Security

Release date: Jul 19, 2021

Summary of Web Application Penetration Test

Gustav Technologies, Inc. shall continue to annually engage an independent third party to perform a web application penetration test. Upon Customer’s written request, Gustav Technologies, Inc. shall provide a summary of the findings to Customer. Gustav Technologies, Inc. shall address all medium, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Gustav Technologies, Inc. shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

Security Awareness Training

Gustav Technologies, Inc. shall provide annual Security Training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry standard topics which include, but are not limited to:

• The importance of information security and proper handling of personal information.

• Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction.

• Logical controls related to strong password selection/best practices.

• How to recognize social engineering attacks such as phishing.

Vulnerability Scan

Gustav Technologies, Inc. shall ensure that vulnerability scans are performed on servers continuously and network security scans are completed at a minimum annually, in each case using an industry standard vulnerability scanning tool.

Process-Level Requirements

a. Gustav Technologies, Inc. shall implement user termination controls that include access removal / disablement promptly upon termination of staff.

b. A documented change control process will be used to record and approve all major releases in Gustav Technologies, Inc.’s environment.

c. Gustav Technologies, Inc. shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.

Network Requirements

Gustav Technologies, Inc. shall use firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Customer Personal Data.

Hosting Requirements

Where Gustav Technologies, Inc. handles Customer Personal Data, servers shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Salesforce and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.

Cloud Environment Data Segregation: Gustav Technologies, Inc. will virtually segregate all Customer Personal Data in accordance with its established procedures. The Customer instance of Service may be on servers used by other non-Customer instances.

Application-Level Requirements

a. Gustav Technologies, Inc. shall maintain documentation on overall application architecture, process flows, and security features for applications handling Customer Personal Data.

b. Gustav Technologies, Inc. shall employ secure programming techniques and protocols in the development of applications handling Customer Personal Data.

c. Gustav Technologies, Inc. shall employ industry standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities prior to release.

Data-Level Requirements

a. Encryption and hashing protocols used for Customer Personal Data in transit and at rest shall support NIST approved encryption standards (e.g. SSH, TLS).

b. Gustav Technologies, Inc. shall ensure laptop disk encryption.

c. Gustav Technologies, Inc. shall ensure that access to information and application system functions is restricted to authorized personnel only.

d. Customer Personal Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems.

End User Computing Level Requirements

a. Gustav Technologies, Inc. shall employ an anti-virus solution with daily signature updates for end-user computing devices which connect to the Customer network or handle Customer Personal Data.

b. Gustav Technologies, Inc. will have a policy to prohibit the use of removable media for storing or carrying Customer Personal Data. Removable media include flash drives, CDs, and DVDs.

Compliance Requirements

a. Gustav Technologies, Inc. will, when and to the extent legally permissible, perform criminal background verification checks on all of its employees that provide Services to Customer prior to obtaining access to Customer Personal Data. Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.

b. Gustav Technologies, Inc. will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.

Shared Responsibility

Gustav Technologies, Inc.’s Service requires a shared responsibility model. For example, Customer must maintain controls over Customer user accounts (such as disabling/removing access when a Customer employee is terminated, establishing password requirements for Customer users, etc.).