Information Security Policy

Please read this document carefully.

Introduction

It has become common in today’s world for businesses to come under attack by cybercriminals. Such an incident is especially harmful when the organization stores, transmits and processes customers’ sensitive information. To address this risk, it is standard practice for companies to maintain their own information security policy, which provides a general overview of the security controls applied across the company’s operations. We at Paradiso keep security in mind and are committed to protecting the sensitive information of our customers. We maintain stringent security policies and procedures so that our goals and objectives of maintaining the confidentiality, integrity and availability of the information assets at Paradiso are not compromised.

Purpose

The purpose of this Policy is to establish and state the policy, practices, principles and procedures employed by Paradiso to protect the information received, collected, stored, processed or used by Paradiso’s software products or during the performance of technical support and consulting services. This Policy covers the architecture of Paradiso’s products and services, the supporting systems and infrastructure, and the administrative, technical and physical controls applied to those systems and the data they manage/handle. This Policy also applies to all Provider team members, including all employees of any Provider subsidiary or affiliate. Compliance with this Policy is mandatory and a condition of employment, assignment or doing business with the Provider.

Policy Statements

1. Employment and Resource management

It is Paradiso’s policy to perform thorough background and reference checks for potential employees except where prohibited by law. All employees are bound by a written non‑disclosure obligation. All employees are required to acknowledge and sign this Policy and Paradiso’s Code of Conduct, which includes an express obligation of confidentiality and of protection of information resources and tools. As part of onboarding, all new members of staff are informed of security policies and trained on the importance of protecting information resources. Individuals contracting for Paradiso go through a similar background check and onboarding process as employees. Paradiso personnel responsible for handling classified information from public sector sources must have government security clearance (country-specific).

Paradiso employees must complete mandatory training on an annual basis that explains their responsibility to uphold specific global policies and standards for Information Security, General Data Protection Regulation (GDPR), Ethics, Data Privacy, Anti-corruption and Global Trade and Sanctions. This training is delivered annually in the mandatory Code of Conduct training and occasionally through individual topical training exercises. In addition to this, certain employees are required to follow Paradiso’s Secure Source Code policy that covers corporate controls on proper data handling and source code control.

2. Physical Security

Paradiso’s physical security meets the following guidelines:

  • Access to buildings, facilities, and other physical premises shall be controlled based upon business necessity, sensitivity of assets, and each individual’s role and responsibilities.
  • Where possible, all facilities must be secured by card‑based access control.
  • All areas containing sensitive/critical information or information processing facilities must be secured at all times by keyed lock or access card control and monitored by centrally managed cameras.
  • Individuals requiring access to facilities and/or resources shall be issued appropriate and unique physical access credentials and instructed not to allow or enable other individuals to access Paradiso’s facilities or resources using their unique credentials. Locations that do not have this system are required to have an alternative access security strategy.
  • Visitors who require access to Paradiso’s facilities must enter through a staffed and/or main facility entrance.
  • Most sites provide locked shred bins to enable the secure destruction of confidential information and/or personal data.
  • Where possible, Paradiso’s premises must be protected by security alarms with alarm contacts and motion sensors.
  • All visitors must sign in at reception and be issued with a visitor badge.
  • Visitors must be accompanied at all times.

3. Information Security

Paradiso complies with confidentiality undertakings under various standard legal agreements in place as a matter of doing business.

  • All employees and 3rd party contractors are required to sign an NDA before access to confidential information is granted.
  • Regular employment contractual agreements are required with all Paradiso personnel, which include a code of conduct and confidentiality policy undertakings. Personnel consist of all employees and contractors, both corporate and individual.

The above agreements include:

  • The protection of Customer Confidential Information within Paradiso’s environment and/or the protection of Customer Confidential Information by specific Paradiso personnel
  • A prohibition on disclosure of Confidential Information to any other party without specific and unambiguous consent and approval from the Customer before disclosure

If a member of personnel fails to comply with the above policy despite having received multiple warnings, he/she shall be removed from Paradiso at the direct instruction of management.

4. Security Incident and Response Plan

Security incident response plan

Paradiso maintains a security incident response policy, plan, and procedures that address the measures Paradiso will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access, or unauthorized acquisition of personal data. These measures include incident analysis, containment, response, remediation, reporting, and the return to normal operations.

Response controls

Controls are in place to detect and protect against malicious use of assets and malicious software. If a potential breach is identified, it is reported to the AWS infrastructure team. This team calls the legal department. If you must leave a message, indicate that you have an urgent matter to discuss, as well as your name and a number where you can be reached. Controls may include, but are not limited to: information security policies and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus scanning of email attachments; system compliance scans; intrusion prevention monitoring and response; firewall rules; logging and alerting on key events; information handling procedures based on data type; e‑commerce application and network security; and system and application vulnerability scanning. Additional controls are implemented based on risk.

5. Data Transmission Control, and Encryption

Reasonable steps are taken to ensure that information transmissions or transfers over any public network, or any network not owned or maintained by Paradiso, cannot be read, copied, altered or removed without proper authority during transmission or transfer. These steps include:

Implementing approved encryption practices when transmitting any of the following data:

  1. Personal Identifiable Data
  2. Confidential Data
  3. Source Code Data

Whenever possible, applications are enabled to support OAuth 2.0 (or greater) for authentication.

6. Access Control

Access to Paradiso’s systems is restricted to authorized users only. Formal procedures and controls are implemented to govern how access is granted to authorized individuals and the level of access that is required and appropriate for that individual to perform their job duties. Such procedures must include admission controls (i.e., measures that prevent persons from unauthorized use of data within systems) and access controls (i.e., measures that prevent unauthorized access to systems). Where possible, multi‑factor authentication (MFA) controls are used to govern access to Paradiso’s environments. Where key internal environments do not employ MFA, or MFA is not feasible, layered access approval and role‑based security are implemented to protect the environment. User access reviews are conducted regularly and, where necessary, access controls are adjusted accordingly. Remote access to Paradiso’s network and systems is permitted only as described in Paradiso’s Remote Access VPN policy.

Additional controls include:

  1. Only Paradiso-managed systems/services can connect to Paradiso’s production network.
  2. If a system managed by Paradiso’s Information Services cannot be used, a managed virtual desktop is used instead.

7. Data Access Control

The following controls are adhered to regarding the access and use of personal data:

  • Only the minimum amount of personal data necessary to achieve Paradiso’s relevant business purposes must be used. Except as contemplated for the delivery of services (particularly cloud-related services), personal data must never be copied or moved to any storage or electronic device that is not owned or controlled by Paradiso.
  • Personnel must not read, copy, modify, or remove personal data unless necessary to carry out their work duties.
  • All third-party use of personal data is governed through contractual terms and conditions between the third party and Paradiso, which limit the third party’s use of personal data and restrict such use to what is necessary for the third party to provide services. Any use outside of these terms is prohibited.

8. Availability Control

Personal data is protected against accidental destruction or loss by following these controls:

  • Personal data is retained in accordance with law and customer contract or, in their absence, Paradiso’s record management policy and practices, as well as legal retention requirements.
  • Hard copy personal data is disposed of in a secure disposal bin or a cross-cut shredder so that the information is no longer decipherable.
  • When disposing of devices that contain electronic personal data, each device is given to Paradiso’s IT Asset Management team for proper disposal.
  • Approved backups, UPS (Uninterruptible Power Supplies), hardware redundancy, and fault tolerance measures are in place for data center and server hardware containing data.

9. Data Input Controls

Provider’s policy on the control of data input is as follows:

  • Where appropriate, measures are designed to log/record when, where and by whom personal data has been entered into data processing systems, and/or whether such data has been modified or removed.
  • All access to relevant applications is logged/recorded.

10. Cryptography

Cryptographic controls are designed and implemented to protect the confidentiality, integrity and availability of assets. All employees and service providers must adhere to the IS Business Applications IS Infrastructure Operations Cryptographic Policy.

11. Privacy Requirements

Where personal information is being processed, all employees and service providers will also adhere to the Data Privacy Policy.

12. Vulnerability Management

Paradiso’s policy on vulnerability management is as follows:

  • Publicly released third-party vulnerabilities are reviewed for applicability to the Provider’s environment.
  • Based on the risk to Paradiso’s business and customers, pre‑determined time frames for remediation are followed.
  • Vulnerability scanning, testing, or assessments are performed on new and key applications or infrastructure, or on a regular basis, and are prioritized based on risk.
  • Code reviews and testing are performed in the development environment prior to deploying to production, to detect coding vulnerabilities proactively.

13. Cloud Service Security

To address the specifics of Cloud Services, Paradiso’s Engineering teams have established additional policies and practices as part of their existing Software Development Lifecycle (SDLC). These policies are comprehensive, based on industry best practices, and reviewed regularly by leadership. Security and Privacy are key priorities of the Development and Operations teams. This section addresses the provision of Provider cloud services and includes the following:

  • Baseline information security requirements applicable to the design and implementation of Provider cloud services.
  • Multi-tenancy and cloud service customer isolation, including virtualization and virtualization security.
  • Risks from authorized insiders; access to cloud service customer assets by Provider’s staff and access control procedures, e.g., strong authentication for administrative access to cloud services.
  • Communications to cloud service customers during change management.
  • Access to and protection of cloud service customer data.
  • Lifecycle management of cloud service customer accounts.
  • Communication of breaches and information sharing guidelines to aid investigations and forensics.

14. Enforcement

Employees who violate this Policy will be subject to appropriate disciplinary action or other remedial measures up to and including termination of employment if warranted under the circumstances and permissible under applicable law. Assigned workers and third parties who violate this Policy are subject to being denied access to Provider facilities, personnel and assets, permission to perform services on Provider’s behalf, or being terminated as a Provider authorized partner.

15. Policy Maintenance and Compliance

Compliance: Responsible parties will verify compliance with this policy through various methods, including, but not limited to, periodic walk-throughs, internal audits, and inspections, and will provide feedback to the policy owner and appropriate business manager.

Non-Compliance: An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Policy Maintenance: This policy is reviewed and approved annually. Updates are made annually, or more frequently as required.

18. Confidential Information

In connection with this Agreement each party (as the “Disclosing Party”) may disclose or make available Confidential Information to the other party (as the “Receiving Party”). As a condition to being provided with any disclosure of or access to Confidential Information, the Receiving Party shall: (a) not access or use Confidential Information other than as necessary to exercise its rights or perform its obligations under and in accordance with this Agreement; (b) not disclose or permit access to Confidential Information other than to its representatives who: (i) need to know such Confidential Information for purposes of the Receiving Party’s exercise of its rights or performance of its obligations under and in accordance with this Agreement; (ii) have been informed of the confidential nature of the Confidential Information and the Receiving Party’s obligations under this Section; and (iii) are bound by confidentiality and restricted use obligations at least as protective of the Confidential Information as the terms set forth in this Section; (c) safeguard the Confidential Information from unauthorized use, access or disclosure using at least the degree of care it uses to protect its similarly sensitive information and in no event less than a reasonable degree of care.


Note:

If you have any questions or concerns regarding this Agreement, don’t hesitate to get in touch with us at legal@paradisosolutions.com
