Imply Information Security Addendum

Effective: February 1, 2022

This Security Addendum is incorporated into and made a part of the written agreement between Imply and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.   

Imply maintains a comprehensive documented security program based on industry recognized best practices (or industry recognized successor framework), under which Imply implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of Imply’s hosted Software and Customer Data (the “Security Program”), including, but not limited to, as set forth below. Imply regularly tests and evaluates its Security Program, and may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.

1. System & Network Security

1.1. Access Controls.

1.1.1. All Imply personnel access to the production environment is via a unique user ID, consistent with the principle of least privilege, requires a VPN, as well as multi-factor authentication and passwords meeting or exceeding CIS length and complexity requirements.

1.1.2. Imply personnel will not access Customer Data except (i) as reasonably necessary to provide services under the Agreement or (ii) to comply with the law or a binding order of a governmental body.

1.2. Endpoint Controls. For access to the production environment, Imply personnel use Imply-issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint protection tools to monitor and alert for suspicious activities and malicious code.

1.3. Separation of Environments. Imply logically separates production environments from development environments. The production environment is both logically and physically separate from Imply’s corporate offices and networks.

1.4. Firewalls / Security Groups. Imply shall protect the production environment using security group technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.

1.5. Hardening. The production environment shall be hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this Security Addendum.

1.6. Monitoring & Logging.

1.6.1. Infrastructure Logs. Monitoring tools or services, such as host-based intrusion detection tools, are utilized to log certain activities and changes within the production environment. These logs are further monitored, analyzed for anomalies, and are securely stored to prevent tampering for at least one year.

1.7. Vulnerability Detection & Management.

1.7.1. Anti-Virus & Vulnerability Detection. The production environment leverages advanced threat detection tools, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code. Imply does not monitor Customer Data for malicious code.

1.7.2. Penetration Testing & Vulnerability Detection. Imply regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of Imply’s hosted Software at least annually. Imply also runs vulnerability scans for the production environment using updated vulnerability databases.

1.7.3. Vulnerability Management. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Imply’s hosted Software. Upon becoming aware of such vulnerabilities, Imply will use commercially reasonable efforts to address private and public (e.g. U.S. Cert announced) vulnerabilities. To assess whether a vulnerability is ‘critical’, ‘high’, or ‘medium’, Imply leverages the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS), or where applicable, the U.S.-Cert rating.

2. Encryption

2.1. Encryption of Customer Data. All Customer Data will be encrypted in line with FIPS 140 requirements when in storage (at rest), unless Customer approved compensating controls are implemented. 

2.2. Encryption Key Management. Imply’s encryption key management conforms to best practices and involves regular rotation of encryption keys. 

3. Administrative Controls

3.1. Personnel Security. Imply requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.

3.2. Personnel Training. Imply maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding and on-going training.

3.3. Personnel Agreements. Imply personnel are required to sign confidentiality agreements. Imply personnel are also required to acknowledge responsibility for reporting security incidents involving Customer Data.

3.4. Personnel Access Reviews & Separation. Imply reviews the access privileges of its personnel to the production environment at least quarterly, and removes access on a timely basis for all separated personnel.

3.5. Imply Risk Management & Threat Assessment. Imply’s security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.

3.6. External Threat Intelligence Monitoring. Imply reviews external threat intelligence, including US-Cert vulnerability announcements and other trusted sources of vulnerability reports. U.S.-Cert announced vulnerabilities rated as critical or high are prioritized for remediation. 

3.7. Change Management. Imply maintains a documented change management program for the hosted Software.

3.8. Vendor Risk Management. Imply maintains a vendor risk management program for vendors that process Customer Data designed to ensure each vendor maintains security measures consistent with Imply’s obligations in this Security Addendum.

4. Physical & Environmental Controls

4.1. Production Environment Data Centers. To ensure the cloud infrastructure provider has appropriate physical and environmental controls for its data centers hosting the production environment,  Imply regularly reviews those controls as audited under the cloud infrastructure provider’s third-party audits and certifications. Each cloud infrastructure provider shall have a SOC 2 Type II annual audit, ISO 27001 certification, or industry recognized equivalent frameworks. Such controls, shall include, but are not limited to, the following:

4.1.1.   Physical access to the facilities is controlled at building ingress points;

4.1.2.   Visitors are required to present ID and are signed in;

4.1.3.   Physical access to servers is managed by access control devices;

4.1.4.   Physical access privileges are reviewed regularly;

4.1.5.   Facilities utilize monitor and alarm response procedures;

4.1.6.   Use of CCTV;

4.1.7.   Fire detection and protection systems;

4.1.8.   Power back-up and redundancy systems; and

4.1.9.   Climate control systems.

5. Incident Detection & Response

5.1. Security Incident Reporting. If Imply becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident“), Imply shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware.

5.2. Investigation. In the event of a Security Incident as described above, Imply shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident, shall be preserved for at least one year. 

5.3. Communication and Cooperation. Imply shall provide Customer timely information about the Security Incident to the extent known to Imply, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Imply to mitigate or contain the Security Incident, the status of Imply’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Imply personnel may not have visibility to the content of Customer Data, it may be unlikely that Imply can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Imply with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Imply of any fault or liability with respect to the Security Incident.