Security Program Addendum
as of January 17,
Power Accelerate has implemented and shall maintain a
commercially reasonable information security program, which shall include
technical and organizational measures designed to ensure an appropriate level
of security for Customer and Other Data taking into account the risks presented by the
processing, in particular from accidental or unlawful destruction, loss,
alteration, or unauthorized disclosure of, or access to Customer or
and the nature of the Customer or Other Data to be protected having regard to the state of the
art and the cost of implementation. This document communicates the security
program applicable to the Power Accelerate Service, in accordance with Power
Terms of Service or Master Service Agreement as applicable (collectively, the
“Agreement”). Except as otherwise modified or defined herein, capitalized terms
shall have the same meaning as in the Agreement.
Information Security Management System (ISMS). Power
Accelerate shall maintain an ISMS
risk-based security program to systematically manage and protect the
organization’s business information and the information of its customers and
Security Governance Committee. Power Accelerate shall maintain a security committee
comprised of leaders across business units that oversees the company’s security
program. This committee shall meet regularly to review the operational status
of the ISMS (including risks, threats, remediation actions, and other
security-related issues) and drive continuous security improvement throughout
Security Incident Response Policy. Power Accelerate shall maintain policies
and procedures to (1) investigate and respond to security incidents, including
procedures to assess the threat of relevant vulnerabilities or security
incidents using defined incident classifications and categorizations and (2) establish
remediation and mitigation actions for events, including artifact and evidence
collection procedures and defined remediation steps.
Policy Maintenance. All security and privacy related policies shall be
documented, reviewed, updated, and approved by management at least
Communication and Commitment. Security and privacy policies and procedures
shall be published and communicated to all relevant and applicable personnel
and subcontractors. Security shall be addressed at the highest levels of the
company with executive management regularly discussing security issues and
leading company-wide security initiatives.
Background Screening. Personnel who have access to Customer Data shall be
subject to background screening (as allowed by local laws) that shall include
verification of identity, right to work and academic degrees and a check of
criminal records, and sex offender registries.
Confidentiality Obligations. Personnel who have access to Customer Data shall
be subject to a binding contractual obligation with Power
keep the Customer Data confidential.
Security Awareness Training. Personnel shall receive training upon hire and at
least annually thereafter covering security practices and privacy
Code of Conduct. Power Accelerate shall maintain a code of conduct and
business ethics policy requiring ethical behaviour and compliance with
applicable laws and regulations.
3. Third-Party Security.
Screening. Power Accelerate shall maintain policies and
procedures designed to ensure that all new sub-processors, SaaS applications,
IT software, and IT service solutions are subject to reasonable due diligence
to confirm their ability to meet corporate security and compliance requirements
as well as business objectives.
Contractual Obligations. Power Accelerate shall maintain controls designed to
ensure that contractual agreements with sub-processors include confidentiality
and privacy provisions as appropriate to protect Power
interests and to ensure Power Accelerate can meet its security and privacy
obligations to customers, partners, employees, regulators, and other
Monitoring and Review. As practicable, Power
shall periodically review existing third-party sub-processors in a manner
designed to ensure the sub-processor’s compliance with contractual terms,
including any security and availability requirements. This review program shall
review sub-processors at least annually (regardless of length of contractual
term) to determine whether the sub-processor/solution is still meeting the
company’s objectives and the sub-processor’s performance, security, and
compliance postures are still appropriate given the type of access and
classification of data being accessed, controls necessary to protect data, and
applicable legal and regulatory requirements.
4. Physical Security.
Center Security. Power Accelerate’s systems used to process Customer Data
shall be protected by measures designed to control logical or physical access;
equipment used to process Customer Data cannot be upgraded or reconfigured
without appropriate authorization and protection of the information; and
Customer Data shall be disposed of in a manner that would prevent its
Service Data Center Security. Power Accelerate leverages Microsoft
centers for hosting the Power Accelerate Service. Microsoft follows industry best
practices and complies with numerous standards.
5. Solution Security.
Software Development Life Cycle (SDLC). Power
shall maintain a software development life cycle policy that defines the
process by which personnel create secure products and services and the
activities that personnel must perform at various stages of development
(requirements, design, implementation, verification, documentation and
Secure Development. Product management, development, test and deployment teams
are required to follow secure application development policies and procedures
that are aligned to industry-standard practices, such as the OWASP Top 10.
Vulnerability Assessment. Power Accelerate shall conduct risk assessments,
vulnerability scans and audits. Identified product solution issues shall be
scored using the Common Vulnerability Scoring System (CVSS) risk-scoring
methodology based on risk impact level and the likelihood and potential consequences
of an issue occurring. Vulnerabilities are remediated on the basis of assessed
6. Operational Security.
Access Controls. Power Accelerate shall maintain policies, procedures,
and logical controls to establish access authorizations for employees and third
parties. Such controls shall include:
requiring unique user IDs to identify any user who accesses systems or Customer
managing privileged access credentials in a privileged account management (PAM)
requiring that user passwords are (a) of sufficient length; (b) stored in an
encrypted format; (c) subject to reuse limitations; and
automatically locking out users’ IDs when a number of erroneous passwords have
Least Privilege. Personnel shall only be permitted access to systems and data
as required for the performance of their roles; only authorized personnel are
permitted physical access to infrastructure and equipment; authorized access to
production resources for the Power Accelerate Service is restricted to employees
requiring access; and access rights are reviewed and certified at least
Malware. Power Accelerate shall utilize measures intended to
detect and remediate malware, viruses, ransomware, spyware, and other
intentionally harmful programs that may be used to gain unauthorized access to
information or systems.
Encryption. Power Accelerate shall use Internet industry-standard
encryption methods to protect data in transit and at rest as appropriate to the
sensitivity of the data and the risks associated with loss; all laptops and
other removable media, including backups shall be encrypted.
Business Continuity and Disaster Recovery (BCDR). Power
shall maintain formal BCDR plans designed to ensure Power
systems and services remain resilient in the event of a failure, including
natural disasters or system failures, and such plans shall be reviewed,
updated, and approved by management at least annually.
Data Backups. Power Accelerate shall backup data and systems using
alternative site storage available for restore in case of failure of the
primary system. All backups shall use Internet industry-standard encryption
methods to protect backups in transit and at rest.
Change Management. Power Accelerate shall maintain change management
policies and procedures to plan, test, schedule, communicate, and execute
changes to the infrastructure, systems, networks, and applications applicable
to the Power Accelerate Service.
Network Security. Power Accelerate shall implement industry-standard
technologies and controls designed to protect network security, including
firewalls, intrusion detection systems, monitoring, and network segmentation.
Networks shall be designed and configured to restrict connections between
trusted and untrusted networks, and network designs and controls shall be
reviewed at least annually.
Data Segregation. Power Accelerate shall implement logical controls,
including logical separation, access controls and encryption, to segregate
Customer’s Personal Data from other Customer and Power
data in the Power Accelerate Service. Power
shall additionally ensure that production and non-production data and systems