CONFIDENTIALITY

No part of this document may be disclosed verbally or in writing, including by reproduction, to any third party without the prior written consent of CheckWorkRights (CWR).

Policy Overview

This CWR Data Security Policy (“Security Policy”) outlines the technical and procedural measures that CWR undertakes to protect Customer Data from unauthorised access or disclosure. As used in this Security Policy: “Cloud Provider” means the third party cloud provider, such as Amazon Web Services (AWS). This Security Policy may be updated from time to time (which may be provided through the Service) to reflect process improvements or changing practices, but any such modifications will not materially diminish either party’s obligations as compared to those reflected below. CWR conducts risk assessments of various kinds throughout the year, including self assessments and tests, automated scans, and manual reviews.

1 Customer Data Access and Management

1.1 Customer controls access to its Account in the Service via User IDs and passwords.

1.2 CWR uses Customer Data only as necessary to provide services to Customer, as provided in the Agreement.

1.3 Customer Data is stored only in the Service production environment in the Cloud Private Network.

1.4 Customer Data is stored in the available Service Region for the account requested by Customer Service.

2 Infrastructure Access Management

2.1 Access to the systems and infrastructure that support the Service is restricted to CWR Personnel who require such access as part of their job responsibilities.

2.2 Unique User IDs are assigned to CWR personnel requiring access to the CWR servers that support the Service.

2.3 Server password policy for the Service in the production environment adheres to the PCI-DSS password requirements.

2.4 Access privileges of separated CWR personnel are disabled promptly.

2.5 Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.

2.6 User access to the systems and infrastructure that support the Service is reviewed quarterly.

2.7 Cloud Provider network security groups have deny-all default policies and only enable business-required network protocols for egress and ingress network traffic. The Service only allows the TLS 1.2 protocol from the public internet.

3 Risk Management

3.1 Results of assessments, including formal reports as relevant, are reported to the Technical Director. Regular meetings are held to review reports, identify control deficiencies and material changes in the threat environment, and make recommendations for new or improved controls and threat mitigation strategies.

3.2 Changes to controls and threat mitigation strategies are evaluated and prioritised for implementation on a risk-adjusted basis.

3.3 Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.

4 Vulnerability Scanning and Penetration Testing

4.1 Vulnerability scans are run automatically on a continual basis against the systems used to operate and manage the Service.

4.2 The vulnerability database is updated regularly via subscription to expert providers.

4.3 Scans that detect vulnerabilities automatically trigger notifications to security personnel.

4.4 The potential impact of vulnerabilities is assessed, as alerts are raised, by the Technical Director in consultation with the development team.

4.5 Vulnerabilities that trigger alerts and have published exploits are reported to the Security Committee, which determines and supervises appropriate remediation action.

4.6 Vulnerabilities are prioritised based on potential impact to the Service, with “critical” and “high” vulnerabilities typically being addressed within 30 days of discovery and “medium” vulnerabilities being addressed within 90 days of discovery.

4.7 Security management monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.

4.8 Penetration tests by an independent third-party expert are conducted regularly.

4.9 Penetration tests performed by CWR are performed regularly throughout the year.

5 System Event Logging, Monitoring & Alerting

5.1 Monitoring tools and services are used to monitor systems, including network and server events, Cloud Provider API security events, availability events, and resource utilisation.

5.2 CWR infrastructure security event logs are collected in a central system and protected from tampering. Logs are stored for a minimum of 12 months.

5.3 All CWR-provided user endpoints have Endpoint Detection & Response (“EDR”) tools to monitor and alert for suspicious activities and potential malware.

5.4 All Cloud Private Networks leverage advanced threat detection tools to monitor and alert for suspicious activities and potential malware.

6 System Administration and Patch Management

6.1 CWR shall create, implement and maintain system administration procedures for systems that access Customer Data that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications) and proper installation of threat detection software as well as daily signature updates of same.

7 Physical Security

7.1 The Service is hosted with Cloud Providers and all physical security controls are managed by the Cloud Provider. CWR reviews the Cloud Provider’s SOC 2 Type 2 report annually to ensure appropriate physical security controls, including:

7.1.1 Visitor management including tracking and monitoring physical access.

7.1.2 Physical access points to server locations are managed by electronic access control devices.

7.1.3 Monitoring and alarm response procedures.

7.1.4 Use of CCTV cameras at facilities.

7.1.5 Video capturing devices in data centres with 90 days of image retention.

8 Notification of Security Breach

8.1 A “Security Breach” is (a) the unauthorised access to or disclosure of Customer Data, or (b) the unauthorised access to the systems within the Service that transmit or analyse Customer Data.

8.2 CWR will notify customers in writing within seventy-two (72) hours of a confirmed Security Breach.

8.3 Such notification will describe the Security Breach and the status of CWR’s investigation.

8.4 CWR will take appropriate actions to contain, investigate, and mitigate the Security Breach.

9 Disaster Recovery & Business Continuity

9.1 CWR maintains a Disaster Recovery Plan (“DRP”) for the Service. The DRP is tested annually.

9.2 Where AWS is the Cloud Provider, the Service is managed in different AWS Regions as standalone deployments, which can be employed as part of Customer’s DRP strategy. To effectively use the AWS cross-regional availability of the Service for disaster recovery purposes, the Customer is responsible for the following:

9.2.1 Requesting additional Service accounts in different regions to support its DRP program.

9.2.2 Managing its data replication across applicable regions.

9.2.3 Configuring and managing its CWR accounts.

9.2.4 Managing backup and restoration strategies.

9.3 CWR maintains a Business Continuity Plan (“BCP”). The BCP is assessed annually.

10 Customer Responsibilities

10.1 The Customer will promptly notify CWR if a user credential has been compromised or if Customer suspects possible suspicious activities that could negatively impact the security of the Service or Customer’s account.

10.2 The Customer may not perform any security penetration tests or security assessment activities without the express advance written consent of CWR.