Accuracy Data Security Management Policy

1.1 Confidentiality

Accuracy places strict controls over Accuracy’s employees’ access to the data Client and Client’s authorised users (“Authorised Users”) make available via Accuracy’s Services, as more specifically defined in Client’s agreement with Accuracy covering the use of Accuracy’s Services (“Client Data”), and is committed to ensuring that Client Data is not seen by anyone who should not have access to it. The operation of Accuracy’s Services requires that some employees have access to the systems which store and process Client Data. These employees are prohibited from using these permissions to view Client Data unless it is reasonably necessary to do so. Accuracy has technical controls and audit policies in place to ensure that any access to Client Data is logged. All of Accuracy’s employees and contract personnel are bound by Accuracy’s policies regarding Client Data, and Accuracy treats these issues as matters of the highest importance within Accuracy.

 

1.2 Compliance

The environment that hosts the Accuracy services maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI Certification and SOC reports.

 

1.3 Security Features for Team Members and Administrators

In addition to the work Accuracy does at the infrastructure level, Accuracy provides different administrator teams with defined levels of access to its IT infrastructure and systems.  These administrator teams comprise:

  • Accuracy’s IT Hotline
  • Accuracy’s IT Support Services
  • Accuracy’s IT Administrators

 

1.4 Access Logging

Detailed access logs are available to Authorised IT Administrators.  Accuracy logs every time an account signs in, noting the media access control (MAC) address (for the type of device used) and the IP address of the connection.

 

1.5 Two-Factor Authentication

Accuracy IT Administrators can enable two-factor authentication for instances.

 

1.6 Single Sign-On

Accuracy employees can access Accuracy applications and solutions through a variety of single sign-on options.

 

1.7 Data Retention

Accuracy IT Administrators can configure custom retention policies.

 

1.8 Deletion of Client Data

Accuracy provides the option for clients to delete Client Data at any time.

 

1.9 Return of Client Data

Accuracy IT Administrators of any instance can be granted access to export Client Data.

 

1.10 Data Encryption In-Transit

At the option of the Client, the Accuracy services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.  Accuracy monitors the changing cryptographic landscape closely and works promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve, while also balancing the need for compatibility for older clients.

 

1.11 Availability

Accuracy understands that Clients rely on Accuracy’s services to work.  Accuracy is committed to making the platform a highly-available service that the Client can count on.  Accuracy’s infrastructure runs on systems that are fault tolerant for failures of individual servers.  Accuracy’s operations team tests disaster-recovery measures regularly and staffs an around-the-clock on-call team to quickly resolve unexpected incidents.

 

1.12 Disaster Recovery

Client Data is stored redundantly in Accuracy’s hosting provider’s data centres to ensure availability. Accuracy has well-tested backup and restoration procedures, which allow recovery from a major disaster. Client Data and Accuracy’s source code are automatically backed up nightly. The Operations team is alerted in case of a failure with this system.

 

1.13 Network Protection

In addition to sophisticated system monitoring and logging, Accuracy has implemented checkpoints for all server and network access across Accuracy’s production environment. Firewalls are configured according to industry best practices and ports are blocked by configuration unless specifically opened.

 

1.14 Host Management

Accuracy performs automated vulnerability scans on Accuracy’s production hosts and remediates any findings that present a risk to Accuracy’s environment. Accuracy enforces screen lockouts.

 

1.15 Logging

Accuracy maintains an extensive, centralised logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Accuracy services.  These logs are analysed for security events via automated monitoring software, overseen by the IT Administrators.

 

1.16 Product Security Practices

New features, functionality, and design changes go through a security review process facilitated by the IT Administrators. The IT Administrators work closely with development teams to resolve any additional security concerns that may arise during development.

 

1.17 Incident Management & Response

In the event of a security breach, Accuracy will promptly notify Client of any unauthorised access to Client Data.  Accuracy has incident management policies and procedures in place to handle such an event.

 

1.18 Personnel Practices

Accuracy conducts background checks on all employees before employment, and employees receive security training during onboarding as well as on an ongoing basis. All employees are required to read and sign Accuracy’s comprehensive information security policy covering the security, availability, and confidentiality of the Accuracy services.