Does Cloud Software Group have a documented information security policy and program, approved by management and based upon an IT Governance framework such as ISO 27001?

Yes. Our company's security and compliance framework leverages the suite of information security controls found within the Industry Standards Organization (ISO) 27001 and 27002, National Institute of Standards and Technology (NIST) Special Publication 800-53, and Center for Internet Security (CIS) standards. This framework provides a consistent and unified approach to securing the assets of the corporation, while protecting the interests of the company, shareholders, customers and employees. Our company reviews our security and compliance policies and standards at least annually. These policies and standards are available to all employees via the Intranet site.

Employees must accept and acknowledge understanding of these policies and procedures as well as potential implications of not adhering to them. It is the responsibility of every employee with access to corporate information and information systems to know what behaviors are expected and to conduct their activities accordingly. Cloud Software Group Code of Business Conduct and Acceptable Use Policy (AUP) inform employees of what is acceptable and expected behaviors and conduct.

Does Cloud Software Group maintain any independent security audits and / or certifications?

Yes. Our company has achieved certifications for many of our products. Please see: https://www.cloud.com/trust-center/certifications {no-icon}

Has a designated person/function been appointed to be accountable for overseeing the information security and privacy program management, maintenance, and compliance?

Yes. Our company employs a full-time Chief Information Security Officer (CISO) and maintains a Security and Trust Organization. Our company’s Privacy team, headed by the Chief Privacy Officer, is responsible for data privacy.

For additional information regarding our privacy management program, please see our Privacy Policy {no-icon}.

Does Cloud Software Group maintain a formal Access Management policy/program?

Yes. The Access Management Policy ensures the security and integrity of Cloud Software Group's information assets. This policy specifies the requirement to limit access to non-public information, ensure authorized user access, prevent unauthorized access to systems and services, and make users accountable for safeguarding their authentication information and preventing unauthorized access to systems and applications.

A formal user access provisioning process is used to assign access based on least privilege. Access, including privileged access, is granted based on job function or role. Segregation of duties is part of the overall process of creating job roles and functions. New user access, new access for existing users, or user access change requests follow a formal request process and are tracked through the internal ticketing system. Management approves access prior to access being granted or changed. User accounts follow predefined naming schemas and password requirements.

Technologies must be used to Authenticate, Authorize and Audit organization users, devices and third party systems before establishing a connection. MFA is invoked for remote network access; third-party systems, applications and/or services access to critical systems. Single Sign On (SSO) authentication service is implemented

Password complexity and management are defined by the Cloud Software Group Password Policy. Unique user IDs enforce accountability within the system components (operating system, application, and database). Role based access restricts access to particular functions, in compliance with the security principle of least-privilege.

Our company performs quarterly reviews over user accounts and assigned permissions for key systems. New access to systems is reviewed and approved by management prior to being granted. As part of the termination process, user access is disabled/deleted in a timely manner.

Does Cloud Software Group maintain a formal Asset Management and data classification policy/program?

Yes. Our company has an Asset Management Policy, which addresses how hardware and software assets are managed.

We maintain a risk-rated inventory of our company's owned software and hardware assets. Assets in the inventory are assigned an owner, have rules for acceptable use, labeled, and are classified. The asset classifications are measured in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.

Products that have reached the end of their life and are no longer supported by a vendor will be assigned a sunset date. The sunset date is when the product is scheduled to be removed from production and set far enough in advance to give management time to fund and plan for replacements.

Our company has documented a formal Information Classification and Handling policy which contains a classification control matrix. This matrix defines the required security controls based on the type of data. The matrix covers data in motion and at rest.

Does Cloud Software Group maintain a formal Information Security Risk Management program?

Yes. The Cybersecurity Risk Management Standard describes the process of managing security risks for the Cloud Software Group Information Security Policy and applies to all departments and business units within Cloud Software Group’s Information Security Policy.

Does Cloud Software Group maintain a formal Physical Security policy/program?

soc-item

Yes. Our company maintains a Physical Security and Control of Entry Policy which is designed to enable the protection of Cloud Software group employees, guests, information systems, infrastructure and other assets located at Cloud Software Group facilities from damage, compromise and unauthorized access.

Does Cloud Software Group maintain a formal Physical Security policy/program?

Access to sites and to restricted areas within Sites is driven by need - only those who need access to the site in order to do their job shall be allowed access.

Our company's control of entry systems are designed to control and manage access to Sites and restrict access to high risk areas within a building to authorized personnel only.

Our company requires physical access control systems at each site. Every access control system requires the prior approval of the Cloud Software Group Global Risk Services.

Does Cloud Software Group conduct a Business Impact Analysis?

Yes. Our company assesses all assets and business functions in real time through the Business Impact Analysis (BIA). To validate the recoverability of assets and business functions, quarterly technology drills and annual business function exercises are executed with issues tracked to closure. The BIA provides information necessary to develop Disaster Recovery and Business Continuity plans for each of our locations globally. BIA results are analyzed and recovery strategies are developed, ensuring Recovery Time and Recovery Point Objectives are calculated based on risk and impact criteria.

Does Cloud Software Group maintain a formal Business Continuity and Disaster Recovery Policy/Program?

Yes. A Business Continuity Program Management structure is in place that includes a dedicated full-time team with a focus on Incident Response and Business Continuity.

Business Continuity goals include maintaining business-critical functions and services during and after a wide range of disruptive events, as well as limiting the impact a major event has on our customers, operations and overall company well-being. Our purpose is to ensure rapid recovery and timely resumption of company operations to protect employees, customers, shareholders, and our company's reputation.

The Business Continuity Program operates globally and spans across every line of business. Each business is taken through a life cycle of events to ensure it has been properly analyzed, measured, documented and ultimate resiliency tested.

A recovery strategy has been developed for our work campuses globally for all critical locations. Technology recovery for critical business units is provided via contracted services. A command and control center for coordination of events has been determined.

Table top exercises are conducted on a yearly basis to ensure plans are kept up to date and the team is familiar with the response and recovery processes.

During a major event, our company activates its Incident Response Team (IRT) to execute any of its various plans. The IRT is made up of smaller teams that have specific roles in the recovery process. The core team mission is to provide overall direction in responding to any event and enabling business while ensuring staff safety.

Based on our global presence, our company uses the follow the sun framework for areas such as Tech Support and Customer Care. Utilizing this framework on a daily basis provides us with the ability to quickly reroute mission critical services to an alternate location.

An IT Disaster Recovery Plan has been developed and is tested on a quarterly basis. Quarterly exercises of the IT Disaster Recovery Plan have been conducted over the past several years. These exercises involve the restoration of critical production processing using the DR Data Center.

Does Cloud Software Group regularly test the Business Continuity and Disaster Recovery Policy/Program?

Yes. Table top exercises are conducted on a yearly basis to ensure plans are kept up to date and the team is familiar with the response and recovery processes. Formal testing of these plans is conducted annually. The IT Disaster Recovery Plan is tested on a quarterly basis.

Does Cloud Software Group maintain security incident and privacy event management policies and procedures?

Yes.Our company's Incident Response Plan governs the response, documentation and reporting of incidents affecting computerized and electronic communication resources, such as theft, intrusion and misuse of data. The purpose of the plan is to ensure a rapid response to a suspected security event, and the timely investigation of the event in order to protect our customers, employees, shareholders and company reputation. The plan provides guidance to ensure our company meets its notification requirements and legal obligations to affected individuals, customers, government agencies and other entities.

Will the Customer be notified of security incidents affecting the Customer resources?

Yes. Our company maintains an Incident Response Standard and has established a Cybersecurity Incident Response Team (CSIRT). The CSIRT is led by Security with functional stakeholders as core team members. The Legal team manages Incident Communications and the Internal Communications Team is part of the IR extended team. Internal Communications and PR are the same team.

If our company determines that any data uploaded to Customer’s account for storage or data in Customer’s computing environment to which our company is provided access in order to perform Services has been subject to a Security Incident, Customer will be notified within the time period required by applicable law.

Are all employees required to formally acknowledge they have received new hire and refresher information security and privacy awareness training?

Yes. Our employees sign Non-Disclosure Agreements (NDA) which identifies our company's confidentiality obligations.

Training is required upon hire and then annual for privacy and security training. Employees must accept and acknowledge understanding of the Security and Compliance Policies as well as potential implications of not adhering to them. It is the responsibility of every user with access to corporate information and information systems to know what behaviors are expected and accepted and to conduct their activities accordingly. At the end of each course, an assessment is required to verify understanding of the training.

Our company’s Code of Business Conduct and Acceptable Use Policy inform employees of what is acceptable and expected behaviors and conduct.

Does Cloud Software Group perform background checks on new employees?

Yes. Based on the sensitivity of the underlying job, various levels of background checks are performed on applicants prior to or following their employment.

Background verification checks on candidates for employment are carried out in accordance with relevant laws, regulations and ethics and are thereby proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Are Cloud Software Group’s suppliers and subcontractors contractually required to comply with the company's information security and privacy policies, standards, and practices?

Yes. Our company maintains a Third-party Management Policy that list the technical and organizational measures and security controls that our company's vendors and partners are required to adopt when (a) accessing our company or our customer's Facilities, Networks and/or Information Systems, or (b) accessing, processing, or storing our company's Confidential Information.

We perform periodic security risk assessments designed to ensure security measures remain in place throughout the supplier relationship. Changes to services provided or changes to existing contracts require a security risk assessment to confirm that the changes do not present additional or undue risk.

Onboarding

Our Third-Party Risk Management Program provides a systematic approach to managing security risks posed by the use of third-party suppliers. We work to identify, analyze and mitigate security risks prior to engaging in the procurement of such third parties.

Cloud Software Group executes agreements with suppliers to document relevant security measures and obligations consistent with those specified in this Exhibit.

For more information, please reference the Supplier Security Standards {no-icon} [external-blue-link.svg].

Does Cloud Software Group maintain a formal software development life cycle (SDLC) policy/program?

Yes. Our company maintains a Software Development Lifecycle Policy (SDLC) which promotes a Secure by Design approach which includes security training, threat modeling, design reviews, code reviews, and penetration testing.

Our company uses a suite of commercial and in-house developed testing tools. The Engineering Security Team’s testing includes, but is not limited to exploit development, cloud hardening tests, fuzzing, and manual/assisted source code reviews. The Security team assesses the product for CWE-Top-25 as well as OWASP-Top-10 as per its applicability on the target application.

Does Cloud Software Group maintain a Patch Management standard/program?

Yes. Our Vulnerability and Patch Management Policy outlines the process for evaluating and applying patches and notes that changes to system software and critical software may require additional vulnerability testing to determine if there is any risk exposure. Security related patches or fixes are tested and applied following the established change management process (testing, acceptance and final sign-off).

Does Cloud Software Group regularly conduct vulnerability assessment and penetration testing of its infrastructure and applications?

Yes.Our company performs periodic internal reviews and assessments based on assessed risk, and will contract with independent parties to do so when as required by certifications and standards, and as appropriate. These reviews include IT controls assessments, vulnerability assessments, and penetration tests. Results are reviewed by qualified security personnel and remediated according to threat & vulnerability management processes.

We use qualified external assessors and an internal security testing team to perform threat modeling, vulnerability scanning, and penetration testing for our cloud services.

Each distinct cloud service currently adheres to its own individual testing and evaluation schedule.

Each release of our cloud services requires security assessments by our internal testing team prior to new releases.

Are network boundary controls and logging in place?

Yes. Our company manages the externally facing attack surface using processes such as monitoring, automation, and security testing. Cloud platform providers provide a significant number of native security capabilities as well including host-based and perimeter firewalls, intrusion detection and prevention systems, anti-DDoS capabilities, and centralized visibility using services like Azure Security Center. Further, the products, services, and components hosted within public clouds ship logs to our company’s security information and event management system (SIEM), which provides alerting and event correlation capabilities.

Firewall devices are configured to restrict access to the Cloud Software Group environment by limiting the types of activities and service requests that can be performed from external connections.

Firewall rules follow an established standard that leverages least privilege permissions approach, among other leading practices.

Are network boundary controls and logging in place?

Yes. Our company requires multi-factor authentication (TOTP) to access the network remotely. In addition, multifactor is required to log into the Cloud Consoles remotely. For remote access directly into production machines, a user requires the VPN configuration file, the VPN management username and password, and their Production systems username and password.