Statement of Technical and Organizational Measures
Parmonic (SalesTing Inc)
Parmonic (SalesTing Inc) takes information security seriously in its processing and transfers of Personal Data. This information security overview applies to Parmonic (SalesTing Inc)’s corporate controls for safeguarding Personal Data which is processed by Parmonic (SalesTing Inc) or its affiliates and/or transferred amongst Parmonic (SalesTing Inc)’s group companies.
Security Practices
Parmonic (SalesTing Inc) has implemented corporate information security practices and standards that are designed to safeguard Parmonic (SalesTing Inc)’s corporate environment and to address business objectives across information security, system and asset management, development, and governance.
These practices and standards are approved by Parmonic (SalesTing Inc)’s executive management and are periodically reviewed and updated where necessary.
Parmonic (SalesTing Inc) shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle. Key policies will be reviewed at least annually.
Organizational Security
It is the responsibility of all Parmonic (SalesTing Inc) employees who are involved in the processing of Customer Personal Data to comply with these practices and standards. Parmonic (SalesTing Inc)’s Information Security (“IS”) function is responsible for the following activities:
- Security strategy – the IS function works to ensure compliance with its own security-related policies and standards and all relevant regulations, and to raise awareness and provide education to users. The IS function also carries out risk assessments and risk management activities, and manages contract security requirements.
- Security engineering – the IS function manages testing, design and implementation of security solutions to enable adoption of security controls across Parmonic (SalesTing Inc)’s online and information technology environment.
- Security operations – the IS function manages support of implemented security solutions, monitors and scans Parmonic (SalesTing Inc)’s online and information technology environment and assets, and manages incident response.
- Forensic investigations – the IS function works with Legal and Compliance, and Human Resources to carry out investigations, including discovery and forensics.
- Security consulting and testing – the IS function works with software developers on developing security best practices, consults on application development and architecture for software projects, and carries out assurance testing.
Asset Classification and Control
Parmonic (SalesTing Inc)’s practice is to track and manage key information and physical, software and logical assets. Examples of the assets that Parmonic (SalesTing Inc) might track include:
- information assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information;
- software assets, such as identified applications and system software;
- physical assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These safeguards may include controls such as access management, encryption, logging and monitoring, and data destruction.
Employee Screening, Training and Security
- Screening/background checks: Where reasonably practicable and appropriate, as part of the employment/recruitment process, Parmonic (SalesTing Inc) performs employee screening and background checks on employees or prospective employees (which shall vary from country to country based on local laws and regulations), where such employees will have access to Parmonic (SalesTing Inc)’s networks, systems or facilities.
- Identification: Parmonic (SalesTing Inc) requires all employees to provide proof of identification and any additional documentation that may be required based on the country of hire or if required by other Parmonic (SalesTing Inc) entities or customers for whom the employee is providing services.
- Training: Parmonic (SalesTing Inc)’s annual compliance training program includes a requirement for employees to complete online data protection and information security awareness training.
- Confidentiality: Parmonic (SalesTing Inc) ensures its employees are legally bound to protect and maintain the confidentiality of any data they handle pursuant to standard agreements.
Physical Access Controls and Environmental Security
- Physical Security Program: Parmonic (SalesTing Inc) uses a number of technological and operational approaches in its physical security program to mitigate security risks to the extent reasonably practicable. Parmonic (SalesTing Inc)’s security team works closely with each site to determine that appropriate measures are in place to prevent unauthorized persons from gaining access to systems within which personal data is processed, and continually monitors any changes to the physical infrastructure, business and known threats. They also monitor best practice measures used by others in the industry and carefully select approaches that meet both uniqueness in business practice and expectations of Parmonic (SalesTing Inc). Parmonic (SalesTing Inc) balances its approach towards security by considering elements of control that include architecture, operations and systems.
- Physical Access controls: Physical access controls/security measures at Parmonic (SalesTing Inc)’s facilities/premises are designed to meet the following requirements:
- access to Parmonic (SalesTing Inc)’s buildings, facilities and other physical premises is controlled and is based on business necessity, sensitivity of assets and the individual’s role and relationship to Parmonic (SalesTing Inc). Only personnel associated with Parmonic (SalesTing Inc) are provided access to Parmonic (SalesTing Inc)’s facilities and physical resources. Access is only provided in a manner consistent with the personnel’s role and responsibilities in the organization;
- relevant Parmonic (SalesTing Inc) facilities are secured by an access control system. Access to such facilities is granted with an activated card only;
- persons requiring access to card-controlled facilities and/or resources are issued with appropriate and unique physical access credentials (e.g. a badge or keycard assigned to one individual) by the IS function. Individuals issued with unique physical access credentials are instructed not to allow or enable other individuals to access Parmonic (SalesTing Inc)’s facilities or resources using their unique credentials (e.g. no “tailgating”). Temporary (up to 14 days) credentials may be issued to individuals who do not have active identities where this is necessary (i) for access to a specific facility and (ii) for valid business needs. Unique credentials are non-transferable and if an individual cannot produce their credentials upon request they may be denied entry to Parmonic (SalesTing Inc)’s facilities or escorted off the premises. At staffed entrances, individuals are required to present a valid photo identification or valid credentials to the security representative upon entering. Individuals who have lost or misplaced their credentials or other identification are required to enter through a staffed entrance and be issued a temporary badge by a security representative;
- visitors who require access to Parmonic (SalesTing Inc)’s facilities must enter through a staffed and/or main facility entrance. Visitors must register their date and time of arrival, time of leaving the building and the name of the person they are visiting. Visitors must produce a current, government-issued form of identification to validate their identity. To prevent access to, or disclosure of, company proprietary information, visitors are not allowed unescorted access to restricted or controlled areas;
- select Parmonic (SalesTing Inc) facilities use CCTV monitoring, security guards and other physical measures where appropriate and legally permitted;
- locked shred bins are provided on most sites to enable secure destruction of confidential information/personal data;
- for software development and infrastructure deployment projects, the IS function uses a risk evaluation process and a data classification program to manage risk arising from such activities.
Security Incidents and Response Plan
- Security incident response plan: Parmonic (SalesTing Inc) maintains a security incident response policy and related plan and procedures which address the measures that Parmonic (SalesTing Inc) will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access, or unauthorized acquisition of personal data. These measures may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
- Response controls: Controls are in place to protect against, and support the detection of, malicious use of assets and malicious software and to report potential incidents to Parmonic (SalesTing Inc)’s IS function or Service Desk for appropriate action. Controls may include, but are not limited to: information security policies and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; firewall rules; logging and alerting on key events; information handling procedures based on data type; e-commerce application and network security; and system and application vulnerability scanning. Additional controls may be implemented based on risk.
Data Transmission Control and Encryption
Parmonic (SalesTing Inc) shall, to the extent it has control over any electronic transmission or transfer of personal data, take all reasonable steps to ensure that such transmission or transfer cannot be read, copied, altered or removed without proper authority during its transmission or transfer. In particular, Parmonic (SalesTing Inc) shall:
- implement industry-standard encryption practices in its transmission of personal data. Industry-standard encryption methods used by Parmonic (SalesTing Inc) include Secure Sockets Layer (SSL), Transport Layer Security (TLS), a secure shell program such as SSH, and/or Internet Protocol Security (IPSec);
- for Internet-facing applications that may handle sensitive personal data and/or provide real-time integration with systems on a network that contains such information (including Parmonic (SalesTing Inc)’s core network), a Web Application Firewall (WAF) may be used to provide an additional layer of input checking and attack mitigation. The WAF will be configured to mitigate potential vulnerabilities such as injection attacks, buffer overflows, cookie manipulation and other common attack methods.
System Access Controls
Access to Parmonic (SalesTing Inc)’s systems is restricted to authorized users. Formal procedures and controls govern how access is granted to authorized individuals and the level of access that is required and appropriate for that individual to perform their job duties.
Data Access Control
Parmonic (SalesTing Inc) applies the controls set out below regarding the access and use of personal data:
- personnel are instructed to only use the minimum amount of personal data necessary in order to achieve Parmonic (SalesTing Inc)’s relevant business purposes;
- personnel are instructed not to read, copy, modify or remove personal data unless necessary in order to carry out their work duties;
- third party use of personal data is governed through contractual terms and conditions between the third party and Parmonic (SalesTing Inc) which impose limits on the third party’s use of personal data and restrict such use to what is necessary for the third party to provide services.
Availability Control
Parmonic (SalesTing Inc) protects personal data against accidental destruction or loss by following these controls:
- personal data is retained in accordance with customer contract or, in its absence, Parmonic (SalesTing Inc)’s record management policy and practices, as well as legal retention requirements;
- hardcopy personal data is disposed of in a secure disposal bin or a crosscut shredder such that the information is no longer decipherable;
- electronic personal data is given to Parmonic (SalesTing Inc)’s IT Asset Management team for proper disposal;
- appropriate technical measures are in place, including (without limitation): anti-virus software is installed on all systems; network protection is provided via firewall; network segmentation; use of content filter/proxies; interruption-free power supply; regular generation of back-ups; hard disk mirroring where required; fire safety system; water protection systems where appropriate; emergency plans; and air-conditioned server rooms.
Data Input Control
Parmonic (SalesTing Inc) has, where appropriate, measures designed to check whether and by whom personal data have been input into data processing systems, or whether such data has been modified or removed. Access to relevant applications is recorded.
System Development and Maintenance
Publicly released third party vulnerabilities are reviewed for applicability in the Parmonic (SalesTing Inc) environment. Based on risk to Parmonic (SalesTing Inc)’s business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
Compliance
The information security, legal, privacy and compliance departments work to identify regional laws and regulations that may be applicable to Parmonic (SalesTing Inc). These requirements cover areas such as intellectual property of Parmonic (SalesTing Inc) and its customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements.
Mechanisms such as the information security program, the executive privacy council, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.
Data Location
All data is stored in datacenters located in the United States.