VIANAI SYSTEMS, INC.
Data Security Addendum

Vianai maintains a comprehensive documented security program that is based on industry standard security frameworks including ISO 27001 (the “Security Program”). Pursuant to the Security Program, Vianai implements and maintains administrative, physical, and technical security measures to protect the Services and the security and confidentiality of Customer Content (each as defined in the Agreement) under Vianai’s control that is processed by Vianai in its provisioning of the Services (the “Security Measures”).

In accordance with its Security Program, Vianai will, when any Customer Content is under its control: (i) comply with the Security Measures identified below with respect to such Customer Content, and (ii) where relevant, keep documentation of such Security Measures.

Vianai regularly tests and evaluates its Security Program and may review and update this Security Addendum at any time without notice, provided that such updates provide equivalent (or enhanced) security and do not materially diminish the level of protection afforded to Customer Content by these Security Measures.

1.     Vianai Audits & Certifications.

Vianai uses independent third-party auditors to assess the Vianai Security Program at least annually, as described in SOC 2 Type II (report available under NDA), and ISO 27001.

2.     Information Security Policies and Procedures.

Vianai maintains written policies and procedures that are designed to protect Customer Content against unauthorized access, use, disclosure, modification, or destruction (“Security Policies”). Vianai periodically reviews and updates its information security policies and procedures. Vianai Business Continuity and Disaster Recovery plans are reviewed annually.

3.     Technical Measures.

Vianai maintains technical measures designed to prevent unauthorized access to Vianai’s network and systems used to store or process Customer Content, including deployment of:

(a)     Platform Controls.

(i)     Firewalls. Firewalls are implemented as network access control lists or security groups within the Cloud Service Provider’s account.

(ii)     Hardening.

(A)     Vianai employs industry standards to harden images and operating systems under its control that are deployed within its infrastructure, including deploying baseline images with a hardened security configuration (such as disabled remote root login and isolation of user code) and regularly updating and refreshing those images.

(iii)     Encryption.

(A)     Encryption of data-in-transit. Customer Content under Vianai's control is encrypted in transit using cryptographically secure protocols (TLS v1.2 or higher).

(B)     Encryption of data-at-rest. Depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt Customer Content at rest.

(C)     Review. Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.

(D)     Customer Options. Customers may choose to leverage additional encryption options for data in transit. Customer shall, based on the sensitivity of the Customer Content, configure the cloud environment to encrypt Customer Content where appropriate (e.g., by enabling encryption at rest for data stored within AWS S3).

(iv)     Monitoring & Logging.

(A)     Intrusion Detection Systems. Vianai leverages security capabilities provided natively by Cloud Service Providers for security detection.

(B)     Audit Logs.

(1)     Generation. Vianai generates audit logs from Customer’s use of the Services. The logs are designed to store information about material events within the Services.

(2)     Access. Customer may access audit logs through the Services.

(3)     Integrity. Vianai stores audit logs in a manner designed to protect the audit logs from tampering.

(v)     Penetration Testing. Vianai conducts third-party penetration tests at least annually.

(vi)     Vulnerability Management & Remediation. Vianai regularly runs authenticated scans against representative hosts in the development pipeline to identify vulnerabilities and emerging security threats that may impact the Services.

(vii)     Patching. Vianai deploys new code related to the Services on an ongoing basis.

(b)     Corporate Controls.

(i)     Access Controls.

(A)     Authentication. Vianai personnel are authenticated through single sign-on (SSO), 802.1X (or similar) where applicable, and use a unique user ID and password combination and multi-factor authentication. Privileges are consistent with least privilege principles. Security Policies prohibit personnel from sharing or reusing credentials, passwords, IDs, or other authentication information.

(B)     Role-Based Access Controls. Only authorized roles are allowed to access systems processing Customer Content. Vianai enforces role-based access controls, and restricts access to Customer Content based on the principle of ‘least privilege’ and segregation of responsibilities and duties.

(1)     Pseudonymization. Information stored in activity logs and databases is protected where appropriate using a unique randomized user identifier to mitigate the risk of re-identification of data subjects.

(2)     Machine Controls. Vianai enforces certain security controls on its laptops and computers used by personnel, including:

·     Full-disk encryption

·     Anti-malware software

·     Automatic screen lock after a period of inactivity


(c)     Incident Detection & Response.

(i)     Detection & Investigation. Vianai’s engineering team, in conjunction with outside consultants and vendors, deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team for triage and response. The Security Incident Response Team employs an incident response framework to manage and minimize the effects of unplanned security events.

(ii)     Security Incidents; Data Breaches. Vianai maintains a record of known security incidents. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed security incidents, Vianai will take appropriate, reasonable steps to minimize service and Customer damage or unauthorized disclosure.

(iii)     Communications & Cooperation. In accordance with applicable data protection laws, Vianai will notify Customer of a data breach for which that Customer is impacted without undue delay after becoming aware of the data breach, and take appropriate measures to address the data breach, including measures to mitigate any adverse effects resulting from the data breach.

(d)     Data Deletion.

The Platform Services provide Customers with functionality that permits Customers to delete Customer Content. Customer Content contained within a Customer Workbench is permanently deleted within thirty (30) days following cancellation of the Customer Workbench.

4.     Organizational Measures.

Vianai maintains administrative and organizational measures designed to prevent unauthorized access or processing of Customer Content, including access control measures to restrict access to Customer Content to personnel who have a legitimate business need for such access and security awareness training for such personnel.

(a)     Governance.

Vianai’s VP of Operations leads Vianai’s Information Security Program and develops, reviews, and approves Vianai’s Security Policies together with other stakeholders, such as Legal, Human Resources, Finance, and Engineering.

1.    Change Management. Vianai maintains a documented change management policy, reviewed annually, which includes, but is not limited to, evaluating changes to or relating to systems authentication.

2.    ISMS; Policies and Procedures. Vianai has implemented a formal Information Security Management System (“ISMS”) in order to protect the confidentiality, integrity, authenticity, and availability of Vianai’s data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations. The Vianai Security Program implemented under the ISMS includes a comprehensive set of privacy and security policies and procedures developed and maintained by the security, legal, privacy, and information security teams (“Security Policies”). The Security Policies are aligned with information security standards (such as ISO 27001) and cover topics including but not limited to: security controls when accessing the Services; confidentiality of Customer Content; acceptable use of company technology, systems and data; processes for reporting security incidents; and privacy and security best practices. The Security Policies are reviewed and updated annually.

(b)     Personnel Training.

Personnel receive security training upon hire, and refresher training is given annually. Personnel are required to certify and agree to the Security Policies, and personnel who violate the Security Policies are subject to disciplinary action, including warnings, suspension, and up to and including termination.

(c)     Personnel Screening & Evaluation.

All new personnel undergo background checks prior to onboarding (as permitted by local law). Vianai uses a third-party provider to conduct screenings, which vary by jurisdiction and comply with applicable local law. Personnel are required to sign confidentiality agreements.

(d)     Monitoring & Logging.

Vianai employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.

(e)     Access Review.

Active users with access to the Services are promptly removed upon termination of employment. As part of the personnel offboarding process, all access is revoked and data assets are securely wiped.

(f)     Third-Party Risk Management.

Vianai assesses the security compliance of applicable third parties, including vendors and subprocessors, in order to measure and manage risk. This includes, but is not limited to, conducting a security risk assessment and due diligence prior to engagement and reviewing external audit reports from critical vendors at least annually. In addition, applicable vendors and subprocessors are required to sign a data processing agreement that includes compliance with applicable data protection laws, as well as confidentiality requirements.

(g)     Software Development Lifecycle.

(i)     Security Design Review. Feature designs are assessed by security personnel for their security impact to the Vianai Platform, for example, additions or modifications to access controls, data flows, and logging.

(ii)     Security Training. Engineers are required to take security training.

(iii)     Peer Code Review. All production code must be approved through a peer code review process.

(iv)     Change Control. Vianai’s controls are designed to securely manage assets, configurations, and changes throughout development.

(v)     Code Scanning. Static and dynamic code scans are regularly run and reviewed.

(vi)     Penetration Testing. As part of the Security Design Review process, certain features are identified and subjected to penetration testing prior to release.

(vii)     Code Approval. Functional owners are required to approve code in their area of responsibility prior to the code being merged for production.

(viii)     Multi-Factor Authentication. Accessing the Vianai code repository requires Multi-Factor Authentication.

(ix)     Code Deployment. Production code is deployed via automated continuous integration / continuous deployment pipeline processes.

(x)     Production Separation. Vianai separates production Platform Services systems from testing and development Platform Services systems.

5.     Physical Measures.

Vianai maintains physical security measures designed to prevent unauthorized persons from gaining physical access to Vianai facilities that contain information systems used to store or process Customer Content.

(a)     Vianai Corporate Offices.

Vianai has implemented safeguards for its corporate offices. These include, but are not limited to, the below:

1.     Physical entry points have locks at every door, allowing only authorized employees to enter the office premises.

2.     Equipment and other Vianai-issued assets are inventoried and tracked.

3.     Office Wi-Fi networks are protected with encryption and Network Access Control.


(b)     Cloud Service Provider Data Centers.

Vianai regularly reviews Cloud Service Provider audits conducted in compliance with ISO 27001, SOC 1, and SOC 2. Security controls include, but are not limited to, the list below:

1.     Biometric facility access controls

2.     Visitor facility access policies and procedures

3.     24-hour armed physical security

4.     CCTV at ingress and egress

5.     Intrusion detection

6.     Business continuity and disaster recovery plans

7.     Smoke detection sensors and fire suppression equipment

8.     Mechanisms to control temperature, humidity and water leaks

9.     Power redundancy with backup power supply