Cord Security Standard
Cord Information Security Program
Cord will maintain a comprehensive information security program (“Cord Security Program”) which includes administrative, technical and physical safeguards to protect the data of our customers who have purchased our services (“Customer”, “you”, “your”). Cord safeguards are maintained to appropriately protect your data based on commercially reasonable and industry standard resources available to Cord and on the type of the data. The Cord Security Program is designed to:
- (a) Protect the availability, integrity and confidentiality of your data;
- (b) Protect against any anticipated threats or hazards to the confidentiality, integrity or availability of your data;
- (c) Protect against any unlawful or unauthorized access to, or unlawful use, disclosure, alteration or destruction of, your data by us; and
- (d) Protect against any accidental loss of, destruction of or damage to your data.
Cord will also monitor, evaluate and modify the Cord Security Program to ensure:
- (a) Use of industry standard technology pertinent to the protection of data;
- (b) Commercially reasonable updates to our services and systems, based on relevant changes in internal procedures or as necessary to comply with applicable law; and
- (c) Relevant internal changes to Cord’s technical environment, including third parties, outsourcing arrangements, infrastructure and information systems.
Governance. Cord will maintain a governance program which includes:
- (a) Compliance with the baseline of security controls for a Software as a Service (SaaS) Cloud Service Provider;
- (b) Data classification;
- (c) Risk management; and
- (d) Third party security risk management.
Access Controls. Cord will maintain policies, procedures and logical controls designed to:
- (a) Limit access to Cord facilities and systems to authorized persons;
- (b) Limit Cord employees’ access to your data by enforcing segregation of duties;
- (c) Protect from unauthorized access to your data;
- (d) Remove or restrict Cord employees’ access to your data in a timely manner when access thereto is no longer required to perform Services, or upon your request;
- (e) Require multi-factor authentication through Federated Service for Cord access to your data for the provision of Services; and
- (f) Maintain a password policy within NIST guidelines (i.e., 12 characters, alpha, special and numeric, with two factor).
Human Resource Security. Cord will maintain security and privacy policies and procedures for human resources, including:
- (a) Performing pre-employment background screening commensurate with such employee’s level of access to data, subject to applicable law;
- (b) Requiring all employees to sign non-disclosure agreements;
- (c) Annual role-based security and privacy training (including the requirements of the Cord Security Program, the importance of the security of customer data, and how to recognize phishing attacks); and
- (d) Promoting a culture of security awareness through periodic trainings, blogs and programs which reward security best practices.
Physical and Environmental Security. Cord will maintain controls that are designed to protect from unauthorized access and against environmental hazards, including:
- (a) Controlled access to Cord facilities;
- (b) Logging and monitoring of access and unauthorized access to Cord facilities and systems.
Secure Development Lifecycle. Cord will maintain policies and procedures which will reasonably assure that development is done with commercially reasonable security practices including:
- (a) Secure development policies;
- (b) Secure development training;
- (c) Development with code review for releases;
- (d) Vulnerability management and remediation within the timelines set by the policy;
- (e) Segregation of duties for development review and release management;
- (f) A formal change management program with segregation of duties, which Cord has and will maintain.
Monitoring. Cord will maintain network, system and application monitoring, including of servers, disks and security events, for any potential problems, designed to:
- (a) Review changes to systems and infrastructure;
- (b) Review changes to systems which handle authentication, authorization and auditing;
- (c) Review privileged access to Cord systems;
- (d) Review access to Cord production environment including abnormal access; and
- (e) Engage third party vulnerability and penetration testing of the Cord systems environment on a regular basis, with a report available to customers.
Encryption. Cord will provide reasonable assurance of the protection of your data through encryption algorithms within NIST guidelines, which includes:
- (a) Transmission encryption using AES with 256-bit keys over TLS 1.3 or higher.
Incident Response. Cord will maintain an incident response policy with procedures to provide you with reasonable assurances that Cord can respond to any type of security event or breach, and which includes:
- (a) Roles and responsibilities, with a team and a dedicated leader, which are tested annually;
- (b) Methods for investigating and assessing the event to determine the risk it poses, including proper escalation;
- (c) Processes regarding internal communications, reporting and notification and external reporting and notification to customers within forty-eight (48) hours of unauthorized disclosure of or access to Customer Data;
- (d) Appropriate documentation of the event, incident and investigation of what was done and by whom with authorization for later analysis and possible legal action; and
- (e) An audit of the incident conducting root cause analysis and remediation.
Contingency Planning. Cord will maintain policies and procedures for the response to and/or recovery from an emergency or other occurrence, whether natural or pandemic, that could damage or affect the systems and environment holding customer data. Such procedures include:
- (a) Data resiliency through redundancy to recover data;
- (b) A Business Continuity and Disaster Recovery plan which is communicated and made available during an event to minimize the impact and/or loss of vital resources;
- (c) Annual testing of the Business Continuity Plan and Disaster Recovery Plan (Executive Summary available to customers upon request); and
- (d) Auditing of the Disaster Recovery test.
Audit and Testing. Once annually, upon your request and at no additional fee, Cord will provide you with reasonable assurances regarding its environments, including by providing:
- (a) A SOC 2 Type II report.
Disposal. Cord has policies and procedures to provide reasonable assurance of the appropriate return and/or disposal of your data, including:
- (a) Secure shredding of printed documents and your confidential information; and
- (b) Secure destruction of your data with a certificate of destruction provided by Cord.
Endpoint Devices. Cord has policies, procedures and technical controls to protect endpoint devices including:
- (a) Regular updates and patching of the subscription services, Cord’s systems and browsers; and
- (b) The malware and patching controls described under Malware and Patching below.
Malware and Patching. Throughout the term of any subscription and in accordance with standard industry practice, Cord will:
- (a) Perform regular monitoring for security patches;
- (b) Apply patches in a timely manner after testing through change control; and
- (c) Regularly update systems and networks with new releases.
Shared Security Model. Customer acknowledges that the security of the subscription services is a shared responsibility between Cord and Customer. Accordingly, Customer will administer controls as recommended by commercially reasonable security frameworks (e.g., NIST, ISO, Cord’s security recommendations). Administrative security within the subscription services is the responsibility of the Customer. Technical security, as outlined in this Exhibit, is the responsibility of Cord.
Apr 2nd, 2023