orgvue security provisions
1.1 These Security Provisions apply to the provision of orgvue when ordered by the Client.
1.2 The Client acknowledges that the Software together with the Client Data is, at the Client’s selection, hosted by the
Subcontractor in the European Economic Area (“EEA”), North America or Australia. Supplier will not transfer
Client Data outside of the Client’s selected region without prior written instruction from the Client.
1.3 The Software is multi-tenanted. Each Client shares the same software and physical architecture. Client Data is
logically segregated and independently Encrypted using Client dedicated encryption keys.
Unless specified otherwise below, capitalised words and expressions contained within this document have the same
meaning as set out in the Terms and Conditions:
2.1 Business Continuity Plan: Documented strategy identifying risk scenarios which could impact the ability of
Supplier to maintain normal business operation, while defining Supplier’s response to managing those scenarios.
2.2 CREST: A not-for-profit accreditation and certification body providing internationally recognised accreditation for
providers of penetration testing services.
2.3 Data Breach: A compromise of security that leads to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, Client Data transmitted, stored, or otherwise processed.
2.4 Disaster Recovery Plan: Supplier procedures to enable the recovery or continuation of technology infrastructure
and systems required to deliver the Software.
2.5 Encrypted or Encryption: The process by which Client Data is converted into ciphertext to ensure secure
transmission or storage.
2.6 IP Whitelisting: A security feature used to limit and control access so that only trusted IP addresses are permitted.
2.7 Logs: Records of the outcome of every operation, inclusive of authentication and authorisation failures, by user
identity, time and IP address, providing the owner or administrator with an audit log of all changes, identifying who made
each change, when, and the content of the change.
2.8 Multi-factor authentication: An authentication method in which a user is granted access only after successfully
presenting two or more pieces of evidence (or factors) to an authentication mechanism.
2.9 Multi-Tenanted: A single database architecture is shared by multiple Clients, in which encryption methods are
used to logically segregate and independently encrypt Client Data, using Client dedicated encryption keys.
2.10 OWASP Top 10: An awareness document for software developers and web application security, identifying the
most critical security risks to web applications.
2.11 SAML 2.0: Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging
authentication and authorisation identities between security domains.
2.12 Supplier Administrators: Supplier workers administering and supporting the infrastructure in provision of the
2.13 Virtual Private Cloud (VPC): A cloud computing service that provides users with a virtual private cloud through
the provision of a logically isolated section of a public cloud service provider’s network.
OrgVue – Page 2 of 6
- Information Security Policies
3.1 Supplier maintains a suite of information security policies which together form an Information Security
Management System (“ISMS”). These policies are reviewed at least annually.
3.2 Supplier has an established management framework to initiate and control the implementation and operation of
information security within the organization. This includes the allocation of resources necessary to operate, govern
and continually improve the Information Security Management System.
- Human Resource Security
4.1 Supplier ensures all new employees and contractors are subject to background checks. These include:
4.1.1 A criminal record check;
4.1.2 Identity and right to work checks;
4.1.3 Professional references from at least two previous employers;
4.1.4 Proof of education and professional certifications.
4.2 Supplier ensures its employment contract includes confidentiality and intellectual property clauses as standard.
4.3 Supplier ensures all employees are assigned mandatory information security training at the start of their
employment and are subject to formal annual information security refresher training.
4.4 Supplier maintains a formal employee disciplinary policy, the scope of which includes breach of information
- Asset Management
5.1 All Client Data is processed within the Client’s Tenant, unless otherwise agreed in writing from the Client.
5.2 Supplier will not remove Client Data from the Tenant without prior written instruction from the Client.
5.3 Supplier will not process Client Data on USB media.
5.4 Supplier maintains an asset inventory of all component systems used to process Client Data.
5.5 Supplier maintains an Information Classification, Labelling and Handling Policy. This policy applies the most
sensitive classification to all Client Data.
5.6 Within three (3) months of the Agreement termination date, Supplier will securely delete all Client Data, in such a
way that Client Data will no longer be recoverable.
5.7 Supplier will provide written confirmation of the destruction of Client Data on written request.
5.8 The Client may export or delete Client Data at any time through the Software.
5.9 The following controls will be in place at all times at Subcontractor data centre facilities:
5.10 All decommissioned hardware utilized in the processing of Client Data will be sanitized and physically destroyed
in accordance with industry-standard practices.
5.11 Fire detection systems will utilize smoke detection sensors in all data centre environments.
5.12 Data centre electrical systems are designed to be fully redundant and maintainable without impact to operations,
24 hours a day. Uninterruptible Power Supply (UPS) units will provide back-up power in the event of an electrical
failure for critical and essential loads in the facilities.
- Access Control
6.1 Supplier maintains an organisational access control policy to govern access to Supplier systems, including those
which process or support the processing of Client Data.
6.2 Access right authorisation will be subject to a formal process, following the principle of least privilege.
6.3 Supplier ensures that Supplier employee accounts are disabled within 24 hours of employment termination date.
6.4 Supplier ensures that Multi-factor authentication is in place for all access by Supplier Administrators to Supplier
systems processing Client Data.
6.5 Supplier provides support for SAML 2.0, to enable Clients to implement Single Sign-On (SSO) for authentication
to their Tenant.
6.6 The Software supports role-based and attribute-based access control models. The allocation of user privileges to
the Software must be managed via the Software and is not supported through SAML integration.
6.7 Supplier employees will not access Client Data without the prior written authorisation of the Client. In combination
with this written authorisation, a Client Administrator will also be required to provision a Supplier User account
within the Tenant, to enable Supplier access. Such permissions may be revoked by the Client at any time.
6.8 The Client is responsible for all User Management including:
6.9 The set-up and ongoing management of all users' access to the Tenant.
6.10 Ensuring users are granted appropriate permission to access the Software and Client Data.
6.11 Ensuring access privileges are removed from those users who are no longer authorised to access the Software,
for example as a consequence of leaving the Client’s employment or moving department.
6.12 Managing and assigning workers from Supplier who may be required by the Client to assist on specific
engagements. Such Supplier worker access is solely the responsibility of the Client to control.
7.1 All Client Data transmitted over any network is Encrypted using TLS 1.2 or better.
7.2 All Client Data is Encrypted at rest using AES-256 (GCM) at the file system level.
7.3 For management of encryption keys used to encrypt Client Data, Supplier will use the AWS Key Management
Service (KMS), which stores and generates master keys on FIPS 140-2 validated Hardware Security Modules (HSMs).
7.4 Master keys will only be used inside these HSM devices and will never leave such devices.
7.5 Master keys will be rotated annually.
7.6 Neither Supplier nor Supplier subcontractor(s) will have access to Client Data master encryption keys.
- Physical and Environmental Security
8.1 In relation to the subcontractor's data centres, Supplier shall ensure that the subcontractor:
8.2 Controls and restricts physical access to areas where Client Data is stored to authorised personnel, utilising full
authentication controls to validate access (e.g. access control cards).
8.3 Promptly revokes physical access rights when no longer required.
8.4 Requires authorised personnel to utilise multi-factor authentication mechanisms to access hosting data centre
8.5 Securely maintains audit trails (including access dates and times) of all access to data centre floors.
8.6 Monitors all physical ingress and egress points of the data centres utilising video cameras and recording
devices. Recordings shall be stored by the subcontractor for a minimum of 10 working days.
- Operations Security
9.1 Supplier shall ensure that:
9.2 Weekly reviews of operating system and web application vulnerability scans are conducted.
9.3 Production, testing and development environments are logically separated.
9.4 Production Client Data is never processed in non-production environments.
9.5 Server instances processing Client Data will have active anti-malware services and host-based IDS (Intrusion Detection System) services.
9.6 Anti-malware and host-based IDS services are updated daily.
9.7 Client Data will be subject to daily backup and retained for 30 days, within the same geographical region as the
9.8 Client Data processed in backup services will be encrypted at rest via AES-256 (GCM).
9.9 Software Logs are retained within the Tenant, with access to the Logs controlled by the Client. These Logs are
retained for the lifetime of the Tenant.
9.10 Supplier will collect, consolidate, and review security event Logs from server instances and infrastructure services
involved in the provision of the Software. These Logs will not contain Client Data and shall be retained for a
minimum of 12 months. Such Logs are not available to the Client due to the multi-tenant architecture of the
Software. Appropriate summary information may be made available in the event of a Data Breach.
9.11 Server instances processing Client Data will have security patches installed within two weeks of vendor release.
9.12 Security patches which Supplier deems emergency and/or critical will be installed to address immediate threats
on an expedited basis, according to the severity of the threat.
- Communication Security
10.1 The Supplier shall ensure that:
10.2 The public cloud service provider network for the Software is isolated via multiple independent VPCs (Virtual
Private Clouds) interconnected via VPC endpoints and exposing only HTTPS TLS 1.2 to the public internet for
Client facing services.
10.3 A threat detection service with automated alerting to Supplier Administrators operates on the Software within the
VPC using machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize
10.4 Client Data is not transferred via Email.
10.5 IP Whitelisting is supported to restrict traffic to orgvue from trusted source networks as identified by the Client.
- System Acquisition, Development and Maintenance
11.1 Supplier maintains an organisational software development policy to govern the development and maintenance
of Software. This policy is available to the Client on written request.
11.2 Supplier Administrators have access only to the necessary source code repositories to support the work they are
active on. Identity and Access Management (IAM) roles are used by the build and configuration management
services for provisioning and maintenance.
11.3 Supplier shall complete static and dynamic source code analysis in combination with manual code reviews and
11.4 Supplier shall ensure all Software releases pass through logically separate quality assurance and staging
environments, before being released into production.
11.5 Supplier shall subject the Software to independent web application penetration testing at least annually. Tests are
conducted by CREST certified external resources. An executive summary of these reports is available to the
Client on written request.
11.6 All Software development is aligned to OWASP Top 10 documentation and guidance.
- Supplier Relationships
12.1 All third party suppliers are subject to information security risk assessments and approval before onboarding.
Supplier shall monitor and reassess all third-party suppliers on an on-going basis.
12.2 Formal agreements, including confidentiality obligations, are included in all Supplier agreements.
- Information Security Incident Management
13.1 Supplier maintains a formal incident management policy incorporating root cause analysis and corrective action
13.2 In the event that Supplier experiences a Data Breach affecting Client Data, Supplier shall notify the Client within
24 hours after Supplier becomes aware of the Data Breach. In the event of any Data Breach, Client shall have
sole control over the timing, content and method of notification to its employees, Clients and third parties.
- Information Security Aspect of Business Continuity Management
14.1 Supplier shall maintain a Business Continuity Plan for restoring critical business functions, including availability of
Software and Client Data. This policy is available to Clients on request.
14.2 Supplier shall test its Business Continuity Plan on an annual basis.
14.3 The Software is hosted in a highly resilient public cloud service provider infrastructure, providing geographical
data centre fault tolerance. Failover between data centres is automated.
14.4 Supplier will be responsible for backup and preservation of Client Data. All backup copies of Client Data shall be
treated as Client Confidential Information and will be encrypted at rest via AES-256 (GCM).
14.5 Supplier will maintain a Disaster Recovery Plan and perform disaster recovery restore testing on a six-monthly
15.1 Supplier is ISO 27001, ISO 27018 and CSA STAR Level 2 certified. These certifications require annual
independent audit of Supplier’s ISMS by the certification bodies.
15.2 Supplier agrees the Client may, upon reasonable prior written notice, perform vulnerability assessments using
industry standard tools and manual techniques to assess the security of Software provided by Supplier in
connection with the services provided to the Client. Client agrees, in relation to vulnerability assessments it
conducts, that the following shall apply. Assessments:
15.3 Shall be limited to the Software and not the underlying public cloud service provider services or infrastructure.
15.4 Will be performed by authorised cyber security professionals agreed between the parties in advance of the
vulnerability assessment taking place.
15.5 Results or other related information shall be treated as Usage Data, unless disclosure is otherwise required by
15.6 The authorised cyber security professionals may work with Supplier to manually validate findings on production
and test systems in order to reduce false positives. The authorised cyber security professional(s) may also contact
Supplier's designated IT security program manager should any additional information or work be required as part
of the vulnerability assessment.
15.7 Supplier will be notified by Client of any major security vulnerabilities without undue delay.
15.8 Upon at least twenty (20) Working Days' advance written notice from the Client and written confirmation from the
Supplier, Supplier shall grant to the Client (or a third party on Client's behalf and reasonably approved by
Supplier) permission to perform a remote or on-site assessment of Supplier’s information security management
system, in order to ensure compliance with these Security Provisions. Such compliance assessment will be
performed at the Client’s expense, conducted in a way to minimise disruption to the Supplier’s business and under
the supervision of the Supplier.