BuyerAssist Security Standards

Last Modified: May 31, 2021

BuyerAssist will abide by the security standards set forth below (“Security Standards”), which detail the various actions taken by BuyerAssist to provide the BuyerAssist Subscription Services (“Information Security”). During the Subscription Term, these Security Standards may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as deemed reasonably necessary by BuyerAssist, provided that such changes will not materially diminish such controls that are utilized prior to any such changes.
  1. Capitalized terms used in this exhibit and not otherwise defined herein shall have the meanings set forth in the underlying agreement for Subscription Services entered into between the Parties to which these security standards are attached as an exhibit (the “Agreement”).
 
  2. Security Controls and Safeguards
 
  • BuyerAssist will comply with all applicable privacy and data security laws and regulations governing its use, processing and storage of Customer Data.
 
  • During the Agreement Term, BuyerAssist shall maintain a security program materially aligned with applicable industry standards designed to ensure the security, confidentiality and integrity of Customer Data and protect against unauthorized disclosure or access of Customer Data. Such security program shall include the implementation of administrative, technical and physical safeguards appropriate for the type of information that BuyerAssist processes and the need for security and confidentiality of such information.
 
  • BuyerAssist implements controls aligned to industry standards intended to keep Customer Data secure and throughout the Agreement Term shall maintain security measures designed to: (i) protect the security of BuyerAssist systems which interact with Customer Data; (ii) protect against any anticipated threats or hazards to the security or integrity of BuyerAssist systems which interact with Customer Data and (iii) protect against unauthorized access to or use of BuyerAssist systems which interact with Customer Data that could result in harm to Customer’s Users of the Subscription Services.
 
  • BuyerAssist maintains access controls which include, but are not limited to, the following:
 
  • Limiting access to its information systems and the facilities in which they are housed to properly authorized persons;
  • Access by BuyerAssist personnel to Customer Data is removed upon termination of employment or a change in job status that results in the personnel no longer requiring access to Customer Data;
  • All logins to BuyerAssist systems are performed through single sign-on (SSO); the identity provider (IdP) enforces a strong password policy and multi-factor authentication (MFA) for every account.
  • BuyerAssist encrypts traffic to its SaaS application, including Customer Data, in transit over the Internet. Customer can elect, for an additional charge, to configure the Subscription Services to use encrypted channels to collect data via landing pages, e-mails, and user activity on Customer’s site.
 
  • BuyerAssist shall ensure that all critical, exploitable vulnerabilities are patched in a timely manner.
 
  3. Uses and Disclosures of Customer Data. BuyerAssist will not use or disclose Customer Data except as necessary to provide the BuyerAssist Services or as otherwise set forth in the Agreement.
 
  4. Audit
   
  • BuyerAssist acknowledges that Customer may be subject to regulation and audit by governmental and/or regulatory authorities or standards organizations under applicable laws, rules and regulations. If any such entity exercises its right to audit Customer, BuyerAssist shall provide reasonable assistance by allowing inspection, on BuyerAssist’s premises, of relevant documents or records, to the extent such information: (i) directly relates only to the transaction records for the Subscription Services provided by BuyerAssist to the Customer under the Agreement; and (ii) does not conflict with BuyerAssist’s confidentiality obligations to its other customers. The audit shall be conducted at a mutually agreed upon time and Customer will provide BuyerAssist with no less than ten (10) business days’ advance written notice of any requested audit. BuyerAssist will provide appropriate management personnel to engage with Customer and supervise any audit. The onsite part of the audit shall last no longer than three (3) business days, unless the auditor requests a longer onsite inspection period, in which case BuyerAssist reserves the right to invoice the Customer on a time and materials basis for costs incurred by BuyerAssist for the audit execution. During any such audit, BuyerAssist shall have no obligation to expose its customers’ or employees’ personal or private information or any data that BuyerAssist reasonably believes would adversely impact its customers’ or employees’ security. An auditor shall not be permitted to remove any physical or electronic copies of BuyerAssist’s Confidential Information.
 
  • BuyerAssist may, in lieu of an audit, provide to Customer a copy of an attestation report by an independent third-party auditor. All information presented under this Section shall constitute Confidential Information of BuyerAssist.
 
  5. Security Awareness and Training. BuyerAssist requires annual security and privacy training for all personnel with access to Customer Data.
 
  6. Background Checks. Upon request, BuyerAssist shall perform a criminal background check on any employee performing BuyerAssist Services under the Agreement.
 
  7. Business Continuity and Disaster Recovery
 
  • BuyerAssist has policies and procedures in place for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic, and natural disaster) that could damage Customer Data or production systems that contain Customer Data.
 
  • BuyerAssist’s data protection and built-in redundancy are designed to ensure application availability and protect information from accidental loss or destruction. Restoration of the Subscription Service is performed using commercially reasonable efforts, and depends on the data center provider’s ability to provide adequate infrastructure at the prevailing failover location.
 
  • BuyerAssist relies on reputable data center providers’ multiple levels of power redundancy, uninterruptible power supply (UPS) and backup power for BuyerAssist’s systems containing Customer Data. The power systems of the data centers processing Customer Data are designed to run uninterrupted during a total utility power outage, with every server receiving conditioned UPS power. The UPS power subsystem is redundant, with instantaneous failover if the primary UPS fails.
 
  • Data center facilities containing Customer Data have advanced fire suppression systems and redundant heating, ventilation and air conditioning systems providing appropriate and consistent airflow, temperature and humidity levels.
 
  • Backup and Recovery. BuyerAssist’s data center facilities in the U.S. utilize snapshot and data mirroring capabilities for periodic backup of Customer Data.
 
  • Network and Storage Redundancy. Every component in the SaaS infrastructure is designed and built for high availability. All network devices, including firewalls, load balancers, and switches, are fully redundant and highly available. High availability for Internet connectivity is ensured by multiple connections in each data center to different ISPs.
 
  8. Security and Availability
8.1. All data center facilities (i.e., AWS) have successfully been attested to SSAE 16 SOC 2 Type 2, ISO 27001, or similar requirements.
8.2. Physical security controls in all data centers utilized by BuyerAssist in providing the Service include protection of facility perimeters using various access control measures (including biometric identification, supervised entry, 24/7/365 on-premise security teams, and CCTV systems).
8.3. Access to data centers is limited to authorized employees or contractors only.
8.4. All Customer Data resides within a private VPC on AWS and is not reachable from the public Internet. Only authorized users who have authenticated through the mechanisms described in Section 2 can access this information.
8.5. BuyerAssist hosts its servers across multiple AWS Availability Zones, so that the Subscription Services remain highly available if any single Availability Zone fails.
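Section 8.4 asserts that Customer Data sits in a private VPC that is not reachable from the public network. The script below is an added example, not part of this document and not BuyerAssist’s own tooling, of how a customer or auditor could verify that kind of claim from exported AWS configuration: it scans security-group ingress rules for source CIDRs outside private address space and flags subnets whose route table sends the default route to an Internet gateway. It makes no AWS calls; the security groups, route tables and resource ids are constructed inline in the shape returned by boto3’s describe_security_groups and describe_route_tables, and a real run would feed it those API responses instead.

```python
"""Offline check for public exposure of a VPC from exported AWS config.

Added example (not BuyerAssist code). Input data below is constructed for
illustration; all ids are hypothetical.
"""
import ipaddress
import json

# Address space treated as "private". Anything outside these ranges
# (including 0.0.0.0/0 and ::/0) counts as public.
PRIVATE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample: a private-only database group and a group that
# still has a public SSH rule and an allow-all IPv6 rule.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",  # hypothetical
        "GroupName": "app-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0e5f6a7b",  # hypothetical
        "GroupName": "bastion-legacy",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # Protocol "-1" means all traffic; AWS omits the port fields.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Constructed sample: private subnets egress via NAT, one public subnet
# routes 0.0.0.0/0 to an Internet gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}],
     "Associations": [{"SubnetId": "subnet-db-a"}, {"SubnetId": "subnet-db-b"}]},
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}],
     "Associations": [{"SubnetId": "subnet-lb-a"}]},
]


def is_public_cidr(cidr):
    """True unless the CIDR lies entirely inside a private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p)
                   for p in PRIVATE_RANGES)


def public_ingress(security_groups):
    """Return every ingress rule whose source CIDR is public."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_public_cidr(cidr):
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "Protocol": "any" if proto == "-1" else proto,
                        "FromPort": perm.get("FromPort"),
                        "ToPort": perm.get("ToPort"),
                        "Cidr": cidr,
                    })
    return findings


def public_subnets(route_tables):
    """Subnets explicitly associated with a route table whose default
    route points at an Internet gateway. Subnets that only inherit the
    VPC's main route table have no SubnetId association and are not
    covered here (simplification of the real API output)."""
    exposed = set()
    for rt in route_tables:
        igw_default = any(
            str(r.get("GatewayId", "")).startswith("igw-")
            and (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                 or r.get("DestinationIpv6CidrBlock") == "::/0")
            for r in rt.get("Routes", []))
        if igw_default:
            for assoc in rt.get("Associations", []):
                if assoc.get("SubnetId"):
                    exposed.add(assoc["SubnetId"])
    return exposed


def check(security_groups=SECURITY_GROUPS, route_tables=ROUTE_TABLES):
    """Combine both checks into one report; empty lists mean no exposure."""
    return {"public_ingress": public_ingress(security_groups),
            "public_subnets": sorted(public_subnets(route_tables))}


if __name__ == "__main__":
    print(json.dumps(check(), indent=2))
```

An empty report from both checks supports the "not reachable from the public network" statement for the resources supplied; a non-empty one identifies the exact group, port and CIDR or subnet to raise with the vendor. Note that the private-range test is intentionally explicit rather than relying on ipaddress.is_private, whose treatment of 0.0.0.0/0 differs across Python versions.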
  9. Communications and Operations Management
  • The operations team maintains hardened standard server configurations. Systems are deployed and configured in a uniform manner using configuration management systems.
 
  • BuyerAssist maintains change control programs for development, operations, and Information Technology teams.
 
  • Separate environments are maintained to allow for the testing of changes.
 
  • The organization maintains documented backup procedures. Full backups are performed daily for all production databases. Customer Data backups are transferred to an offsite location and stored encrypted for at least 30 days.