Security Terms

These Security Terms apply to the Information Security controls Intrado implements across its hosted infrastructure and workforce. Appliances installed in customer environments are not scanned, monitored or defended by the Intrado Information Security Program once installed in the customer environment. Customized application feature requirements such as using the Customer’s single-sign-on (SSO) to authenticate to the application must be documented separately.


In the event of a conflict between these Security Terms and any other term between the parties, these Security Terms will apply.

 

1) Definitions


“Applicable Laws” means all applicable federal, state, local, and foreign laws, rules, regulations and ordinances issued by regulatory bodies, whether existing as of the date of these Security Terms or enacted in the future, relating to the privacy, security, protection, disposal, transfer or other processing of Customer Personal Data.

“Customer Personal Data” means Personal Data received from or on behalf of the Customer, or otherwise obtained or accessed in connection with the performance of the Supplier’s obligations under the Agreement.

“Data Controller” means the party that determines the purposes and means of the Processing of Personal Data or the meaning set out in the applicable Data Protection Laws.

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller or the meaning set out in the applicable Data Protection Laws.

“Industry Best Practice” means the processes, techniques, and controls that are widely recognized in public and private organizations as effective. For Information Security, Intrado predominantly references the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).

“Information Security Program” means a system based on defined, tested controls designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

“Security Breach” means any unauthorized, accidental or unlawful destruction, loss, alteration, disclosure of, or access to Customer Personal Data.

“Security Incident” means the attempted or successful unauthorized access, acquisition, use, disclosure, modification, or destruction of Intrado information or interference with the operations of any of the Service Provider Processing Resources.

“Intrado Information Systems” means information systems resources supplied or operated by Intrado or its contractors, including without limitation, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, proprietary applications, printers, and internet connectivity, which are owned, controlled, or administered by or on behalf of Intrado.

 

2) Compliance with Laws

Each party shall comply, at its own expense, with all applicable federal, state, local and foreign laws, ordinances and regulations in the performance of its obligations under the Agreement.

 

3) Information Security Program

Intrado has designated one or more specifically named employees to be responsible for the administration of its Information Security Program.

Intrado has and will maintain a comprehensive, written Information Security Program aligned with Industry Best Practices that is designed to implement administrative, physical, and technical safeguards that are reasonably and appropriately designed to protect the confidentiality, integrity and availability of Customer Personal Data that Intrado receives, handles, stores, and/or transmits in the course of providing the Services.

Background Checks: Intrado executes or requires (in cases of vendors) (i) background checks on personnel to the extent permitted by law, and (ii) enforceable confidentiality agreements.

Security Awareness: Intrado ensures that its employees and contractors remain aware of security requirements and their responsibilities for protecting Intrado Information Systems and Customer Personal Data, including reporting suspected security incidents.

Network: Intrado maintains a restricted and segmented network with separate access for Employees and guests.

Access Control: Intrado manages access identification and authentication using appropriate technology and established processes, including access control lists, password complexity, password encryption, session timeouts, and multi-factor authentication.

Access Termination: Intrado revokes physical and logical access rights and associated materials and property (e.g., passwords, badges, keys) upon termination of employment or change of responsibilities.

Endpoint Protection: Intrado deploys endpoint protection against advanced malware, unauthorized access attempts and attacks throughout its environment. (Customer on-premise appliances excluded.)

Vulnerability Management: Intrado ensures that all hosted platforms (i) are scanned for known, discovered, documented, and/or reported vulnerabilities at least every 30 days, and (ii) applicable and necessary security patches are installed within a reasonable timeframe. (Customer on-premise appliances excluded.)

Penetration Testing: Intrado engages a qualified third party to perform external penetration testing across its network annually. Intrado corrects exploitable vulnerabilities discovered during penetration testing, and conducts follow-up testing to verify the effectiveness of the corrections. (Customer on-premise appliances excluded.)

Data Security: Intrado encrypts Customer Personal Data at rest and in transit. Customer Personal Data, including Call Data Records (CDRs), stored on Intrado hosted systems will be permanently deleted after thirteen (13) months (rolling) unless otherwise required by Applicable Laws or investigation. At any time during the term of the Agreement at the Customer’s written request or upon the termination or expiration of the Agreement for any reason, except as required to be retained for legal, regulatory and/or audit requirements, and as part of its back-up and disaster recovery procedures, Intrado shall either promptly return to the Customer all copies, whether in written, electronic or other form or media, of Customer Personal Data in its possession, or securely dispose of all such copies, and certify in writing (signed by an officer of Service provider) to the Customer that such Customer Personal Data has been returned to Customer or disposed of securely.

Intrado Life & Safety, Inc. Version 1 Security Terms. Last Updated June 14, 2024.

Software Development: Intrado follows secure coding practices in application development and employs industry accepted guidelines for testing to protect against known, unknown and unexpected vulnerabilities.

Vendors/Suppliers/Sub-processors: Intrado assesses vendor risk in relation to the services provided and the level of access granted to Intrado facilities, systems, and data. Intrado contractually imposes security terms compatible with its own.

Business Continuity: Intrado provides appropriate levels of system and data reliability and backup to ensure it can meet service level agreements (SLAs) specified in supporting contracts, service agreements, and/or statements of work.


Intrado may modify its safeguards and standards at any time, without notice, provided that any such modifications will not reduce the protection provided for Customer Personal Data in Intrado’s possession.

 

4) Assurance

Upon written request by the Customer under appropriate confidentiality agreement, and not more than once in any twelve (12) month period, Intrado agrees to provide:

  1. its then-current Security Control Library including description of implementation and mapping to industry frameworks such as NIST 800-53, ISO 27001, Shared Assessment Standard Information Gathering (SIG) Questionnaire;
  2. its then-current Information Security Policy Manual;
  3. its then-current Service Organizational Control (SOC) 2 Type II report; and
  4. the Executive Summary Report from the most recent external penetration test.

Such reports shall be considered Confidential Information of Intrado, subject to requirements of the confidentiality agreement and not redistributed without prior consent from Intrado.

 

5) Security Breach Notification

Intrado will notify Customer of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after confirming or having reasonable belief that a Security Breach has occurred.