Orgvue security provisions
Home > Legal > Terms and conditions > Orgvue security provisions
1.1 These Security Provisions apply to the provision of Orgvue when ordered by the Client.
1.2 The Client acknowledges that the Software together with the Client Data is, at the Client’s selection, hosted by the Subcontractor in the European Economic Area (“EEA”), North America or Australia. Supplier will not transfer Client Data outside of the Client’s selected region without prior written instruction from the Client.
1.3 The Software is multi-tenanted. Each Client shares the same software and physical architecture. Client Data is logically segregated and independently Encrypted using Client dedicated encryption keys.
Unless specified otherwise below, capitalised words and expressions contained with this document have the same meaning as set out in the Terms and Conditions:
2.1 Business Continuity Plan: Documented strategy identifying risk scenarios which could impact the ability of Supplier to maintain normal business operation, while defining Supplier’s response to managing those scenarios.
2.2 CREST: A not-for-profit accreditation and certification body providing internationally recognised accreditation for providers of penetration testing services.
2.3 Data Breach: A compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data transmitted, stored, or otherwise processed.
2.4 Disaster Recovery Plan: Supplier procedures to enable the recovery or continuation of technology infrastructure and systems required to deliver the Software.
2.5 Encrypted or Encryption: The process by which Client Data is converted into ciphertext to ensure secure transmission or storage.
2.6 IP Whitelisting: a security feature used to limit and control access from trusted IP addresses only.
2.7 Logs: logs record the outcome of every operation, inclusive of authentication and authorisation failures, by user identity, time and IP address, providing its owner or admin with an audit log of all changes, identifying who made each change, when, and the content of the change.
2.8 Multi-factor authentication: an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.
2.9 Multi-Tenanted: A single database architecture is shared by multiple Clients, in which encryption methods are used to logically segregate and independently encrypt Client Data, using Client dedicated encryption keys.
2.10 OWASP Top 10: is an awareness document for software developers and web application security, identifying the most critical security risks to web applications.
2.11 SAML 2.0: Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authentication and authorisation identities between security domains
2.12 Supplier Administrators: Supplier workers administering and supporting the infrastructure in provision of the Software.
2.13 Virtual Private Cloud (VPC): A cloud computing service that provides users with a virtual private cloud through the provision of a logically isolated section of a public cloud service provider’s network.
- Information Security Policies
3.1 Supplier maintains a suite of information security policies which together form an Information Security
Management System (“ISMS”). These policies are reviewed at least annually.
3.2 Supplier has an established management framework to initiate and control the implementation and operation of information security within the organization. This includes the allocation of resources necessary to operate, govern and continually improve the Information Security Management System.
- Human Resource Security
4.1 Supplier ensures all new employees and contractors are subject to background checks. These include:
4.1.1 A criminal record check;
4.1.2 Identity and right to work checks;
4.1.3 Professional references from at least two previous employers;
4.1.4 Proof of education and professional certifications.
4.2 Supplier ensures its employment contract includes confidentiality and intellectual property clauses as standard.
4.3 Supplier ensure all employees are assigned mandatory information security training at the start of their employment and are subject to formal annual information security refresher training.
4.4 Supplier maintains a formal employee disciplinary policy, the scope of which includes breach of information security policies.
- Asset Management
5.1 All Client Data is processed within the Client’s Tenant, unless otherwise agreed in writing from the Client.
5.2 Supplier will not remove Client Data from the Tenant without prior written instruction from the Client.
5.3 Supplier will not process Client Data on USB media.
5.4 Supplier maintains an asset inventory of all component systems used to process Client Data.
5.5 Supplier maintains an Information Classification, Labelling and Handling Policy. This policy applies the most sensitive classification to all Client Data.
5.6 Within three (3) months of the Agreement termination date, Supplier will securely delete all Client Data, in such a way that Client Data will no longer be recoverable.
5.7 Supplier will provide written confirmation of the destruction of Client Data on written request.
5.8 The Client may export or delete Client Data at any time through the Software.
5.9 The following controls will be in place at all times at Subcontractor data centre facilities:
5.10 All decommissioned hardware utilized in the processing of Client Data will be sanitized and physically destroyed in accordance with industry-standard practices.
5.11 Fire detection systems will utilize smoke detection sensors in all data centre environments.
5.12 Data centre electrical systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Uninterruptible Power Supply (UPS) units will provide back-up power in the event of an electrical
failure for critical and essential loads in the facilities.
- Access Control
6.1 Supplier maintains an organisational access control policy to govern access to Supplier systems, including those
which process or support the processing of Client Data.
6.2 Access right authorisation will be subject to a formal process, following the principle of least privilege.
6.3 Supplier ensures that Supplier employee accounts are disabled within 24 hours of employment termination date.
6.4 Supplier ensures that Multi-factor authentication is in place for all access by Supplier Administrators to Supplier systems processing Client Data.
6.5 Supplier provides support for SAML 2.0, to enable Clients to implement Single Sign-On (SSO) for authentication to their Tenant.
6.6 The Software supports role-based and attribute-based access control models. The allocation of user privileges to the Software must be managed via the Software and is not supported through SAML integration.
6.7 Supplier employees will not access Client Data without the prior written authorisation of the Client. In combination with this written authorisation, a Client Administrator will also be required to provision a Supplier User account within the Tenant, to enable Supplier access. Such permissions may be revoked by the Client at any time.
6.8 The Client is responsible for all User Management including:
6.9 The set up and ongoing management of all users access to the Tenant.
6.10 Ensuring users are granted appropriate permission to access the Software and Client Data.
6.11 Ensuring access privileges are removed from those users who are no longer authorised to access the Software, for example as a consequence of leaving the Client’s employment or moving department.
6.12 Managing and assigning workers from Supplier who may be required by the Client to assist on specific engagements. Such Supplier worker access is solely the responsibility of the Client to control.
7.1 All Client Data transmitted over any network is Encrypted using TLS 1.2 or better.
7.2 All Client Data is Encrypted at rest using AES-256 (GCM) at the file system level.
7.3 For management of encryption keys used to encrypt Client Data, Supplier will use the AWS Key Management Service (KMS ) which stores and generates master keys on FIPS 140-2 validated Hardware Security Modules (HSMs).
7.4 Master keys will only be used inside these HSM devices and the master keys will never leave such devices unencrypted.
7.5 Master keys will be rotated annually.
7.6 Neither Supplier nor Supplier subcontractor(s) will have access to Client Data master encryption keys.
- Physical and Environmental Security
8.1 In relation to the subcontractor’s datacentres, Supplier shall ensure that the subcontractor:
8.2 Controls and restricts physical access to areas where Client Data is stored to authorised personnel, utilising full authentication controls to validate access (e.g. access control cards).
8.3 Promptly revokes physical access rights when no longer required.
8.4 Requires authorised personnel to utilise multi-factor authentication mechanisms to access hosting data centre floors.
8.5 Securely maintains audit trails (including access dates and times) of all access to data centre floors.
8.6 Monitors all physical ingress and egress points of data centre points utilising video cameras and recording devices. Recordings shall be stored by the subcontractor for a minimum of 10 working days.
- Operations Security
9.1 Supplier shall ensure that:
9.2 Weekly reviews of operating system and web application vulnerability scans are conducted.
9.3 Production, testing and development environments are logically separated.
9.4 Production Client Data is never processed in non-production environments.
9.5 Server instances processing Client Data will have active anti-malware services and host-based IDS (Intrusion Detection Services).
9.6 Anti-malware and host-based IDS services are updated daily.
9.7 Client Data will be subject to daily backup and retained for 30 days, within the same geographical region as the Client’s Tenant.
9.8 Client Data processed in backup services will be encrypted at rest via AES-256 (GCM).
9.9 Software Logs are retained within the Tenant, with access to the Logs controlled by the Client . These Logs are retained for the lifetime of the Tenant.
9.10 Supplier will collect, consolidate, and review security event Logs from server instances and infrastructure services involved in the provision of the Software. These Logs will not contain Client Data and shall be retained for a minimum of 12 months. Such Logs are not available to the Client due to the multi-tenant architecture of the
Software. Appropriate summary information may be made available in the event of a Data Breach.
9.11 Server instances processing Client Data will have security patch installed within two weeks of vendor release.
9.12 Security patches which Supplier deems emergency and/or critical will be installed to address immediate threats on an expedited basis, according to the severity of the threat.
- Communication Security
10.1 The Supplier shall ensure that:
10.2 The public cloud service provider network for the Software is isolated via multiple independent VPCs (Virtual Private Clouds) interconnected via VPC endpoints and exposing only HTTPS TLS 1.2 to the public internet for Client facing services.
10.3 A threat detection service with automated alerting to Supplier Administrators operates on the Software within the VPC using machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
10.4 Client Data is not transferred via Email.
10.5 IP Whitelisting is supported to restrict traffic to Orgvue from trusted source networks as identified by the Client.
- System Acquisition, Development and Maintenance
11.1 Supplier maintains an organisational software development policy to govern the development and maintenance
of Software. This policy is available to the Client on written request.
11.2 Supplier Administrators have access only to the necessary source code repositories to support the work they are active on. Identity and Access Management (IAM) roles are used by the build and configuration management services for provisioning and maintenance.
11.3 Supplier shall complete static and dynamic source code analysis in combination with manual code reviews and approval.
11.4 Supplier shall ensure all Software releases pass through logically separate quality assurance and staging environments, before being released into production.
11.5 Supplier shall subject = Software to independent web application penetration testing at least annually. Tests are conducted by CREST certified external resources. An executive summary of these reports is available to the Client on written request.
11.6 All Software development is aligned to OWASP Top 10 documentation and guidance.
- Supplier Relationships
12.1 All third party suppliers are subject to information security risk assessments and approval before onboarding. Supplier shall monitor and reassess all third-party suppliers on an on-going basis.
12.2 Formal agreements including confidentiality obligations, are included in all Supplier agreements.
- Information Security Incident Management
13.1 Supplier maintains a formal incident management policy incorporating root cause analysis and corrective action remediation.
13.2 In the event that Supplier experiences a Data Breach affecting Client Data, Supplier shall notify the Client within
24 hours after Supplier becomes aware of the Data Breach. In the event of any Data Breach, Client shall have sole control over the timing, content and method of notification to its employees, Clients and third parties.
- Information Security Aspect of Business Continuity Management
14.1 Supplier shall maintain a Business Continuity Plan for restoring critical business functions, including availability of Software and Client Data. This policy is available to Clients on request.
14.2 Supplier shall test its Business Continuity Plan on an annual basis.
14.3 The Software is hosted in a highly resilient public cloud service provider infrastructure, providing geographical data centre fault tolerance. Failover between data centres is automated.
14.4 Supplier will be responsible for backup and preservation of Client Data. All backup copies of Client Data shall be treated as Client Confidential Information and will be encrypted at rest via AES-256 (GCM).
14.5 Supplier will maintain a Disaster Recovery Plan and perform disaster recovery restore testing on a six-monthly basis.
15.1 Supplier is ISO 27001, ISO 27018 and CSA STAR Level 2 certified. These certifications require annual independent audit of Supplier’s ISMS by the certification bodies.
15.2 Supplier agrees the Client may, upon reasonable prior written notice, perform vulnerability assessments using industry standard tools and manual techniques to assess the security of Software provided by Supplier in connection with the services provided to the Client. Client agrees, in relation to vulnerability assessments it
conducts, that the following shall apply. Assessments:
15.3 Shall be limited to the Software and not the underlying public cloud service provider services or infrastructure.
15.4 Will be performed by authorised cyber security professionals agreed between the parties in advance of the vulnerability assessment taking place.
15.5 Results or other related information shall be treated as Usage Data, unless disclosure is otherwise required by Applicable Law.
15.6 The authorised cyber security professionals may work with Supplier to manually validate findings on production
and test systems in order to reduce false positives. The authorised cyber security professional(s) may also contact Supplier’s designated IT security program manager should any additional information or work be required as part of vulnerability assessment.
15.7 Supplier will be notified by Client of any major security vulnerabilities without undue delay.
15.8 Upon at least twenty (20) Working Days advanced written notice from the Client and written confirmation from the Supplier, Supplier shall grant to the Client (or a third party on Client’s behalf and reasonably approved by Supplier) permission to perform a remote or on-site assessment of Supplier’s information security management system, in order to ensure compliance with these Security Provisions. Such compliance assessment will be performed at the Client’s expense, conducted in a way to minimise disruption to the Supplier’s business and under the supervision of the Supplier.