
orgvue security provisions

  1. Introduction
    1.1 These Security Provisions apply to the provision of orgvue when ordered by the Client.
    1.2 The Client acknowledges that the Software together with the Client Data is, at the Client’s selection, hosted by the
    Subcontractor in the European Economic Area (“EEA”), North America or Australia. Supplier will not transfer
    Client Data outside of the Client’s selected region without prior written instruction from the Client.
    1.3 The Software is multi-tenanted. Each Client shares the same software and physical architecture. Client Data is
    logically segregated and independently Encrypted using Client dedicated encryption keys.
  2. Definitions
    Unless specified otherwise below, capitalised words and expressions contained within this document have the same
    meaning as set out in the Terms and Conditions:
    2.1 Business Continuity Plan: Documented strategy identifying risk scenarios which could impact the ability of
    Supplier to maintain normal business operation, and defining Supplier’s response to those scenarios.
    2.2 CREST: A not-for-profit accreditation and certification body providing internationally recognised accreditation for
    providers of penetration testing services.
    2.3 Data Breach: A compromise of security that leads to the accidental or unlawful destruction, loss, alteration,
    unauthorized disclosure of, or access to, Client Data transmitted, stored, or otherwise processed.
    2.4 Disaster Recovery Plan: Supplier procedures to enable the recovery or continuation of technology infrastructure
    and systems required to deliver the Software.
    2.5 Encrypted or Encryption: The process by which Client Data is converted into ciphertext to ensure secure
    transmission or storage.
    2.6 IP Whitelisting: a security feature used to limit and control access from trusted IP addresses only.
    2.7 Logs: records of the outcome of every operation, including authentication and authorisation failures, by user
    identity, time and IP address, providing the Tenant owner or administrator with an audit trail of all changes that
    identifies who made each change, when, and the content of the change.
    2.8 Multi-factor authentication: an authentication method in which a user is granted access only after successfully
    presenting two or more pieces of evidence (or factors) to an authentication mechanism.
    2.9 Multi-Tenanted: A single database architecture is shared by multiple Clients, in which encryption methods are
    used to logically segregate and independently encrypt Client Data, using Client dedicated encryption keys.
    2.10 OWASP Top 10: is an awareness document for software developers and web application security, identifying the
    most critical security risks to web applications.
    2.11 SAML 2.0: Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging
    authentication and authorisation data between security domains.
    2.12 Supplier Administrators: Supplier workers administering and supporting the infrastructure in provision of the
    Software.
    2.13 Virtual Private Cloud (VPC): A logically isolated section of a public cloud service provider’s network,
    dedicated to a single customer.
    OrgVue – Page 2 of 6
  3. Information Security Policies
    3.1 Supplier maintains a suite of information security policies which together form an Information Security
    Management System (“ISMS”). These policies are reviewed at least annually.
    3.2 Supplier has an established management framework to initiate and control the implementation and operation of
    information security within the organization. This includes the allocation of resources necessary to operate, govern
    and continually improve the Information Security Management System.
  4. Human Resource Security
    4.1 Supplier ensures all new employees and contractors are subject to background checks. These include:
    4.1.1 A criminal record check;
    4.1.2 Identity and right to work checks;
    4.1.3 Professional references from at least two previous employers;
    4.1.4 Proof of education and professional certifications.
    4.2 Supplier ensures its employment contract includes confidentiality and intellectual property clauses as standard.
    4.3 Supplier ensures all employees are assigned mandatory information security training at the start of their
    employment and are subject to formal annual information security refresher training.
    4.4 Supplier maintains a formal employee disciplinary policy, the scope of which includes breach of information
    security policies.
  5. Asset Management
    5.1 All Client Data is processed within the Client’s Tenant, unless otherwise agreed in writing by the Client.
    5.2 Supplier will not remove Client Data from the Tenant without prior written instruction from the Client.
    5.3 Supplier will not process Client Data on USB media.
    5.4 Supplier maintains an asset inventory of all component systems used to process Client Data.
    5.5 Supplier maintains an Information Classification, Labelling and Handling Policy. This policy applies the most
    sensitive classification to all Client Data.
    5.6 Within three (3) months of the Agreement termination date, Supplier will securely delete all Client Data, in such a
    way that Client Data will no longer be recoverable.
    5.7 Supplier will provide written confirmation of the destruction of Client Data on written request.
    5.8 The Client may export or delete Client Data at any time through the Software.
    5.9 The following controls will be in place at all times at Subcontractor data centre facilities:
    5.10 All decommissioned hardware utilized in the processing of Client Data will be sanitized and physically destroyed
    in accordance with industry-standard practices.
    5.11 Fire detection systems will utilize smoke detection sensors in all data centre environments.
    5.12 Data centre electrical systems are designed to be fully redundant and maintainable without impact to operations,
    24 hours a day. Uninterruptible Power Supply (UPS) units will provide back-up power in the event of an electrical
    failure for critical and essential loads in the facilities.
  6. Access Control
    6.1 Supplier maintains an organisational access control policy to govern access to Supplier systems, including those
    which process or support the processing of Client Data.
    6.2 Access right authorisation will be subject to a formal process, following the principle of least privilege.
    6.3 Supplier ensures that Supplier employee accounts are disabled within 24 hours of the employment termination date.
    6.4 Supplier ensures that Multi-factor authentication is in place for all access by Supplier Administrators to Supplier
    systems processing Client Data.
    6.5 Supplier provides support for SAML 2.0, to enable Clients to implement Single Sign-On (SSO) for authentication
    to their Tenant.
    6.6 The Software supports role-based and attribute-based access control models. SAML integration provides
    authentication only: the allocation of user privileges within the Software must be managed via the Software and
    cannot be provisioned through SAML assertions.
    6.7 Supplier employees will not access Client Data without the prior written authorisation of the Client. In combination
    with this written authorisation, a Client Administrator will also be required to provision a Supplier User account
    within the Tenant, to enable Supplier access. Such permissions may be revoked by the Client at any time.
    6.8 The Client is responsible for all User Management including:
    6.9 The set up and ongoing management of all users access to the Tenant.
    6.10 Ensuring users are granted appropriate permission to access the Software and Client Data.
    6.11 Ensuring access privileges are removed from those users who are no longer authorised to access the Software,
    for example as a consequence of leaving the Client’s employment or moving department.
    6.12 Managing and assigning workers from Supplier who may be required by the Client to assist on specific
    engagements. Such Supplier worker access is solely the responsibility of the Client to control.
  7. Cryptography
    7.1 All Client Data transmitted over any network is Encrypted using TLS 1.2 or higher.
    7.2 All Client Data is Encrypted at rest using AES-256 (GCM) at the file system level.
    7.3 For management of encryption keys used to encrypt Client Data, Supplier will use the AWS Key Management
    Service (KMS), which stores and generates master keys on FIPS 140-2 validated Hardware Security Modules
    (HSMs).
    7.4 Master keys will only be used inside these HSM devices and the master keys will never leave such devices
    unencrypted.
    7.5 Master keys will be rotated annually.
    7.6 Neither Supplier nor Supplier subcontractor(s) will have access to Client Data master encryption keys.
  8. Physical and Environmental Security
    8.1 In relation to the subcontractor’s datacentres, Supplier shall ensure that the subcontractor:
    8.2 Controls and restricts physical access to areas where Client Data is stored to authorised personnel, utilising full
    authentication controls to validate access (e.g. access control cards).
    8.3 Promptly revokes physical access rights when no longer required.
    8.4 Requires authorised personnel to utilise multi-factor authentication mechanisms to access hosting data centre
    floors.
    8.5 Securely maintains audit trails (including access dates and times) of all access to data centre floors.
    8.6 Monitors all physical ingress and egress points of the data centres using video cameras and recording
    devices. Recordings shall be stored by the subcontractor for a minimum of 10 working days.
  9. Operations Security
    9.1 Supplier shall ensure that:
    9.2 Weekly reviews of operating system and web application vulnerability scans are conducted.
    9.3 Production, testing and development environments are logically separated.
    9.4 Production Client Data is never processed in non-production environments.
    9.5 Server instances processing Client Data will have active anti-malware services and host-based IDS (Intrusion
    Detection Systems).
    9.6 Anti-malware and host-based IDS services are updated daily.
    9.7 Client Data will be subject to daily backup and retained for 30 days, within the same geographical region as the
    Client’s Tenant.
    9.8 Client Data processed in backup services will be encrypted at rest via AES-256 (GCM).
    9.9 Software Logs are retained within the Tenant, with access to the Logs controlled by the Client. These Logs are
    retained for the lifetime of the Tenant.
    9.10 Supplier will collect, consolidate, and review security event Logs from server instances and infrastructure services
    involved in the provision of the Software. These Logs will not contain Client Data and shall be retained for a
    minimum of 12 months. Such Logs are not available to the Client due to the multi-tenant architecture of the
    Software. Appropriate summary information may be made available in the event of a Data Breach.
    9.11 Server instances processing Client Data will have security patches installed within two weeks of vendor release.
    9.12 Security patches which Supplier deems emergency and/or critical will be installed to address immediate threats
    on an expedited basis, according to the severity of the threat.
  10. Communication Security
    10.1 The Supplier shall ensure that:
    10.2 The public cloud service provider network for the Software is isolated via multiple independent VPCs (Virtual
    Private Clouds) interconnected via VPC endpoints, exposing only HTTPS (TLS 1.2 or higher) to the public internet
    for Client facing services.
    10.3 A threat detection service with automated alerting to Supplier Administrators operates on the Software within the
    VPC using machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize
    potential threats.
    10.4 Client Data is not transferred via Email.
    10.5 IP Whitelisting is supported to restrict traffic to orgvue from trusted source networks as identified by the Client.
  11. System Acquisition, Development and Maintenance
    11.1 Supplier maintains an organisational software development policy to govern the development and maintenance
    of Software. This policy is available to the Client on written request.
    11.2 Supplier Administrators have access only to the source code repositories necessary for the work they are
    actively engaged on. Identity and Access Management (IAM) roles are used by the build and configuration management
    services for provisioning and maintenance.
    11.3 Supplier shall complete static and dynamic application security analysis in combination with manual code
    review and approval.
    11.4 Supplier shall ensure all Software releases pass through logically separate quality assurance and staging
    environments, before being released into production.
    11.5 Supplier shall subject the Software to independent web application penetration testing at least annually. Tests
    are conducted by CREST certified external resources. An executive summary of these reports is available to the
    Client on written request.
    11.6 All Software development is aligned to OWASP Top 10 documentation and guidance.
  12. Supplier Relationships
    12.1 All third party suppliers are subject to information security risk assessments and approval before onboarding.
    Supplier shall monitor and reassess all third-party suppliers on an on-going basis.
    12.2 Formal agreements, including confidentiality obligations, are in place with all third-party suppliers.
  13. Information Security Incident Management
    13.1 Supplier maintains a formal incident management policy incorporating root cause analysis and corrective action
    remediation.
    13.2 In the event that Supplier experiences a Data Breach affecting Client Data, Supplier shall notify the Client within
    24 hours after Supplier becomes aware of the Data Breach. In the event of any Data Breach, Client shall have
    sole control over the timing, content and method of notification to its own employees, clients and third parties.
  14. Information Security Aspect of Business Continuity Management
    14.1 Supplier shall maintain a Business Continuity Plan for restoring critical business functions, including availability of
    Software and Client Data. This policy is available to Clients on request.
    14.2 Supplier shall test its Business Continuity Plan on an annual basis.
    14.3 The Software is hosted in a highly resilient public cloud service provider infrastructure, providing geographical
    data centre fault tolerance. Failover between data centres is automated.
    14.4 Supplier will be responsible for backup and preservation of Client Data. All backup copies of Client Data shall be
    treated as Client Confidential Information and will be encrypted at rest via AES-256 (GCM).
    14.5 Supplier will maintain a Disaster Recovery Plan and perform disaster recovery restore testing on a six-monthly
    basis.
  15. Compliance
    15.1 Supplier is ISO 27001, ISO 27018 and CSA STAR Level 2 certified. These certifications require annual
    independent audit of Supplier’s ISMS by the certification bodies.
    15.2 Supplier agrees the Client may, upon reasonable prior written notice, perform vulnerability assessments using
    industry standard tools and manual techniques to assess the security of Software provided by Supplier in
    connection with the services provided to the Client. Client agrees, in relation to vulnerability assessments it
    conducts, that the following shall apply. Assessments:
    15.3 Shall be limited to the Software and not the underlying public cloud service provider services or infrastructure.
    15.4 Will be performed by authorised cyber security professionals agreed between the parties in advance of the
    vulnerability assessment taking place.
    15.5 Results or other related information shall be treated as Usage Data, unless disclosure is otherwise required by
    Applicable Law.
    15.6 The authorised cyber security professionals may work with Supplier to manually validate findings on production
    and test systems in order to reduce false positives. The authorised cyber security professional(s) may also contact
    Supplier’s designated IT security program manager should any additional information or work be required as part
    of vulnerability assessment.
    15.7 Supplier will be notified by Client of any major security vulnerabilities without undue delay.
    15.8 Upon at least twenty (20) Working Days advance written notice from the Client and written confirmation from the
    Supplier, Supplier shall grant to the Client (or a third party on Client’s behalf and reasonably approved by
    Supplier) permission to perform a remote or on-site assessment of Supplier’s information security management
    system, in order to ensure compliance with these Security Provisions. Such compliance assessment will be
    performed at the Client’s expense, conducted in a way to minimise disruption to the Supplier’s business and under
    the supervision of the Supplier.
