Autorabit

Technical and Organizational Measures Addendum

PUBLISHED ON APRIL 2, 2025

This Technical and Organizational Measures Addendum (“Addendum”) sets forth the minimum-security controls that AutoRABIT shall implement and maintain when Processing Personal Data on behalf of Customer. “Agreement” means the Master Software Agreement located at www.autorabit.com/agreement, unless there is a signed agreement between the parties, in which case the signed agreement will be the Agreement.

Except as modified below, the terms of the Agreement shall remain in full force and effect. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control.

The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by the Agreement, whichever is broader. If the Agreement does not contain the exact capitalized terms as this Addendum, then the Agreement’s like terms are to be interpreted with any necessary and conforming changes in relation to capitalized terms found herein.

1. INFORMATION SECURITY PROGRAM.

1.1 AutoRABIT implements and maintains a comprehensive information security program that is aligned with prevailing industry practices and appropriate to the nature and scope of activities and services.

1.2 The information security program includes policies and procedures that include, but are not limited to, the following: information classification, data handling, encryption, acceptable use, change management, and network security.

1.3 AutoRABIT implements and maintains appropriate organizational, administrative, and technical controls that meet or exceed applicable and currently accepted industry standards to protect Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to such data.

2. INFORMATION SECURITY POLICIES AND PROCEDURES.

2.1 AutoRABIT maintains formal written policies and procedures for the administration of information security throughout its organization.

2.2 AutoRABIT documents and maintains information security policies and procedures, which are kept up to date, and revised whenever relevant changes are made that impact the security, confidentiality, or integrity of the services provided.

3. SECURITY AWARENESS AND TRAINING.

3.1 AutoRABIT communicates its information security policies and responsibilities to all AutoRABIT employees, officers, directors, agents, authorized system users, and contractors throughout its organization (“Personnel”).

3.2 AutoRABIT requires its Personnel to complete regular information security training, which includes training on how to identify and report suspected security weaknesses and incidents.

4. PHYSICAL SECURITY.

4.1 AutoRABIT facilities used to store Personal Data shall have physically secure perimeters and all external entry points shall be suitably protected against unauthorized access.

4.2 Access to all such facilities shall be limited to Personnel and authorized visitors.

4.3 AutoRABIT stores customer data on AutoRABIT servers housed within independently verified SSAE-16/SOC 1 Type II, ISO 27001, and PCI certified data centers (including Amazon Web Services and Microsoft Azure facilities).

4.4 The data centers’ physical and environmental security includes industry-leading network hardening and active monitoring, digital security video surveillance and 24/365 on-site security staff. AutoRABIT’s customer data at rest is encrypted with FIPS 140-2 approved algorithms (AES-256).

5. ASSET MANAGEMENT.

5.1 AutoRABIT maintains an asset management inventory.

5.2 AutoRABIT uses trusted devices that are configured with security software (e.g., anti-virus, anti-malware, encryption, etc.) and protected against corruption, loss, or disclosure.

6. ACCESS CONTROLS.

6.1 AutoRABIT adheres to a role-based, least privileged access model for granting its Personnel access to systems containing Personal Data. AutoRABIT grants the minimum access rights necessary for its Personnel to perform their respective duties in support of AutoRABIT’s obligations under the Agreement on a “need to know” basis. AutoRABIT shall grant its Personnel access to Personal Data only for as long as such access is required for such Personnel’s performance, and such access shall be made using an individual account with multi-factor authentication.

6.2 AutoRABIT periodically reviews and reassesses such access privileges.

6.3 AutoRABIT maintains a documented authentication and authorization policy that covers all applicable systems that process Personal Data. Such policy shall include multi-factor authentication, password provisioning requirements, password complexity requirements, password resets, thresholds for lockout attempts, and thresholds for inactivity.

6.4 AutoRABIT maintains commercially reasonable and appropriate physical and technical access controls to prevent unauthorized access to and disclosure of Personal Data, which shall follow prevailing industry practices such as the principle of least privilege and segregation of duties. AutoRABIT performs access reviews for all employees and contractors in accordance with its policy.

6.5 AutoRABIT implements processes that provide for the timely removal of access for Personnel no longer affiliated with the Services.

6.6 Authentication credentials shall be encrypted, including in transit to and from suppliers’ environments or when stored by suppliers.

6.7 AutoRABIT utilizes HTTPS for securing data in transit and web server to web browser communications, using a Transport Layer Security (TLS) 1.2 or higher connection.

6.8 In shared environments, AutoRABIT implements physical and/or logical access controls designed to prevent unauthorized access to Personal Data.

7. VULNERABILITY MANAGEMENT.

7.1 AutoRABIT deploys and maintains reasonable antivirus/malware software on all servers and workstations involved in providing services. AutoRABIT will configure the antivirus software to perform periodic endpoint scans and promptly remediate any findings.

7.2 AutoRABIT maintains a vulnerability management program, which adheres to prevailing industry practices. At minimum, the program:

7.2.1 Classifies the vulnerabilities using an industry standard vulnerability scoring system.

7.2.2 Conducts scans for known vulnerabilities.

7.2.3 Validates critical and high patches so that they are implemented in a timely manner to the extent that a stable patch is made available by the supplier.

7.2.4 Regularly updates antivirus programs with the latest antivirus definitions and similar server-side antivirus programs where appropriate.

8. NETWORK SECURITY.

8.1 AutoRABIT secures networks by utilizing a defense-in-depth approach that utilizes commercially available equipment and industry standard techniques, including without limitation: firewalls, intrusion detection systems, intrusion prevention systems, and access control lists, on any AutoRABIT controlled network used to process, store, transmit, or access Personal Data.

8.2 AutoRABIT networks used to access or store Personal Data shall have security controls that are designed to detect and prevent attacks in a risk-based manner.

8.3 AutoRABIT utilizes firewalls for the isolation of all environments, including but not limited to physical, virtual, network devices, production and non-production, and application/presentation layers.

9. ENDPOINT SECURITY.

9.1 AutoRABIT deploys endpoints that are encrypted (i.e., full disk encryption, endpoint encryption).

9.2 AutoRABIT endpoints are scanned and adverse findings are remediated per AutoRABIT’s vulnerability management program.

9.3 AutoRABIT validates that endpoints are configured to apply operating system (OS) patches and that application security patches are installed in a timely manner.

9.4 AutoRABIT utilizes an endpoint detection and response (EDR) solution to monitor activity on the endpoint.

10. DATA CLASSIFICATION.

10.1 AutoRABIT retains industry standard information classification, handling, and retention/destruction policies and procedures.

10.2 AutoRABIT’s data classification standard considers the relative importance and sensitivity of data.

11. DATA PROTECTION.

11.1 AutoRABIT implements technical controls to ensure that Personal Data is encrypted at rest and when transferred over public networks (such as the internet).

11.2 AutoRABIT enforces procedures for the disposal or reuse of equipment used for logical and physical storage to ensure secure destruction of Personal Data.

11.3 AutoRABIT maintains a data loss prevention program that aims to identify and prevent the unintended disclosure of data as classified under the data classification policy.

12. SUPPLIERS.

13.1 AutoRABIT utilizes industry standard change management procedures.

13.2 AutoRABIT applies practices and principles which limit the use of Personal Data within non-production environments.

14. RISK ASSESSMENTS AND THIRD-PARTY AUDITS.

14.1 AutoRABIT’s systems and networks are constantly monitored for security incidents, system health, network and traffic anomalies, and availability.

14.2 AutoRABIT monitors the effectiveness of its security program by conducting self-audits and risk assessments against its information systems at minimum every 12 months.

14.3 AutoRABIT uses commercially reasonable efforts to remediate any items rated as high or critical (or similar rating indicating commensurately similar risk) resulting from any audit or assessment of information systems.

14.4 AutoRABIT performs vulnerability assessments on information systems and performs periodic internal web application vulnerability assessments to ensure application security controls are properly applied and operating effectively as designed.

14.5 AutoRABIT annually reviews third-party assessments of its sub-processors.

14.6 On a quarterly basis, AutoRABIT performs external vulnerability assessments using third-party web application and penetration testing assessors. These external assessments are scoped to test for the Open Web Application Security Project (OWASP) Top 10 web application vulnerabilities.

15. REMOTE WORKING.

15.1 AutoRABIT maintains practices for remote work arrangements and all Personnel are required to adhere to AutoRABIT’s acceptable use policy.

15.2 AutoRABIT requires the use of multi-factor authentication (MFA) during the login process for Personnel when working remotely.

15.3 AutoRABIT maintains a mobile device management (MDM) program for Personnel using their own devices (bring your own device).

16. LOGGING AND AUDIT MANAGEMENT.

16.1 AutoRABIT utilizes industry standard log review policies or procedures.

16.2 AutoRABIT logs and reviews material security-relevant events associated with the Service and information systems.

17. APPLICATION SECURITY.

17.1 AutoRABIT shall undergo independent penetration testing of systems (e.g., web and mobile) that maintain Personal Data.

17.2 AutoRABIT performs application security scans that analyze code for security vulnerabilities (e.g., IAST).