This Security Exhibit (“Security Exhibit”) will become part of the executed agreement between Lever and Customer that references this document. Lever’s performance of the services must be in accordance with the Agreement and this Security Exhibit. Terms used here but not defined here are defined in the Agreement.
This Security Exhibit was last updated September 7, 2021. Lever reserves the right to periodically modify this Security Exhibit to reflect current security practices, and such modification will automatically become effective in the next Service Term.
Lever will make commercially reasonable efforts to prevent loss, theft, or damage to Customer Data from the Services. This Exhibit establishes the requirements necessary to maintain a security program and ensure that sufficient physical, operational, and technical security measures are in place for the protection of Customer Data in the Services. This Security Exhibit applies when Lever provides the Services and Support to Customer.
1. Information Security Management
1.1 Information Security Management System. Lever shall maintain and continually make improvements to a documented information security management system in accordance with industry standard practices and accepted frameworks for the delivery of Lever Services and Support, which its personnel are to be made aware of and comply with (“Information Security Management System”).
1.2 Certification. During the term of the Agreement, Lever shall maintain AICPA SOC2 certification or equivalent as well as maintain a lawful transfer mechanism for export of personal data out of the European Union.
1.3 Testing. Lever will conduct at least annual third-party security tests on applications and infrastructure used to support the provision of Services and Support to identify security vulnerabilities. Lever will provide summary reports of these security tests to Customer upon request.
2. Organizational Security
2.1 Information Security Responsibilities. Lever must have dedicated roles with clearly defined responsibilities for the administration of the Information Security Management System.
2.2 Security Policies. As part of administration of the Information Security Management System, Lever will create information security policies that will define responsibility for the protection of Lever and Customer Data (“Information Security Policies”). The Information Security Policies will include requirements designed to monitor for compliance with privacy/information security policies and procedures.
3. Asset Classification
3.1 Asset Management. Lever will maintain an asset management policy in accordance with industry standard practices, including asset classification (e.g. information, software, hardware) and an inventory of devices and systems that administer the Services and Support to enable Lever to protect Customer Data and assets.
3.2 Asset Controls. Lever will establish physical, organizational, and technical security controls to protect Customer Data from unauthorized access and disclosure.
4. People Security
4.1 Lever Employees. Lever employees must behave consistently with this Security Exhibit to ensure effective security. Lever will make its employees aware of their responsibilities for maintaining effective security controls, particularly regarding the use of passwords, disposal of information, social engineering attacks, incident reporting, and the physical and technical security of users and company equipment through security awareness/onboarding trainings. Lever will issue documented security policies, update them as necessary, provide security training, and obtain acknowledgement of these policies by all employees at least annually.
4.2 Background Checks. Lever must ensure that its employees involved in providing the Services and Support have passed basic background checks designed to validate the completeness and accuracy of resumes, confirmation of professional qualifications, and verification of identity; where permitted by law, these checks should also include checks of criminal history.
5. Physical and Environmental Security
5.1 Physical Access. Where Lever maintains a physical office location, Lever shall ensure that only authorized users have physical access to the network, critical systems and applications, server rooms, communication rooms and work environments, and Lever shall provide secure protection for its physical facilities (e.g. through card readers, key cards or a manned reception area) from which Lever provides the Services and Support. Lever will maintain controls to monitor for attempts at unauthorized access. Additional controls will be maintained to prevent or detect the removal of any such equipment.
5.2 Data Transfer. Lever will not permit Customer Data to be transferred to any external or removable storage media.
6. Communications and Operations Management
6.1 Vulnerability/Patch Management. Lever will establish a vulnerability/patch management process that ensures all systems used to provide the Services and Support, including network devices, servers, and desktop/laptop computers, are patched against known security vulnerabilities in a reasonable period of time based on the criticality of the patch and sensitivity of the Customer Data accessed through the systems.
6.2 Secure System Configuration. Lever will establish controls to ensure that all systems used to provide Services and Support are securely configured in a repeatable manner. This involves changes to default settings to improve system security (e.g., system “hardening”), changes to default account passwords and removal of unnecessary software or services/daemons. Additionally, employee devices used to interact with or manage systems that provide the Services and Support are also to be configured in a repeatable manner. Specific additional requirements beyond those stated elsewhere in this Exhibit include:
6.2.1 Full/whole disk encryption; and
6.2.2 Remote data wipe and lock capability in case of a lost/stolen device.
6.3 Malware Prevention. Lever will implement detection and prevention controls to protect against malicious software and appropriate user awareness procedures. Lever will keep and update technical controls and must regularly evaluate all systems for the existence of malware. Lever will run real-time or regular scans of Lever’s owned devices to detect viruses, malware, and possible security incidents.
6.4 Logging and Auditing. Lever will have in place a comprehensive log management program defining the scope, generation, transmission, storage, analysis and disposal of logs based on then current industry practices. The systems and the services will provide logging capabilities in accordance with the following principles:
6.4.1 the scope of logging and the retention policy will be based on a risk-based approach, with minimum retention of six (6) months;
6.4.2 logs will be collected to permit forensic analysis on information security incidents;
6.4.3 logs will record administrative changes to the Services;
6.4.4 log records will be kept physically and virtually secured to prevent tampering;
6.4.5 passwords and other sensitive data elements will not be logged under any circumstances;
6.4.6 Lever will perform regular log analysis to evaluate security;
6.4.7 all affected systems will be configured to provide real-time logging of any event that may indicate a system compromise, denial-of-service event, or other security violation, including notifying an administrator when pre-determined event thresholds are exceeded; and
6.4.8 logs will be protected from unauthorized access or modification.
7. Disaster Recovery and Business Continuity Planning
7.1 Programs. Lever must establish disaster recovery and business continuity programs, and must ensure that the plans are capable of ensuring confidentiality and integrity of Customer Data during recovery operations. Lever will ensure the programs do not allow any reduction of security.
7.2 Backups. Lever must ensure, through the use of backups, the availability of Customer Data stored or processed by Lever that is stored locally. All backups should be encrypted prior to being stored.
8. Security Incidents
8.1 Incident Detection. Lever must establish and maintain an operational incident detection capability and a clearly documented incident response program for responding to suspected or known security incidents or system breaches. Incident response plans must include methods to protect evidence of activity from modification or tampering, and to properly allow for the establishment of a chain of custody for evidence.
8.2 Incident Response. In the event of an incident that affects Customer Data, Lever will utilize industry standard efforts to respond to the incident and mitigate the risk to Customer and Customer Data.
8.3 Incident Notification. In the event of an incident that affects Customer Data, Lever will provide notice of the security incident to Customer within forty-eight (48) hours of detection.
9.1 Authentication. Lever must support either a) Single sign on (SSO) mechanisms for Customer to interact with Lever assets (e.g., SAML 2.0, OKTA).
9.2 Centralization. Lever must have centralized authentication management mechanisms.
9.3 Administrative Access. Lever must use multiple factors of authentication for all Lever administrative access.
9.4 Brute-force Protection. Lever must implement controls to limit the capability of attackers to brute-force authentication endpoints.
9.5 Support Access. If Lever allows Lever employees to access Customer Data through an application support interface, that interface must, at a minimum, uniquely identify the Lever employee who used it, (a) record all interactions in a log that is available to Customer upon request, and (b) have its access list audited each quarter.
9.6 User Passwords. Lever will provide training to employees reasonably designed to ensure employee passwords meet sufficient complexity and expiration requirements, or will require an additional layer of security with multi-factor authentication.
9.6.1 Authentication and Two-Factor Authentication. “Two-factor authentication” means the authentication through the combination of something a person knows, such as a username and password, in combination with something a person has, such as a disconnected authentication token, or a biometric factor, such as a fingerprint. Lever must use multiple authentication factors where available, and Lever will use at least two-factor authentication to access accounts used to provide data hosting services. All administrative access by Lever employees must require two-factor authentication. If Lever is using Google Apps to manage their accounts, two-factor verification must be enabled.
9.6.2 Inactivity. All Lever devices must be locked after a reasonable period of inactivity.
9.6.3 Employee or Consultant Termination. At the time of the termination of an employee, contractor, or any third-party consultant, the terminated person’s access to the networks, systems, and accounts used to provide the Services and Support, and access to any Customer Data, must be terminated.
9.6.4 Authorization. Lever alone will control and provide access to Customer Data. Lever will not use a third party to control access to Customer Data. Access will be granted only on a need-to-know basis and following the principles of least privilege.
9.6.5 Network Access Controls. All networks Lever uses to provide the Services and Support must be protected through the use of controls capable of blocking unauthorized network traffic, both inbound (ingress) and outbound (egress). Lever will maintain capabilities to monitor network traffic.
10. Data Security
10.1 Data Segregation. Lever will logically separate, secure, and monitor production environments.
10.2 Credential Hashing. Lever must have appropriate algorithms in place for hashing secrets, including passwords and API tokens, both for Lever’s accounts and for Customer accounts to access Lever’s system. No credentials are to be stored in plain text or in a format that can be reversed.
10.3.1 Data in Transit. Lever must ensure that HTTPS is enabled in any web interface related to the product or service. Lever must disable non-encrypted transmission services (e.g., Telnet, FTP). Lever must have commercial certificates to provide Customer the option to utilize TLS 1.2 or greater for web-facing applications.
10.3.2 Data at Rest. Customer Data both at rest and in-transit must be encrypted at all times using industry accepted cryptography standards. Lever must have key management in place for high sensitivity data (e.g. key rotation, key encryption, access control, etc.). At a minimum, this includes:
10.3.2.1 Use Advanced Encryption Standard (AES) defined in FIPS 197.
10.3.2.2 Where different algorithms are used, they are to have comparable strengths, e.g., if an AES-128 key is to be encrypted, an AES-128 key or greater, or RSA-3072 or greater, could be used to encrypt it.
11.1 Lever represents and warrants that:
11.1.1 as of the date of this contract, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA Section 702”).
11.1.2 no court has found Vendor to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
11.1.3 it is not the type of provider that is eligible to be subject to Upstream collection (“bulk” collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), and that therefore the only FISA Section 702 process it could be eligible to receive, if it is an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4), would be based on a specific “targeted selector”, i.e., an identifier that is unique to the targeted endpoint of communications subject to the surveillance.
11.2 Where possible Lever will use all reasonably available legal mechanisms to challenge any request under FISA Section 702 for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance). Lever will use all reasonably available legal mechanisms to challenge any demands for data access through national security process it receives as well as any non-disclosure provisions attached thereto.
11.3 All employees are required to comply with Lever security and privacy policies and standards. Noncompliance is subject to disciplinary action, up to and including termination of employment.
11.4 Lever regularly reviews its collection, storage, and processing practices to prevent unauthorized access to Lever’s system.
11.5 Lever will promptly notify Customer if Lever can no longer comply with the Standard Contractual Clauses or the clauses in this section 11. Lever shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law.
Please contact Lever at 1125 Mission St, San Francisco, CA 94103 with any questions regarding these Terms.