Issue link: http://read.uberflip.com/i/1481076
d. Secure Development Practices. Built's development environments are separated into Local, Test, Quality Assurance ("QA"), and Production. Each environment is on a different AWS account and cannot communicate with each other and cannot access any data or secure content in another environment. Built's software development life cycle process includes a formalized request and approval process for changes, multi-peer code review, static code analysis, and separation of concerns for promoting changes to production. All environment promotion processes are controlled by non-development personnel. e. Employee Access. Built will not give any of its employees access to Protected Data without a written nondisclosure agreement between the employee and Built protecting Protected Data. Prior to allowing any Built employee to perform Services for Client, Built will conduct a background check on employee consistent with the following: ● SSN validation confirms the SSN is valid and identifies both the state and the year of issuance. The search also covers the national death index. ● Search of sex offender registries in all 50 states and the District of Columbia. ● Search of various US and international government watch lists, such as the Office of Foreign Asset Control, Interpol and Specially Designated Nationals. ● National criminal search is a multi-jurisdictional search that encompasses numerous sources. It includes national security sources, numerous federal databases, and arrest and criminal data from various local, county and state agencies. ● County criminal checks for all counties returned for that applicant over the last 7-year period. This includes any legally reportable felony and misdemeanor convictions, pending cases and dismissed records. No employee will be assigned to provide Services to Client if that employee's background check includes a felony conviction of any criminal offense involving dishonesty, breach of trust, or money laundering, or who has entered into a pretrial diversion or similar program in connection with such an offense, within the five years prior to the start date of the proposed assignment. f. Significant Subcontractor Access. Built requires all Significant Subcontractors who will access Protected Data to enter into written agreements including substantially similar confidentiality and data security terms as those described in this IS Summary. 4. Data Backup. Built's databases containing Protected Data are backed up daily and stored within encrypted secure backup storage. Built conducts daily differential backups and weekly full backups. Additionally, there is live, near-real-time database synchronization happening across our primary and failover data centers within AWS. These secondary copies are also backed up in the same manner. 5. Data Breaches. In the event of exposure of Protected Data due to an intrusion by an untrusted third party ("Data Breach"), Built will (i) notify Client within two business days of Built's confirmation of the Data Breach; and (ii) cooperate with Client and law enforcement and/or regulatory agencies, where applicable, to investigate and resolve the Data Breach, including without limitation by providing reasonable assistance to Client in notifying third parties impacted or injured by the same. Built will give Client prompt access to such records related to a Data Breach as Client may reasonably request; provided such records shall be treated as Built's confidential information pursuant to the confidentiality and non-disclosure terms of the Agreement and Built shall not be required to provide Client with records belonging to, or compromising the security of, its other customers. Information Security Program Summary Exhibit v.10.22