SOFTLEDGER, INC.
Security Policy

SoftLedger, Inc. (“SoftLedger ”)​ considers protection of Customer Data a top priority. As further described in this Security Policy, SoftLedger uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under SoftLedger’s control. 

This policy is issued under and forms part of the Master Services Agreement or other End User Terms which reference this policy and any capitalized terms not defined herein shall have the meanings ascribed to them in such agreement. 

1. Customer Data Access and Management Controls.​ SoftLedger implements formal procedures to limit its personnel’s access to Customer data as follows:
   1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for access and individually-assigned Secure Socket Shell (SSH) keys for external engineer access;
   2. Limits the Customer Data accessible to SoftLedger personnel on a principle of least authority (POLA) for server/network/and application access;
   3. Limits access to SoftLedger’s production environment by SoftLedger’s personnel on the basis of business need;
   4. Prohibits SoftLedger personnel from storing Customer Data on electronic portable storage devices such as computer laptops, portable drives and other similar devices;
   5. Logically separates each of SoftLedger’s users’ data and maintains measures designed to prevent Customer Data from being exposed to or accessed by other users.
2. Data Encryption.  SoftLedger provides industry standard encryption for Customer Data as follows:​
   1. Implements encryption in transport and at rest;
   2. Uses strong encryption methodologies to protect Customer Data, including AES 256-bit encryption for Customer Data stored in SoftLedger’s production environment;
   3. Encrypts all Customer Data located in cloud storage while at rest; and
3. Network Security, Physical Security and Environmental Controls.
   1. SoftLedger implements properly configured and patched firewalls, network access controls and other technical measures designed to prevent unauthorized access to systems processing Customer Data;
   2. SoftLedger maintains effective controls to ensure that security patches for systems and applications used to provide the service are properly assessed, tested and applied;
   3. SoftLedger monitors privileged access to applications that process Customer Data, including cloud services;
   4. SoftLedger operates on Amazon Web Services (“AWS​”) and is protected by Amazon’s security and environmental​ controls.  Detailed information about AWS security is available at ​ https://aws.amazon.com/security​ and http://aws.amazon.com/security/sharing-the-security-responsibility. AWS ISO certification and SOC Reports​ are available at https://aws.amazon.com/compliance/iso-certified​​ and https://aws.amazon.com/compliance/soc-faqs,​ respectively; and
   5. Customer Data hosted in AWS is AES-256 encrypted both in transit and at rest. AWS does not have access to unencrypted Customer Data.
4. Incident Response.​ If SoftLedger becomes aware of unauthorized access or disclosure of Customer Data under its control (an “Incident​”), SoftLedger will:​
   1. Take reasonable measures to mitigate the harmful effects of the Incident and prevent further unauthorized access or disclosure;
   2. Upon confirmation of the Incident, notify the Customer’s designated security contact by email within 72 hours. Notwithstanding the foregoing, SoftLedger is not required to make such notice to the extent prohibited by Laws, and SoftLedger may delay such notice as requested by law enforcement and/or in light of SoftLedger’s legitimate need to investigate or remediate the matter before providing notice; and 5.3. Each notice of an Incident will include:
      1. The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Incident;
      2. A description of what happened, including the date of the Incident and the date of discovery of the Incident, if known;
      3. The scope of the Incident, to the extent known; and
      4. A description of SoftLedger’s response to the Incident, including steps SoftLedger has taken to mitigate any harm caused by the Incident.
5. Business Continuity Management.
   1. SoftLedger maintains a business continuity and disaster recovery plan in accordance with industry trends and standards; and
   2. SoftLedger maintains processes to ensure failover redundancy with its systems, networks and data storage.
6. Personnel Management.
   1. SoftLedger performs employment verification, including proof of identity validation, check of education records and employment track, and criminal background checks for new hires in positions requiring access to systems and applications storing Customer Data in accordance with applicable Law;
   2. SoftLedger provides training for its personnel who are involved in the processing of Customer Data to ensure they understand their obligations to not collect, process or use Customer Data without authorization and to keep Customer Data confidential, including following the termination of any role involving Customer Data;
   3. Upon employee termination, whether voluntary or involuntary, SoftLedger immediately disables all access to SoftLedger systems, including SoftLedger’s physical facilities.