Information Security Program Summary Exhibit

1. Scope. Built is committed to maintaining the security and availability of its products and services consistent with prevailing industry standards. The Information Security Program Summary ("IS Summary") describes the administrative, physical and technical safeguards Built maintains to protect data defined as Confidential Data, Participant Data, and Client Data in the Agreement ("Protected Data") from unauthorized access, use or disclosure that would violate the Agreement.

2. Information Security Program. Built maintains and complies with its InfoSec Program, which requires commercially reasonable policies to remain aligned with an industry-recognized security framework (e.g., CIS Top 20, ISO 27001, NIST, etc.). The InfoSec Program includes and addresses administrative, technical, and physical safeguards, including at a minimum:
1. proper disposal of data after it is no longer needed;
2. access controls on electronic systems used to maintain, store, access, or transmit Protected Data;
3. access restrictions at physical locations containing Protected Data;
4. strong encryption (i.e., secure protocols and algorithms) protecting electronic Protected Data in motion and at rest;
5. business continuity, disaster recovery and incident management;
6. testing and monitoring of electronic systems;
7. procedures to detect actual and attempted attacks on, or intrusions into, networks where Protected Data traverses and systems containing or accessing Protected Data;
8. compliance with applicable laws and regulations related to information security;
9. application security and risk assessment; and
10. annual data privacy and security refresher training for all employees, contractors, and agents.

Built reviews its InfoSec Program and all other Protected Data security precautions no less than annually, and updates and maintains the same as necessary to comply with applicable laws, regulations, technology changes, and industry best practices, and to support Built's data privacy program and policy.

3. Security Protocols. Pursuant to the InfoSec Program, Built maintains the following specific security protocols:

a. Encryption. Built employs strict encryption processes for all data in transit and at rest. For example, data is required to be transmitted only via secure means (HTTP over TLS, or "HTTPS"). If transmission of files between a Client and Built is applicable as part of a Client's chosen service offering, Built requires that the file(s) be transmitted via secure means (e.g., SFTP). All databases and backups containing Client Data are encrypted via AES 256-bit encryption.

b. Physical Security. Built utilizes Amazon Web Services ("AWS") as its Infrastructure-as-a-Service provider. The production environment where Client Data is securely stored at rest is cloud-hosted in AWS, and Built additionally maintains a backup disaster recovery/failover site within a separate AWS region. AWS is renowned for its rigorous physical security measures, which can be referenced at the following site: https://aws.amazon.com/compliance/data-center/data-centers/. Built may update its Infrastructure-as-a-Service provider with prior notice to Client.

c. Management, Control, and Protection of Networks. Built maintains and employs identity and access management ("IAM") policies and procedures that are founded on the principle of least privilege to ensure that access to systems containing Client Data is restricted to authorized personnel only, including the following controls:
i. Access to firewalls is restricted to a limited number of authorized personnel;
ii. All connections to the external network terminate at a firewall;
iii. Network devices deny all access by default;
iv. Security patches are regularly reviewed and applied to network devices;
v. Critical network segments are isolated;
vi. Insecure protocols are prohibited from being used to access network devices;
vii. Access to diagnostic/maintenance ports on network devices is restricted; and
viii. Network intrusion prevention and detection methods are utilized.

Information Security Program Summary Exhibit v.10.22