These “Eccentex Cloud Security Terms” are incorporated by this reference into Customer’s Eccentex Cloud Service Terms and Conditions agreement with Eccentex and describe the contractual requirements for information security provided by Eccentex to Customer related to the provision of Eccentex Cloud Services Customer has licensed from Eccentex pursuant to an agreement executed by both parties governing such provision and use of Eccentex Cloud Services (the “Agreement”).  These terms are applicable to the extent that Eccentex has access to and control over Customer Data.

1.      Security Program

• Security Standards. Eccentex has implemented and will maintain an information security program that follows generally accepted system security principles embodied in the ISO 27001 standard designed to protect Customer Data, as appropriate to the nature and scope of the Eccentex Cloud Services provided.
• Security Awareness and Training. Eccentex has developed and will maintain an information security and awareness program delivered to all employees and appropriate contractors at the time of hire or contract commencement and annually thereafter.  With regard to Customer Data access, this includes information security, privacy, HIPAA security & privacy, GDRP, and PCI training.
• Policies and Procedures. Eccentex will maintain appropriate policies and procedures to support the information security  Policies and procedures will be reviewed annually and updated as necessary.
• Change Management. Eccentex will use a change management process based on Industry Standards to ensure all changes to the Eccentex Cloud Services environment are appropriately reviewed, tested, and approved.
• Data Storage and Backup. Eccentex will create backups of Customer Data.  Customer Data will be stored and maintained solely in Azure Cloud with AES-256 Server-Side Encryption (SSE).  Backup data will not be stored on portable media.  Customer Data backups will be protected from unauthorized access.
• Anti-virus and Anti-malware. Industry Standard anti-virus and anti-malware protection solutions are used on systems commonly affected by malware to protect infrastructure supporting Eccentex Cloud Services against malicious software, such as trojan horses, viruses, and worms.  Eccentex deploys File Integrity Management (FIM) solutions on all production systems, as well as robust monitoring of system access and command use.
• Vulnerability and Patch Management. Eccentex will maintain a vulnerability management program that ensures compliance with Industry  Eccentex will assess all critical vulnerabilities to the Eccentex Cloud Services environment for access/vector complexity, authentication, impact, and integrity.  If the resulting risk is deemed to be “Critical” to Customer Data by Eccentex, Eccentex will endeavor to patch or mitigate affected systems within three (3) working days.
• Data Deletion and Destruction. Eccentex will, and will ensure that sub-processors will, follow Industry Standard processes to delete obsolete data and sanitize or destroy retired equipment that formerly held Customer Data.
• Penetration Testing. On at least an annual basis, Eccentex will conduct a vulnerability assessment and penetration testing engagement with an independent qualified vendor.  Issues identified during the engagement will be appropriately addressed within a reasonable time-frame commensurate with the identified risk level of the issue.

2.      Product Architecture Security

• Logical Separation Controls. Eccentex will employ effective logical separation controls based on Industry Standards to ensure that Customer Data is logically separated from other customer data within the Azure Cloud storage.
• Firewall Services. Eccentex uses Azure Security Groups to protect the Eccentex Cloud Services  Eccentex maintains granular ingress and egress rules, and changes must be approved through Eccentex change management procedures.
• Intrusion Detection System. Eccentex has implemented intrusion detection across the Eccentex Cloud Services environment.
• No Wireless Networks. Eccentex will not use wireless networks in its Cloud Services environments.
• Data Connections between Customer and the Eccentex Cloud Services Environment. All connections to browsers, mobile apps, and other components are secured via Hypertext Transfer Protocol Secure (HTTPS), Secure Real-time Transport Protocol (SRTP), Secure File Transfer Protocol (SFTP) and Transport Layer Security (TLS v1.2 or higher) over public Internet.
• Data Connections between Eccentex Cloud Services Environment and Third Parties. Transmission or exchange of Customer Data with Customer and any Eccentex Vendor will be conducted using secure methods (e.g. TLS 1.2, HTTPS, SFTP).
• Encryption Protection. Eccentex uses Industry Standard methods to support encryption of content at rest, with AES meeting FIPS 197, TLS 2 and above and Azure Server Side Encryption.
• Logging and Monitoring. Eccentex will log security events from the operating perspective for all infrastructure providing Eccentex Cloud Services to Customer. Eccentex will monitor and investigate events that may indicate a Security Incident or  Event records will be retained at least one year.  Certain audit data is accessible to customers via the User Interface (UI).

3.       User Access Control

• Access Control. Eccentex will implement appropriate access controls to ensure only authorized Users have access to Customer Data within the Eccentex Cloud Services environment.
• Customer User Access. Customer is responsible for managing User access controls within the application.  Eccentex Cloud Services application password requirements are configurable by Customer for minimum length, minimum letters, minimum numerals, minimum special characters, password expiration, and minimum age.  Customer defines user names and roles in a granular access permissions model.  Customer is entirely responsible for any failure by itself, its agents, contractors or employees (including without limitation all its users) to maintain the security of all usernames, passwords and other account information under its control.  Except in the event of a security lapse arising from gross negligence or willful action or inaction by Eccentex, Customer is entirely responsible for all use of Eccentex Cloud Services through Customer’s usernames and passwords, whether or not authorized by Customer, and all charges resulting from such use.  Customer will immediately notify Eccentex if Customer becomes aware of any unauthorized use of Eccentex Cloud Services.
• Eccentex User Access. Eccentex will create individual user accounts for each Eccentex employee or contractor that has a business need to access Customer’s systems within the Eccentex Cloud Services environment.  The following guidelines will be followed regarding Eccentex user account management:
  • User accounts are requested and authorized by Eccentex.
  • Strong password controls are systematically.
  • Connections are required to be made via secure VPN using multi-factor authentication and strong passwords that expire every ninety (90) days.
  • Session time-outs are systematically enforced.
  • User accounts are promptly disabled upon employee termination or role transfer that eliminates a valid business need for access.

4.     Business Continuity and Disaster recovery

• Disruption Protection. Eccentex Cloud Services will be deployed and configured in a high-availability design.  The Eccentex Cloud Services environment is physically separated from Eccentex’ corporate network environment so that a disruption event involving the corporate environment does not impact the availability of Eccentex Cloud Services.
• Business Continuity. Eccentex will maintain a corporate business continuity plan designed to ensure ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.
• Disaster Recovery. The Eccentex Cloud Services Azure platform takes advantage of the distributed nature of the Azure infrastructure to enable full multi-site disaster recovery by operating in multiple availability zones, which are distinct locations that are engineered to be insulated from one another.

5.      Security Incident Response

• Security Incident Response Program. Eccentex will maintain a Security Incident response program based on Industry Standards, which is designed to identify and respond to suspected and actual Security Incidents involving Customer  The program will be reviewed, tested and, if necessary, updated on at least an annual basis.  “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.
• Notification. In the event of a Security Incident or other security event requiring notification under applicable law, Eccentex will notify Customer within twenty-four (24) hours and cooperate reasonably so Customer can make any required notifications relating to such event, unless Eccentex is requested specifically by law enforcement or a court order to not do so.
• Notification Details. Eccentex will provide the following details to Customer regarding any Security Incidents: (i) dates Security Incident was identified and confirmed; (ii) nature and impact of the Security Incident; (iii) actions Eccentex has already taken; (iv) corrective measures to be taken; and (v) evaluation of alternatives and next steps.
• Ongoing Communications. Eccentex will continue providing appropriate status reports to Customer regarding the resolution of the Security Incident and continually work in good faith to correct the Security Incident and prevent future such Security Incidents.  Eccentex will cooperate, as reasonably requested by Customer, to further investigate and resolve the Security Incident.

6.      Data Center Productions

• Eccentex contracts with MS Azure for Platform as a Service (PaaS).  Security and compliance certifications and/or attestation reports for Azure must be obtained directly from MS Azure. Azure may require Customer to execute additional non-disclosure agreements.  Eccentex may facilitate certain documentation upon request to Eccentex.

7.      Use of Eccentex Cloud Services

• Use Restrictions. Customer will not, and will not permit or authorize others to, use Eccentex Cloud Services for any of the following: (i) to violate applicable law; (ii) to transmit malicious code; (iii) to interfere with, unreasonably burden, or disrupt the integrity or performance of the Cloud Services or third-party data contained therein; (iv) to attempt to gain unauthorized access to systems or networks; and (v) to provide Eccentex Cloud Services to non-User third parties, including, by resale, license, lend or lease.
• Customer Testing Restrictions. Customer will not perform any type of Penetration Testing, Denial of Service attack, or Vulnerability Assessment on Eccentex Cloud Services of any of the production, test, or development environments.  Authorized Penetration Testing in a test environment is available for a fee and must be coordinated with the Eccentex Sales and Cloud Services Security teams.
• Prohibited Use. Customer will use commercially reasonable efforts to prevent and/or block any prohibited use by Users.
• Customer Safeguards. Customer will maintain a reasonable and appropriate administrative, physical, and technical level of security regarding its account ID, password, antivirus and firewall protections, and connectivity with Eccentex Cloud Services.
• Security Features. If the Cloud Services are to be used to transmit or process Personal Data, Customer will ensure all Personal Data is captured and used via security features made available by Eccentex.

8.    Industry-Specific Standards

• Eccentex security and operational controls are based on Industry Standard practices.  Nevertheless, Customer is solely responsible for achieving and maintaining any industry-specific certifications required for Customer’s

9.   Privacy

• Eccentex has developed and will maintain a privacy program designed to respect and protect Customer Data under Eccentex control, and this is located at: https://www.eccentex.com/about-us/eccentex-policies.

10.   Customer Data

• Ownership and License. As between Eccentex and Customer, Customer retains ownership of and all intellectual property rights in Customer Data and grants to Eccentex a non-exclusive, non-sub-licensable (except to parties working on behalf of Eccentex), non-transferable, royalty-free license to access, process, store, transmit, and otherwise make use of the Customer Data as necessary to provide Eccentex Cloud Services and to otherwise fulfill Eccentex’ obligations under the Agreement.
• Processing Locations. Unless provided for specifically elsewhere in the Agreement, Customer agrees Customer Data may be transferred or stored outside the country where Customer and its customers are located in order to perform support and troubleshooting services under the Agreement.
• Consents. Customer represents and warrants it has obtained all consents necessary for Eccentex to collect, access, process, store, transmit, and otherwise use Customer Data in accordance with the Agreement.
• Quality. Customer acknowledges that Eccentex has no control over the content or quality of Customer Data submitted to Eccentex Cloud Services.  Customer shall comply with all applicable requirements of integrity, quality, legality and other similar aspects in respect of Customer Data.  Eccentex disclaims expressly any duty to review or determine the legality, accuracy or completeness of Customer Data.

11.   Definitions

• For the purposes of these Eccentex Cloud Security Terms, the following defined terms shall have the meaning set forth below.
  • Cloud Services: Eccentex’ proprietary cloud services made available to Customer in the Azure environment. If Eccentex provides cloud services in other environments, modified cloud service terms will apply to those environments accordingly.
  • Customer Data: Customer’s proprietary information and information about Customer’s customers (including Personal Data) submitted through the Eccentex Cloud Services by Customer or its Users.
  • Data Center: a data center where the Eccentex Cloud Services environment is housed.
  • Industry Standard(s): generally accepted cloud information security practices, and specifically SOC 2. Such standards may be updated from time to time by changes in applicable law and accepted industry practices.
  • Personal Data: any information relating to Customer’s customers that is protected by applicable privacy law.
  • User: An individual who (i) is authorized by Customer and has been supplied a user identification and password(s) by Customer to access the Eccentex Cloud Services on Customer’s behalf.