Data Processing Addendum

This Data Processing Addendum including any documents referenced via URLs, which are incorporated herein by reference, (“DPA”) forms part of the Hosted Software and Services Agreement, the software and services agreement, order form or statement of work (the “Agreement”) between Cority Software Inc. or its Affiliate (“Cority”) and the Client collectively identified in the Agreement (“Client”). If the Agreement is between an Affiliate of Cority and Client, all references to “Cority” in this DPA will refer to the Cority Affiliate. By entering into an order form or an Agreement that references and incorporates these Terms and Conditions, Client accepts the terms and conditions set forth herein.

Unless otherwise defined herein, capitalized terms have the meaning given to them in the Agreement.

  1. DEFINITIONS
    • 1.1. The terms “controller”, “data protection impact assessment”, “processor”, and “processing” shall have the meanings given to them in applicable European Data Protection Laws; and the terms “business”, “business purpose”, “commercial purpose”, “consumer”, “personal information”, “service provider”, “sell”, and “share” shall have the meanings given to them in applicable US Privacy Laws.
    • 1.2. “Affiliates” means any entity (now existing or hereafter formed or acquired), which directly, through one or more intermediaries, controls, is controlled by or is under common control with, another entity. Ownership of fifty percent (50%) or more of the voting stock, membership interests, or other equity of an entity shall be deemed to be control over such entity.
    • 1.3. “Data Protection Laws” means the European Data Protection Laws, US Data Privacy Laws, and any other applicable data privacy or data protection laws.
    • 1.4. “Data Security Standards” means the data security standards and procedures set out in this DPA.
    • 1.5. “EEA” means the countries that are parties to the agreement on the European Economic Area, and Switzerland.
    • 1.6. “European Data Protection Laws” means: (i) EU General Data Protection Regulation (“GDPR”); (ii) any applicable national implementations of the GDPR; (iii) the Swiss Federal Data Protection Act (“Swiss DPA”); and (iv) in respect of the United Kingdom (“UK”), the UK GDPR (“UK GDPR”); in each case as may be amended, superseded or replaced.
    • 1.7. “GDPR” means the EU General Data Protection Regulation 2016/679.
    • 1.8. “Personal Data” means any “personal data”, “personal information”, or “personally identifiable information” as defined under Applicable Data Protection Laws, which includes, without limitation, information concerning an identified or identifiable natural person.
    • 1.9. “Personal Data Breach” means any confirmed security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data processed under this DPA.
    • 1.10. “Regulated Transfers” means: (i) where the GDPR applies, a transfer of Client Personal Data from the EEA to a country outside of the EEA which does not benefit from an adequacy decision by the European Commission (an “EEA Regulated Transfer”); (ii) where the UK GDPR applies, a transfer of Client Personal Data from the UK to any other country which does not benefit from adequacy regulations under the UK GDPR (a “UK Regulated Transfer”); and (iii) where the Swiss DPA applies, a transfer of Client Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner (a “Swiss Regulated Transfer”).
    • 1.11. “Services” means the Software and services provided by Cority pursuant to the Agreement.
    • 1.12. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses as adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021, as amended, superseded, or replaced from time to time.
    • 1.13. “Sub-processor” means any processor engaged by Cority or its Affiliates to assist in fulfilling its obligations with respect to providing the hosted software and services under the Agreement or this DPA. Sub-processors may include third parties or Cority’s Affiliates.
    • 1.14. “Supervisory Authority” means a regulatory or other governmental body or authority with jurisdiction or oversight over Data Protection Laws.
    • 1.15. “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018.
    • 1.16. “US Data Privacy Laws” means, as applicable: the California Consumer Privacy Act of 2018 as amended (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Connecticut Data Privacy Act (“CTDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”), as of January 1, 2026, the Indiana Consumer Data Protection Act (“INCDPA”), as of January 1, 2026, the Iowa Consumer Data Protection Act (“ICDPA”), the Montana Consumer Data Privacy Act (“MCDPA”), the Tennessee Information Protection Act (“TIPA”), the Texas Data Privacy and Security Act (“TDPSA”), and any other US state privacy or data protection laws that have been enacted at the time of the parties’ execution of this DPA.
  2. CONTEXT
    • 2.1. Context. This DPA governs the processing of any personal data by Cority, as a processor or service provider, for Client when providing Services under the Agreement.
  3. PROCESSING OF CLIENT PERSONAL DATA
    • 3.1. Processing. Cority is acting as a Processor or a sub-processor for Client. Client is acting as the Controller for its own Personal Data and if applicable, processor for the Personal Data of its Affiliates or of other Controllers that have appointed Client as a processor and, in such case, Client has authorization to engage Cority as sub-processor. Client will serve as a single point of contact for Cority on behalf of its Affiliates and any other Controllers. Cority will be discharged of any obligation to inform or notify another Controller when Cority has informed or notified Client.
    • 3.2. Instructions. Cority shall process Client Personal Data as required to provide the Services and in accordance with Client’s documented lawful instructions. The Agreement and applicable order form(s) (including this DPA) outline Client’s written instructions to Cority regarding the processing of Client Personal Data (“Written Instructions”). Additional instructions outside the scope of the Written Instructions (if any) require prior written agreement between Cority and Client, including agreement on any additional fees payable by Client to Cority for carrying out such instructions. To the extent that Cority believes an instruction is contrary to any Data Protection Laws, Cority shall inform Client, and Cority may suspend the performance of the instruction until Client has modified or confirmed its lawfulness to Cority’s reasonable satisfaction. Notwithstanding the foregoing, Cority is not obligated to evaluate whether an instruction issued by Client complies with Data Protection Laws and Client acknowledges that Client Personal Data may be processed on an automated basis in accordance with Client’s use of the Services, which Cority does not monitor.
    • 3.3. Details of Processing. A list of categories of Data Subjects, types of Client Personal Data, and Processing activities is set out in Appendix 1 – Personal Data Processing. The duration of the Processing corresponds to the Term, unless otherwise stated in Appendix 1 – Personal Data Processing. Cority’s provision of the Services is the purpose and subject matter of the Processing.
    • 3.4. Client Obligations. Client is responsible for its lawful use of the Services and for the lawfulness of its own processing of Personal Data under or in connection with the Services. Accordingly, Client shall:
      • (a) provide all notices and obtain all consents, permissions and rights necessary under Data Protection Laws for Cority to lawfully process Client Personal Data under the Agreement and this DPA;
      • (b) comply with all Data Protection Laws applicable to the collection, provision and contemplated processing of Client Personal Data to and by Cority and/or its Sub-processors; and
      • (c) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws).
    • 3.5. Cority Compliance with Data Protection Laws. In carrying out its activities under this Agreement, Cority will observe and comply with all applicable Data Protection Laws supported by Cority’s operations and applicable to Cority’s activities in connection with this Agreement. For the sake of clarity, Cority supports compliance with European Data Protection Laws, US Data Privacy Laws, Canadian data privacy laws, and Australian data privacy laws.
    • 3.6. Review of Client Data. Cority is not required to assess the contents or accuracy of Client Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Client is responsible for determining whether its use of the Services will meet Client’s requirements and legal obligations under Data Protection Laws.
    • 3.7. Third-Party Requests and Confidentiality. Unless prohibited by applicable law or a legally binding request of law enforcement, Cority shall promptly notify Client of any request by a government or supervisory authority for access to Client Personal Data.
  4. DATA PROTECTION
    • 4.1. Data Security Standards. Cority shall use, process, retain, and disclose Client Personal Data only as necessary to provide the Services and in compliance with the Data Security Standards. Client acknowledges and agrees that Cority may modify the Data Security Standards from time to time in Cority’s sole discretion provided that any modified Data Security Standards must be, except to the extent required to comply with applicable law, no less protective of the Client Personal Data than the Data Security Standards in place as of the Effective Date.
    • 4.2. Client Personal Data. Cority shall implement appropriate technical and organizational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, as set out in Appendix 2 – Technical and Organizational Measures (“Technical and Organizational Measures”). Cority shall treat all of Client Personal Data as confidential by not using, maintaining, or disclosing Client Personal Data except for purposes of providing the Services pursuant to the Agreement or as otherwise required by applicable law.
  5. DATA SUBJECT RIGHTS AND REQUESTS
    • 5.1. Data Subject Requests. Cority shall inform Client of requests from Data Subjects exercising their Data Subject rights (including access, rectification, deletion, and blocking of data) addressed directly to Cority. Client is responsible for handling requests from Data Subjects and using the functionality that forms part of the Services to give effect to such requests. To the extent that Client cannot handle Data Subject requests using self-service functionality provided as part of the Services, Cority shall reasonably assist Client in handling Data Subject requests in accordance with section 12.
    • 5.2. Data Subject Claims. If a Data Subject brings a claim directly against Cority in relation to their Data Subject rights, Client shall reimburse Cority for any cost, charge, damages, expenses, or loss arising from the claim to the extent that Cority has notified Client about the claim and given Client the opportunity to cooperate with Cority in the defense and settlement of the claim. Subject to the terms of the Agreement, Client may claim from Cority direct damages resulting from Data Subject claims for a violation of their Data Subject rights caused by Cority’s breach of its obligations under this DPA.
    • 5.3. Legal Disclosure Requests. If Cority receives a demand to disclose or provide access to Client Personal Data from a third-party or government authority including, without limitation, a government agency or public authority (“Legal Demand”), then Cority will attempt to redirect the Legal Demand to Client. If Cority cannot redirect the Legal Demand, Cority will promptly notify Client and provide a copy of the Legal Demand to allow Client to seek a protective order or other appropriate remedy, to the extent permitted by law. Cority will only disclose or provide access to Client Personal Data as required by law.
  6. SUB-PROCESSORS
    • 6.1. List of Authorized Sub-processors. Client authorizes Cority to engage other Processors to Process Client Personal Data (“Sub-processors”), including Cority’s Affiliates. A list of the third-party Sub-processors is set out on Cority’s website at: https://www.cority.com/legal-center/, which may be updated from time to time.
    • 6.2. New Sub-processors. Cority shall notify Client in advance of any addition of Sub-processors via email. Within 30 days after Cority’s notification, Client can object to the addition of a Sub-processor. Client’s objection must be in writing and include Client’s specific reasons for its objection and options to mitigate. If Client does not object, the Sub-processor may be engaged to Process Client Personal Data. To the extent required under Data Protection Laws, Cority shall impose substantially similar but no less protective data protection obligations as set out in this DPA, as required under Data Protection Laws, on any Sub-processor prior to the Sub-processor initiating any Processing of Client Personal Data, as deemed appropriate by Cority considering factors such as the nature, scope, context and purposes. If Client legitimately objects to the addition of a Sub-processor and Cority cannot reasonably accommodate Client’s objection, Cority shall notify Client and Client may terminate the order form within 14 days of Cority’s notification to the Client; otherwise, the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.
    • 6.3. Sub-processor Obligations. Cority shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Client Personal Data to the extent required by Data Protection Laws and this DPA; and (ii) remain liable for the acts and omissions of its Sub-processors to the same extent that Cority would be liable if performing the services of each Sub-processor under the terms of this DPA.
  7. RETURN OR DELETION OF CLIENT DATA
    • 7.1. During the term of the Agreement, Client retains full control over the Client Personal Data input into the Software and has the right to delete any such Client Personal Data. Furthermore, Client may download its data at any time through the Services.
    • 7.2. Upon termination or expiration of the Agreement, Cority shall:
      • (a) return Client data in accordance with a statement of work, which outlines the fees and format of return, executed by Client and Cority; or
      • (b) delete all Client Personal Data stored in Client’s production environment in accordance with the Agreement, except any Personal Data that Cority is required to retain under applicable law. Any data stored in electronic backups shall be put beyond use and deleted in accordance with Cority’s backup retention policy.
  8. TRANSFERS OF PERSONAL DATA
    • 8.1. Regions. Cority will host Client data in the region identified on the order form (“Hosting Region”). Client is solely responsible for the regions from which it accesses the Services, and for any transfer or sharing of Client Personal Data by Client and if applicable, its Affiliates. Once Client has selected a Hosting Region, Cority will not process Client Personal Data from outside the Hosting Region except as required to provide the Services in accordance with the Agreement, which may include transfers of Client Personal Data to the regions where Sub-processors maintain data processing operations, or as necessary to comply with the law or binding order of a governmental entity.
    • 8.2. EU Transfers. If any transfer of Client Personal Data from Client to Cority constitutes an EEA Regulated Transfer, Cority agrees to abide by and process Client Personal Data in compliance with the Standard Contractual Clauses, which shall be deemed incorporated into this DPA as follows:
      • (a) Applicable Modules. Where Client is a controller of the Client Personal Data, Module Two (controller to processor transfers) shall apply, or where Client is a processor of the Client Personal Data, Module Three (processor to processor transfers) shall apply;
      • (b) Docking Clause. Regarding Clause 7, the optional docking clause will apply;
      • (c) Sub-Processing. Regarding Clause 9, Option 2 (General Written Authorisation) will apply and the time period for prior notice of Sub-processor changes shall be as set out in this DPA;
      • (d) Redress. Regarding Clause 11, the optional language will not apply;
      • (e) Governing Law. Regarding Clause 17, Option 2 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland;
      • (f) Choice of Forum and Jurisdiction. Regarding Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; and Annex I and II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annexes I and II attached hereto; and
      • (g) Appendix. Annex I Standard Contractual Clauses will be deemed populated with the information set forth in Appendix 2 and Annex II of the Standard Contractual Clauses will be deemed populated with the information set forth in Appendix 2.
    • 8.3. UK Transfers. If any transfer of Client Personal Data from Client to Cority constitutes a UK Regulated Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2 above, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 through 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II attached hereto, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
    • 8.4. Swiss Transfers. If any transfer of Client Personal Data from Client to Cority constitutes a Swiss Regulated Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2 above, but with the following modifications:
      • (a) any references in the Standard Contractual Clauses to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein;
      • (b) any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be;
      • (c) any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and
      • (d) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
  9. US PRIVACY LAWS
    • 9.1. For any processing of Client Personal Data subject to US Privacy Laws, the parties agree that:
      • (a) Client is a business; and
      • (b) Client appoints Cority as its service provider (or processor) to process Client Personal Data for the specific business purpose described in and otherwise permitted by the Agreement and US Privacy Laws (the “Permitted Purposes”).
    • 9.2. To the extent required under applicable US Privacy Laws, Client and Cority agree that:
      • (a) Cority shall not sell or share Client Personal Data;
      • (b) Client is not sharing or selling Client Personal Data to Cority;
      • (c) Cority shall comply with its applicable obligations under US Privacy Laws, shall provide the level of privacy protection required by US Privacy Laws, and shall notify Client if it decides it can no longer meet its obligations under US Privacy Laws with respect to its processing Client Personal Data under the Agreement;
      • (d) Cority shall not retain, use, or disclose Client Personal Data outside of the direct business relationship between Client and Cority, or for any purpose other than for the Permitted Purposes, including retaining, using, or disclosing Client Personal Data for a commercial purpose other than the Permitted Purposes;
      • (e) Client has the right to take reasonable and appropriate steps to ensure Cority processes Client Personal Data in a manner consistent with Client’s obligations under US Privacy Laws, and in compliance with the Agreement in accordance with the audit parameters set forth in Section 3.4 (Audits) of this DPA, and shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Data;
      • (f) Cority engages other service providers to assist in the processing of Client Personal Data for the Permitted Purposes under the Agreement on behalf of Client, as detailed in Section 4.2 (Authorized Sub-processors) of this DPA pursuant to a written contract(s) binding such additional service providers to observe the applicable requirements of US Privacy Laws; and
      • (g) Cority shall not combine the Client Personal Data that Cority receives from or on behalf of Client, with Personal Data that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, except as permitted under US Privacy Laws.
  10. SECURITY INCIDENTS
    • 10.1. Incidents. Cority shall investigate unauthorized access and unauthorized use of Client Personal Data in connection with or through the Services, including Personal Data Breaches (“Security Incidents”). Client may notify Cority of a suspected incident or Security Incident.
    • 10.2. Notifications. Cority shall notify Client without undue delay upon confirmation (and in any event within 48 hours of becoming aware) of a Security Incident that is known or reasonably suspected by Cority to affect Client Personal Data and shall provide Client with reasonably requested information about each Security Incident and the status of any remediation and restoration activities. Cority’s notification of or response to a Security Incident will not be construed as an acknowledgement by Cority of any fault or liability with respect to the Security Incident. Client will be responsible for (a) determining if there is any resulting notification or other obligation to data protection authorities and/or Data Subjects and (b) taking necessary action to comply with those obligations. Cority will provide Client with reasonable assistance.
  11. AUDIT
    • 11.1. Requests. Cority will permit audits conducted by Client or a third-party auditor engaged by Client solely on Client’s behalf to determine whether Cority is processing Client Personal Data in accordance with the Agreement, as follows:
      • (a) Upon Client’s written request, Cority will provide Client or its mandated auditor with the most recent certifications and/or summary audit report(s) that Cority has obtained to regularly test, assess, and evaluate the effectiveness of Cority’s Technical and Organizational Measures.
      • (b) Cority will reasonably cooperate with Client by providing available additional information concerning the Technical and Organizational Measures as reasonably required by Client to help Client better understand them.
      • (c) If further information is needed by Client (acting reasonably) to comply with its own or other Controllers’ audit obligations or a competent Supervisory Authority’s request, Client shall inform Cority in writing to enable Cority to provide such information or to grant access to it. For the avoidance of doubt, Cority will be under no obligation to disclose confidential or commercially sensitive information as part of an audit.
    • 11.2. Formal Audit. In the event that the audit request is not satisfied by the options offered in Section 11.1, Client may request a formal audit. In such case, the audit shall be undertaken: (a) on a date agreed upon by the parties; (b) no more than once per calendar year, unless further audits are required to comply with applicable Data Protection Laws; (c) in a manner that minimizes the disruption to the operations of Cority; and (d) in accordance with industry standards. The scope of any audit shall be agreed upon by the parties in advance. Cority is not required to provide access to the data hosting center for such an audit. Cority may, at its sole and entire discretion, charge Client on a time and materials basis at its standard hourly rate for the efforts employed during the audit. Upon completion of the audit, Cority will issue the invoice for any applicable charges and such invoice will be payable within thirty (30) days of receipt.
    • 11.3. Confidentiality. All audits will be subject to the auditing party’s execution of a confidentiality agreement acceptable to Cority and will be conducted at Client’s expense.
  12. ASSISTANCE
    • 12.1. Assistance. Cority will assist Client in the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Client’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach, and any required Data Protection Impact Assessments, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the Processing and the information available to Cority.
    • 12.2. Requests. Client shall make a written request for any assistance referred to in these Data Security Requirements. Cority may charge Client no more than a reasonable charge to provide assistance, with any charges to be set forth in a SOW. If Client does not agree to the SOW, the parties will reasonably cooperate to find a feasible solution.
  13. LIMITATION OF LIABILITY
    • 13.1. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability set forth in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement.


APPENDIX 1 – Personal Data Processing

A. LIST OF PARTIES

Data exporter(s):

  1. Name: Client

Address: As stated in the order form

Contact person’s name, position and contact details: The primary contact by Client

Activities relevant to the data transferred under these Clauses: Client’s use of the Services

Signature and date: Same as the effective date of the order form

Role (controller/processor): Controller or Processor, as applicable.


Data importer(s):

  1. Name: Cority

Address: As stated in the order form

Contact person’s name, position and contact details: Kamran Chaudhry, General Counsel, Kamran.Chaudhry@cority.com with a copy to legal@cority.com and cpo@cority.com

Activities relevant to the data transferred under these Clauses: The performance and provision of Services

Signature and date: Same as the effective date of the order form

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The applicable categories of data subjects are determined and controlled by Client and may include, without limitation:

  • Client employees and independent contractors

Categories of personal data transferred

The applicable categories of personal data are determined and controlled by Client and may include, without limitation:

  • First/Last Name
  • Contact information
  • User Identification Number
  • Employment details
  • Demographic characteristics
  • Health information
  • Safety (injury/illness)
  • Any other personal data input into the Services by Client

Sensitive data transferred (if applicable)

The applicable types of Sensitive Personal Data are determined and controlled by Client, and may include, without limitation:

  • Demographic Characteristics
  • Health information

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature and purpose of the processing

The nature and purpose of the processing will be to provide the services set out under the Agreement relating to Cority’s occupational health, safety, industrial hygiene, environmental, quality, sustainability or ergonomics software solution.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Term of the Agreement and until deletion of all backups containing Client data.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Same as above.

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the Republic of Ireland shall act as competent supervisory authority.

Appendix 2 – Technical and Organizational Measures

  1. Corporate Information Security Policy
    • 1.1. Cority ISP (Information Security Policy) documents are developed based on the ISO framework.
  2. Information Risk Management
    • 2.1. Third-party risk assessments are conducted before authorizing any third-party services and/or software.
    • 2.2. Organizational-level risk assessments and reviews are conducted on an annual basis to evaluate potential risks to the organization, including hosting services.
    • 2.3. Centralized risk management system for risk tracking and monitoring.
  3. Organization of Information Security
    • 3.1. CSMC (Corporate Security Management Committee) is established to proactively develop, maintain, improve, and promote the Information Security Management System and IT security needs to meet business requirements.
  4. Policy Maintenance Policy
    • 4.1. Centralized policy documents management system for policy documents version control and approval.
  5. Human Resources Security
    • 5.1. Criminal and background checks are conducted before onboarding new employees.
    • 5.2. Employee contracts and Rules of Behavior documents are required for signature and/or acknowledgment before authorizing access for new employees.
    • 5.3. Employee onboarding procedure and employee termination procedure are defined and updated on a regular basis.
    • 5.4. Information security awareness and data privacy trainings are conducted for new employees.
    • 5.5. Information security awareness and data privacy refresher training is conducted for all existing employees on an annual basis.
  6. Asset Management
    • 6.1. Centralized information asset management system to track and monitor information assets, including physical and digital (software) assets. Regular reviews are conducted to ensure the information assets are up to date.
  7. Access Control
    • 7.1. Centralized user identity management system to enforce password policy, and user authorization & authentication policy.
    • 7.2. Separate sets of regular user credentials and privileged user credentials.
    • 7.3. Strong authentication such as MFA is enforced on privileged user credentials and enforced on regular user credentials for remote access such as VPN.
    • 7.4. Privileged user credentials and activities are reviewed on a regular basis for auditing.
  8. Cryptography
    • 8.1. Client data encryption at rest is enforced with AES256.
    • 8.2. Client data encryption in transit is enforced with TLS 1.2 (or higher).
    • 8.3. File encryption at rest is supported with PGP and/or WinZip (AES256).
    • 8.4. File encryption in transit is supported with SFTP.
    • 8.5. Remote VPN tunnel encryption is enforced with AES256.
    • 8.6. User endpoint disk encryption is enforced with AES256.
  9. Physical and Environmental Security Policy
    • 9.1. Physical and environmental controls are inherited from cloud hosting service providers.
  10. Operations and Network Security
    • 10.1. Centralized SIEM system to capture activities and audit events.
    • 10.2. Vulnerability monitoring system to continuously scan for and monitor potential vulnerabilities within the SaaS application hosting environment.
    • 10.3. Internal and external networks, as well as client hosting and corporate networks, are segregated. Network access rules are enforced to allow only necessary network traffic into and out of the SaaS application hosting environment.
    • 10.4. Network boundary protection such as a WAF (Web Application Firewall).
    • 10.5. A security hardening procedure is defined and enforced to secure server endpoints.
    • 10.6. Anti-virus protection systems are deployed on server and user endpoints, providing both signature-based and behavior-based detection of attacks.
    • 10.7. Data encryption (see Cryptography).
    • 10.8. Data backup (see Information Security Aspects of Business Continuity Management).
    • 10.9. Internal and external monitoring systems monitor internal components and externally facing SaaS application instances.
  11. Communications Security
    • 11.1. Email system is hosted on Microsoft Office 365 (O365). TLS encryption is enabled by default in O365.
    • 11.2. Access to SaaS applications is enforced over HTTPS (TCP port 443).
    • 11.3. Strong authentication such as MFA is enforced for remote connection to internal networks through VPN tunnel.
  12. System Acquisition, Development and Maintenance
    • 12.1. A centralized source code repository with version control is established to secure source code.
    • 12.2. Software engineering principles are established as guidelines for secure engineering best practices.
    • 12.3. Role-based training for the software development team on topics such as the OWASP Top 10 is conducted on an annual basis.
    • 12.4. A CMP (Change Management Procedure) is established to govern the lifecycle management of configuration changes and application deployment activities. Changes must be approved and validated before implementation in client live production sites.
    • 12.5. Static code analysis system to continuously scan for vulnerabilities within source code.
    • 12.6. Dynamic web application scanning system to continuously scan for vulnerabilities within the running SaaS application.
    • 12.7. Application penetration tests are conducted by certified third-party penetration testers.
  13. Supplier Relationship
    • 13.1. Third-party risk assessments are conducted before authorizing any third-party services and/or software.
  14. Information Security Incident Management
    • 14.1. An IRP (Incident Response Plan) document is established to define the scope and lifecycle process for responding to security incidents.
    • 14.2. CSIRT (Computer Security Incident Response Team) is established and is responsible for incident response activities.
    • 14.3. A third-party security retainer is in place for handling data breach incidents and conducting forensic investigations.
  15. Information Security Aspects of Business Continuity Management
    • 15.1. A client data backup process is established, with backups stored at both onsite and offsite locations.
    • 15.2. Client data backup is encrypted at rest and in transit.
    • 15.3. Members of the CSIRT are responsible for BCP/DRP (Business Continuity Plan/Disaster Recovery Plan) activities and are trained for these activities on a regular basis.
    • 15.4. DRP is tested and evaluated through functional testing.
  16. Compliance
    • 16.1. Cority is ISO/IEC 27001, 27017, and 27018 certified.
  17. Cloud Security
    • 17.1. Cority is ISO/IEC 27017 and 27018 certified.
  18. Security Roles and Responsibilities
    • 18.1. Security R&R (Roles and Responsibilities) are documented in the ISP (Information Security Policy) documents.