This Security Exhibit (“Security Exhibit”) will become part of the executed agreement between Hireku, Inc. d/b/a JazzHR (“JazzHR” and Customer that references this document. JazzHR’s performance of the services must be in accordance with the Agreement and this Security Exhibit. Terms used here but not defined here are defined in the Agreement.
This Security Exhibit was last updated April 1, 2022. JazzHR reserves the right to periodically modify this Security Exhibit to reflect current security practices, and such modification will automatically become effective in the next Service Term.
Purpose:
JazzHR will make commercially reasonable efforts to prevent loss, theft, or damage to Customer Data from the Services. This Exhibit establishes the requirements necessary to maintain a security program and ensure that sufficient physical, operational, and technical security measures are in place for the protection of Customer Data in the Services. This Security Exhibit applies when JazzHR provides the Services and Support to Customer.
1. Information Security Management
1.1 Information Security Management System. JazzHR shall maintain and continually make improvements to a documented information security management system in accordance with industry standard practices and accepted frameworks for the delivery of JazzHR Services and Support which its personnel are to be made aware of and comply with (“Information Security Management System”).
1.2 Testing. JazzHR will conduct at least annual third-party security tests on applications and infrastructure used to support the provision of Services and Support to identify security vulnerabilities.
2. Organizational Security
2.1 Information Security Responsibilities. JazzHR must have dedicated roles with clearly defined responsibilities for the administration of the Information Security Management System.
2.2 Security Policies. As part of administration of the Information Security Management System, JazzHR will create information security policies that will define responsibility for the protection of JazzHR and Customer Data (“Information Security Policies”). The Information Security Policies will include requirements to designed to monitor for compliance with privacy/information security policies and procedures.
3. Asset Classification
3.1 Asset Management. JazzHR will maintain an asset management policy, including asset classification (e.g. information, software, hardware) and an inventory of devices and systems that administer the Services and Support to enable JazzHR to protect Customer Data and assets.
3.2 Asset Controls. JazzHR will establish physical, organizational, and technical security controls to protect Customer Data from unauthorized access and disclosure.
4. People Security
4.1 JazzHR Employees. JazzHR employees must behave consistently with this Security Exhibit to ensure effective security. JazzHR will make its employees aware of their responsibilities for maintaining effective security controls, particularly regarding the use of passwords, disposal of information, social engineering attacks, incident reporting, and the physical and technical security of users and company equipment through security awareness/onboarding trainings. JazzHR will issue documented security policies, update them as necessary, provide security training, and obtain acknowledgement of these policies by all employees at least annually.
4.2 Background Checks. JazzHR must ensure that its employees involved in providing the Services and Support have passed basic background checks designed to validate the completeness and accuracy of resumes, confirmation of professional qualifications, and verification of identity where permitted by law these checks should also include checks of criminal history.
5. Physical Security
Where JazzHR maintains a physical office location, JazzHR shall ensure that only authorized users have physical access to the network, critical systems and applications, server rooms, communication rooms and work environments it is required that and that JazzHR shall provide secure protection for its physical facilities (e.g. through card readers, key cards or a manned reception area) from which JazzHR provides the Services and Support. JazzHR will maintain controls to monitor for attempts at unauthorized access. Additional controls will be maintained to prevent or detect the removal of any such equipment.
6. Communications and Operations Management
6.1 Vulnerability/Patch Management. JazzHR will establish a vulnerability/patch management process that ensures systems used to provide the Services and Support services, including network devices, servers, and desktop/laptop computers, are patched against known security vulnerabilities in a reasonable period of time based on the criticality of the patch and sensitivity of the Customer Data accessed through the systems.
6.2 Secure System Configuration. JazzHR will establish controls to ensure that systems used to provide Services and Support are securely configured. This involves changes to default settings to improve system security, changes to default account passwords and removal of unnecessary software or services/daemons. Additionally, employee devices used to interact or manage systems that provide the Services and Support are to also be configured in a repeatable manner. Specific additional requirements beyond what also exists in this Exhibit include:
6.2.1 Full/whole disk encryption on corporate devices; and
6.2.2 Remote data wipe and lock capability in case of lost/stolen corporate device.
6.3 Malware Prevention. JazzHR will implement detection and prevention controls to protect against malicious software and appropriate user awareness procedures. JazzHR will keep and update technical controls and must regularly evaluate all systems for the existence of malware. JazzHR will run real-time or regular scans of JazzHR’s owned devices to detect viruses, malware, and possible security incidents.
6.4 Logging and Auditing. JazzHR will have in place a comprehensive log management program defining the scope, generation, transmission, storage, analysis and disposal of logs based on then current industry practices. The systems and the services will provide logging capabilities in accordance with the following principles:
6.4.1 the scope of logging and the retention policy will be based on a risk-based approach, with minimum retention of six (6) months;
6.4.2 logs will be collected to permit forensic analysis on information security incidents;
6.4.3 logs will record administrative changes to the Services;
6.4.4 log records will be kept virtually secured to prevent tampering;
6.4.5 passwords and other sensitive data elements will not be logged under any circumstances;
6.4.6 will perform regular log analysis to evaluate security; and
6.4.8 protect logs from unauthorized access or modification.
7. Disaster Recovery and Business Continuity Planning
7.1 Programs. JazzHR must establish disaster recovery and business continuity programs, and must ensure that the plans are capable of ensuring confidentiality and integrity of Customer Data during recovery operations. JazzHR will ensure the programs do not allow any reduction of security.
7.2 Backups. JazzHR must ensure the availability of Customer Data stored or processed by JazzHR that is stored locally through the use of backups.
8. Security Incidents
8.1 Incident Detection. JazzHR must establish and maintain an operational incident detection capability and a clearly documented incident response program for responding to suspected or known security incidents or system breaches. Incident response plans must include methods to protect evidence of activity from modification or tampering, and to properly allow for the establishment of a chain of custody for evidence.
8.2 Incident Response. In the event of an incident that affects Customer Data, JazzHR will utilize industry standard efforts to respond to the incident and mitigate the risk to Customer and Customer Data.
8.3 Incident Notification. In the event of an incident that affects Customer Data, JazzHR will provide notice of the security incident to Customer within seventy-two (72) hours of detection.
9.Access Control
9.1 Authentication. JazzHR must support Single sign on (SSO) mechanisms for Customer to interact with JazzHR assets (e.g., SAML 2.0, OKTA).
9.2 Centralization. JazzHR must have centralized authentication management mechanisms.
9.3 Administrative Access. JazzHR will use reasonable authentication practices to ensure JazzHR employees with administrative access are properly authenticated.
9.4 Brute-force Protection. JazzHR must implement controls to limit the capability of attackers to brute-force authentication endpoints.
9.5 Support Access. If JazzHR allows JazzHR employees to access Customer Data through an application support interface, that interface, at a minimum must (a) uniquely identify the JazzHR employee who used it, and (b) record all interactions in a log.
9.6 User Passwords. JazzHR will provide training to employees reasonably designed to ensure employees have sufficient complexity and expiration requirements or require an additional layer of security with multi- factor authentication.
9.6.1 Inactivity. All JazzHR devices must be locked after a reasonable period of inactivity.
9.6.2 Employee or Consultant Termination. At the time of the termination of an employee, contractor, or any third-party consultant, the terminated person’s access to the networks, systems, and accounts used to provide the Services and Support, and access to any Customer Data, must be terminated.
9.6.3 Authorization. JazzHR alone will control and provide JazzHR employee and contractor access to Customer Data. Access will be granted only on a need-to-know basis and following the principles of least privilege.
9.6.4 Network Access Controls. All networks JazzHR uses to provide the Services and Support must be protected through the use of controls capable of blocking unauthorized network traffic, both inbound (ingress) and outbound (egress). JazzHR will maintain capabilities to monitor network traffic.
10. Data Security
10.1 Data Segregation. JazzHR logically separate, secure, and monitor production environments.
10.2 Credential Hashing. JazzHR must have appropriate algorithms in place for hashing secrets, including passwords and API tokens, both for JazzHR’s accounts and for Customer accounts to access JazzHR’s system.
10.3 Encryption.
10.3.1 Data in Transit. JazzHR must ensure that HTTPS is enabled in any web interface related to the product or service. JazzHR must disable non-encrypted transmission services (e.g., Telnet, FTP). JazzHR must have commercial certificates to provide Customer the option to utilize TLS 1.2 or greater for web facing applications.
10.3.2 Data at Rest. Customer Data on JazzHR virtual servers both at rest and in-transit must be encrypted at all times using industry accepted cryptography standards. JazzHR must have key management in place for high sensitivity data (e.g. key rotation, key encryption, access control, etc.). At a minimum, this includes:
10.3.2.1 Use Advanced Encryption Standard (AES) defined in FIPS 197.
10.3.2.2 Where different algorithms are used, they are to have comparable strengths e.g. if an AES-128 key is to be encrypted, an AES-128 key or greater, or RSA-3072 or greater could be used to encrypt it.
11. Privacy
11.1 JazzHR represents and warrants that:
11.1.1 as of the date of this contract, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C.§ 1881a (“FISA Section 702”).
11.1.2 no court has found Vendor to be the type of entity eligible to receive process issued under FISA Section702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
11.1.3 it is not the type of provider that is eligible to be subject to Upstream collection (“bulk” collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the judgment in the EU Court of Justice CaseC-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), and that therefore the only FISA Section 702 process it could be eligible to receive, if it is an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4), would be based on a specific “targeted selector” i.e., an identifier that is unique to the targeted endpoint of communications subject to the surveillance.
11.2 Where possible JazzHR will use all reasonably available legal mechanisms to challenge any request under FISA Section 702 for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance). JazzHR will use all reasonably available legal mechanisms to challenge any demands for data access through national security process it receives as well as any non-disclosure provisions attached thereto.
11.3 All employees are required to comply with JazzHR security and privacy policies and standards. Noncompliance is subject to disciplinary action, up to and including termination of employment.
11.4 JazzHR regularly reviews our collection, storage, and processing practices to prevent unauthorized access to JazzHR’s system.
11.5 JazzHR will promptly notify Customer if JazzHR can no longer comply with the Standard Contractual Clauses or the clauses in this section 11. JazzHR shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law.
Please contact JazzHR at 610 Lincoln St #205, Waltham, MA 02451 with any questions regarding these terms.
