SUPPLEMENTAL TERMS AND CONDITIONS
SECTION 1: How We Protect Service Data
Chartlytics is committed to providing a robust and comprehensive security program including the security measures set forth in these Supplemental Terms (“Security Measures”). During the Subscription Term, these Security Measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as We deem reasonably necessary.
Security Measures Utilized by Us
As provided for in Section 3.2 of the Agreement, We will abide by these Security Measures to protect Service Data as is reasonably necessary to provide the Services:
- Security Policies and Personnel. We have and will maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is and will be reviewed on a regular basis to provide for continued effectiveness and accuracy. We have, and will maintain, a full-time information security team responsible for monitoring and reviewing security infrastructure for Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
- Data Transmission. We will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Service Data. These safeguards include encryption of Service Data in transmission (using TLS or similar technologies) over the internet, except for any Third Party Services that do not support encryption, which You may link to through the Services at Your election.
- Access Control and Privilege Management. We restrict administrative access to subscriber production systems to operational personnel. We require such personnel to have unique IDs and passwords. These unique IDs are used to authenticate and identify each person’s activities on Our systems, including access to Service Data. Upon hire, Our operational personnel are assigned unique IDs. Upon termination, these unique IDs are revoked. Access rights and levels are based on Our employees’ job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
- Network Management and Security. The data centers utilized by Us maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. Our security team utilizes industry standard utilities to provide defense against known common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular external vulnerability audits.
- Data Center Environment and Physical Security. Our network, database, and Application Software are securely hosted by Amazon Web Services (https://aws.amazon.com/). Amazon AWS provides multiple layers of security to increase privacy and control network access.
  5.1 Application and network firewalls protect all connectivity into our application and database servers. We utilize Amazon AWS Security Groups and Virtual Private Clouds to limit access to servers based on application access needs.
  5.2 We encrypt all our data both at rest and in transit in compliance with HIPAA guidelines. For at-rest encryption we use AES256 disk-level encryption on our database servers. For transit, all of our server connections are secured by SSL/TLS using TLS 1.0 and RSA 2048-bit encryption using the SHA256 signature algorithm. Additionally, we provide audit logs of Performer and data access and actions.