I. Administrative and Organizational Safeguards
- ArborKnot maintains ISO 27001/27701 certifications (2022) and SOC 2 Type 2 Report (2022).
- ArborKnot maintains policies and procedures, including the following:
- Information Security Program, which sets forth ArborKnot’s procedures with regard to maintaining the safeguards set forth in this Addendum.
- Incident Response Plan, which sets forth ArborKnot’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
- Business Continuity and Disaster Recovery Plans, which set forth ArborKnot’s assessment of the criticality of its systems and data and establishes procedures for maintaining backups, recovering lost data, operating in emergency mode, and testing contingency and recovery procedures.
- ArborKnot regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
- ArborKnot has appointed a qualified individual to oversee and manage its Information Security Program and has a predefined incident response team for activation in the event of a Security Breach.
- ArborKnot maintains role-based access restrictions for its systems, including restricting access to only those ArborKnot employees or subcontractors that require access to perform the services described in the Agreement, or to facilitate the performance of such services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
- ArborKnot periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for ArborKnot employees that no longer need such access.
- ArborKnot assigns unique usernames to authorized ArborKnot employees and requires that ArborKnot employees’ passwords satisfy minimum length and complexity requirements and be changed periodically.
- ArborKnot provides training to ArborKnot employees, as relevant for their roles, at least annually on confidentiality and security, including on the topics of data protection, phishing and social engineering.
- ArborKnot requires ArborKnot employees to acknowledge ArborKnot’s Information Security Program.
- ArborKnot has a policy in place to address violations of its Information Security Program.
- ArborKnot implements HR security practices in accordance with ArborKnot Company Policy and Law.
- ArborKnot conducts annual assessments of the risks and vulnerabilities to the confidentiality and security of its’ clients Data.
II. Technical Security
- ArborKnot logs system activity—including authentication events, changes in authorization and access controls, and other system activities—and regularly reviews and audits such logs.
- ArborKnot maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert of suspicious network activity, and anti-virus and malware protection software.
- ArborKnot has implemented workstation protection policies for its systems, including automatic application logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
- ArborKnot requires multi-factor authentication for remote network and system access.
- ArborKnot conducts regular and periodic vulnerability scans and assessments on all systems storing, processing, or transmitting its’ clients Data to identify potential vulnerabilities and risks to Its’ clients’ Data.
- ArborKnot remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all high-risk mitigating manufacturer- and developer-recommended security updates and patches to systems and software storing, processing, or transmitting Its’ clients Data.
- ArborKnot has implemented encryption controls to ensure that Its’ clients’ Data is not improperly modified without detection.
III. Physical Security
- ArborKnot restricts access to its facilities, equipment, and/or devices to ArborKnot employees with authorized access on a need-to-know basis.
- ArborKnot logs access to its facilities, equipment, and devices and regularly reviews and audits such logs.
- ArborKnot runs real-time database replication to ensure that Its’ clients Data is both backed up and available on redundant and geographically dispersed systems, physically separated from the primary ArborKnot application servers.
- ArborKnot has implemented policies and products regarding the proper disposal or re-use of equipment, devices, and electronic media.
- ArborKnot has disaster recovery and unscheduled incident plans and procedures in place in the event of an emergency, including maintaining disaster recovery infrastructure.
IV. Incident Response
- Consistent with its Incident Response Plan, ArborKnot takes steps in the aftermath of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Its’ clients’ Data to investigate, mitigate, remediate, and otherwise respond to such security incidents. ArborKnot will inform its’ clients of a confirmed security incident within 72 hours of becoming aware. ArborKnot will notify Its’ clients at the email address associated with Its’ clients’ administrator account, or at another email address that Its’ clients provide to ArborKnot in writing for purposes of security incident notifications.
- In the event that Its’ clients are subject to a regulatory inquiry or threatened litigation relating to a security incident, ArborKnot will provide its’ clients with reasonable assistance and support in responding to such investigation.
- ArborKnot conducts diligence of prospective subcontractors to ensure that they are capable of meeting the security standards herein and requires them to comply with terms substantially similar to those set forth herein.