SECURITY

Security Standards

Mar 5, 2023

The following describes Theary’s security standards with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms shall have the meaning assigned to them in the Agreement unless otherwise defined herein.

1. Security Program

1.1 Security Program. Theary will implement and maintain a risk-based information security program that includes administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of Customer Data.

1.2 Security Framework. The information security framework will be based on the ISO 27001 Information Security Management System and will cover the following areas: security risk management, policies and procedures, security incident management, access controls, vulnerability management, physical security, operational security, corporate security, infrastructure security, product security, business continuity disaster recovery, personnel security, security compliance, and vendor security.

1.3 Security Organization. Theary will have a dedicated security team responsible for implementing, maintaining, monitoring, and enforcing security safeguards aligned with the information security management system.

2. Security Assessments, Certifications, and Attestations

2.1 Security Program Monitoring. Theary performs periodic assessments of its information security program, including internal audits and risk assessments, to identify risks and ensure that controls are operating effectively.

2.2 Audits. Theary will engage qualified external auditors to assess its information security program against the AICPA SOC 2 Trust Services Criteria for Security in order to obtain a SOC 2 Type 1 report. Assessments will be conducted annually thereafter, resulting in a SOC 2 Type 2 report, which will be made available to Customer pursuant to Section 2.5.

2.3 Penetration Tests. Theary will engage a qualified third-party to perform penetration tests covering the scope of the services at least annually. Theary will make available to its customers an executive summary of the most recently completed penetration test pursuant to Section 2.5.

2.4 Bug Bounty Program. Theary must maintain a bug bounty program that enables independent security researchers to report security threats and vulnerabilities on an ongoing basis. Identified findings must be addressed and mitigated based on risk and in a timely manner.

2.5 Security Artifacts. Theary will make available to Customer security artifacts that demonstrate its compliance with these data security standards and the frameworks listed in Section 2.2. Artifacts will include the SOC 2 audit report, completed industry-standard questionnaires, an executive summary of penetration test results when performed, and a summary of the Business Continuity and Disaster Recovery Plan.

2.6 Customer Audits. To the extent that Customer cannot reasonably confirm Theary’s compliance with these data security standards from the information provided by Theary, Customer may make a written request to conduct a remote audit at Customer’s cost with at least thirty days’ notice. The written request must specify the areas that cannot be confirmed through the artifacts made available to Customer. The audit must be conducted during the Agreement Term, and its scope must be mutually agreed upon between Customer and Theary prior to the commencement of the audit. The audit must be carried out during regular business hours with minimal disruption to Theary’s business operations and will occur no more than once annually.

3. Security Incident Management

3.1 Security Monitoring. Theary will monitor its information systems to identify unauthorized access, unexpected behavior, certain attack signatures, and other indicators of a security incident.

3.2 Incident Response. Theary will maintain a Security Incident Response Plan that is reviewed and tested at least annually to establish a reasonable and consistent response to security incidents and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored, or otherwise processed by Theary.

3.3 Incident Notification. Theary will promptly investigate a Security Incident upon becoming aware of such an incident. To the extent permitted by applicable law, Theary will notify customers of a Security Incident in accordance with its obligations under the Data Processing Addendum. Customer is responsible for providing Theary with updated security contact information.

4. Security Controls

4.1 Access Control

  • 4.1.1 Restricted Access. Access to Customer Data is restricted to authorized Theary personnel who are required to access Customer Data to perform functions as part of the delivery of services. Access is granted based on the principle of least privilege and access granted is commensurate with job function. Access to Customer Data must be through unique usernames and passwords and multi-factor authentication must be enabled. Access is disabled within one business day after an employee’s termination.

  • 4.1.2 Passwords. Theary will maintain a password policy that follows the NIST SP 800-63B requirements for memorized secrets.
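As an added illustration of what the NIST SP 800-63B memorized-secret requirements referenced in 4.1.2 look like when enforced in code (this is example code written for this page, not Theary’s own implementation; the breached-password set, the service word list, and the function names are constructed for the example): the verifier enforces a minimum length of 8, accepts at least 64 characters, allows any printable character including spaces and Unicode, NFKC-normalizes input, screens against a compromised-password list, repetitive or sequential strings, and context-specific words, and deliberately imposes no composition rules.

```python
"""Memorized-secret verifier following NIST SP 800-63B section 5.1.1.2.

Example code written to illustrate the policy referenced in 4.1.2.
The breached-password corpus and service words below are constructed
stand-ins; a real deployment would feed in a breach corpus and the
service's own identifiers.
"""
import unicodedata

MIN_LEN = 8      # minimum length for a subscriber-chosen secret
MAX_LEN = 64     # verifiers must accept at least 64 characters

# Constructed stand-in for a compromised-password corpus.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}

# Constructed context-specific words (service name, product name, etc.).
SERVICE_WORDS = {"theary"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares identically."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    """Reject strings such as 'aaaaaaaa', 'abcdefgh', '12345678' and their reverses."""
    if len(set(secret)) == 1:
        return True
    cps = [ord(c) for c in secret]
    diffs = {b - a for a, b in zip(cps, cps[1:])}
    return diffs in ({1}, {-1})


def check_password(secret: str, username: str = "") -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Reasons is empty when the secret is accepted.

    Note what is *not* checked: no required character classes, no hint,
    no expiry. 800-63B forbids composition rules and periodic rotation.
    """
    reasons: list[str] = []
    secret = normalize(secret)

    # Length is counted in code points after normalization; spaces count.
    if len(secret) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    # Any printable character is allowed; control/format characters are not.
    if any(unicodedata.category(c).startswith("C") for c in secret):
        reasons.append("contains control characters")

    # Blocklist screening is done case-insensitively on the normalized secret.
    lowered = secret.casefold()
    if secret in BREACHED_PASSWORDS or lowered in BREACHED_PASSWORDS:
        reasons.append("appears in a compromised-password corpus")
    if secret and is_repetitive_or_sequential(secret):
        reasons.append("repetitive or sequential characters")
    if username and username.casefold() in lowered:
        reasons.append("contains the username")
    if any(word in lowered for word in SERVICE_WORDS):
        reasons.append("contains a service-specific word")

    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "password1", "P@ss1", "abcdefgh"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

The point worth noticing is the rejection of "P@ss1": it fails only on length, even though it would satisfy a legacy "upper, lower, digit, symbol" rule, while a long all-lowercase passphrase passes. That is the behaviour the NIST requirements call for.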

4.2 Application Security

  • 4.2.1 SDLC. Theary will maintain a formal Change Management Policy that embeds security throughout the software development lifecycle and takes into account the OWASP Top 10 Web Application Security Risks.

  • 4.2.2 Code Review and Testing. All changes to code that impact Customer Data will be reviewed and tested prior to being deployed to production.

  • 4.2.3 Vulnerability Management. Theary will maintain a vulnerability management program that ensures identified vulnerabilities are prioritized, addressed, and mitigated based on risk. Theary will use commercially reasonable efforts to address critical vulnerabilities within 30 days.

  • 4.2.4 Third-party Software Dependencies. Theary must ensure that third-party libraries and components are appropriately managed and that updates are installed in a timely manner when it is determined that they have the potential to affect the security posture of the Service.

4.3 Encryption. Theary will encrypt Customer Data in transit and at rest using industry-standard encryption algorithms appropriate to the mechanism of transfer or storage (e.g., TLS 1.2 for data in transit, AES-256 for data at rest).

4.4 Availability and Disaster Recovery. Theary will implement and maintain a documented set of disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster. Additionally, Theary will perform annual tests of its disaster recovery plan and will make available a summary of the results to its customers.

4.5 Backups. Theary will perform regular backups of Customer Data and ensure that backups have the same protections in place as production databases.

4.6 Device Security. Theary devices that access Customer Data must be centrally managed and the following security settings must be enabled: hard drive encryption, local password enabled, and anti-virus and/or anti-malware software must be installed, continuously enabled, and automatically updated.

4.7 Physical Security. Theary will ensure that all physical locations that process, store, or transmit Customer Data are located in a secure physical facility. Theary must review third-party security certifications of its third-party cloud hosting providers on at least an annual basis to ensure that appropriate physical security controls are in place.

4.8 Vendor Risk Management. Theary must maintain a formal vendor risk management program that ensures all third-party vendors who have access to Customer Data undergo a risk assessment prior to being onboarded. Vendors with access to Customer Data must enter into a data processing agreement with Theary that contractually requires them to protect Customer Data and to meet minimum information security and privacy requirements, including reporting of security incidents and breaches.

4.9 Risk Assessment. Theary will maintain a risk management program to identify, monitor, and manage risks that may impact the confidentiality, integrity, and availability of Customer Data.

4.10 Security Training. Theary will provide its personnel with information security and privacy training upon hire and on at least an annual basis thereafter. Additionally, all employees are required to sign and acknowledge Theary’s Information Security and Data Protection policy upon hire.

4.11 Personnel Security. Theary will perform background verification checks on employees who have access to Customer Data, at least upon initial hire, in accordance with relevant laws, regulations, ethical requirements and, for non-US jurisdictions, accepted local practices (unless prohibited by law). The level of verification will be appropriate to the employee’s role, the sensitivity of the information accessed in that role, the risks that may arise from misuse of that information, and accepted local practices in non-US jurisdictions. At a minimum, the following checks will be performed for each individual upon initial hire, unless prohibited by law or inconsistent with accepted local practices in non-US jurisdictions: (i) identity verification and (ii) criminal history.

5. Updates to Data Security Standards

Customer acknowledges that Theary may update or modify the Data Security Standards from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service.
