Prophetic AI LLC Technical and Organizational Security Measures
Information Security Policy
1.1. Processor has a documented information security policy that is reviewed and updated at least yearly, approved by management, and published and communicated to all persons involved in the Processing of Personal Data, such as its personnel.
Organization of Information Security
2.1. Processor has, and shall ensure its Sub-Processors have, appointed senior personnel with the necessary authority, skills and experience to lead the information security function. These senior personnel are responsible for the organization's information security program.
2.2. Access to all Personal Data by personnel of Processor or its Sub-Processors shall be in accordance with the principle of “least privilege” ensuring that only the most minimal level of access needed for a given function is granted.
2.3. Processor and its Sub-Processors shall have appropriate segregation of duties in place for all job functions and roles performed by their personnel to ensure that no individual has conflicting duties that could jeopardize the Personal Data.
Human resource security
3.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, procedures to ensure the reliability of their personnel, such as their employees and other persons acting under their supervision, who may come into contact with, or otherwise have access to and Process, Personal Data.
3.2. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, appropriate procedures to ensure that their personnel are aware of the requirements under the applicable Data Processing Agreement. Processor shall further instruct and train, and shall ensure that its Sub-Processors instruct and train, all persons they authorize to have access to the Personal Data on confidentiality requirements, the requirements of the Data Processing Agreement, and the requirements of applicable law. Processor shall, and shall ensure that its Sub-Processors shall, impose written obligations to comply with these requirements on their personnel who have access to or otherwise Process the Personal Data.
3.3. Processor shall, and shall ensure that its Sub-Processors shall, promptly revoke access to Personal Data in case of termination of employment, a change in job function or extended user inactivity and/or absence.
Access control to systems
4.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, appropriate safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of the Personal Data. In this respect, Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, appropriate access control measures, including, but not necessarily limited to the following access control measures:
4.1.1. access to Personal Data or systems with Personal Data will only be granted to personnel through documented access request procedures. The relevant person’s manager or other responsible individuals must authorize or validate access before it is given;
4.1.2. access controls are enabled at the appropriate levels such as the operating system, database, or application level;
4.1.3. privileged access rights will be restricted and controlled so as to prevent unauthorized changes to systems or applications with Personal Data;
4.1.4. users will each be assigned an individual account and prohibited from sharing accounts and/or their account credentials.
4.2. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, as a minimum, commercially reasonable security measures with respect to mobile devices and laptops that are used to Process the Personal Data.
4.3. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, technology and processes designed to minimize unauthorized access and unlawful Processing. This shall include applying appropriate encryption technology, based on information security best practices, to the Personal Data that are Processed.
4.4. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, an appropriate password policy based on information security best practices.
4.5. Users, once authenticated, will be authorized for access to systems with Personal Data in accordance with the need-to-have and data minimization principles, meaning that such access will be limited to what is necessary to perform their job functions.
Physical Security
5.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, reasonable physical security systems for all their sites and datacenters where Personal Data are Processed.
5.2. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, appropriate physical access controls for all their sites and datacenters where Personal Data are Processed. Such access controls may include, but are not necessarily limited to, biometric scanning and/or security camera monitoring at all times (24 hours per day, seven days per week).
5.3. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, appropriate procedures for issuing identification badges to authorized personnel and controlling physical access to systems under their control.
5.4. To control physical access to all sites and datacenters where Personal Data are Processed, Processor shall use integrated access controls requiring personnel to present a photo identity card prior to entering any such site or datacenter. Processor shall ensure that its Sub-Processors shall also comply with this requirement with respect to the Sub-Processor’s sites and datacenters where Personal Data are Processed.
5.5. Processor shall ensure, and shall ensure that its Sub-Processors ensure, that all visitors are preapproved before visiting a site or datacenter where Personal Data are Processed, that such visitors are required to present appropriate identification and sign a visitor log before being granted access to such a site or datacenter, and that such visitors are escorted at all times while at the site or datacenter.
Change management
6.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, documented change management procedures for information systems which shall include, but not necessarily be limited to, the following change management procedures and/or requirements:
6.1.1. an appropriate information security business impact assessment shall be performed before any change is implemented;
6.1.2. all changes shall be formally documented in a change request and shall require prior approval by authorized personnel;
6.1.3. all changes shall be tested and all results of such testing shall be documented and formally approved prior to bringing a change into production;
6.1.4. segregation of duties is implemented and applied with respect to change requests, change authorizations and change implementations;
6.1.5. for all changes a 'recovery position' (rollback point) shall be defined, so that IT systems can recover from failed changes or changes with unexpected results;
6.1.6. all changes shall be verified after their implementation to confirm the appropriate functioning of the changes and the related information systems;
6.1.7. the impact of a change on security shall be evaluated, and security measures shall be adapted where needed to meet and maintain the agreed security level.
Logging and Monitoring
7.1. Processor shall maintain, and shall ensure that its Sub-Processors maintain, system and database logs for access to all Personal Data.
7.2. Processor shall configure its systems used to Process Personal Data, and shall ensure that its Sub-Processors configure their systems used to Process Personal Data, such that these systems provide event logging sufficient to identify a system compromise, unauthorized access, or any other security violation. Such logs must be retained for at least 180 days and must be protected from unauthorized access or modification.
Malware
8.1. With respect to the Personal Data and systems used to Process these Personal Data, Processor shall ensure, and Processor shall ensure that its Sub-Processors ensure, that anti-malware procedures to prevent, detect and recover from the effects of malware are implemented and kept current.
8.2. Processor shall secure and protect, and shall ensure that its Sub-Processors secure and protect, Personal Data against accidental destruction or loss. In this respect the following requirements shall apply as a minimum:
8.2.1. workstations shall be protected by commercial anti-virus and anti-malware software receiving regular definition updates;
8.2.2. servers shall be protected by commercial firewalls and intrusion detection/prevention systems;
8.2.3. upon detection of a virus or malware, immediate steps shall be taken to stop the spread and damage of the virus or malware and to eradicate it.
Patch Management
9.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, procedures to monitor and analyze threats to the Personal Data and to ensure that critical security patches are implemented without undue delay after becoming available.
Incident management
10.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, an appropriate security incident management procedure. Such procedure must ensure that Processor can inform Controller of such security incidents within the required time frame, taking into account notice terms applicable under the Applicable Legislation and/or agreed between Processor and Controller.
10.2. If a security incident affects Personal Data, Processor must notify Controller in accordance with the Data Processing Agreement.
10.3. The security incident management procedure shall include periodic evaluation of recurring security incidents that might indicate a security breach.
10.4. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, an appropriate process to learn from security incidents and improve their existing security levels.
Backup and recovery
11.1. Processor shall provide, and shall ensure that its Sub-Processors provide, adequate backup services to support the recovery of Personal Data in case of disasters or data loss, in accordance with the applicable service levels for data recovery requests, including but not limited to the applicable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Communications Security (encryption)
12.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, information security best practice encryption algorithms and key-lengths to protect the Personal Data from being read, copied, modified or removed without authorization during electronic transmission or transport.
12.2. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, information security best practice encryption algorithms and key-lengths to protect the Personal Data at rest, which in any event includes Personal Data on laptops, workstations, PCs and in the cloud.
Business continuity management
13.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, an appropriate business continuity plan.
13.2. The business continuity plans referred to in 13.1 shall be regularly evaluated and updated where necessary.
Procedures
14.1. Processor shall implement, apply and maintain, and shall ensure that its Sub-Processors implement, apply and maintain, procedures to ensure that Personal Data are Processed only in accordance with Controller's instructions, which must be given in writing where they concern Personal Data.
Regular testing of security measures
15.1. Processor shall, and shall ensure that its Sub-Processors shall, periodically (i.e. at least every 12 months) test, assess and evaluate the effectiveness of their technical and organizational security measures. The findings and the resulting actions, such as mitigating measures taken or additional security measures implemented, shall, where appropriate, be shared with Controller upon request.