Cloud Security Policy

Edsembli's Cloud Security Policy

This Cloud Security Policy (“Security Policy”) is incorporated into the Services Agreement and forms part of the written agreement between you and Edsembli.  The Security Policy defines the security policies and measures that apply to the Hosted Services that you subscribed for in the Services Agreement.  The Security Policy may reference other Edsembli agreements or policy documents. 

Terms not otherwise defined herein shall have the meaning ascribed to such term in the General Terms and Conditions applicable to your Order.

 

1. General Security Practices

1.1. Purpose.  Edsembli’s security controls, practices and procedures are designed to protect the confidentiality, integrity, and availability of Customer Data within the Hosted Services environment.  This includes the protection of Customer Data from any loss, destruction or unauthorized processing activities.

 

1.2. Codes and Standards.  Hosted Services are compliant with the following recognized codes and standards: 

  • ISO/IEC 27002 Code of Practice for information security controls, from which a comprehensive set of controls are selected; and 
  • National Institute of Standards and Technology 800-53 and 800-171.

1.3. Applicability.  This Security Policy is applicable to your use of the Hosted Services.  Edsembli personnel (including employees, contractors, and temporary employees) are subject to internal Edsembli information security controls, practices, procedures and any additional policies that govern their employment or services they provide to Edsembli. 

 

1.4. Approach.  The Security Policy is part of a comprehensive approach to data and information security that encompasses complementary network, operating system, database, and software security controls, practices and procedures for the purpose of establishing a foundation of strong internal controls, governance, and oversight. 

 

1.5. Your Responsibilities.  You are responsible for maintaining appropriate security, protection, and backup of Customer Data, which may include the use of encryption technology to protect Customer Data from unauthorized access and routine archiving. 

 

1.6. Maintenance of Security Policies.  Edsembli evaluates its security controls, practices and procedures on a continual basis and will update the Security Policy as required.

 

2. Physical Security Measures

2.1. Internal and External Measures.  Physical security measures applicable to Edsembli controlled locations and third-party data centres utilized by Edsembli may include:

  • the restriction of physical access to certain personnel;
  • physical and video monitoring of the premises;
  • the use of employee identification and access cards and visitor access cards; and
  • the use of biometric safeguards to control access to hardware, software and sensitive information.

2.2. Edsembli Controlled Locations.  Edsembli employs measures designed to prevent unauthorized persons from gaining access to computing facilities within Edsembli office locations.  These measures may include the use of:

  • office building security measures such as timed locks on entrance doors; 
  • designated secured areas; 
  • security personnel; and
  • video monitoring.

2.3. Third Party Data Centres.  Edsembli ensures that any third-party data centres that it utilizes employ physical safeguards such as:

  • video monitoring;
  • security personnel to monitor building entrances;
  • network cables protected from public areas; and
  • physical barriers on building grounds.

2.4. Your Locations.  The Security Policy does not apply to your locations.  You are responsible for the security of your own facilities and network connections used to access the Hosted Services.

 

3. System Access Controls

The following system access controls may be utilized as part of Edsembli’s security controls, practices and procedures:

  • User authentication via passwords and/or multi-factor authentication;
  • documented authorization and change management processes; and 
  • logging of access.

For service components managed by Edsembli, Edsembli’s access to Customer Data is restricted to authorized staff.

 

4. User Encryption

Your access to Hosted Services is through a secure communication protocol provided by Edsembli.  If access is through a Transport Layer Security (TLS) enabled connection, that connection is negotiated for at least 128-bit encryption. The private key used to generate the cipher key is at least 2048 bits.  TLS is implemented or configurable for all web-based TLS-certified applications deployed at Edsembli.  It is recommended that the latest available browsers certified for Edsembli programs, which are compatible with higher cipher strengths and have improved security, be utilized for connecting to web-enabled programs.  The list of certified browsers for each version of Hosted Services will be made available via a portal accessible to you or in the corresponding Service Description for the Hosted Services. In some cases, a third-party site that you wish to integrate with the Hosted Services, such as a social media service, may not accept an encrypted connection.  For Hosted Services where HTTP connections with the third-party site are permitted by Edsembli, Edsembli will enable such HTTP connections in addition to the HTTPS connection.

 

5. Input Control

The collection and storage of Customer Data is under your control and responsibility.  You are also responsible for the transfer of Customer Data into the Hosted Services environment.

 

6. Data and Network Segregation

Customer Data is logically or physically segregated from the content of other customers processed within the Hosted Services environment.

 

7. Confidentiality and Training

All Edsembli personnel that have access to Customer Data are subject to confidentiality agreements and are required to complete information-protection awareness training.  Thereafter, all Edsembli personnel that have access to Customer Data are required to act in accordance with applicable Edsembli security and privacy controls, policies and procedures.

 

8. Internal Security Reviews and Enforcement

Edsembli employs internal processes for regularly testing, assessing, evaluating and maintaining the effectiveness of the technical and organizational security measures described in the Security Policy.

 

9. External Audits

Edsembli may conduct independent audits of the Hosted Services environment in the following areas:

  • SOC 1 (based on Statement on Standards for Attestation Engagements (SSAE) No. 18) and/or SOC 2 reports; and 
  • other independent third-party security testing to review the effectiveness of administrative and technical controls.  The reports resulting from the reviews or audits may be made available to customers.

10. Security Logs

Security Logs are generated for security-relevant activities on operating systems.  Edsembli systems are configured to log default security activities, access to information or programs, system events such as alerts, console messages, and system errors.  Edsembli reviews the Security Logs for forensic purposes and incidents.  The Security Logs are retained online for a minimum of ninety (90) days, or as otherwise required by an applicable regulatory framework.

 

11. Your Other Security Related Obligations

You are responsible for:

  • implementing your own comprehensive system of security and operational policies, controls, practices and procedures that are appropriate for your organization and industry; 
  • ensuring that User devices meet web browser requirements and minimum network bandwidth requirements for accessing the Hosted Services;
  • managing customer device security controls, so that antivirus and malware checks are performed on Customer Data or files before importing or uploading them into the Hosted Services environment; and
  • maintaining User accounts according to your policies and security best practices.
