Security Controls

Encryption key access restricted

The company restricts privileged access to encryption keys to authorized users with a business need.

Access control procedures established

The company's access control policy documents the requirements for the following access control functions:

• •Adding new users
• •Modifying users
• •Removing an existing user's access

Firewall access restricted

The company restricts privileged access to the firewall to authorized users with a business need.

Access revoked upon termination

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

Unique network system authentication enforced

The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

Remote access MFA enforced

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Remote access encryption enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Intrusion detection system utilized

The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data.

Network firewalls reviewed

The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

Network firewalls utilized

The company uses firewalls and configures them to prevent unauthorized access.

Asset disposal procedures utilized

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Portable media encrypted

The company encrypts portable and removable media devices when used.

Anti-malware technology utilized

The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

Employee background checks performed

The company performs background checks on new employees.

Code of Conduct acknowledged by contractors

The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

Code of Conduct acknowledged by employees and enforced

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

Confidentiality Agreement acknowledged by contractors

The company requires contractors to sign a confidentiality agreement at the time of engagement.

Confidentiality Agreement acknowledged by employees

The company requires employees to sign a confidentiality agreement during onboarding.

Performance evaluations conducted

The company's managers are required to complete performance evaluations for direct reports at least annually.

Visitor procedures enforced

The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.

Security awareness training implemented

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Data encryption utilized

The company's datastores housing sensitive customer data are encrypted at rest using AES-256 encryption.

Control self-assessments conducted

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

Penetration testing performed

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

Vulnerability and system monitoring procedures established

The company's formal policies outline the requirements for the following functions related to IT / Engineering:

• •Vulnerability management
• •System monitoring

Password policies enforced

The company has established password policies with minimum system password requirements. The system validates that requirements are met or provides an error message.

Processing issues automatically alerted

The company has automated transactions to move files and data between different system components. Errors that occur during the creation or transmission of critical data generate an alert to system administrators.

System activity logged

The company captures system activity, including user activity, in transaction logs.

Processed transactions verified

The company's system validates that completed customer transactions align with the customer's scheduled transaction. Customers and/or account managers are notified of any errors or delinquencies.

Continuity and Disaster Recovery plans established

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Continuity and disaster recovery plans tested

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

Cybersecurity insurance in place

The company maintains cybersecurity insurance to help mitigate the financial impact of cyber incidents and business disruptions. Coverage has been in place since Dec 2025.

Configuration management system established

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

Development lifecycle established

The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Board oversight briefings conducted

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

Board charter documented

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

Board expertise developed

The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

Board meetings conducted

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

Incident response plan established

The company has established an incident response plan that outlines roles, responsibilities, and procedures for handling security incidents.

Incident response testing conducted

The company tests its incident response capabilities at least annually through tabletop exercises or simulations.

Risk assessment conducted

The company performs risk assessments at least annually to identify and evaluate risks that could affect the achievement of objectives.

Risk treatment plans established

The company has established risk treatment plans to address identified risks and track remediation efforts.

Security policies documented

The company has documented information security policies that are reviewed and approved by management at least annually.

Security roles and responsibilities defined

The company has defined and assigned information security roles and responsibilities to appropriate personnel.

Change management procedures established

The company has established change management procedures that govern the authorization, testing, and approval of changes before implementation.

Production changes tested

The company requires that production changes are tested in a non-production environment before deployment.

Production changes reviewed

The company requires that production changes are reviewed and approved before deployment.

Version control utilized

The company utilizes a version control system to track changes to code and configuration.

Code review performed

The company requires code reviews for all production code changes.

Automated testing implemented

The company has implemented automated testing as part of the software development lifecycle.

System hardening standards established

The company has established system hardening standards that are applied to production systems.

Patch management procedures established

The company has established patch management procedures to ensure timely application of security patches.

Logging and monitoring enabled

The company has enabled logging and monitoring for production systems and retains logs for an appropriate period.

Log review conducted

The company reviews logs for security events and anomalies on a regular basis.

Vendor management program established

The company has established a vendor management program to assess and monitor the security practices of third-party vendors.

Vendor security assessments conducted

The company conducts security assessments of vendors that process, store, or transmit customer data.

Physical access controls implemented

The company has implemented physical access controls to protect data center and office facilities.

Media handling procedures established

The company has established procedures for the secure handling, transport, and disposal of media containing sensitive data.

Asset inventory maintained

The company maintains an inventory of hardware and software assets.

Acceptable use policy established

The company has established an acceptable use policy that governs the use of company systems and data.

Data retention procedures established

The company has established data retention procedures that define retention periods for different types of data. Default retention for call recordings is 90 days, configurable by customer.

Customer data deleted upon leaving

The company deletes customer data upon account termination in accordance with data retention policies and applicable law. Customers have 30 days to export their data before deletion.

Data classification policy established

The company has established a data classification policy that defines categories of data and corresponding handling requirements.

Privacy policy published

The company has published a privacy policy that describes how personal data is collected, used, and shared.

Data subject rights procedures established

The company has established procedures to handle data subject rights requests (access, rectification, erasure, portability) in accordance with GDPR and other applicable regulations.

Data processing agreements in place

The company has data processing agreements (DPAs) in place with relevant vendors and offers a DPA to customers that incorporates Standard Contractual Clauses (SCCs).

International data transfer mechanisms implemented

The company has implemented appropriate mechanisms for international data transfers, including Standard Contractual Clauses (SCCs) and Data Privacy Framework (DPF) certifications.

AI training opt-out enforced

The company has opted out of data training with AI providers. Customer data and call data are NOT used to train general-purpose AI models. We do not share customer data with third parties for AI training purposes.