Information Protection and Security Standards Addendum
DOUBLE THE DONATION
INFORMATION PROTECTION AND SECURITY STANDARDS
This document constitutes the Information Protection and Security Standards schedule (the “IPSS”) attached to that certain Master Terms and Conditions (the “MSA”) made by and between Impact Ventures, LLC (d/b/a Double the Donation) (the “Provider”) and the client organization listed on the signature page to the MSA (the “Client”). All terms used and not otherwise defined herein, shall have the meanings ascribed to them in the MSA.
The Provider relies on Microsoft Azure and Double the Donation leverages the comprehensive and state-of-the-art security capabilities provided by Microsoft.
The Provider has defined an information security program implementing, in accordance with International Organization for Standardization (ISO), policies, procedures, administrative and technical safeguards to minimize security risks, through risk assessment, and to protect its customers’ data against accidental or unlawful loss, access or disclosure or other misuse.
As used herein, “Customer Data” means any personal data that Provider processes on behalf of the Client via the Services, as more particularly described in the MSA.
For more information on our security practices and reporting, see our Trust Center, which is subject to change, from time to time, by notice.
The information security program includes the following measures:
INFORMATION SECURITY ORGANIZATION AND POLICIES
The Provider has implemented and maintains an Information Security Management System (ISMS) and a comprehensive information security program which is documented, available, and communicated to employees and subcontractors.
The effectiveness of the information security program is regularly monitored and reviewed, and, in any event, at least annually. Adjustments and strengthening are applied as appropriate, based on the results of such monitoring, as well as in response to operational changes that may affect the ISMS.
HUMAN RESOURCES SECURITY
The Provider has implemented and maintains appropriate measures to ensure that personnel (employees and contractors) involved in the processing of Customer Data are authorized with a need to access the data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection and handling of Customer Data.
The Provider has implemented and maintains an acceptable use policy for Provider personnel usage of the Provider’s devices, systems, and infrastructure, as well as management of customer information, including Customer Data. The Provider monitors policy compliance and will take appropriate action in response to violations.
An Information Security Awareness Program (ISAP) is defined in relation to the handling and protection of Customer Data and to compliance with the ISMS so that personnel are aware of established information security policies and security rules. Such ISAP provides initial education, on-going awareness and addresses the evolving non-technical security threats introduced by human behavior as well as data protection regulations.
The Provider ensures that access to Customer Data is revoked immediately upon termination or when access is no longer required for personnel involved in the processing of Customer Data.
The Provider ensures that personnel involved in the Customer Data processing are screened, to the extent permitted under applicable law, in accordance with industry best practices for performing criminal background screening.
PHYSICAL SECURITY
Policies and procedures, and supporting business processes, are in place for maintaining a safe and secure working environment in the Provider’s offices and to control physical access.
The Provider relies on Microsoft who is responsible, in accordance with Azure facilities, premises, and physical security policies (available at https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security), for implementing controls for physical security of data center facilities, backup media, and other physical systems, providing comprehensive and state-of-the-art security capabilities.
ACCESS CONTROL
The Provider has implemented and maintains access control processes and mechanisms to prevent unauthorized access to Customer Data and to limit access only to authorized personnel with a business need to know. Such processes and mechanisms are supported by an enterprise-grade password manager centrally managed for the most relevant Provider systems and internal applications and include password configuration and management procedures for all end user and system accounts related to the processing environment following recognized industry best practices for password length, structure and rotation.
The access to Customer Data is achieved by means of authenticated individual accounts and is limited solely to personnel which need access to perform specific responsibilities or functions in support of the Services.
Administrator accounts are used only for the purpose of performing administrative activities, and each account is traced to a uniquely-identifiable individual and two-factor authentication is required for access to the Provider platforms’ control plane and other critical resources.
Accounts are disabled upon personnel termination or change of roles and responsibilities, and it is an established and maintained process to periodically review access controls.
APPLICATION USER ACCESS
The Provider provides advanced access mechanisms with appropriate control over application features and data allowing configuring user access restrictions as stated in the specific Provider service documentation.
Users are required to verify their login using unique credentials (username and password) and anonymous logins are not permitted.
The Provider allows the configuration of different levels of password complexity, following National Institute of Standards and Technology (NIST) best practice recommendations.
DATA SEGMENTATION
The Provider has implemented and maintains logical data segregation to ensure Customer Data is not viewable by unauthorized users and that the Client can access its data set only.
DATA DESTRUCTION
The Provider relies on Azure for data destruction and can only perform logical deletion.
Deleted Customer Data is rendered unreadable or disabled by Azure and the underlying storage areas on the Azure network that were used to store the content are wiped, prior to being reclaimed and overwritten, in accordance with Azure standard policies and deletion timelines.
Azure procedures also include a secure decommissioning process conducted prior to disposal of storage media used to provide the Azure services. As part of that process, storage media is degaussed or erased and physically destroyed or disabled in accordance with industry standard practices.
DATA ENCRYPTION
Cryptography: The Provider utilizes encryption key management services and encryption algorithms which are auditable, aligned with industry standards, in wide use and meet the following minimums:
- For symmetric encryption: key length of at least 256 bits;
- For asymmetric encryption: key length of at least 2048 bits;
- Elliptic curve systems 224-bit ECC or higher; and
- Hashing algorithms: SHA2 or SHA256 or better.
Data in transit: Access to the Provider’s platform can be limited to connecting only through SSL/HTTPS secure connections.
Data at rest: Encryption at the storage level is provided by leveraging the capability of Azure to store the file with 256-bit AES encryption and by leveraging Azure for the RDS database volume encryption.
MALICIOUS CODE PROTECTION
The Provider has implemented and maintains an antivirus solution on all workstations.
BACKUP
The Provider provides a state-of-art backup policy for Customer Data.
The frequency of the backup policies vary, based on the specific Provider Service and the service type subscribed for in the Agreement, and may range from a daily basis up to three (3) or more complete backup jobs per day.
Backups are subject to recurring integrity tests, performed at least once per year, in order to ensure that the backups are correct, complete, and recoverable.
Backups are kept for varying lengths of time depending on service requirements and are encrypted at rest.
DESKTOP AND LAPTOP SECURITY
The Provider has implemented and maintains desktop and laptop system administration procedures that meet or exceed industry standards including automatic operating system patching and upgrading, anti-virus software and hard drive encryption.
SERVER AND SYSTEM SECURITY
The Provider has implemented and maintains system administration procedures that meet or exceed industry standards including system and device patching processes and system hardening based on pre-configured virtual machine image secured baseline.
NETWORK SECURITY
The Provider relies on Azure WAF v2 IDS/IPS who is responsible for implementing data center network security providing comprehensive and state-of-the-art security capabilities.
The Provider has implemented and maintains technical measures designed to meet or exceed industry standards aimed to monitor, detect, and prevent malicious network activity on the network infrastructures under its control and management responsibility.
The Provider ensures that firewalls, network routers, switches, load balancers, domain name servers, mail servers, and other network components of the network infrastructures under its control and management responsibility are configured and secured in accordance with commercially reasonable industry standards.
EVENT LOGGING AND MONITORING
The Provider has implemented and maintains systems event logging procedures designed to meet or exceed industry standards in the detection, investigation and response to suspicious activity in a timely manner. The Provider relies on Azure Security Center for these capabilities.
THREATS AND VULNERABILITIES MANAGEMENT
The Provider has implemented and maintains a threat and vulnerability management program to continuously monitor for vulnerabilities in the Provider’s platform that are acknowledged by vendors, reported by researchers, or discovered through the scheduling and execution of internal and external vulnerability scans and penetration tests.
Identified vulnerabilities are assessed to evaluate the associated risks, and the appropriate remediation actions are carried out according to the established change management policy with the assigned priority.
PATCH MANAGEMENT
The Provider has implemented and maintains patch management procedures that meet or exceed industry standards and that require patches to be prioritized, tested and installed based upon criticality for all systems which are part of the Provider’s platform.
Patches will be installed according to the Provider’s change management policy with the assigned priority and scheduling based on assessed risk and operational criteria defined by the Provider, after being previously tested and evaluated to avoid adverse side effects.
SYSTEM DEVELOPMENT AND MAINTENANCE
The Provider has implemented and maintains a secure development lifecycle (SDLC) methodology to govern the acquisition, development, implementation, configuration, maintenance, modification, and management of infrastructure and software components of the Provider’s platform.
The SDLC includes procedures for user involvement, testing, conversion, and management approvals of system features that are designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications, NIST) and at minimum address OWASP top 10 vulnerabilities.
The developed code is reviewed and validated by at least one other developer against the security requirements and coding guidelines and a static and dynamic code/program analysis are conducted as appropriate or when and if available prior the release on production.
CHANGE MANAGEMENT
The Provider has implemented and maintains a change management program that meets or exceeds industry standards including, without limitation, maintenance, patches, data formatting changes, new deployments of code or systems, or for any work to restore services as the result of an Incident, where as “incidents” are intended events that are not part of the standard operation of the Services and cause an interruption to, or a reduction in, the quality of the Services, or events causing integrity or confidentiality issues on Customer Data or security incidents.
A systematic approach with a division of roles and responsibilities is applied to managing change and ensuring that changes of any Provider functionality are reviewed, tested and approved. Development, testing and implementation are segmented functions within the process and a dedicated environment separate from production is maintained for development and testing activities. Change management standards are based on established guidelines and tailored to the specifics of each change request.
INCIDENT MANAGEMENT
The Provider has implemented and maintains policies and procedures for identifying, acting upon, remediating and reporting incidents, where as “incidents” are intended events that are not part of the standard operation of the Services and cause an interruption to, or a reduction in, the quality of the Services, or events causing integrity or confidentiality issues on Customer Data or security breaches. All incidents that are required by law to be reported by the Provider to the Client will be so reported within the timeframes that are required by applicable law, and, in any event, promptly and without undue delay.
BUSINESS CONTINUITY AND DISASTER RECOVERY
The Provider has implemented and maintains a Business Continuity and Disaster Recovery Program that meets or exceeds industry standards and that provides a formal framework and methodology, including without limitation, a business impact analysis, risk assessment process to identify and prioritize critical business functions and define appropriate contingency plans.
The Provider will update the operability of any applicable contingency plan and test its Disaster Recovery Plan at least annually.
VULNERABILITY ASSESSMENT AND PENETRATION TEST
The Provider will conduct at least once per year an application vulnerability assessment and penetration tests (“VAPT”) by use of an external company and have a process in place to manage and remediate any newly found vulnerabilities.
The Provider will provide the details of its VAPT report to the Client, upon the Client’s request.