Security Program Addendum

Effective as of January 17, 2023

Power Accelerate has implemented and shall maintain a commercially reasonable information security program, which shall include technical and organizational measures designed to ensure an appropriate level of security for Customer and Other Data taking into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer or Other Data, and the nature of the Customer or Other Data to be protected having regard to the state of the art and the cost of implementation. This document communicates the security program applicable to the Power Accelerate Service, in accordance with Power Accelerate’s Terms of Service or Master Service Agreement as applicable (collectively, the “Agreement”). Except as otherwise modified or defined herein, capitalized terms shall have the same meaning as in the Agreement.

1. Security Program.

1.1. Information Security Management System (ISMS). Power Accelerate shall maintain an ISMS risk-based security program to systematically manage and protect the organization’s business information and the information of its customers and partners.

1.2. Security Governance Committee. Power Accelerate shall maintain a security committee comprised of leaders across business units that oversees the company’s security program. This committee shall meet regularly to review the operational status of the ISMS (including risks, threats, remediation actions, and other security-related issues) and drive continuous security improvement throughout the business. 

1.3. Security Incident Response Policy. Power Accelerate shall maintain policies and procedures to (1) investigate and respond to security incidents, including procedures to assess the threat of relevant vulnerabilities or security incidents using defined incident classifications and categorizations and (2) establish remediation and mitigation actions for events, including artifact and evidence collection procedures and defined remediation steps.

1.4. Policy Maintenance. All security and privacy related policies shall be documented, reviewed, updated, and approved by management at least annually. 

1.5. Communication and Commitment. Security and privacy policies and procedures shall be published and communicated to all relevant and applicable personnel and subcontractors. Security shall be addressed at the highest levels of the company with executive management regularly discussing security issues and leading company-wide security initiatives.

2. Personnel Security.

2.1. Background Screening. Personnel who have access to Customer Data shall be subject to background screening (as allowed by local laws) that shall include verification of identity, right to work and academic degrees and a check of criminal records, and sex offender registries. 

2.2. Confidentiality Obligations. Personnel who have access to Customer Data shall be subject to a binding contractual obligation with Power Accelerate to keep the Customer Data confidential. 

2.3. Security Awareness Training. Personnel shall receive training upon hire and at least annually thereafter covering security practices and privacy principles. 

2.4. Code of Conduct. Power Accelerate shall maintain a code of conduct and business ethics policy requiring ethical behaviour and compliance with applicable laws and regulations.

3. Third-Party Security.

3.1. Screening. Power Accelerate shall maintain policies and procedures designed to ensure that all new sub-processors, SaaS applications, IT software, and IT service solutions are subject to reasonable due diligence to confirm their ability to meet corporate security and compliance requirements as well as business objectives.

3.2. Contractual Obligations. Power Accelerate shall maintain controls designed to ensure that contractual agreements with sub-processors include confidentiality and privacy provisions as appropriate to protect Power Accelerate’s interests and to ensure Power Accelerate can meet its security and privacy obligations to customers, partners, employees, regulators, and other stakeholders.

3.3. Monitoring and Review. As practicable, Power Accelerate shall periodically review existing third-party sub-processors in a manner designed to ensure the sub-processor’s compliance with contractual terms, including any security and availability requirements. This review program shall review sub-processors at least annually (regardless of length of contractual term) to determine whether the sub-processor/solution is still meeting the company’s objectives and the sub-processor’s performance, security, and compliance postures are still appropriate given the type of access and classification of data being accessed, controls necessary to protect data, and applicable legal and regulatory requirements.

4. Physical Security.

4.1. Corporate Data Center Security. Power Accelerate’s systems used to process Customer Data shall be protected by measures designed to control logical or physical access; equipment used to process Customer Data cannot be upgraded or reconfigured without appropriate authorization and protection of the information; and Customer Data shall be disposed of in a manner that would prevent its reconstruction.

4.2. Power Accelerate Service Data Center Security. Power Accelerate leverages Microsoft Azure data centers for hosting the Power Accelerate Service. Microsoft follows industry best practices and complies with numerous standards.

5. Solution Security.

5.1. Software Development Life Cycle (SDLC). Power Accelerate shall maintain a software development life cycle policy that defines the process by which personnel create secure products and services and the activities that personnel must perform at various stages of development (requirements, design, implementation, verification, documentation and delivery).

5.2. Secure Development. Product management, development, test and deployment teams are required to follow secure application development policies and procedures that are aligned to industry-standard practices, such as the OWASP Top 10.

5.3. Vulnerability Assessment. Power Accelerate shall conduct risk assessments, vulnerability scans and audits. Identified product solution issues shall be scored using the Common Vulnerability Scoring System (CVSS) risk-scoring methodology based on risk impact level and the likelihood and potential consequences of an issue occurring. Vulnerabilities are remediated on the basis of assessed risk.

6. Operational Security.

6.1. Access Controls. Power Accelerate shall maintain policies, procedures, and logical controls to establish access authorizations for employees and third parties. Such controls shall include:

6.1.1. requiring unique user IDs to identify any user who accesses systems or Customer Data;

6.1.2. managing privileged access credentials in a privileged account management (PAM) system; 

6.1.3. requiring that user passwords are (a) of sufficient length; (b) stored in an encrypted format; (c) subject to reuse limitations; and 

6.1.4. automatically locking out users’ IDs when a number of erroneous passwords have been entered.

6.2. Least Privilege. Personnel shall only be permitted access to systems and data as required for the performance of their roles; only authorized personnel are permitted physical access to infrastructure and equipment; authorized access to production resources for the Power Accelerate Service is restricted to employees requiring access; and access rights are reviewed and certified at least annually. 

6.3. Malware. Power Accelerate shall utilize measures intended to detect and remediate malware, viruses, ransomware, spyware, and other intentionally harmful programs that may be used to gain unauthorized access to information or systems. 

6.4. Encryption. Power Accelerate shall use Internet industry-standard encryption methods to protect data in transit and at rest as appropriate to the sensitivity of the data and the risks associated with loss; all laptops and other removable media, including backups shall be encrypted.

6.5. Business Continuity and Disaster Recovery (BCDR). Power Accelerate shall maintain formal BCDR plans designed to ensure Power Accelerate’s systems and services remain resilient in the event of a failure, including natural disasters or system failures, and such plans shall be reviewed, updated, and approved by management at least annually.

6.6. Data Backups. Power Accelerate shall backup data and systems using alternative site storage available for restore in case of failure of the primary system. All backups shall use Internet industry-standard encryption methods to protect backups in transit and at rest. 

6.7. Change Management. Power Accelerate shall maintain change management policies and procedures to plan, test, schedule, communicate, and execute changes to the infrastructure, systems, networks, and applications applicable to the Power Accelerate Service. 

6.8. Network Security. Power Accelerate shall implement industry-standard technologies and controls designed to protect network security, including firewalls, intrusion detection systems, monitoring, and network segmentation. Networks shall be designed and configured to restrict connections between trusted and untrusted networks, and network designs and controls shall be reviewed at least annually. 

6.9. Data Segregation. Power Accelerate shall implement logical controls, including logical separation, access controls and encryption, to segregate Customer’s Personal Data from other Customer and Power Accelerate data in the Power Accelerate Service. Power Accelerate shall additionally ensure that production and non-production data and systems are separated.