Alianza Information Security Policy

At Alianza, Inc. (“Alianza,” “we,” “our,” and/or “us”), we are committed to protecting information that our customers entrust us to handle. This Information Security Policy (“Policy”) sets forth the security measures that Alianza takes to protect Customer Information as part of our information security program. This Policy amends and forms part of the Master Services Agreement or other agreement (the “Agreement”) between Customer and Alianza governing Alianza’s provision of services to Customer. To the extent there is a conflict between the terms of the Agreement and this Policy, this Policy will control. We may update this Policy to reflect changes in our information security program, provided such changes do not materially diminish the level of security provided in this Policy.

1. Definitions.

  1. “Applicable Laws” means all applicable laws or regulations relating to the processing and protection of Personal Information, including, as applicable, the European Union’s General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act and implementing regulations (“CCPA”), each as may be amended or replaced from time to time.
  2. “Customer Information” means any information provided to Alianza by Customer (or accessed by Alianza in the course of providing services under the Agreement), which constitutes internal business information of Customer that is not generally known to the public, including trade secrets, policies, procedures, customer lists, business plans, financial information, and Personal Information.
  3. “Personal Information” means any information provided to Alianza by Customer (or accessed by Alianza in the course of providing services under the Agreement) that identifies or can be used to identify an individual or household.
  4. “Security Incident” means any unauthorized access to or acquisition of Customer Information that compromises the security, confidentiality, or integrity of Customer Information.
  5. “Attempted Security Incident” means any known or repeated attempt to create, cause or inflict a Security Incident.

2. Information Security Program.

  1. Alianza maintains an information security program that uses administrative, technical, and physical safeguards designed to prevent Security Incidents and is designed to protect the confidentiality, integrity, and availability of Customer Information against any anticipated threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss, destruction or damage. Alianza’s information security is designed in line with best practices and industry standards.
  2. Alianza maintains administrative, technical and organizational safeguards that meet the requirements under Applicable Laws and apply best practices and industry standards based on: (i) the nature, size, and complexity of Alianza’s business; (ii) the resources available to Alianza; (iii) the type of Customer Information that Alianza maintains; and (iv) the need for security and confidentiality of such Customer Information.
  3. Alianza’s information security program is reviewed at least annually and revised as necessary or appropriate to address evolving threats and vulnerabilities.
  4. Alianza has designated the Vice President of Operations and Security to lead Alianza’s information security program and develop, review, and approve the Policy. Alianza will provide contact information for this person to Customer.
  5. Alianza will notify Customer any time this Information Security Policy is updated.

3. Access Controls.

  1. Alianza has defined and implemented policies to enforce appropriate role-based access controls based on the principle of least privilege (meaning access is denied unless specifically granted) for access to Customer Information.
  2. Identity and access services are inventoried, monitored and maintained. In addition, Alianza uses programmatic or automatic methods of deploying, maintaining, configuring, fixing, and updating the service/software/infrastructure.
  3. Identification and secure user authentication controls have been implemented, which include technologies, such as single-sign-on and multi-factor authentication, where available.
  4. Alianza has policies in place to block a particular user identifier’s access after multiple unsuccessful attempts to gain access or to place limitations on access for the particular System.
  5. Alianza employs monitoring and logging technology to help detect and prevent unauthorized access attempts to our networks and production systems. Alianza’s monitoring of the cloud environment includes a review of changes affecting authentication, authorization, and auditing.

4. Storage and Transmission Security.

  1. Customer Information is encrypted in transit over public or wireless networks using TLS 1.2 or higher encryption.
  2. Customer Information is isolated, logically or physically, and not mixed with information of other customers.

5. Secure Destruction.

  1. Alianza maintains policies and procedures regarding the disposal of tangible and intangible property containing Customer Information.
  2. Non-removable electronic media is cleared and purged in line with industry standard requirements, such as NIST SP 800-88.
  3. Physical records containing Customer Information, such as paper records, are shredded in line with industry standard requirements.

6. Background Checks and Security Training.

  1. Alianza has implemented appropriate employee security and integrity procedures and practices. All employees with access to Customer Information have been subject to background checks and are subject to contractual obligations of confidentiality.
  2. Alianza provides reasonable security training to all of our employees, contractors and agents who have access to Customer Information to help maintain compliance with Alianza’s information security program.

7. Threat and Vulnerability Management.

  1. Alianza maintains reasonable system monitoring for preventing, detecting, and responding to intrusions or abnormal operations, interference with safe operations, and unauthorized use of or access to Customer Information or other attacks or system failures.
  2. Alianza utilizes an appropriate patch management procedure to secure against potential vulnerabilities.
  3. Alianza deploys EDR software, anti-malware solutions, and proactive security patching to secure employee and contractor endpoints.

8. Vendor Management.

  1. Alianza assesses third-party vendors with access to Customer Information to determine that such third-party vendors maintain appropriate security measures, consistent with Alianza’s information security program and all Applicable Laws.
  2. Alianza requires third-party vendors by contract to implement and maintain appropriate security measures.
  3. Alianza may monitor a third-party vendor’s performance to verify the third-party vendor continues to maintain appropriate security measures.

9. Audits.

  1. Alianza engages a third party to perform an annual SOC 2 audit. The audit will include a review of compliance with the provisions of this document. Should the SOC 2 audit find issues, Alianza will implement changes required to satisfy the SOC 2 audit.
  2. Upon request, Alianza will provide Customer with a summary of the most recent audit report and other documentation to demonstrate Alianza’s compliance with this Policy and Applicable Laws. Any such audit reports and documentation will be confidential information of Alianza.

10. Incident Response Procedures.

  1. Alianza maintains policies and procedures to manage and minimize the effects of Security Incidents or Attempted Security Incidents.
  2. Alianza shall notify Customer of any Security Incident impacting Customer, including any suspected or known data breach of Alianza systems, as soon as possible but no later than 24 hours after discovery.
  3. Alianza will provide Customer with the name and contact information for the response team member who will serve as Customer’s primary contact and will be available to Customer for purposes of investigating the Security Incident.
  4. Alianza agrees to provide Customer with a copy of any Security Incident report prepared, either by a third party or internally, within 30 calendar days after such document is distributed within Alianza. Such document shall specify any remedial measures related to the Security Incident.

11. Business Continuity and Disaster Recovery.

  1. Alianza has defined and implemented policies designed to properly identify, retain, and test the recoverability of Customer Information.
  2. These policies and procedures cover cases where the current production facility becomes unusable with partial or total loss of access to the existing production site equipment.
  3. Alianza maintains real-time data replication across geographically diverse sites and also conducts nightly data backups.
  4. Backups are tested on a regular basis to validate the ability to successfully restore a backup, completeness and integrity of the Customer Information, and accessibility.

12. Deletion of Customer Information.

  1. Upon the termination of the Agreement, Alianza will securely dispose of all copies of Customer Information, other than any Customer Information maintained in archives or that Alianza is required to maintain by applicable law.

13. Effective Date.

This Policy is effective as of August 9, 2022.
