The Novata Information Security Schedule encompasses Novata’s security protections and specifications for handling access to Customer confidential data, as of November 2024.
Information Security Program. Novata has implemented and will maintain an enterprise Information Security Program (a documented set of information security policies, procedures, processes, guidelines, and standards) that meets or exceeds the applicable requirements of Industry Standards (see section “Industry Standards”) through the term of the Customer Agreement. Novata will communicate any material change to the security program to the Customer.
Data Security. Novata will preserve the confidentiality, integrity, and availability of Customer confidential data with administrative, technical, and physical controls that conform to generally recognized Industry Standards within our processing environment. Maintenance of a secure processing environment will include but is not limited to the timely application of patches, fixes, and updates to operating systems and applications as provided by the vendor or open-source project.
Data Use. Novata agrees that any data exchanged shall be used expressly and solely for the purposes enumerated in the Customer Agreement and this Addendum. Data shall not be distributed, repurposed, or shared across other applications, environments, or business units. Novata further agrees that no Customer data of any kind shall be transmitted, exchanged, or otherwise passed to other vendors or interested parties except on a case-by-case basis as specifically agreed to in writing by the Customer. If Novata does utilize other vendors or sub-processors, it shall, by written agreement with each sub-processor, ensure that any Processing of Data carried out by the sub-processor is subject to the same obligations and limitations as those imposed on Novata under the Customer Agreement and this Addendum.
Data Transmission and Encryption. Novata will ensure that all electronic transmission or exchange of system and application data with the Customer or any other parties expressly designated by the Customer shall occur via secure means (using HTTPS, SFTP or equivalent). Novata will store all Customer backup data as part of its designated backup and recovery processes in encrypted form, using a commercially supported encryption solution. Novata will ensure Customer confidential data defined as personally identifiable information, which may include name, social security number, address, email, phone number, or other data as defined by applicable data privacy law, will be encrypted, whether at rest or in transit. Encryption solutions will be deployed that comply with Novata Data Encryption policies and technology standards that will meet or exceed the guidance in compliance with applicable Industry Standards.
Data Storage. Novata will ensure that Customer data will be stored, processed, and maintained solely on designated target platforms and that no data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium unless that device or storage medium is in use as part of Novata’s designated backup and recovery processes. Novata shall ensure that all data will be encrypted at rest and in transit.
Secure Systems Development Life Cycle (SDLC). Novata has adopted an SDLC policy aligned to applicable Industry Standards and requires acknowledgement of that policy by all appropriate stakeholders. Novata’s SDLC policy is reviewed and amended at least annually, or more frequently based upon business need or elevated risk identified by Novata, in compliance with its obligations under AICPA SOC 2 and ISO 27001:2022.
Application Security. Novata will maintain and support its Software platform and work proactively to resolve identified defects, vulnerabilities and deficiencies in a timely manner in compliance with internal service level objectives managed by Novata.
Vulnerability Assessments. Novata will perform annual independent third-party control validation and vulnerability assessments of applications and systems. Control validation audits will be performed to validate the effectiveness of the Novata Information Security Program per guidelines published by the AICPA and ISO. Vulnerability assessments will include automated and manual vulnerability scans and penetration tests. Novata agrees to provide Customer access to such assessments upon request.
Vulnerability Remediation. For vulnerabilities, defects or risks identified as part of Novata Application Security reviews and Vulnerability Assessments, remediation will be made on a best-effort basis, with the expectation that risks rated by Common Vulnerabilities and Exposures (“CVE”) severity are resolved as follows: critical risks within 30 days of identification, high risks within 90 days of identification, and medium risks within 180 days of identification.
Network Security. Novata will maintain network security controls to ensure the protection of external network access, intrusion detection, and malware protection. The specific controls deployed will be at Novata’s sole discretion and will meet or exceed the guidance of applicable Industry Standards.
Change Management. Novata will maintain a change management policy with procedures for requesting, testing, and approving application, infrastructure, and product-related changes. The change management policy will meet or exceed the guidance in compliance with applicable Industry Standards.
Security Breach Notification. Without limiting either Party's rights in respect of a breach, Novata will operate Security Controls in a manner that ensures prompt detection, response, escalation, and reporting of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise Processed (each, a “Security Event”). Novata will take appropriate actions to contain, mitigate, and recover from any Security Event. Novata will notify Customer as soon as possible, and no later than seventy-two (72) hours after becoming aware of a Security Event (subject to any delay required by applicable law). If Novata does not have the information to provide a comprehensive notification within seventy-two (72) hours, Novata shall provide within that timeframe such information as it does have.
Regulatory Compliance. Novata represents and warrants that its collection, access, use, storage, disposal, and disclosure of Personal Information does and will comply with all applicable international, national, regional and local privacy and data protection laws.
Right to Audit. Customer shall retain the right to perform limited on-site control assessment and verification, at Customer’s cost, of Novata Controls and records pertaining to the Processing of Customer Data (“Controls Assessment”), either directly or through an agreed independent third party, once per calendar year during Novata’s normal business hours to verify Novata’s compliance with obligations outlined within this Addendum. Customer or its representatives will provide 30 days’ written notice for scheduling of such an audit. Novata will provide all reasonable cooperation to Customer or its representatives during the assessment process while reserving the right to restrict access to any data, system, service or function that is not directly related to the Customer or might provide access, insight or awareness to other customer data or metadata.
Background Checks. Novata will ensure that any employees, associates, or contractors providing services for the Customer have successfully passed their Background Check prior to providing access to sensitive data or systems.
Industry Standards.
16.1 General Security Standards. Novata has established and will maintain an information security program aligned to the recognized general standards as indicated below:
a. ISO/IEC 27001:2022 (International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC))
b. NIST Standards (National Institute of Standards and Technology), in particular NIST SP 800-53 and the NIST Cybersecurity Framework
c. AICPA SOC 2 Trust Principles for Security, Availability and Confidentiality
16.2 Secure Application and Systems Development Lifecycle (S-SDLC) Standards. Novata has aligned its Secure Software Development policies and practices to the recognized standards as indicated below:
d. ISO/IEC 27002:2022 (International Organization for Standardization (ISO), Information Technology – Security Techniques – Code of practice for information security controls)
e. ISO/IEC 27034 (International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), Information Technology – Security Techniques – Application Security)
f. NIST Special Publication 800-64 Revision 2 (National Institute of Standards and Technology, Security Considerations in the System Development Life Cycle)
g. OWASP Development Guide (Open Web Application Security Project – Development Guide for developing secure applications)
16.3 Vulnerability Assessment Standards. Novata has aligned its application risk assessment practices to incorporate the recognized standards as indicated below:
h. OWASP Testing Guide
i. OWASP Code Review Guide
j. NIST Special Publication 800-115 (National Institute of Standards and Technology, Technical Guide to Information Security Testing and Assessment)
16.4 Media Sanitization Standards.
k. NIST Special Publication 800-88 Revision 1
l. NCSC Guidance for Secure sanitisation of storage media
Conflicts. Any conflict between this Information Security Schedule and the Customer Agreement will be superseded by the terms agreed in the ratified Customer Agreement.