Security Exhibit
Introduction
The data that resides at Sapience Analytics (Sapience), is of great value to Sapience. As such, Sapience has outlined various policies to address the confidentiality, integrity, availability, privacy, and security of that data. Sapience Management is committed to developing, adopting, and maintaining appropriate information security policies, standards and procedures to ensure integration of information security with Sapience’s mission, business strategy, risk posture and in accordance with applicable regulatory and compliance requirements.
Security
Sapience has implemented various security policies in accordance with industry standards and System and Organization Controls 2 (SOC 2) requirements. Sapience has outlined and implemented security policies which include, but are not limited to:
- Access Control
- Acceptable Use
- Information Security
- Encryption
- Software Development
- Vulnerability Management
- Risk Management/Assessment
- Data Classification, Retention, Disposal
- Backup/Recovery
- Business Continuity
- Network Security
- Audit and Logging
- Change Management
- Incident Response
- Vendor Management
- Security Awareness training
Risk Management
Sapience conducts risk assessments on a quarterly basis across functional areas, maintaining a risk register of identified risks to Sapience and the data it collects, and addressing documented risks. Risk assessments cover emerging threats, legal/regulatory concerns, and security concerns specific to Sapience. All risk assessments are reviewed by senior management.
Compliance
Sapience maintains SOC 2 certification or its equivalent on an annual basis. Sapience engages an independent third party to conduct annual security testing of all Sapience commercial Products and its corporate IT network. Upon written customer request, Sapience will provide authorized information relating to security practices and compliance documentation. Sapience will provide responses to reasonable information security-related questionnaires.
Organizational Safeguards
Administration
Sapience has a designated individual responsible for managing, coordinating, and ensuring Sapience’s compliance with the obligations set forth in its Security Program based on documented organizational structure.
Sapience maintains an Employee Handbook that outlines what is appropriate in the operation and care of hardware, software, and services provisioned to Sapience employees. Contractors engaged by Sapience must adhere to Sapience policies and procedures, as well as sign a non-disclosure agreement and agree to the documented Acceptable Use Policy. Violations may be subject to disciplinary action or termination of contracts/legal action.
All Sapience employees must attend mandatory security training upon hire and annually thereafter covering information security, security procedures, risks, and threats. Any employee who has access to Sapience-owned systems or confidential information, or who has the ability to impact the security of Sapience systems, is required to attend additional security training based upon their role and level of access. Sapience maintains an established set of procedures designed to ensure all staff promptly report actual and/or suspected security events.
Only authorized Personnel with a specific business purpose shall be allowed access to production and development resources and all access shall be appropriately approved.
Software Development
Sapience develops products and features based on Agile Scrum. All development requires adherence to Change Management processes and security controls such as peer reviews, automated testing, load testing, vulnerability checks, quality assurance, user testing, and code promotion.
Infrastructure
Sapience utilizes cloud infrastructure distributed across data centers operated by third parties which are SOC 2 compliant at a minimum. Sapience relies on these third parties to provide redundant street power, redundant backup generators, and redundant cooling systems. Network connectivity is provided through multiple Tier 1 providers. Network Operations Centers (NOC) are located on site and staffed 24x7x365. NOC personnel are trained to handle all aspects of security for the facility. Physical access to all data center floor space is secured according to industry standards, with measures which may include security cameras, proximity cards, biometric scanners, mantraps, and complete access logging, or equivalent measures.