Systems’ Access Controls. Lotame maintains appropriate technical and organizational policies, procedures, and safeguards to limit access to its platform and services to only those individuals that require access, including protection against unauthorized processing, loss, or unauthorized disclosure of or access to Data Provider Data. Access to Data Provider Data within Lotame’s platform is governed by role-based access control (RBAC) and can be configured to define granular access privileges, including distinct read/write privileges. These privileges are packaged into reusable and customizable roles to support various permission levels for employees and users (owner, admin, agent, end-user, etc.). Individual users are granted any number of roles, thus providing the capability to control specific responsibilities and access levels within Lotame’s organization. Lotame’s information security management system is ISO/IEC 27001:2013 certified and is audited annually by an independent third party. Lotame’s ISO/IEC 27001:2013 certificate is available upon request.
Systems’ Access Controls. Firewalls, perimeter security controls, VPNs, and access-controlling routers are in place and configured to Verisign’s standards to prevent unauthorized communications. Network based intrusion detection systems are configured to detect attacks or suspicious behavior, and vulnerability scans are performed to identify potential weakness to the security and confidentiality of systems and data. Verisign may, depending on the specific service, apply the following controls: (i) authentication via passwords and/or multi-factor authentication; (ii) documented authorization and change management processes; and (iii) logging of access. Software supporting Verisign’s infrastructure includes operating systems databases and anti-virus software that is updated as needed. Internally-developed applications perform product delivery functions. In addition, Verisign uses multiple backup/restore utilities to perform daily and periodic backups of production systems. Verisign’s access to its customers’ data is restricted to authorized personnel and access is granted after receiving proper approval from management. Only Verisign staff with a need to know will be granted access to customer data for the sole purpose of providing customers with support. In addition, Verisign provides a mechanism by which customers can control access to their environments and to their content by their authorized staff.
Systems’ Access Controls. In respect of any systems used to access Pantheon platform information containing Data Controller data, this paragraph shall apply. Access to system information is protected by multiple authentication and authorization mechanisms. Pantheon leverages XXXX to manage access to corporate resources. Pantheon’s vulnerability assessment consists of scanning server resources, identifying vulnerabilities, assessment of the vulnerabilities, and remediation. Vulnerability scans are performed periodically. To the extent supported by native device or operating system functionality, Data Processor will maintain computing protections for systems containing Data Controller Personal Data and all end-user systems that include, but may not be limited to, endpoint firewalls, full disk encryption, signature-based antivirus and malware detection and removal that shall be regularly updated by central infrastructure and ii) logged to a central location, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In accordance with Pantheon’s IT policies, all computers must either have antivirus software installed or alternative means to validate system integrity. Updates are pushed automatically and managed by the IT department.
