
Security and Privacy Policy
SECURITY & PRIVACY DOCUMENTATION FOR ITDEFENSESHIELD.COM
(last updated May 6, 2022)
ITDS’ Commitment to Security & Privacy
ITDS is committed to achieving and preserving the trust of our customers, by providing a comprehensive security and privacy program that carefully considers data protection matters across our suite of products and services, including data submitted by customers to our online service (“Customer Data”).
Covered Services
This documentation describes the security-related and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to, the ITDS online services branded as the ITDefenseShield.com Service (hereinafter, the “Service” or “ITDS Service”). For the avoidance of doubt, except for the Customer Eligibility and Additional Customer Data Requirements sections, the Service and this documentation do not apply to Professional Services, Non-ITDS Applications, or Free Trial Services made available by ITDS.
Customer Eligibility
The ITDefenseShield.com Service is available only to: (1) U.S. Department of Defense entities (a bureau, office, agency, department, or other entity managed by the U.S. Department of Defense) or (2) non-Department of Defense entities that upload U.S. Department of Defense-controlled data to ITDS’s Service in the form of Customer Data in fulfillment of a government contract.
Additional Customer Data Requirements
As of the date this documentation was last updated, ITDS does not have a FedRAMP Authority to Operate for the ITDS Service. Customers may not submit Customer Data to the Service that is categorized as Department of Defense Impact Level 2 or higher. Customers may not submit Customer Data to the ITDS Service that is either (1) subject to International Traffic in Arms Regulations (ITAR) or (2) classified data. A customer will be responsible for all sanitization costs incurred by ITDS if the customer introduces data subject to ITAR or classified data into the ITDS Service, and such liability of customer shall be exempt from the limitation of liability set forth in the customer’s agreement.
Architecture, Data Segregation, and Data Processing
The hosted Service is operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The ITDS architecture provides an effective logical data separation for different customers via customer-specific "Tenant Portals" and allows the use of customer and user role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, such as for testing and production. ITDS has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by ITDS and its sub-processors.
Retrieval of Customer Data
Upon request by a customer made prior to the effective date of termination of the customer’s agreement, ITDS will make Customer Data (other than personal confidential information such as, but not limited to, User passwords, which may not be included except in hashed format) available to the customer for download, at no cost, for thirty (30) days following the end of the agreement’s term, in an industry standard format. After such 30-day period, ITDS shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data by deletion of Customer’s unique instance of the Service. ITDS will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; provided further that in all cases ITDS will continue to protect the Customer Data in accordance with the customer’s agreement. Additionally, during the term of the agreement, Customer may extract Customer Data from the ITDS Service using ITDS’s standard functionality.
Security Controls
The hosted Service includes a variety of configurable security controls that allow ITDS customers to tailor the security of the Service for their own use. ITDS strongly encourages all customers, where applicable in their configuration of the Service’s security settings, to use the optional multi-factor authentication features made available by ITDS or by another identity provider.
Information Security Management Program (“ISMP”)
ITDS maintains a comprehensive information security management program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of ITDS’s business; (b) the amount of resources available to ITDS; (c) the type of information that ITDS will store and process; and (d) the need for security and protection from unauthorized disclosure of such Customer Data. The ISMP is documented and updated based on changes in legal and regulatory requirements related to privacy and data security practices and industry standards applicable to the Service.
ITDS’s ISMP is designed to:
• Protect the integrity and availability of, and prevent the unauthorized disclosure by ITDS or its agents of, Customer Data in ITDS’s possession or control;
• Protect against any anticipated threats or hazards to the integrity and availability of Customer Data, and to the prevention of its unauthorized disclosure by ITDS or its agents;
• Protect against unauthorized access, use, alteration, or destruction of Customer Data;
• Protect against accidental loss or destruction of, or damage to, Customer Data; and
• Safeguard information as set forth in any local, state or federal regulations by which ITDS may be regulated.
1. Security Standards.
ITDS’s ISMP includes adherence to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing may include:
a) Internal risk assessments;
b) NIST guidance; and
c) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit Report”).
2. Security Audit Report.
ITDS provides its customers, upon their request, with a copy of ITDS’s then-current Audit Report, including information as to whether the Security Audit revealed any material findings in the Service; and if so, the nature of each finding discovered.
3. Assigned Security Responsibility.
ITDS assigns responsibility for the development, implementation, and maintenance of its Information Security Management Program, including:
a) Designating a security official with overall responsibility; and
b) Defining security roles and responsibilities for individuals with security responsibilities.
4. Relationship with Sub-processors.
ITDS conducts reasonable due diligence and security assessments of sub-processors engaged by ITDS in the storing and/or processing of Customer Data (“Sub-processors”), and enters into agreements with Sub-processors that contain provisions similar to or more stringent than those provided for in this security and privacy documentation.
5. Background Check.
ITDS performs background checks on any employees who are to perform material aspects of the Service or have access to Customer Data.
6. Security Policy, Confidentiality.
ITDS requires all personnel to acknowledge in writing, at the time of hire, that they will comply with the ISMP and protect all Customer Data at all times.
7. Privacy & Security Awareness and Training.
ITDS has annual, mandatory privacy awareness and training programs for all ITDS personnel that address their obligations related to the processing of personal data that is contained within Customer Data. ITDS has annual, mandatory security awareness and training programs for all ITDS personnel that address their implementation of and compliance with the ISMP.
8. Disciplinary Policy and Process.
ITDS maintains a disciplinary policy and process in the event ITDS personnel violate the ISMP.
9. Access Controls.
ITDS has in place policies, procedures, and logical controls that are designed:
a) To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
b) To prevent personnel and others who should not have access from obtaining access; and
c) To remove access on a timely basis in the event of a change in job responsibilities or job status.
ITDS institutes:
a) Controls to ensure that only those ITDS personnel with an actual need-to-know will have access to any Customer Data;
b) Controls to ensure that access granted to ITDS personnel to any Customer Data is based on least-privilege principles;
c) Controls to require that user identifiers (User IDs) shall be unique and readily identify the ITDS person to whom each is assigned, and no shared or group User IDs shall be used for ITDS personnel access to any Customer Data;
d) Password and other strong authentication controls that are made available to ITDS customers, so that customers can configure the Service to be in compliance with NIST guidance addressing locking out, uniqueness, reset, expiration, termination after a period of inactivity, password reuse limitations, length, and the number of invalid login requests before locking out a user;
e) Periodic (no less than quarterly) access reviews to ensure that only those ITDS personnel with access to Customer Data still require it.
10. Physical and Environmental Security.
ITDS maintains controls that provide reasonable assurance that access to physical servers at the production data center is limited to properly-authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes.
These controls include:
a) Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel;
b) Camera surveillance systems at critical internal and external entry points to the data center;
c) Systems that monitor and control the air temperature and humidity at appropriate levels for the computing equipment; and
d) Uninterruptible Power Supply (UPS) modules and backup generators that provide back-up power in the event of an electrical failure.
11. Data Encryption.
a) Encryption of Transmitted Data: ITDS uses Internet-industry-standard secure encryption methods designed to encrypt communications between its server(s) and the customer browser(s), and between its servers and customer’s server(s).
b) Encryption of At-Rest Data: ITDS uses Internet-industry standard secure encryption methods designed to protect stored Customer Data at rest. Such information is stored on server(s) that are not accessible from the Internet.
c) Encryption of Backups: All offsite backups are encrypted. ITDS uses disk storage that is encrypted at rest.
12. Disaster Recovery.
ITDS maintains policies and procedures for responding to an emergency or a force majeure event that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
a) Data Backups: A policy for performing periodic backups of production file systems and databases to meet the Recovery Point Objective described below;
b) Disaster Recovery: A formal disaster recovery plan for the production environment designed to minimize disruption to the Service, which includes requirements for the disaster plan to be tested on a regular basis;
c) RPO / RTO: Recovery Point Objective is no more than 1 hour and Recovery Time Objective is no more than 24 hours; and
d) Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.
13. Secure Development Practices.
ITDS adheres to the following development controls:
a) Development Policies: ITDS follows secure application development policies, procedures, and standards that are aligned to industry-standard practices and security controls;
b) Training: ITDS provides employees responsible for secure application design, development, configuration, testing, and deployment appropriate (based on role) training by the security team regarding ITDS’s secure application development practices.
14. Malware Control.
ITDS employs then-current industry-standard measures to test the Service to detect and remediate viruses, Trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact the operation or performance of the Service.
15. Data Integrity and Management.
ITDS maintains policies that ensure the following:
a) Segregation of Data: The Service includes logical controls, including encryption, to segregate each customer’s Customer Data from that of other customers; and
b) Back Up/Archival: ITDS performs full backups of the database(s) containing Customer Data no less than once per day and archival storage on no less than a weekly basis on secure server(s) or on other commercially acceptable secure media.
16. Vulnerability Management.
ITDS maintains security measures to monitor the network and production systems, including error logs on servers, disks and security events for any potential problems. Such measures include:
a) Infrastructure Scans: ITDS performs quarterly vulnerability scans on all infrastructure components of its production and development environment. Vulnerabilities are remediated on a risk basis. ITDS installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible;
b) Application Scans: ITDS performs quarterly (as well as after making any major feature change or architectural modification to the Service) application vulnerability scans. Vulnerabilities are remediated on a risk basis. ITDS installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible;
c) External Application Vulnerability Assessment: ITDS engages third parties to perform network vulnerability assessments and penetration testing on an annual basis (“Vulnerability Assessment”). Reports from ITDS’s then-current Vulnerability Assessment, together with any applicable remediation plans, will be made available to customers on written request. Vulnerabilities are remediated on a risk basis. ITDS installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible.
17. Change and Configuration Management.
ITDS maintains policies and procedures for managing changes to production systems, applications, and databases. Such policies and procedures include:
a) A process for documenting, testing and approving the promotion of changes into production;
b) A security patching process that requires patching systems in a timely manner based on a risk analysis; and
c) A process for ITDS to perform security assessments of changes into production.
18. Secure Deletion.
ITDS maintains policies and procedures regarding the deletion of Customer Data in compliance with applicable NIST guidance and data protection laws, taking into account available technology so that Customer Data cannot be practicably read or reconstructed. Customer Data is deleted using secure deletion methods including digital shredding of encryption keys and hardware destruction in accordance with NIST SP 800-88 guidelines.
19. Intrusion Detection & Performance Assurance.
ITDS monitors the Service generally for unauthorized intrusions using traffic and activity-based monitoring systems, and may analyze and share data, such as data collected by users’ web browsers (for example, device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) and authentication event data (collectively, “Threat Information”) for security purposes, including to detect compromised browsers and to help customers detect fraudulent authentications, and to ensure that the Service functions properly. For clarity, Threat Information: (1) is only shared if it is derived from evidenced unauthorized attempt(s) to access and/or use the Service; and (2) does not constitute Customer Data.
20. Incident Management.
ITDS has in place a security incident response plan that includes procedures to be followed in the event of any unauthorized disclosure of Customer Data by ITDS or its agents of which ITDS becomes aware to the extent permitted by law (such unauthorized disclosure defined herein as a “Security Breach”).
The procedures in ITDS’s security incident response plan include:
a) Roles and responsibilities: formation of an internal incident response team with a response leader;
b) Investigation: assessing the risk the incident poses and determining who may be affected;
c) Communication: internal reporting as well as a notification process in the event of a Security Breach;
d) Recordkeeping: keeping a record of what was done and by whom to help in subsequent analyses; and
e) Audit: conducting and documenting a root cause analysis and remediation plan.
ITDS typically notifies customers of significant system incidents by email to the listed admin contact, and for availability incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident and ITDS’s response.
21. Security Breach Management.
a) Notification: In the event of a Security Breach, ITDS notifies impacted customers of such Security Breach. ITDS cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and ITDS provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.
b) Remediation: In the event of a Security Breach, ITDS, at its own expense, (i) investigates the actual or suspected Security Breach, (ii) provides any affected customer with a remediation plan, to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, (iii) remediates the effects of the Security Breach in accordance with such remediation plan, and (iv) reasonably cooperates with any affected customer and any law enforcement or regulatory official investigating such Security Breach.
22. Logs.
ITDS provides procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports. ITDS (i) backs up logs on a daily basis, (ii) implements commercially reasonable measures to protect such logs from unauthorized modification or erasure, and (iii) retains such logs in compliance with ITDS’s data retention policy. If there is suspicion of inappropriate access to the hosted Service, ITDS has the ability to provide customers log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis.
23. Communications with Administrators.
Separate from and as a complement to the Service, we may also communicate with ITDS administrator users (“Admins”), from time to time, including to send announcements and details about our products, services, or other relevant information that Admins’ organizations may find useful. Admins who do not want to receive such communications on behalf of their organizations may update their communications preferences by visiting our subscription center, which is available through their admin panel.