Exponent Partners Data Security Policy
Exponent Partners takes the security and confidentiality of our customers’ data seriously. We have developed and implemented this data security policy (the “Policy”) to help protect our customers’ confidential information and personal information (collectively “Customer Data”).
The Policy includes the following key elements:
Preventing unauthorized persons from gaining access to data processing systems (physical access control)
- Exponent Partners uses reputable third party providers of cloud infrastructure services whose data centers offer robust physical security controls including, as appropriate, perimeter controls such as fencing, walls, security staff, video surveillance, and intrusion detection systems, as well as electronic means such as two-factor authentication to access data center floors.
- Access to the premises of Exponent Partners is only authorized to personnel with a business need.
- Visitors to the premises of Exponent Partners are required to be escorted at all times.
Preventing Customer Data processing systems from being used without authorization (logical access control)
- Exponent Partners maintains a separate authentication system for accessing production systems, and access to production systems is controlled and maintained by Exponent Partners.
- Access is role based and granted after demonstrated business need and must be approved by the employee´s manager and the operations team.
- Account login parameters follow these rules:
- Accounts are not shared
- Accounts are locked after 3 failed log-in attempts
- Strong password configurations adhere to the following rules:
- Must be at least 8 characters in length
- Has at least one numerical character
- Has at least one lower case character
- Has at least one upper case character
- May not include part of the login username
- Must be different than the previous 10 passwords
Ensuring that persons entitled to use a data processing system gain access only to such Customer Data as they are entitled to access in accordance with their access rights and that, in the course of processing or use and after storage, Customer Data cannot be read, copied, modified or deleted without authorization (data access control)
- For production access, Exponent Partners maintains segmented development and production environments, using technical and physical controls to limit network and application-level access to live systems. Employees must have specific authorizations to access development and production systems.
- Exponent Partners identifies, periodically reviews, and as needed, expands storage capacity to ensure that sufficient capacity always exists and is never exceeded.
Ensuring that Customer Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage (data transfer control)
- All connections to the servers occur over encrypted Secure Shell (SSH), Secure Sockets Layer (SSL) or Transport Layer Security (TLS) channels.
- Remote access by administrators always requires multi-factor authentication.
Ensuring that Customer Data is processed solely in accordance with customer instructions (control of instructions)
- Anyone who is found to violate Exponent Partner security policies will be subject to disciplinary action including termination of employment or contract.
- Employees and contractors are required to sign a non-disclosure agreement or other confidentiality agreement upon employment or retention.
- Exponent Partners conducts ongoing security training within development teams to enhance security knowledge throughout the company and improve the overall security of our products and services.
- Exponent Partners maintains segmented development and production environments for all its services, using technical controls to limit network and application-level access to live production systems. Employees must have specific authorizations to access development and production systems, and employees with no legitimate business purpose are restricted from accessing these systems.
Ensuring that Customer Data is protected against accidental destruction or loss (availability control)
- Exponent Partners’ cloud infrastructure service providers monitor all servers 24/7 to ensure the integrity of the data.
- Exponent Partners uses multiple layers of network and host-based security.
- Exponent Partners’ cloud infrastructure service providers maintain disaster recovery processes to allow for continuation of data collection and to provide an effective and accurate recovery.
Ensuring that Customer Data collected for different purposes can be processed separately (separation control)
- Exponent Partners’ cloud infrastructure service providers provide a multi-tenant architecture with Customer Data logically segregated. The only access to these servers and databases is via secure access by the application.
- Exponent Partners maintains testing environments separate from production environments to avoid use of Customer Data in testing environments.