Data Security Requirements
Portal Labs, Inc maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope, and type of Portal Labs, Inc’s business; (b) the type of information that Portal Labs, Inc will store; and (c) the need for security and confidentiality of such information.
Portal Labs, Inc’s security program includes:
1. Security Awareness and Training.
A mandatory security awareness and training program for all members of Portal Labs, Inc’s workforce (including management), which includes:
- Training on how to implement and comply with its Information Security Program; and
- Promoting a culture of security awareness through periodic communications from senior management with employees.
2. Access Controls.
Policies, procedures, and logical controls:
• To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
• To prevent those workforce members and others who should not have access from obtaining access; and
• To remove access on a timely basis in the event of a change in job responsibilities or job status.
3. Physical and Environmental Security.
Controls that provide reasonable assurance that access to physical servers at the production data center, if applicable, is limited to properly authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes. These controls are implemented by Render and they are listed here: https://render.com/security. Specific to Portal Labs, Inc:
- Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel;
- Camera surveillance systems at critical internal and external entry points to the data center, with retention of data per legal or compliance requirements;
- Systems that monitor and control the air temperature and humidity at appropriate levels for the computing equipment; and
- Redundant power supply modules and backup generators that provide backup power in the event of an electrical failure, 24 hours a day.
4. Security Incident Procedures.
A security incident response plan that includes procedures to be followed in the event of any Security Breach. Such procedures include:
- Roles and responsibilities: formation of an internal incident response team with a response leader;
- Investigation: assessing the risk the incident poses and determining who may be affected;
- Communication: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data;
- Recordkeeping: keeping a record of what was done and by whom to help in later analysis and possible legal action; and
- Audit: conducting and documenting root cause analysis and a remediation plan.
5. Contingency Planning.
Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
- Data Backups: A policy for performing periodic backups of production data sources, as applicable, according to a defined schedule;
- Disaster Recovery: A formal disaster recovery plan for the production data center, including:
• Requirements for the disaster plan to be tested on a regular basis, currently twice a year; and
• A documented executive summary of the Disaster Recovery testing, at least annually, which is available upon request to customers.
- Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.
6. Audit Controls.
Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.
7. Data Integrity.
Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.
8. Storage and Transmission Security.
Security measures to guard against unauthorized access to Customer Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any Customer Data stored on desktops, laptops, or other removable storage devices.
9. Secure Disposal.
Policies and procedures regarding the secure disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.
10. Assigned Security Responsibility.
Assigning responsibility for the development, implementation, and maintenance of Portal Labs, Inc’s security program, including:
- Designating a security official with overall responsibility;
- Defining security roles and responsibilities for individuals with security responsibilities; and
- Designating a Security Council consisting of cross-functional management representatives to meet on a regular basis.
Regularly testing the key controls, systems, and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified. Where applicable, such testing includes:
- Internal risk assessments; and
- Service Organization Control 1 (SOC1) and Service Organization Control 2 (SOC2) audit reports (or industry-standard successor reports).
Network and systems monitoring, including error logs on servers, disks, and security events for any potential problems. Such monitoring includes:
- Reviewing changes affecting systems handling authentication, authorization, and auditing;
- Reviewing privileged access to Portal Labs, Inc production systems; and
- Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
13. Change and Configuration Management.
Maintaining policies and procedures for managing changes Portal Labs, Inc makes to production systems, applications, and databases. Such policies and procedures include:
- A process for documenting, testing, and approving the patching and maintenance of the Portal Labs, Inc Product;
- A security patching process that requires patching systems in a timely manner based on a risk analysis; and
- A process for Portal Labs, Inc to utilize a third party to conduct application-level security assessments. These assessments generally include testing, where applicable, for:
• Cross-site request forgery
• Services scanning
• Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
• XML and SOAP attacks
• Weak session management
• Data validation flaws and data model constraint inconsistencies
• Insufficient authentication
• Insufficient authorization
14. Program Adjustments.
Monitoring, evaluating, and adjusting, as appropriate, the security program in light of:
- Any relevant changes in technology and any internal or external threats to Portal Labs, Inc or the Customer Data;
- Security and data privacy regulations applicable to Portal Labs, Inc; and
- Portal Labs, Inc’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
Ensuring that all laptop and desktop computing devices utilized by Portal Labs, Inc when accessing Customer Data:
- will be equipped with a minimum of AES 128-bit full hard disk drive encryption;
- will have up-to-date virus and malware detection and prevention software installed, with virus definitions updated on a regular basis; and
- will maintain virus and malware detection and prevention software so as to remain on a supported release. This will include, but not be limited to, promptly implementing any applicable security-related enhancement or fix made available by the supplier of such software.