards with respect to Data and the Processing of the same against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosures or access, and against all other unlawful forms of Processing, consistent with this Policy and with the Data Laws. Oversight will provide Client with information regarding Oversight’s security measures upon request. Oversight limits access to Data to those personnel who have a business need to access the Data in the provision of services under the applicable services agreement.
Oversight follows industry standards and this Policy which include the following minimum controls:
- Personnel. Background checks that cover criminal, financial and work history are completed before a person is allowed to start work. Each employee and contractor is required to sign a Non-Disclosure Agreement and an Acceptable Use Policy before starting work.
- Encryption. Transmissions of Data shall use a minimum of industry-standard 128-bit encryption.
- Portable Media. Transfers or transmissions of Data on recordable or portable media are prohibited. Portable media includes thumb drives, portable disc drives, CDs or DVDs, or any other portable device used to store and transfer electronic information.
- E-mail Transmission of Data Prohibited. Data transferred by or on behalf of any customer or by or on behalf of Oversight will not be sent by e-mail. All such Data must be transferred using a secured file transfer mechanism.
- Encrypted Storage. All Data at rest shall be encrypted using a minimum of industry-standard 256-bit encryption.
- Passwords. Privileged user passwords will meet the following complexity and age requirements:
  - Minimum 15 characters, including 2 uppercase letters, 2 lowercase letters, 2 digits and 2 special characters
  - Expire every 30 days
- Access Control. Oversight implements role-based access control such that the permissions each individual is granted are based on what is required for them to perform the role(s) they are assigned by management. Exceptions require management approval.
- Workstations. Workstations used by Oversight to access Data use the following or similar minimum security controls:
  - Encrypted hard drives; and
  - Regularly updated antivirus, other anti-malware software and firewalls; and
  - Weekly operating system patching; and
  - Password and screensaver controls with automatic lock of the workstation when idle.
- Hosting. Oversight operates a cloud-based Software as a Service platform:
  - The primary production site is located at an Atlanta, GA data center.
  - The disaster recovery site is located at a US-based data center in a different geographic area.
  - Only SSAE-18-certified colocation data centers are used for primary and disaster recovery sites.
- Servers. Servers used by Oversight to process Data use the following or similar minimum security controls:
  - Regularly updated antivirus, other anti-malware software and firewalls; and
  - Quarterly patching of operating system, database, and application; and
  - Encrypted management access.
- Backups. Backups are taken regularly to facilitate business continuity and disaster recovery:
  - Daily snapshots are stored locally
  - Weekly backups are securely copied over the network to the disaster recovery site
- Network Security. Oversight’s network security has the following or equivalent minimum capabilities:
  - Access control lists;
  - All network traffic passes through firewalls. Oversight has implemented intrusion prevention systems so that traffic flowing through the firewalls is protected 24x7;
  - Administrative access to network devices requires a minimum of 256-bit, industry-standard encryption;
  - Network, application, and server authentication passwords meet minimum complexity guidelines;
  - Firewalls are deployed to protect the perimeter of the Oversight network;
  - Virtual Private Networks (“VPN”) are required for remote access to the Oversight client data environment, with (i) connections using a minimum of 256-bit encryption and (ii) split tunneling disabled; and
  - Regular patches and updates.
- Physical Security. For all Oversight locations where Data is processed, Oversight has the following minimum physical security requirements in place:
  - A clean desk policy requiring that personnel do not leave Data exposed at the end of their work day;
  - Access to the facility or areas where Data is stored or accessible is controlled through key card and/or appropriate sign-in procedures;
  - All Personnel with access to the facility or areas where Data is stored or accessed will be required to have appropriate identification;
  - All Personnel are required to lock PCs with access to Data when not in use;
  - All monitors for such PCs are equipped with a privacy screen as necessary;
  - Oversight employees or contractors appropriately secure all third-party assets in their possession. This includes use of laptop locks (whether in the office, at home, or traveling) and storing secure access tokens in a locked location; and
- Roles and Responsibilities. Oversight maintains separation of duties in security, compliance, and audit operations:
  - Operational Security – operational security is the responsibility of the IT team.
  - Risk and Compliance – information security policy, audit, and compliance are the responsibility of the compliance team.
  - Privacy – personal data privacy is the responsibility of the privacy team.
  - Governance – Oversight maintains a Risk and Information Security Steering Committee to govern its Risk Management and Information Security initiatives. The Oversight Board of Directors is regularly briefed on security and risk issues.
  - Operations – operation of production systems is the responsibility of the IT and operations teams.
  - Development – development and quality assurance of the Oversight solution is performed by development team members.
- Customer Segmentation. Oversight processes information from multiple customers in its Software as a Service platform. Each customer’s data is logically separated from other customers’ data but is processed on shared infrastructure. Client users only have access to their own company’s information.
4 DATA BREACH
Oversight will notify the affected customer(s) in writing promptly and without undue delay after any actual or reasonably suspected loss of or unauthorized access to Data (“Data Breach”). In the event of a Data Breach, Oversight shall (a) promptly take all reasonable measures to remediate any such Data Breach; (b) provide the affected customers with a written report of what Oversight did to remediate; (c) provide all necessary cooperation to the affected customers with respect to the notification, investigation, and prosecution of such Data Breach; (d) provide the affected customers with a written plan identifying the measures Oversight will implement to avoid any subsequent Data Breach of similar nature; and (e) comply with all Data Laws. Oversight’s written notice will include all known details of the Data Breach as of the time it is provided, and the notice will be supplemented as new information becomes available. Oversight will provide the foregoing notices only if a Data Breach directly arises from Oversight’s Processing of Data.
5 AUDIT AND VERIFICATION
At least once each calendar year, Oversight will retain a third-party auditor of national reputation (a) to perform audits of Oversight’s Information Security Management System, including Oversight’s Data management systems, and (b) to produce audit reports. Oversight will provide a summary copy of such reports to its customers upon request.
Oversight performs internal scans, audits, and compliance checks and will provide an Executive Summary upon request.
Oversight will make available a simulated, sample customer scan target upon request.
Customers who require audits of Oversight’s colocation facilities must pay any costs or fees those vendors charge for participating in customer-requested security evaluations or scans.
6 VULNERABILITY MANAGEMENT
Oversight maintains a Vulnerability Management Program, as part of the greater Risk Management program. Vulnerability Management includes systems hardening, patching, internal scanning, external scanning, and penetration testing.
7 DATA AND RECORD RETENTION
Oversight will retain Data as required to comply with applicable data protection laws and the Agreement. Upon termination or expiration of the Agreement with respect to particular Data not required by Oversight to perform its obligations under the Agreement, Oversight shall securely remove, erase and destroy the Data from its applications, databases and computer systems in accordance with the Agreement, such that no copy of the Data remains or can be accessed in any way. Oversight shall certify such removal, erasure and destruction of Data in writing to Client upon request.
8 SUPPLIER AND SUBCONTRACTOR SECURITY
Oversight maintains a comprehensive Vendor Management Program that includes evaluating the security posture of suppliers and subcontractors before work is performed and then annually based on risk assessment by Oversight.
9 SYSTEMS DEVELOPMENT LIFECYCLE
Oversight’s “Systems Development Lifecycle” process uses control standards covering various aspects of the development process, such as securing the development environment and source code control, as well as standards around requirements definition, release and deployment, testing and training, according to SSAE-18 requirements. Oversight uses test systems that exactly duplicate production for the most efficient problem resolution and highest quality testing.
 The terms “Process” and “Processing” mean any activity performed on or using Data including but not limited to collection, transfer, disclosure, handling, storage, access, or any other use.