This Data Security Policy describes the measures Mena Software takes to protect Customer Data when Customer uses the Subscription Service. This Data Security Policy forms a part of any legal agreement into which this Data Security Policy is explicitly incorporated by reference (the “Agreement”) and is subject to the terms and conditions of the Agreement. Capitalized terms that are not otherwise defined herein shall have the meaning given to them in the Agreement.
While providing the Subscription Service, Mena Software shall maintain a written information security program of policies, procedures and controls (“Security Program”) governing the processing, storage, transmission and security of Customer Data. The Security Program includes industry standard practices designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction. Mena Software may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the commitments, protections or overall level of service provided to Customer as described herein.
2. PHYSICAL, TECHNICAL AND ADMINISTRATIVE SECURITY MEASURES
The Security Program shall include the following physical, technical and administrative measures designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction:
2.1. Physical Security Measures (a) Data Center Facilities: (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (for example, fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor. (b) Systems, Machines and Devices: (i) Physical protection mechanisms; and (ii) entry controls to limit physical access. (c) Media: (i) Industry standard destruction of sensitive materials before disposition of media; (ii) secure safe for storing damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Customer Data.
2.2. Technical Security Measures (a) Access Administration. Access to the Subscription Service by Mena Software employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationship. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections, complex passwords with expiration dates, and a two-factor authenticated connection) and is accessible for administration. (b) Logging and Monitoring. Production infrastructure log activities are centrally collected, secured in an effort to prevent tampering, and monitored for anomalies by a trained security team. (c) Firewall System. An industry-standard firewall is installed and managed to protect Mena Software systems by residing on the network to inspect all ingress connections routed to the Mena Software environment. (d) Vulnerability Management. Mena Software conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Mena Software will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Mena Software's then current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems. (e) Antivirus. Mena Software updates anti-virus, anti-malware, and anti-spyware software at regular intervals and centrally logs events for effectiveness of such software. (f) Change Control. Mena Software ensures that changes to platform, applications and production infrastructure are evaluated to minimize risk and are implemented following Mena Software’s standard operating procedure.
2.3. Administrative Security Measures (a) Data Center Inspections. Mena Software performs routine reviews at each data center to ensure that it continues to maintain the security controls necessary to comply with the Security Program. (b) Personnel Security. Mena Software performs background and drug screening on all employees and all contractors who have access to Customer Data in accordance with Mena Software’s then current applicable standard operating procedure and subject to applicable law. (c) Security Awareness and Training. Mena Software maintains a security awareness program that includes appropriate training of Mena Software personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at Mena Software. (d) Vendor Risk Management. Mena Software maintains a vendor risk management program that assesses all vendors that access, store, process or transmit Customer Data for appropriate security controls and business disciplines.
3. DATA PROTECTION AND SERVICE CONTINUITY
3.1. Data Centers; Data Backup. Mena Software shall host Customer’s instances in a Cloud-based service. Mena Software encrypts all HTTP traffic between the Customer and the Subscription Service with TLS 1.3 certificates issued by the Cloud service provider. Mena Software shall encrypt the internal traffic between Mena Software’s applications with TLS 1.3 certificates issued by the Cloud service provider. Mena Software uses Cloud-based private networks, and the application services that store sensitive information are not exposed outside those networks. All Customer Data is transferred through an SSL encrypted connection. Mena Software performs automated daily snapshot backups of Customer Data as well as a full weekly backup. Backups are implemented using the Cloud service provider’s Backup and Restore functionality.
3.2. Personnel. In the event of an emergency that renders the customer support telephone system unavailable, all calls are routed to an answering service that will transfer to a Mena Software telephone support representative, geographically located to ensure business continuity for support operations.
4. INCIDENT MANAGEMENT AND BREACH NOTIFICATION
4.1. Incident Monitoring and Management. Mena Software shall monitor, analyze and respond to security incidents in a timely manner in accordance with Mena Software’s standard operating procedure. Depending on the nature of the incident, the Mena Software security group will escalate and engage response teams necessary to address an incident.
4.2. Breach Notification. Unless notification is delayed by the actions or demands of a law enforcement agency, Mena Software shall report to Customer the unauthorized acquisition, access, use, disclosure or destruction of Customer Data (a “Breach”) promptly following determination by Mena Software that a Breach occurred. The initial report shall be made to Customer security contact(s) designated in Mena Software’s customer support portal. Mena Software shall take reasonable measures to promptly mitigate the cause of the Breach and shall take reasonable corrective measures to prevent future Breaches. As information is collected or otherwise becomes available to Mena Software and unless prohibited by law, Mena Software shall provide information regarding the nature and consequences of the Breach that are reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus.
4.3. Customer Cooperation. Customer agrees to cooperate with Mena Software in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, identify its root cause(s) and prevent a recurrence.
5. PENETRATION TESTS
Mena Software penetration and security tests are part of the testing environment. During development and testing, Mena Software uses tools like https://brakemanscanner.org/docs/introduction/.
6. SHARING THE SECURITY RESPONSIBILITY
6.1. Product Capabilities. The Subscription Service has the capabilities to: (i) authenticate users before access; (ii) encrypt passwords; (iii) allow users to manage passwords; and (iv) prevent access by users with an inactive account. Customer manages each user’s access to and use of the Subscription Service by assigning to each user a credential and user type that controls the level of access to the Subscription Service.
6.2. Customer Responsibilities. Mena Software provides, through the Cloud, the cloud environment that permits Customer to use and process Customer Data in the Subscription Service. The architecture in the Subscription Service includes, without limitation, column level encryption functionality and the access control list engine. Customer shall be responsible for using the column level encryption functionality and access control list engine for protecting all Customer Data containing sensitive data, including without limitation, credit card numbers, social security numbers, financial and health information, and sensitive personal data. Customer is solely responsible for the results of its decision not to encrypt such sensitive data. Mena Software protects all Customer Data in the Mena Software cloud infrastructure equally in accordance with this Data Security Policy, regardless of the classification of the type of Customer Data. Customer shall be responsible for protecting the confidentiality of each user’s login and password and shall manage each user’s access to the Subscription Service.
6.3. Customer Cooperation. Customer shall promptly apply any application upgrade that Mena Software determines is necessary to maintain the security, performance or availability of the Subscription Service.
6.4. Limitations. Notwithstanding anything to the contrary in the Agreement or this Data Security Policy, Mena Software’s obligations extend only to those systems, networks, network devices, facilities and components over which Mena Software exercises control. This Data Security Policy does not apply to: (i) information shared with Mena Software that is not data stored in its systems using the Subscription Service; (ii) data in Customer’s virtual private network (VPN) or a third party network; or (iii) any data processed by Customer or its users in violation of the Agreement or this Data Security Policy.