Data Protection and Information Security

This Data Protection and Information Security Exhibit (“Exhibit”) is an attachment to the Agreement and sets forth the data protection and information security requirements of 4ward USA, Inc. (“4ward”).

This Exhibit includes by reference the terms and conditions of the Agreement. In the event of any inconsistencies between this Exhibit and the Agreement, the parties agree that the terms and conditions of the Exhibit will control. Throughout the term of the Agreement and for as long as 4ward controls, possesses, stores, transmits, or processes Personal Information as part of the Services provided to Client, 4ward will comply with the requirements set forth in this Exhibit.

The Parties agree that all Data Protection and Information Security matters related to the Infrastructure System are exclusively regulated by the Microsoft AZURE DPA Standard Terms available at the Microsoft Trust Center: https://www.microsoft.com/en-us/trustcenter/Security/default.aspx

1. DEFINITIONS

“Authorized Personnel” means 4ward’s employees or subcontractors who: (i) have a need to receive or access Personal Information to enable 4ward to perform its obligations under the Agreement; and (ii) are bound with 4ward by confidentiality obligations sufficient for the protection of Personal Information in accordance with the terms and conditions set forth in the Agreement and this Exhibit.

“Common Software Vulnerabilities” (CSV) are application defects and errors that are commonly exploited in software. This includes but is not limited to: (i) the CWE/SANS Top 25 Programming Errors – see http://cwe.mitre.org/top25/ and http://www.sans.org/top25-software-errors/; and (ii) the Open Web Application Security Project’s (OWASP) “Top Ten Project” – see http://www.owasp.org.

“Critical Infrastructure Information” (CII) means information about Client’s network architecture as well as that of its customers, including information about application access, remote access procedures, user IDs and passwords, the location and capability of central offices, data centers, data warehouses, network access points, network points of presence and other critical network sites, as well as the network elements and equipment within them, and includes any information which Client reasonably identifies as critical infrastructure information.

“Industry Standards” mean generally recognized industry standards, best practices, and benchmarks.

“Information Protection Laws” mean all applicable laws, standards, guidelines, policies, regulations and procedures applicable to 4ward pertaining to data security, confidentiality, privacy, and breach notification.

“Personal Information”, also known as Personally Identifiable Information (PII), is information of Client customers, employees and subcontractors held or accessed by 4ward that can be used on its own or combined with other information to identify, contact, or locate a person, or to identify an individual in context. Examples of Personal Information include first and last name, address, social security number or national identifier, biometric records, geolocation information, driver’s license number, account number or username with password or PIN, either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Personal Information includes those data elements defined under applicable state or federal law in the event of a Security Incident.

“Security Incident” is any actual occurrence of: (i) unauthorized access, use, alteration, disclosure, loss, theft of, or destruction of Personal Information or the systems / storage media containing Personal Information; (ii) illicit or malicious code, phishing, spamming, spoofing; (iii) unauthorized use of, or unauthorized access to, 4ward’s systems; (iv) inability to access Personal Information or 4ward systems as a result of a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack; and (v) loss of Personal Information due to a breach of security.

“Security Vulnerability” is an application, operating system, or system flaw (including but not limited to an associated process, computer, device, network, or software weakness) that can be exploited, resulting in a Security Incident.

2. ROLES OF THE PARTIES AND COMPLIANCE WITH INFORMATION PROTECTION LAWS

As between 4ward and Client, Client shall be the principal and 4ward shall be its agent with respect to the collection, use, processing and disclosure of all Personal Information. The Parties shall comply with their respective obligations as the principal (e.g., data owner/controller/covered entity) and agent (e.g., data processor/business associate/trading partner) under all applicable laws relating to data privacy, information security, or security breach notification (collectively, the “Information Protection Laws”). The Parties acknowledge that, with respect to all Personal Information processed by 4ward for the purpose of providing the Services under this Agreement:

    1. Client shall determine the scope, purpose, and manner in which such Personal Information may be accessed or processed by 4ward, and 4ward will limit its access to or use of Personal Information to that which is necessary to provide the Services, comply with applicable laws, or as otherwise directed by Client;
    2. Each party shall be responsible for compliance with Information Protection Laws in accordance with their respective roles; and
    3. 4ward and Client shall implement the technical and organizational measures specified in this Exhibit and any additional procedures agreed upon pursuant to a Statement of Work (“SOW”) to protect Personal Information against unauthorized use, destruction or loss, alteration, disclosure or access.

3. INFORMATION SECURITY EXPECTATIONS

4ward has and maintains an information security program that has been developed, implemented and maintained in accordance with Industry Standards. At a minimum, 4ward’s information security program includes, but is not limited to, the following elements:

3.1 MANAGEMENT DIRECTION FOR INFORMATION SECURITY

4ward shall either assign a qualified member of its workforce or commission a reputable third-party service provider with expertise in information security, to be responsible for the development.

    1. Policies and Standards. To protect Client Personal Information, 4ward implements and maintains reasonable security that complies with Information Protection Laws and meets data security Industry Standards.
    2. Security Policies and Standards. 4ward maintains information security policies and standards that: (i) define the administrative, physical, and technological controls to protect the confidentiality, integrity, and availability of Personal Information, Client systems, and 4ward systems (including mobile devices and removable media) used in providing Services to Client; (ii) encompass secure access, retention, and transport of Personal Information; (iii) provide for disciplinary or legal action in the event of violation of policy by employees or 4ward subcontractors and vendors; (iv) prevent unauthorized access to Client data, Client systems, and 4ward systems, including access by 4ward’s terminated employees and subcontractors; (v) establish requirements for assessment, monitoring and auditing procedures and systems to ensure 4ward is compliant with the policies; and (vi) provide for an annual assessment of the policies and, upon Client’s written request, attestation of compliance.
    3. Monitoring and Enforcement. 4ward will monitor compliance with its privacy policies and procedures and will address privacy-related complaints and disputes.
    4. Independent Review of Information Security. The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. Independent reviews may include internal auditors or third party security or audit firms.
    5. In the SOW or other document, 4ward will identify to Client all third-party vendors involved in the provision of the Services to Client, and will specify those third-party vendors that will have access to Personal Information.

3.2 ORGANIZATION OF INFORMATION SECURITY

    1. Segregation of Responsibilities. 4ward will ensure that the responsibilities of its workforce are appropriately segregated to reduce opportunities for unauthorized or unintentional access, modification or misuse of the organization’s assets.
    2. Regulatory Contact. If applicable to 4ward’s business or required by law, 4ward will maintain contact with the governing regulatory authorities to ensure ongoing compliance with the mandated regulatory requirements.
    3. Monitoring of Special Interest Groups. 4ward will maintain appropriate contact with special interest groups, specialist security forums, and/or professional associations in order to remain abreast of evolving information security threats and trends.
    4. Project Management. As applicable, 4ward will ensure that information security is addressed within its internal project management processes.

3.3 TELEWORKING

    1. Teleworking Requirements. If 4ward allows Authorized Personnel to work remotely in support of 4ward services, 4ward shall provide Authorized Personnel with one of the following technologies to mitigate the inherent security risks of remote access:
      1. A 4ward-provided and -controlled device (e.g., laptop or workstation) that is securely managed by 4ward’s information technology team(s); OR
      2. A secure technology, service, or platform that enables 4ward to manage the security configuration of personally owned devices used to provide 4ward services, in order to meet the security requirements of both 4ward and Client, as defined within this Agreement.

3.4 HUMAN RESOURCES SECURITY

    1. Screening. Background verification checks on all candidates for employment are carried out in accordance with relevant laws, regulations and ethics, and are proportional to the business requirements, the classification of the Client information to be accessed and the perceived risks.
    2. Security and Privacy Training. 4ward trains new and existing employees and subcontractors to comply with the data security and data privacy obligations under this Agreement and this Exhibit. Ongoing training is to be provided at least annually. Client may provide specific training material to 4ward to include in its employee/subcontractor training.
    3. 4ward ensures that employees, contractors, other sub-contractors or vendors are required to sign a confidentiality or non-disclosure agreement to protect Client Personal Information.
    4. Termination or Change of Employment Responsibilities. Information security responsibilities and duties that remain valid after change of employment shall be defined, communicated to the employee or contractor, and enforced.

3.5 ASSET MANAGEMENT

    1. If 4ward provides hosted services to Client, 4ward agrees to maintain an inventory of assets associated with information and information processing facilities.
    2. Assets maintained in the inventory must be assigned to an individual or group that is accountable and responsible for the assigned asset(s).
    3. Acceptable use of assets is defined within a formal policy or standard.
    4. The return of assets is clearly communicated, via policies and/or training, to all employees and external party users upon termination of their employment, contract or agreement. Return of assets shall be documented by 4ward.
    5. 4ward classifies data in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. Procedures for handling assets are developed and implemented in accordance with the information classification scheme adopted by the organization.

3.6 MEDIA HANDLING

    1. Procedures must be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
    2. Data Destruction and Data Retention. Upon expiration or termination of this Agreement or upon Client’s written request, 4ward and its Authorized Personnel will promptly return to Client all Personal Information and/or securely destroy Client Personal Information. At a minimum, data destruction is to be performed according to the standards enumerated by the National Institute of Standards and Technology, Guidelines for Media Sanitization – see http://csrc.nist.gov/. If destroyed, an officer of 4ward must certify to Client in writing within ten (10) business days of completed destruction that all Client Personal Information has been destroyed. If 4ward is required to retain any confidential information or metadata to comply with a legal requirement, 4ward shall provide notice to both the general notice contact in the Agreement as well as Client’s designated Security Contact.

3.7 ACCESS CONTROL

    1. 4ward ensures that Personal Information is accessible only by Authorized Personnel after appropriate user authentication and access controls that satisfy the requirements of this Exhibit.
    2. Two-factor authentication is required for remote connectivity into 4ward systems or networks.
    3. Each Authorized Personnel has unique access credentials and receives training which includes a prohibition on sharing access credentials with any other person.
    4. User Registration and De-registration. 4ward has a formal user registration and de-registration process for enabling assignment of access rights.
    5. User Access Provisioning. 4ward has a formal user access provisioning process to assign or revoke access rights for all user types to all systems and services.
    6. Management of Privileged Access Rights. The allocation and use of privileged access rights is restricted and controlled.
    7. Management of Secret Authentication Information of Users. The allocation of secret authentication information is controlled through a formal management process.
    8. Review of User Access Rights. User access rights must be reviewed at regular intervals, and at a minimum on an annual basis.
    9. Removal or Adjustment of Access Rights. The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted as appropriate upon change in role or responsibilities.
    10. Password Management System. Password management systems are interactive and ensure strong passwords.

3.8 DATA SECURITY

    1. 4ward agrees to preserve the confidentiality, integrity and accessibility of Personal Information with administrative, technical and physical measures that conform to Industry Standards as applied to 4ward’s own systems and processing environment. Unless otherwise agreed to in writing by Client, 4ward agrees that any and all Personal Information is stored, processed, and maintained solely on designated systems located in the continental United States.
    2. 4ward logically segregates Personal Information from 4ward’s own data as well as from the data of 4ward’s other customers or third parties.

3.9 CRYPTOGRAPHY

    1. 4ward has a formal policy on the use of cryptographic controls for protection including the use, protection and lifecycle of cryptographic keys.
    2. 4ward agrees that all Personal Information is encrypted with a Federal Information Processing Standard (FIPS) compliant encryption product, also referred to as FIPS 140-2 compliant. Symmetric encryption uses a minimum 128-bit key, and asymmetric encryption requires a minimum 1024-bit key length. Encryption is utilized in the following instances:
      1. Personal Information that is stored on any portable computing device or any portable storage medium.
      2. Personal Information that is transmitted or exchanged over a public network.
    3. Encryption may also be required for confidential information depending upon the data

3.10 PHYSICAL AND ENVIRONMENTAL SECURITY

    1. Physical Security. Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information or information processing facilities.
    2. Physical entry controls. Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
    3. Securing Offices, Rooms and Facilities. Physical security for offices, rooms and facilities shall be designed and applied.
    4. Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
    5. Equipment. Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
    6. Secure Disposal or Reuse of Equipment. All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
    7. Clear Desk and Clear Screen Policy. A clear desk policy for papers and a clear screen policy for facilities processing Personal Information must be adopted and adhered to.

3.11 OPERATIONS SECURITY

    1. Change Management. Changes to the organization, business processes, information processing facilities and systems that affect information security shall be formally controlled.
    2. Separation of Development, Testing and Operational Environments. 4ward agrees that development and testing environments shall be separated from operational or production environments to reduce the risks of unauthorized access or changes to the operational or production environment.
    3. Malicious Code Protection. 4ward’s software development processes and environment are protected against malicious code being introduced into its product(s)’ future releases and/or updates.
    4. Vulnerability Management. Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
    5. Logging. 4ward software that controls access to Personal Information logs and tracks all access to the information.
      1. Logging facilities and log information are protected against tampering and unauthorized access.
      2. 4ward maintains access logs relevant to Personal Information for a minimum of six (6) months or other mutually agreed upon duration.
    6. Installation of Software on Operational Systems. Rules governing the installation of software by users shall be established and implemented on operational systems.
    7. Data Backup. The parties shall agree in an SOW or other document upon the categories of Personal Information that are required to be backed up by 4ward. Unless otherwise agreed to in writing by 4ward, backups of Personal Information shall reside solely in the United States. For the orderly and timely recovery of Personal Information in the event of a service interruption:
      1. 4ward stores a backup of Personal Information at a secure facility.
      2. 4ward encrypts all Personal Information backup data.

3.12 NETWORK SECURITY

4ward agrees to implement and maintain network security controls that conform to Industry Standards including but not limited to the following:

    1. Firewalls. 4ward utilizes firewalls to manage and restrict inbound, outbound and internal network traffic to only the necessary hosts and network resources.
    2. Network Architecture. 4ward appropriately segments its network to only allow authorized hosts and users to traverse areas of the network and access resources that are required for their job responsibilities.
    3. Demilitarized Zone (DMZ). 4ward ensures that publicly accessible servers are placed on a separate, isolated network segment typically referred to as the DMZ.
    4. Wireless Security. 4ward ensures that its wireless network(s) only utilize strong encryption, such as WPA2.
    5. Intrusion Detection/Intrusion Prevention (IDS/IPS) System. 4ward has an IDS and/or IPS in place to detect inappropriate, incorrect, or anomalous activity and determine whether 4ward’s computer network and/or server(s) have experienced an unauthorized intrusion.
    6. Segregation in Networks. As appropriate, groups of information services, users and information systems are segregated on networks.

3.13 COMMUNICATIONS SECURITY

4ward agrees to implement and maintain network security controls that conform to Industry Standards including but not limited to the following:

    1. Formal data transfer policies, procedures and controls shall be in place to protect the transfer of sensitive Personal Information within electronic messaging.
    2. 4ward executes a data protection and information security agreement with subcontractors/third-party clients to ensure that security controls that meet 4ward requirements have been implemented.

3.14 SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE

    1. Security Requirements of Information Systems. Applicable information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
    2. Securing Application Services on Public Networks. Personal Information involved in application services passing over public networks shall be protected from fraudulent activity, unauthorized disclosure and modification.
    3. Secure Development. 4ward has policies that govern the development of software and systems and how information security and integrity are established and applied during development.
    4. Secure System Engineering Principles. Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
    5. Outsourced Development. The organization shall supervise and monitor the activity of any outsourced system development.

3.15 4WARD RELATIONSHIPS

    1. 4ward conducts thorough background checks and due diligence on any third and fourth parties which impact 4ward’s ability to meet the requirements of the Agreement and this Exhibit.
    2. Due diligence of third parties shall include, but is not limited to, addressing information security requirements within agreements between 4ward and its clients.
    3. 4ward will not outsource any work related to its products or services provided to Client to personnel located in countries outside the United States of America, unless disclosed in the Agreement and approved by Client Information Security. If 4ward desires to outsource certain work for Client during the Term of the Agreement, 4ward shall first notify Client so that the parties can ensure adequate security protections are in place with respect to the services provided to Client.

3.16 BUSINESS CONTINUITY PLANNING (BCP) AND DISASTER RECOVERY (DR)

    1. 4ward maintains an appropriate business continuity and disaster recovery plan to enable 4ward to adequately respond to, and recover from, business interruptions involving services provided by 4ward to Client.
    2. At a minimum, 4ward tests the BCP & DR plan annually, in accordance with Industry Standards, to ensure that the business interruption and disaster objectives set forth in this Exhibit have been met, and will promptly remedy any failures. Upon Client’s request, 4ward will provide Client with a written summary of the annual test results.
    3. In the event of a business interruption that activates the BCP & DR plan affecting the services or Personal Information of Client, 4ward will notify Client’s designated Security Contact as soon as possible.
    4. 4ward will allow Client or its authorized third party, upon a minimum of thirty (30) days’ notice to 4ward’s designated Security Contact, to perform an assessment of 4ward’s BCP and DR plans once annually. Following notice provided by Client, the parties will meet to determine the scope and timing of the assessment.

3.17 APPLICATION AND SOFTWARE SECURITY

If 4ward provides hosted services to Client, 4ward agrees that its product(s) will remain secure from Software Vulnerabilities and, at a minimum, incorporate the following:

    1. Application Level Security. 4ward will use a reputable third party to conduct static/manual application vulnerability scans on the application(s) software provided to Client for each major code release or at the time of contract renewal. Results of the application testing, if requested by Client, will be provided to Client in a summary report, and vulnerabilities categorized as Very High or High, or identified as part of the OWASP Top 10 or SANS Top 25, within ten (10) weeks of identification.
    2. Vulnerability Management. 4ward agrees at all times to provide, maintain and support its software and subsequent updates, upgrades, and bug fixes such that the software is, and remains secure from Common Software Vulnerabilities.
    3. Updates and Patches. 4ward agrees to promptly provide updates and patches to remediate Security Vulnerabilities that are exploitable. Upon Client’s request, 4ward will provide information on remediation efforts of known Security Vulnerabilities.
    4. Security Testing. 4ward will conduct static, dynamic, automated, and/or manual security testing on its software products and/or services, hardware, devices, and systems to identify Security Vulnerabilities on an ongoing basis. Should any vulnerabilities be discovered, 4ward agrees to notify Client and create a mutually agreed upon remediation plan to resolve all vulnerabilities identified.
    5. Cooperation. In the event of the existence of a Security Vulnerability that results in an inquiry from a regulatory agency, law enforcement agency, or Client’s business customer, 4ward will cooperate and assist Client in providing a response to said party, including making appropriate 4ward personnel available to participate in face-to-face or telephonic meetings as reasonably requested by Client.

3.18 DATA USE

    1. 4ward agrees that any and all Personal Information shall be used and disclosed solely and exclusively for the purposes set forth in the Agreement.
    2. Personal Information shall not be distributed, repurposed or shared across other applications, environments, or business units of 4ward. 4ward further agrees that no Personal Information of any kind shall be transmitted, exchanged or otherwise passed to other parties except on a case-by-case basis as specifically agreed to by Client.

3.19 RIGHT TO AUDIT

    1. Upon a minimum of thirty (30) days’ written notice to 4ward, 4ward agrees to allow Client or a mutually agreed upon independent third party under a Non-Disclosure Agreement to perform an audit of 4ward’s policies, procedures, software, system(s), and data processing environment, at Client’s expense, to confirm compliance with this Exhibit. Unless critical issues are identified during the audit, such audits will be restricted to one audit per any twelve (12) month period.
    2. Prior to commencement of the audit, the parties will discuss the scope of the audit and the schedule. 4ward will provide reasonable support to the audit team.
    3. If issues are identified by 4ward, 4ward will provide a remediation plan to remedy such issues.

4. SECURITY INCIDENT / DATA BREACH

4.1 SECURITY CONTACT

The Security contacts identified in the Order shall serve as each party’s designated Security Contact for security issues under this Agreement.

4ward Security Contact:
4ward Information Security
4wardSecurityCommandCenter@4ward365.com

4.2 REQUIREMENTS

4ward takes commercially reasonable actions to ensure that Client is protected against any reasonably anticipated Security Incidents, including but not limited to: (i) 4ward’s systems are continually monitored to detect evidence of a Security Incident; (ii) 4ward has a Security Incident response process to manage and to take corrective action for any suspected or realized Security Incident; and (iii) upon request 4ward will provide Client with a copy of its Security Incident policies and procedures. If a Security Incident affecting 4ward products occurs, 4ward, in accordance with applicable Information Protection Laws, will take action to prevent the continuation of the Security Incident.

4.3 NOTIFICATION

Within forty-eight (48) hours of 4ward’s determination that a Security Incident has occurred, or other mutually agreed upon time period, 4ward will notify Client of the incident through the email address listed above.

4.4 INVESTIGATION AND REMEDIATION

Upon 4ward’s notification to Client of a Security Incident, the parties will coordinate to investigate the Security Incident. 4ward will be responsible for leading the investigation of the Security Incident, but will cooperate with Client to the extent Client requires involvement in the investigation. 4ward may involve law enforcement in its discretion. Depending upon the type and scope of the Security Incident, 4ward security personnel may participate in: (i) interviews with Client’s employees and subcontractors involved in the incident; and (ii) review of all relevant records, logs, files, reporting data, systems, Client devices, and other materials as otherwise required by 4ward.

In the event of a Security Incident that results in an inquiry from a regulatory agency, law enforcement agency, or Client’s business customer, Client shall cooperate and assist 4ward in providing a response to said party, including making appropriate Client personnel available to participate in face-to-face or telephonic meetings as reasonably requested by 4ward. 4ward will cooperate with Client, at Client’s expense, in any litigation or investigation deemed reasonably necessary by Client to protect its rights relating to the use, disclosure, protection and maintenance of Personal Information. 4ward will reimburse Client for reasonable costs incurred by Client in responding to, and mitigating damages caused by, a Security Incident that is under 4ward’s responsibility. 4ward will use reasonable efforts to prevent a recurrence of any such Security Incident.

4.5 REPORTING

If requested by Client, 4ward will provide a final written incident report within twenty (25) business days after resolution of a Security Incident or upon determination that the Security Incident cannot be sufficiently resolved.

5. CHANGES

In the event of any change in 4ward’s data protection or privacy obligations due to legislative or regulatory actions, industry standards, technology advances, or contractual obligations, 4ward will work in good faith with Client to promptly amend this Exhibit accordingly.