TQI Security Policy
A. Security of Data Processing
TQI has implemented and will maintain technical and organizational measures inclusive of administrative, technical and physical safeguards to ensure a level of security appropriate to the risk of the data processing for the TQI Services as described in this TQI Security Annex (the “Security Measures”). These Security Measures may be changed by TQI from time to time during the Term of the Agreement in order to take into account advancements in available security technologies. However, TQI will not materially decrease the overall security of the Services during the Term of the Agreement.
The Security Measures include, but will not be limited to, the following measures for ensuring the ongoing confidentiality, integrity and availability of CLIENT Data in order to prevent unauthorized access, use, modification or disclosure of CLIENT Data:
- Performance of background checks on, and/or execution of Confidentiality Agreements with, all personnel, as well as signature of non-disclosure and business ethics commitments prior to employment;
- Security and privacy awareness training, inclusive of acknowledgment and agreement to abide by organizational security policies, for all personnel upon hire and annually thereafter;
- Pseudonymization or encryption of CLIENT Data in transit and at rest utilizing industry-standard mechanisms for certain TQI Services;
- The ability to restore the availability and access to CLIENT Data in a timely manner in the event of an incident impacting the availability of CLIENT Data by maintaining a backup solution for disaster recovery purposes;
- Logging and monitoring of security logs via a system and alerting to an Incident Response Team upon the detection of suspicious system and/or user behaviors;
- Processes and tooling for regularly identifying, assessing and triaging vulnerabilities based on industry-standard guidelines;
- Maintenance of a comprehensive set of security and privacy policies, procedures and plans that are reviewed on at least an annual basis and provide guidance to the organization regarding security and privacy practices;
- Processes for evaluating prospective and existing Sub-processors to ensure that they have the ability and commitment to implement appropriate technical and organizational measures to ensure the ongoing confidentiality, integrity and availability of CLIENT Data;
- A process for regularly testing, assessing and evaluating the effectiveness of administrative, technical and physical safeguards for ensuring the security of the processing, transmission or storage of CLIENT Data through external and internal audits as further described in Section C below; and
- Preventing access, use, modification or disclosure of CLIENT Data except by authorized TQI personnel (1) to provide the Subscription Services and prevent or address service or technical problems, (2) as compelled by law, or (3) as CLIENT expressly permits in writing.
By implementing the Security Measures detailed above, TQI takes into account the risks related to data processing, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
B. TQI Shared Responsibility Model
TQI Responsibilities
TQI is responsible for the confidentiality, integrity and availability (the “security”) of the Services and internal TQI information technology systems. In addition to those measures detailed in “Security of Data Processing” above, Security Measures include, but are not limited to, server-level patching, vulnerability management, penetration testing, security event logging and monitoring, incident management, operational monitoring, 24/7 support, and ensuring CLIENT site availability in accordance with the SLAs.
TQI may use Sub-processors for the Services and to support TQI as a Processor of CLIENT Data. As these Sub-processors are Authorized Contractors, TQI shall remain fully liable for their acts and omissions relating to the performance of the respective Services and shall be responsible for ensuring that obligations under this Security Annex and the Agreement are carried out in accordance with both.
CLIENT Responsibilities
The CLIENT is responsible for the security of the CLIENT’s Application(s), for example the Omniweb system and/or the Drupal open source software, that are used in conjunction with the Services. This includes, but is not limited to, ensuring secure configuration and coding of the applications, related application security monitoring activities, CLIENT user access management, password configuration, implementation of multi-factor authentication, periodic penetration testing, appropriate application-level DoS or DDoS protections, and vulnerability scanning of their applications, amongst others.
In addition, CLIENTs are responsible for the secure management of the users they provision and manage for the purpose of granting access to TQI’s Services, and for abiding by the Agreement and TQI’s Acceptable Use Policy in using TQI’s Services.
C. Third Party Audits, Certifications
The Security Measures for TQI’s platform offerings are subject to periodic testing by independent third-party audit organizations, inclusive of the following audits and certifications:
- SOC 1 and 2
- PCI-DSS
TQI will provide copies of current published audit reports for the Services to CLIENTs upon written request and under NDA. Such audit reports, and the information they contain, are TQI Confidential Information and must be handled by CLIENT accordingly. Such reports may be used solely by CLIENT to evaluate the design and operating effectiveness of defined controls applicable to the Services and are provided without any warranty.
D. CLIENT Audits
TQI may offer its Services in the cloud using AWS and/or the TQI Cloud and a one-to-many business model that relies on standardization of best practices and industry standards for the benefit of its CLIENTs. As a result, onsite audits by CLIENTs pose security and privacy risks to TQI, other TQI CLIENTs and TQI Sub-processors. Moreover, AWS and TQI do not allow physical audits of the data centers but instead provide third-party audits and certifications. It is for these reasons, among others, that TQI’s security program consists of the audits, certifications and available documentation detailed in “Third Party Audits, Certifications” above, balancing transparency regarding the security and privacy safeguards that TQI has implemented against the security and privacy obligations TQI owes to its CLIENTs and its Sub-processors, including AWS.
Therefore, CLIENT agrees to exercise its right to conduct an audit or inspection of TQI’s processing of personal data within CLIENT Data by instructing and funding TQI to carry out the audits described above in the section “Third Party Audits, Certifications” using TQI’s current processes and timing. If CLIENT wishes to change this instruction regarding the audit or inspection, CLIENT shall send such request by written notice to TQI, and the parties agree to jointly discuss how to implement the changed instruction.