Technical and Organization Measures.
Extu has implemented and will maintain appropriate technical and organization measures, internal controls and information security practices that are designed to safeguard data Processed by Extu under the Agreement, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
Employee Screening, Training and Security
- Personnel. Extu takes reasonable steps to ensure its personnel have adequate skills, experience and training in the care and handling of Personal Information when providing the Services.
- Background checks. Extu conducts reasonable and appropriate background investigations on all personnel in accordance with applicable laws and regulations.
- Training. Extu’s compliance training program includes a requirement for employees and contractors to complete data protection training upon joining the organization, as well as mandatory annual data protection and privacy awareness training. This includes passing an annual assessment. The data protection training includes topics such as security awareness, data incident management and may also include materials specific to certain job functions.
- Confidentiality. Extu ensures its employees are obligated to maintain and protect the confidentiality of any Personal Information they handle pursuant to this Agreement.
Physical and Environmental Security
- Data centers. Extu uses data centers manage physical security with 24/7 guarded access and bio metric scanners. Our data center providers meet SOC 2 compliance requirements.
- Physical controls. Extu has adopted a clear desk policy that requires no Personal Information be left unattended and requires personnel to lock their computer screen when away from desks. All print media that contains Personal Information is securely destroyed (e.g. by incineration or shredding) in accordance with our retention policy. All Personal Information held on hardware and exchangeable media must be securely destroyed before disposing of an old device. Extu ensures through regular training that personnel do not copy or transfer Personal Information onto any PC hard-drive, laptop, handheld device, exchangeable media or other technology.
- Subprocessors. Extu has established a third party compliance program that incorporates security in the evaluation of a vendor or subprocessor as well as ensuring the confidentiality, integrity and availability of data. Extu maintains contractual relationships with vendors in order to provide the Services in accordance with an agreed data protection agreement.
- Access control. Extu maintains a formal access control policy and employs a centralized access management system to control employee and contractor access to systems. Access is provided based on segregation of duties and the principle of least privilege. Access control includes the usage of username and a complex password and multifactor authentication. Extu adjusts access rights of personnel whenever they assume different responsibilities and revokes all access upon termination of employment or contract.
- Data transmission and encryption. Extu takes all reasonable steps to ensure that all Personal Information (stored in any form and media whether tangible or intangible) that would cause damage or distress to a data subject if lost, stolen or accessed by an unauthorized person, is encrypted, especially when in transit between systems. This includes implementing industry-standard encryption practices in the transmission of personal data (such as Transport Layer Security) and encrypting personal data at rest and in transit.
- Data security protection. Appropriate data security measures are in place, including (without limitation): anti-virus and malware software is installed on information systems, the latest patches and security updates for software used are applied, network protection is provided via firewall with intrusion detection systems in place and logs for critical systems.
- Code review. Extu maintains a formal software development life cycle that includes security coding practices, including code reviews and engineering and product development change management practices.
- Data retention. Extu maintains a data retention and disposal policy.
SOC II Compliant and PCI DSS Certification.
Extu’ credit card processing vendor uses security measures to protect your information both during the transaction and after it is complete. Our vendor is certified as compliant with card association security initiatives. Our incentive management systems integration with the supplier is PCI DSS compliant (under SAQ A).
We also perform annual SOC II Type 2 audits on our incentive management systems. We provide our SOC II Report upon request.
Incident Response and Breach Notification
- Disaster recovery. Extu has taken steps to ensure the Services can continue to be provided in the event a disaster disrupts the normal mode of operation. Critical systems and services have been identified and a disaster recovery plan has been established. Extu takes regular back-ups, ensuring that critical systems can be restored with minimal data loss.
- Incident response. Extu has established incident response procedures, allowing for handling of incidents in a timely and controlled manner and in accordance with applicable law and obligations.