Security Policy
For the purposes of TelmarHelixa’s Security Policy:
“Customer Data” means any Datasets (including any personal data therein, if any) and/or Customer Confidential Information, stored and/or processed by TelmarHelixa.
“Industry Standards” shall mean commonly accepted information security best practices for service providers providing technology services.
Capitalised terms shall have the meanings set forth in the Master Subscription Agreement between Customer and TelmarHelixa.
- 1. Governance & Management
- 1. TelmarHelixa will implement security controls, policies and procedures according to ISO/IEC 27001 and be consistent with Industry Standards.
- 2. In accordance with ISO/IEC 27001, appropriate controls detailed in Annex A of ISO/IEC 27001 will be adopted where appropriate by TelmarHelixa and reviewed on a regular basis.
- 3. TelmarHelixa will continually improve the effectiveness of its Security Policy.
- 2. Physical and Environmental Security
- 1. TelmarHelixa will ensure appropriate security controls for all physical entry points to locations containing systems that host the Services (each a “Site”), including the following:
- 1. access to Sites by authorized personnel will be controlled and restricted by use of appropriate security measures including security cameras, entry controls and authentication controls;
- 2. where relevant, electronic and written access logs will be maintained for a reasonable period of time;
- 3. TelmarHelixa maintains a clear desk and clear screen policy at TelmarHelixa premises and in respect of TelmarHelixa Users (as defined in section 4, below); and
- 4. visitors without access rights to a Site will be escorted at all times by authorized personnel.
- 3. Human Resources
- 1. Background Checks. Subject to Applicable Law, TelmarHelixa shall carry out background verification checks, at its expense, on employees and contractors that are involved in the provision of Services.
- 2. Adherence. TelmarHelixa will ensure that employees and contractors are bound by appropriate confidentiality terms and to TelmarHelixa’s security policies.
- 3. Training. TelmarHelixa employees and contractors involved in the provision of the Services will receive periodic training in respect of data privacy/data protection, confidentiality and measures to protect Confidential Information.
- 4. Segregation of Duties. TelmarHelixa will ensure the necessary segregation of duties to limit conflicting duties and areas of responsibility, and will implement measures to reduce the opportunities for unauthorized or unintentional modification or misuse of any of the organisation’s assets.
- 5. Security Management. TelmarHelixa shall allocate dedicated security roles, responsibilities and resources.
- 4. Access Controls & Monitoring
- 1. Logical Security. To protect against unauthorized access to the Services, TelmarHelixa adopts a defence-in-depth (multiple controls), least-privilege, need-to-know and need-to-use strategy for its security. TelmarHelixa will:
- 1. employ a formal procedure for granting and revoking access and access rights to TelmarHelixa employees and/or contractors (each a “TelmarHelixa User”) to the TelmarHelixa Technology used to provide the Services;
- 2. review each TelmarHelixa User’s access rights to confirm they are appropriate for their role (need to know, need to use); and
- 3. have security practices and controls regarding: (i) the selection and use of strong passphrases in line with Industry Standards and as defined by TelmarHelixa’s password policy; and (ii) closure of inactive application sessions when technically possible, after a defined period of inactivity.
- 2. Network Access Control. TelmarHelixa will employ network access controls with respect to internal, external and public network services that allow access to the TelmarHelixa Technology used to provide the Services.
- 3. Minimum Access Rights (least privilege). TelmarHelixa will provide TelmarHelixa Users with the minimum access rights and privileges needed to perform a particular function or transaction. TelmarHelixa User access reviews will be conducted at least annually and updated as necessary.
- 4. Availability Monitoring. TelmarHelixa will employ multiple levels of system monitoring including server fault monitoring, service functionality monitoring, API functionality monitoring, user functionality monitoring and service availability monitoring.
- 5. Logging & Monitoring. TelmarHelixa ensures appropriate logging and monitoring is in place and is auditable for a defined period.
- 5. Asset Management
- 1. TelmarHelixa will implement rules for the acceptable use of Customer Data and assets which comply with Industry Standards.
- 2. All media and assets that contain Customer Data transferred from TelmarHelixa’s custody shall be encrypted, sanitized, destroyed, or purged of Customer Data in accordance with Industry Standards and applicable data retention policies. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.
- 6. Encryption & Cryptographic Controls
- TelmarHelixa will use encryption and cryptography to protect the confidentiality, authenticity and/or integrity of Customer Data. Such controls will include:
- 1. where feasible, Customer Data in transit and at rest will be encrypted whether on TelmarHelixa’s own systems or third party systems; and
- 2. access to systems storing Customer Data will be via Virtual Private Network (VPN) using transport layer security.
- 7. Security Patches
- TelmarHelixa will establish processes to keep up to date with emerging security threats and vulnerabilities and ensure that the relevant security controls are implemented. TelmarHelixa will implement security patches within a prudent timeframe as determined by TelmarHelixa. Particular consideration is given to:
- 1. the severity of any identified security vulnerability;
- 2. the extent to which a vulnerability may affect any specific system or subsystem;
- 3. the extent to which a system may be insulated from particular attack vectors; and
- 4. a holistic consideration of the security implications that could arise in respect of the introduction of a particular security patch.
- 8. Vulnerability Management and Testing
- 1. TelmarHelixa shall arrange for a suitably qualified, independent Third Party (“External Tester”) to conduct penetration testing of the Services at least once in any twelve (12) month period (“Penetration Testing”).
- 2. TelmarHelixa shall scan the Services for known vulnerabilities periodically (each a “Vulnerability Scan”).
- 3. TelmarHelixa will remediate any material deficiencies in the security of the Services identified by the External Tester from the Penetration Testing and/or Vulnerability Scan within a reasonable timeframe.
- 4. TelmarHelixa applications will be tested against OWASP criteria (https://www.owasp.org) to ensure that they are not vulnerable to the OWASP top ten risks.
- 9. Third Party Vendor Assessment
- Where TelmarHelixa makes use of a Third Party in support of the provision of the Services, TelmarHelixa will ensure the following:
- 1. appropriate due diligence is exercised in the selection and approval of such Third Party vendor;
- 2. a formal contract is in place between TelmarHelixa and the Third Party vendor;
- 3. access to Customer Data will be limited where possible according to clear business needs. Basic information security principles such as least privilege, separation of duties and defence in depth will be applied;
- 4. where possible, TelmarHelixa will have the right to audit the information security practices of the Third Party vendor and, where appropriate, its contractors; and
- 5. to the extent that a Third Party vendor is a subprocessor of Customer personal data, TelmarHelixa will comply with section 4.7 of the Data Processing Agreement.
- 10. Business Continuity & Security Incidents
- 1. TelmarHelixa has in place and shall maintain a business continuity and disaster recovery plan (the “Plan”) that will enable TelmarHelixa to recover from an incident or event whether natural or manmade which prevents TelmarHelixa from providing access to the Services (“Disaster”), and continue providing the Services as set forth in the MSA and/or an applicable Order.
- 2. The Plan is documented in written form and includes details appropriate for the Services, the complexity of the environment and probability of occurrence, including:
- 1. a description of the facilities, employees, roles, responsibilities, procedures and processes required to provide a coordinated approach to managing Disaster response activities at the time of any Disaster;
- 2. actions to be taken before, during and after TelmarHelixa’s reasonable determination that an incident or event is a Disaster (“Disaster Declaration”); and
- 3. the recovery time objective and recovery point objective for the Services.
- 3. TelmarHelixa will review and, if necessary, update the Plan at least once annually.
- 4. TelmarHelixa has a security incident management process in place to identify and address potential security breaches and compliance failures.
- 5. In the case of a Security Incident (as defined in the Data Processing Agreement), TelmarHelixa shall notify Customer in accordance with section 4.10 of the Data Processing Agreement.