Security Addendum

Last Updated: 21 June 2024

1. Scope

This document describes the Information Security Measures (“Measures”) that Unified Calling has in place when processing Protected Data through Unified Calling Services.

2. Definitions

For purposes of this Security Addendum only, capitalized terms, not otherwise defined herein, have the meaning set forth in the Agreement.

a. “Unified Calling Services”, or “Services”, means services offered by Unified Calling and acquired by the Customer.

b. “Customer” means the entity that entered into the Agreement with Unified Calling.

c. “Protected Data” means Customer and partner data processed by Unified Calling Services, as defined in the applicable Unified Calling DPA or Agreement, including “personal data” and “personal information” as defined by applicable privacy laws, confidential data as defined in the Agreement, account data, configuration data, and communication content including messages, voicemail, and video recordings.

d. “Agreement” means the agreement in place between Unified Calling and the Customer for the provision of the Services.

e. “Personnel” means Unified Calling employees, contractors or subcontracted Professional Services staff.

3. Information Security Management

a. Security Program

Unified Calling maintains a written information security program that:

i. Includes documented policies or standards appropriate to govern the handling of Protected Data in compliance with the Agreement and with applicable law.

ii. Is managed by a senior employee responsible for overseeing and implementing the program.

iii. Includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Protected Data.

iv. Is appropriate to the nature, size, and complexity of Unified Calling’s business operations.

b. Security Policy Management

Unified Calling’s security policies, standards and procedures:

i. Align with established information security industry standards.

ii. Are subject to ongoing review.

iii. May be revised to reflect changes in industry best practices.

c. Risk Management

Unified Calling:

i. Performs cybersecurity risk assessments at least annually to identify threats to its business or operations.

ii. Updates Unified Calling policies, procedures and standards as needed to address threats to Unified Calling’s business or operations.

4. Independent security assessments

a. External Audit

Unified Calling:

i. Uses qualified independent third-party auditors to perform security audits covering systems, environments and networks where Protected Data is processed, including:

  • SOC 2 Type II
  • ISO/IEC 27001.

ii. Maintains additional audits and compliance certifications as appropriate for Unified Calling’s business.

b. Distribution of Reports.

Copies of relevant audit reports and certifications:

  1. Will be provided to Customer on request.
  2. Are subject to a Non-Disclosure Agreement.

c. Annual Risk Assessment Questionnaire

Customer may, on one (1) occasion within any twelve (12) month period, request that Unified Calling complete a third-party risk assessment questionnaire within a reasonable time frame.

In case of conflict between this section and the equivalent section in the Unified Calling DPA, the DPA takes precedence.

5. Human Resource Security

A. Background Checks

Unified Calling requires pre-employment screenings of all employees. Unified Calling conducts criminal background searches on its employees to the extent permitted by law. Each background check in the US includes:

  1. An identity verification (SSN trace).
  2. Criminal history checks for up to seven (7) years for felonies and misdemeanors at the local, state, and federal level, where appropriate.
  3. Terrorist (OFAC) list search, as authorized by law.

Internationally, criminal history checks are conducted as authorized by local law.

Background checks are conducted by a member of the National Association of Professional Background Screeners or a competent industry-recognized company in the local jurisdiction.

B. Training

Unified Calling will ensure that all employees including contractors:

  1. Complete annual training to demonstrate familiarity with Unified Calling’s security policies.
  2. Complete annual training for security and privacy requirements, including Cyber Security awareness, GDPR, and CCPA.
  3. Have the reasonable skill and experience suitable for employment and placement in a position of trust within Unified Calling.

C. Workstation Security

Unified Calling ensures that:

  1. Unified Calling employees use either Unified Calling owned and managed devices or Bring Your Own Device (BYOD) devices in the performance of their duties.
  2. All devices, whether Unified Calling owned and managed or BYOD, are enrolled in the full Unified Calling managed device program.

D. Data Loss Prevention

Unified Calling employs a comprehensive system to prevent the inadvertent or intentional compromise of Unified Calling data and Protected Data.

E. Due Diligence over Sub-Contractors

Unified Calling will:

  1. Maintain a security process to conduct appropriate due diligence prior to engaging sub-contractors.
  2. Assess the security capabilities of any such sub-contractors on a periodic basis to ensure the sub-contractors’ ability to comply with the Measures described in this document.
  3. Apply written information security requirements that oblige sub-contractors to adhere to Unified Calling’s key information security policies and standards, consistent with and no less protective than these Measures.

F. Non-disclosure

Unified Calling ensures that employees and contractors/sub-contractors who process Protected Data are bound in writing by obligations of confidentiality.

6. Physical Security

A. General

Unified Calling:

  1. Restricts access to, controls, and monitors all physical areas where Unified Calling Services process Protected Data (“Secure Areas”).
  2. Maintains appropriate physical security controls on a 24-hours-per-day, 7-days-per-week basis (“24/7”).
  3. Revokes any physical access to Secure Areas promptly after the cessation of the need to access buildings and system(s).
  4. Performs a review of access rights on at least an annual basis.

B. Access and Authorization Processes

Unified Calling maintains a documented access authorization and logging process. The authorization and logging process will include at minimum:

  1. Reports detailing all access to Secure Areas, including the identities and dates and times of access.
  2. Reports to be maintained for at least one year as allowed by law.
  3. Video surveillance equipment to monitor and record activity at all Secure Areas entry and exit points on a 24/7 basis to the extent permitted by applicable laws and regulations.
  4. Video recording to be maintained for at least 30 days or per physical location provider’s policies.

C. Data Centers

To the extent that Unified Calling is operating or using a data center, Unified Calling ensures that physical security controls are in alignment with industry standards such as ISO 27001 and SSAE 16 or ISAE 3402 or similar standard including:

  1. Perimeter security including fencing/barriers and video surveillance.
  2. Secure access including security guard/reception.
  3. Interior access controlled through RFID cards, 2FA, anti-tailgating controls.
  4. Redundant utility feeds and support for continuous delivery through backup systems.
  5. Redundant network connection from multiple providers.

Physical access to the data centers housing Unified Calling’s production servers, backup media, and related hardware is restricted to operations employees with specific job functions to address operational needs.

7. Logical Security

A. User Identification and Authentication

Unified Calling:

  1. Maintains a documented user lifecycle management process that includes manual and/or automated processes for approved account creation, account removal and account modification for all Information Resources and across all environments.
  2. Ensures that Unified Calling users have individual accounts for unique traceability.
  3. Ensures that Unified Calling users do not use shared accounts; where shared accounts are technically required, controls are in place to ensure traceability.
  4. Configures Unified Calling user passwords in alignment with current NIST guidance.

For customer-facing applications, Customers may choose to integrate with SSO (Single Sign-On) so that Customer retains control over their required password settings, including Customer’s existing MFA/2FA solutions.

B. User Authorization and Access Control

Unified Calling:

  1. Configures remote access to all networks storing or transmitting Protected Data to require multi-factor authentication for such access.
  2. Revokes access to systems and applications that contain or process Protected Data promptly after the cessation of the need to access the system(s) or application(s).
  3. Has the capability of detecting, logging, and reporting access to the system and network or attempts to breach security of the system or network.

Unified Calling employs access control mechanisms that are intended to:

  1. Limit access to Protected Data to only those Personnel who have a reasonable need to access said data to enable Unified Calling to perform its obligations under the Agreement.
  2. Prevent unauthorized access to Protected Data.
  3. Limit access to users who have a business need to know.
  4. Follow the principle of least privilege, allowing access to only the information and resources that are necessary.
  5. Review access controls on a minimum annual basis for all Unified Calling’s systems that transmit, process, or store Protected Data.

8. Telecommunication and Network Security

A. Network Management

Unified Calling:

  1. Maintains a network security program that includes industry standard firewall protection and two-factor authentication for access to Unified Calling’s networks.
  2. Deploys Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS) to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.
  3. Monitors web traffic from the Internet and from internal sources to detect cyber-attacks including Distributed Denial of Service (DDoS) attacks against web sites / services and to block malicious traffic.

B. Network Segmentation

Unified Calling:

  1. Implements network segmentation between the corporate enterprise network and hosting facilities for Services.
  2. Ensures separation between environments dedicated to development, staging, and production.
  3. Restricts access between environments to authorized devices.
  4. Controls configuration and management of network segregation and firewall rules through a formal request and approval process.

C. Network Vulnerability Scanning

Unified Calling:

  1. Runs internal and external network vulnerability scans against information processing systems at least quarterly.
  2. Evaluates findings based on (where applicable) CVSS score and assessment of impact, likelihood and severity.
  3. Remediates findings following industry standard timelines.

9. Operations Security

A. Asset Management

Unified Calling:

  1. Maintains an accurate and current asset register covering hardware and software assets used for the delivery of services.
  2. Maintains accountability of assets throughout their lifecycle.
  3. Maintains processes to wipe or physically destroy physical assets prior to their disposal.

B. Configuration Management

Unified Calling:

  1. Maintains baseline configurations of information systems and applications based on industry best practices, including:
     a. Removal of all vendor-provided passwords.
     b. Removal/disabling of unused services and settings.
     c. Anti-malware/endpoint protection as technically feasible.
  2. Enforces security configuration settings for systems used in the provision of the Services.
  3. Ensures that clocks of all information processing systems are synchronized to one or more reference time sources.

C. Malicious Code Protection

  1. To the extent practicable, Unified Calling has endpoint protection in place, in the form of Endpoint Detection and Response (EDR) and/or antivirus software, installed and running on servers and workstations.
  2. EDR alerts are monitored and immediate action is taken to investigate and remediate any abnormal behavior.
  3. Where used, antivirus software will be current and running to scan for and promptly remove or quarantine viruses and other malware on Windows servers and workstations.

D. Vulnerability, Security Patching

Unified Calling:

  1. Monitors for publicly disclosed vulnerabilities and exposures for impact to Supplier’s information systems and products.
  2. Ensures quality assurance testing of patches prior to deployment.
  3. Ensures that all findings resulting from network vulnerability scanning and relevant publicly disclosed vulnerabilities and exposures are evaluated according to industry best practices, including CVSS score and assessment of impact, likelihood and severity, and are remediated following industry standard timelines.

E. Logging and Monitoring.

Unified Calling shall ensure that:

  1. All systems, devices or applications associated with the access, processing, storage, communication and/or transmission of Protected Data generate audit logs.
  2. Access to Protected Data is logged.
  3. Logs include sufficient detail that they can be used to detect significant unauthorized activity.
  4. Logs are protected against unauthorized access, modification and deletion.
  5. Logs are sent to a centralized location for aggregation and monitoring.

10. Software Development and Maintenance

A. Secure development lifecycle

Unified Calling:

  1. Applies secure development lifecycle practices, including during design, development and test cycles.
  2. Ensures that products are subject to security design review including threat considerations and data handling practices.
  3. Ensures that Services are subject to a secure release review prior to promotion to production.

B. Security Testing

As part of the secure development lifecycle, Unified Calling:

  1. Performs rigorous security testing, including, as technically feasible:
     a. static code analysis,
     b. source code peer reviews,
     c. dynamic and interactive security testing, and
     d. security logic, or security “QA”, testing.
  2. Ensures that Internet-facing applications are subject to application security assessment reviews and testing to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities, CWE/SANS Top 25 vulnerabilities).
  3. For all mobile applications (i.e. running on Android, iOS) that collect, transmit or display Protected Data, conducts an application security assessment review to identify and remediate industry-recognized vulnerabilities specific to mobile applications.
  4. Does NOT use Protected Data for testing.
  5. Makes all reasonable effort to identify and remediate software vulnerabilities prior to release.

C. Annual Penetration Testing

Unified Calling:

  1. Engages qualified, independent third-party penetration testers to perform an annual penetration test against its Products and environments where Protected Data is hosted.
  2. Requires sub-processors to perform similar penetration testing against their systems, environments and networks.
  3. Ensures remediation of all findings in a commercially reasonable period of time.

D. Product Vulnerability Management

Unified Calling:

  1. Uses commercially reasonable efforts to regularly identify software security vulnerabilities in Unified Calling Services.
  2. Provides relevant updates, upgrades, and bug fixes for known software security vulnerabilities, for any software provided or in which any Protected Data is processed.
  3. Ensures that all findings resulting from internal and external testing are evaluated according to industry best practices, including CVSS score and assessment of impact, likelihood and severity and are remediated following industry standard timelines.

E. Open Source and Third-Party Software

Unified Calling:

  1. Uses commercially reasonable efforts to ensure the secure development and security of open source software and third-party software used by Unified Calling.
  2. Uses commercially reasonable efforts to evaluate, track and remediate vulnerabilities of open source software (OSS) and other third-party libraries that are incorporated into the Services.

11. Data Handling

A. Data Classification

Unified Calling maintains data classification standards including:

  1. Public data: data that is generally available or expected to be known to the public.
  2. Confidential data: data that is not available to the general public.

Protected Data is classified as Unified Calling Confidential Data.

B. Data Segregation

Unified Calling:

  1. Ensures physical or logical segregation of Protected Data from other customers’ data.
  2. Ensures physical separation and access control to segregate Protected Data from Unified Calling data.

C. Encryption of Data

Unified Calling:

  1. Shall ensure encryption of Protected Data in electronic form in transit over all public wired networks (e.g., Internet) and all wireless networks (excluding communication over Public Switched Telephone Networks).
  2. Excepting the Engage Communities feature of Engage Digital, shall ensure encryption of Protected Data in electronic form when stored at rest.
  3. Uses industry standard encryption algorithms and key strengths to encrypt Protected Data in transit over all public wired networks (e.g., Internet) and all wireless networks.

D. Destruction of Data.

Unified Calling shall:

  1. Ensure the secure deletion of data when it is no longer required.
  2. Ensure that electronic media that has been used in the delivery of Services to the Customer will be sanitized before disposal or repurposing, using a process that assures data deletion and prevents data from being reconstructed or read.
  3. Destroy any equipment containing Protected Data that is damaged or non-functional.

12. Incident Response

Unified Calling’s incident response capability is designed to comply with statutory and regulatory obligations governing incident response. As such, Unified Calling:

  1. Maintains an incident response capability to respond to events potentially impacting the confidentiality, integrity and/or availability of Services and/or data including Protected Data.
  2. Has a documented incident response plan based on industry best practices.
  3. Has a process for evidence handling that safeguards the integrity of collected evidence, including allowing detection of unauthorized access to, and
  4. Will take appropriate steps and measures to comply with statutory and regulatory obligations governing incident response.

When Unified Calling learns of or discovers a security event which impacts Protected Data, Unified Calling will notify Customer without undue delay and will take commercially reasonable steps to isolate, mitigate, and/or remediate such event.

13. Business Continuity and Disaster Recovery

A. Business Continuity

Unified Calling:

  1. Ensures that responsibilities for service continuity are clearly defined and documented and have been allocated to an individual with sufficient authority.
  2. Has a business continuity plan (BCP) in place designed to provide ongoing provision of the Services to Customer.
  3. Develops, implements, and maintains a business continuity management program to address the needs of the business and Services provided to the Customer. To that end, Unified Calling completes a minimum level of business impact analysis, crisis management, business continuity, and disaster recovery planning.
  4. Ensures that the scope of the BCP encompasses all relevant locations, personnel and information systems used to provide the Services.
  5. Ensures that its BCP includes, but is not limited to, elements such as location workarounds, application workarounds, vendor workarounds, and staffing workarounds, exercised at minimum annually.
  6. Reviews, updates and tests the BCP at least annually.

B. Disaster Recovery

Unified Calling:

  1. Maintains a disaster recovery plan, which includes, but is not limited to, infrastructure, technology, and system(s) details, recovery activities, and identifies the people/teams required for such recovery, exercised at least annually.
  2. Ensures that the disaster recovery plan addresses actions that Unified Calling will take in the event of an extended outage of service.
  3. Ensures that its plans address the actions and resources required to provide for (i) the continuous operation of Unified Calling, and (ii) in the event of an interruption, the recovery of the functions required to enable Unified Calling to provide the Services, including required systems, hardware, software, resources, personnel, and data supporting these functions.