DEAR Systems is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing robust security and data protection mechanisms that enable both DEAR Systems and the customer to ensure the security of data across our Products and Services.
This Customer Data Protection Policy (“Policy”) provides customers with a standard set of security safeguards used in the performance of DEAR Systems Products and Support Services purchased under the Subscription Agreement (“Agreement”).
a) Definition. For purposes of this Policy, the term “Data” shall mean Confidential Information and any data or other information provided by customer to which DEAR Systems has or has had access in connection with the Software as a Service Offerings (“SaaS Products”) and professional consulting services and support and maintenance (“Support Services”) purchased under the Agreement.
b) Security and Data Protection Obligations. This Policy applies to:
(i) DEAR Systems and its personnel who may access Data in the course of providing the SaaS Products and Support Services;
(ii) all Data collected, stored, processed or transmitted by customer using the SaaS Products;
(iii) all information systems owned or operated by DEAR Systems that are used in connection with the provision of the Support Services; and
(iv) all information hosting facilities used in connection with the provision of the SaaS Products. This Policy applies to any subcontractors and their personnel to the same extent as it applies to DEAR Systems.
Information Security Controls
a) Security Control Program. DEAR Systems represents and warrants that it developed, implemented, and maintains a comprehensive written information security control program (“Program”) applicable to the SaaS Products, that contains administrative, technical, and physical safeguards that are appropriate to the need for security and confidentiality of the Data. The safeguards contained in such Program are and shall remain consistent with the safeguards set forth in any state applicable to the Products and practiced by top tier providers of services similar to those provided by DEAR Systems.
b) Information Security Controls. At customer’s request, DEAR Systems shall provide customer with written evidence of its Program covering all information systems, equipment and facilities used in connection with the provision of the Products.
c) Hosting Facility. DEAR Systems uses the Microsoft Azure platform as the hosting provider for its SaaS Products. Microsoft provides robust physical and perimeter security for its data centres through a strong combination of physical, technical and administrative controls. DEAR Systems has reviewed the appropriate documentation provided by Microsoft to validate those controls.
Personnel, Communications and Operations Management
a) Without limiting the generality of the foregoing, DEAR Systems Program includes:
i) A designated team responsible for maintaining DEAR Systems information security controls.
ii) Identifying, assessing and promptly correcting reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any Data, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
(1) ongoing employee (including temporary and contract employee) training;
(2) employee compliance with policies and procedures; and
(3) means for detecting and preventing security system failures.
iii) Security policies for employees relating to the access of Data.
iv) Imposing and enforcing disciplinary measures for violations of the comprehensive information security controls.
v) Preventing terminated employees from accessing any Data.
vi) Overseeing subcontractors by taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect Data consistent with these Information Security and Data Protection obligations.
vii) Regular monitoring to ensure that the Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Data, and upgrading information safeguards as necessary to limit risks.
viii) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Data.
ix) Notifying customers of any breach, or of any actual non-compliance by DEAR Systems with any applicable Data protection law or any provision of this Policy, as soon as reasonably possible after becoming aware of such breach or non-compliance.
x) Documenting and recording responsive actions taken in connection with any incident involving a breach of security, and a mandatory post-incident review of events and of any actions taken to make changes in business practices relating to the protection of Data.
Computer System Security Requirements
DEAR Systems Program includes the following commonly requested security protocols:
a) Secure user authentication protocols including:
i) Adherence to the principles of “Deny all”, “Need to know” and “Least privilege”;
ii) Strong control of user IDs and other identifiers;
iii) Secure method of assigning and selecting passwords, with appropriately strong parameters, as well as the use of unique identifier technologies;
iv) Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
v) Access is restricted to active users and active user accounts only; and
vi) A user's access is blocked after multiple unsuccessful attempts to gain access to a system.
b) Secure access control measures that:
i) Restrict access to records and files containing Data to only those who need such information to perform their job duties; and
ii) Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
c) Encryption is used to:
i) Protect transmitted records and files containing Data that will travel across public networks, and, if applicable, encryption of all Data to be transmitted wirelessly, with encryption in all cases at a strength that is commercially reasonable given the nature of the data transmitted and the transmission method(s).
d) Systems are monitored for unauthorized use of or access to Data.
e) Encryption is in place on all Data stored on laptops or other portable devices.
f) For files containing Data on a system that is connected to the Internet, there must be up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Data.
g) Up-to-date versions of system security agent software, including malware protection and current patches (or a version of such software that can still be supported with up-to-date patches), configured to receive the most current security updates on a regular basis.
h) Education and training of employees on the proper use of the computer security system and the importance of Data security.