VIANAI SYSTEMS, INC.
Data Security Addendum

Vianai maintains policies, procedures, and processes to protect the security, confidentiality, and integrity of Customer Content processed by Vianai in providing the Services, which includes technical, organizational, and physical safeguards as described below:

1.     Information Security Policies and Procedures.

Vianai maintains written policies and procedures that are designed to protect Customer Content against unauthorized access, use, disclosure, modification, or destruction (“Security Policies”). Vianai periodically reviews and updates its information security policies and procedures. Vianai Business Continuity and Disaster Recovery plans are reviewed annually.

2.     Technical Measures.

Vianai maintains technical measures designed to prevent unauthorized access to Vianai’s network and systems used to store or process Customer Content, including deployment of:

(a)     Platform Controls.

(i)     Firewalls. Firewalls are implemented as network access control lists or security groups within the Cloud Service Provider’s account.

(ii)     Hardening.

(A)     Vianai employs industry standards to harden images and operating systems under its control that are deployed within the Platform Services, including deploying baseline images with hardened security configuration such as disabled remote root login, isolation of user code, and images are regularly updated and refreshed.

(B)     For systems under Vianai control supporting the production data processing environment, Vianai tracks security configurations against industry standard baselines.

(iii)     Encryption.

(A)     Encryption of data-in-transit. Customer Content is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit when being uploaded to the Platform Service.

(B)     Encryption of data-at-rest. Depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt Customer Content at rest within a Workbench.

(C)     Review. Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.

(D)     Customer Options. Customers may choose to leverage additional encryption options for data in transit. Customer shall, based on the sensitivity of the Customer Content, configure the Platform Services and Customer cloud environment to encrypt Customer Content where appropriate (e.g., by enabling encryption at rest for data stored within AWS S3).

(iv)     Monitoring & Logging.

(A)     Intrusion Detection Systems. Vianai leverages security capabilities provided natively by Cloud Service Providers for security detection.

(B)     Audit Logs.

(1)     Generation. Vianai generates audit logs from Customer’s use of the Platform Services. The logs are designed to store information about material events within the Platform Services.

(2)     Delivery. Customer may, depending on the entitlement tier of the Platform Services, enable delivery of audit logs. It is Customer’s responsibility to configure this option.

(3)     Integrity. Vianai stores audit logs in a manner designed to protect the audit logs from tampering.

(4)     Retention. Vianai stores audit logs for at least one (1) year.

(v)     Penetration Testing. Vianai conducts third-party penetration tests at least annually.

(vi)     Vulnerability Management & Remediation. Vianai regularly runs authenticated scans against representative hosts in the development pipeline to identify vulnerabilities and emerging security threats that may impact the Platform Services.

(vii)     Patching. Vianai deploys new code related to the Platform Services on an ongoing basis.

(viii)     Vianai Personnel Login to Customer Workbenches. Vianai utilizes an internal tool that permits Vianai personnel to log in to a Customer Workbench to provide support to Customers and permits limited Vianai engineering personnel to log in to certain Platform Services infrastructure. Customer may optionally configure certain limitations on the ability for Vianai personnel to access Customer Workbenches.

(b)     Corporate Controls.

(i)     Access Controls.

(A)     Authentication. Vianai personnel are authenticated through single sign-on (SSO), 802.1x (or similar) where applicable, and use a unique user ID and password combination and multi-factor authentication. Privileges are consistent with least privilege principles. Security Policies prohibits personnel from sharing or reusing credentials, passwords, IDs, or other authentication information. If your identity provider supports the SAML 2.0 protocol, you can use Vianai’s SSO to integrate with your identity provider.

(B)     Role-Based Access Controls. Only authorized roles are allowed to access systems processing Customer Content. Vianai enforces rule-based access controls, and restricts access to Customer Content based on the principle of ‘least privilege’ and segregation of responsibilities and duties.

(1)     Pseudonymization. Information stored in activity logs and databases are protected where appropriate using a unique randomized user identifier to mitigate risk of re-identification of data subjects.

(2)     Machine Controls. Vianai enforces certain security controls on its laptops and computers used by personnel, including:

·     Full-disk encryption

·     Anti-malware software

·     Automatic screen lock after a period of inactivity

 

(c)     Incident Detection & Response.

(i)     Detection & Investigation. Vianai’s engineering team, in conjunction with outside consultants and vendors deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team for triage and response. The Security Incident Response Team employs an incident response framework to manage and minimize the effects of unplanned security events.

(ii)     Security Incidents; Data Breaches. Vianai maintains a record of known security incidents. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed security incidents, Vianai will take appropriate, reasonable steps to minimize service and Customer damage or unauthorized disclosure.

(iii)     Communications & Cooperation. In accordance with applicable data protection laws, Vianai will notify Customer of a data breach for which that Customer is impacted without undue delay after becoming aware of the data breach, and take appropriate measures to address the data breach, including measures to mitigate any adverse effects resulting from the data breach.

(d)     Data Deletion.

The Platform Services provide Customers with functionality that permit Customers to delete Customer Content. Customer Content contained within a Customer Workbench is permanently deleted within thirty (30) days following cancellation of the Customer Workbench.

3.     Organizational Measures.

Vianai maintains administrative and organizational measures designed to prevent unauthorized access or processing of Customer Content, including access control measures to restrict access to Customer Content to personnel who have a legitimate business need for such access and security awareness training for such personnel.

(a)     Governance.

Vianai’s VP of Operations leads the Vianai’s Information Security Program and develops, reviews, and approves Vianai’s Security Policies together with other stakeholders, such as Legal, Human Resources, Finance, and Engineering.

(b)     Personnel Training.

Personnel receive security training upon hire and refresher trainings are given annually. Personnel are required to certify and agree to the Security Policies and personnel who violate the Security Policies are subject to disciplinary action, including warnings, suspension and up to (and including) termination.

(c)     Personnel Screening & Evaluation.

All new personnel undergo background checks prior to onboarding (as permitted by local law). Vianai uses a third-party provider to conduct screenings, which vary by jurisdiction and comply with applicable local law. Personnel are required to sign confidentiality agreements.

(d)     Monitoring & Logging.

Vianai employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.

(e)     Access Review.

Active users with access to the Platform Services are promptly removed upon termination of employment. As part of the personnel offboarding process, all accesses are revoked and data assets are securely wiped.

(f)     Third-Party Risk Management.

Vianai assesses the security compliance of applicable third parties, including vendors and subprocessors, in order to measure and manage risk.

(g)     Software Development Lifecycle.

(i)     Security Design Review. Feature designs are assessed by security personnel for their security impact to the Vianai Platform, for example, additions or modifications to access controls, data flows, and logging.

(ii)     Security Training. Engineers are required to take security training.

(iii)     Peer Code Review. All production code must be approved through a peer code review process.

(iv)     Change Control. Vianai’s controls are designed to securely manage assets, configurations, and changes throughout development.

(v)     Code Scanning. Static and dynamic code scans are regularly run and reviewed.

(vi)     Penetration Testing. As part of the Security Design Review process, certain features are identified and subjected to penetration testing prior to release.

(vii)     Code Approval. Functional owners are required to approve code in their area of responsibility prior to the code being merged for production.

(viii)     Multi-Factor Authentication. Accessing the Vianai code repository requires Multi-Factor Authentication.

(ix)     Code Deployment. Production code is deployed via automated continuous integration / continuous deployment pipeline processes.

(x)     Production Separation. Vianai separates production Platform Services systems from testing and development Platform Services systems.

4.     Physical Measures.

Vianai maintains physical security measures designed to prevent unauthorized persons from gaining physical access to Vianai facilities that contain information systems used to store or process Customer Content.

(a)     Vianai Corporate Offices.

Vianai has implemented safeguards for its corporate offices. These include, but are not limited to, the below:

1.     Physical entry points have locks at every door, allowing only authorized employees to enter the office premises.

2.     Equipment and other Vianai-issued assets are inventoried and tracked.

3.     Office Wi-Fi networks are protected with encryption and Network Access Control.

 

(b)     Cloud Service Provider Data Centers.

Vianai regularly reviews Cloud Service Provider audits. Security controls include, but are not limited to the list below:

1.     Biometric facility access controls

2.     Visitor facility access policies and procedures

3.     24-hour armed physical security

4.     CCTV at ingress and egress

5.     Intrusion detection

6.     Business continuity and disaster recovery plans

7.     Smoke detection sensors and fire suppression equipment

8.     Mechanisms to control temperature, humidity and water leaks

9.     Power redundancy with backup power supply