Unanet Information Security Exhibit
Effective Date: August 17, 2023
Unanet maintains a written information security program that contains administrative, technical, and physical safeguards that are appropriate to protect Customer Data in its possession and control and that are reasonable based on the size and scope of Unanet’s business, its resources, and the type of Services it provides.
Unanet’s security program is designed to:
- Protect the confidentiality and availability of Customer Data in Unanet’s possession or control;
- Protect against unauthorized or unlawful access to the Customer Data or accidental loss or destruction of Customer Data in Unanet’s possession or control; and
- Protect against anticipated threats to Customer Data or Unanet Subscription Services.
Policies.
Unanet maintains internal policies designed to:
- Limit access to software and systems to authorized individuals;
- Place restrictions on software installation and use;
- Manage technical vulnerabilities and malware; and
- Manage data retention and deletion requirements.
Security and Access Controls.
Unanet has implemented and maintains security controls, including:
- Asset inventory and asset classification based on criticality for business continuity;
- Return policy for equipment and process for disabling access following employee termination;
- Unique, individual access credentials to approved applications, operating systems, databases, and network devices;
- Multi-factor authentication for authorized employee access to local operating systems, the VPN, the AWS environment, and individual servers;
- System segregation and access controls governing access to Customer Data;
- Access limited to authorized users based on the principle of least privilege within Unanet;
- Quarterly review of access rights; and
- Password complexity requirements and password expiration and storage policies.
AWS provides all physical security controls for the cloud platform.
Network Security.
All network devices are virtualized and redundant across AWS availability zones. Unanet continuously monitors network devices for vulnerabilities and misconfiguration.
Encryption.
All Customer Data is encrypted at rest with AES-256 encryption at a minimum.
All Customer Data is encrypted in transit using TLS 1.2 or later, with AES-128 or AES-256 cipher suites negotiated depending on what the client's web browser supports.
Data Deletion.
Customer Data is segregated and deleted or destroyed as set forth in the Customer Data section of the Cloud Terms & Conditions. Customer Data contained in backup files is set aside until it ages out of backups in accordance with internal policies. Unanet follows the NIST SP 800-88 standard (Guidelines for Media Sanitization) for Customer Data deletion.
Location; Hosting.
All data is hosted in the United States unless agreed upon separately with a Customer outside of the United States.
Unanet is hosted on AWS, and Customer Data is stored in the us-east-1 and us-east-2 regions.
Employees; Training and Awareness.
Unanet requires background checks on all employees.
All employees are required to:
- Sign a non-disclosure agreement prior to employment;
- Acknowledge Unanet’s Employee Guidebook, which contains workplace policies on use of electronic communications and computer systems and social networking policies; and
- Attend initial new-hire security training, annual security awareness training, insider threat training, and focused role-based security training.
Incident Response.
Unanet maintains a formal Incident Response Plan internally, including:
- Procedures to collect and maintain evidence;
- Planned response actions for event types, informed by current industry threat activity; and
- A 24x7 contact method for Customers to report security incidents.
Unanet notifies Customers of security incidents as set forth in the Security and Incident Response section of its Cloud Terms & Conditions.
Unanet completes annual incident response and disaster recovery exercises and monthly phishing simulation campaigns.
Business Continuity.
Unanet maintains an internal business disaster recovery plan, which is evaluated during its annual SOC 2 audit. Formal procedures are established for notifying senior leadership, determining root cause, and isolating the issue.
Assigned Security Responsibilities.
Unanet has designated an information security team and an incident response team composed of employees from product development, SysOps, and CloudOps.
Testing and Certifications.
Unanet regularly tests its controls, systems, and procedures against industry standards, which include, where applicable to the AWS environment:
- Internal risk assessments;
- NIST SP 800-171 / CMMC 2.0 Level 2; and
- SOC 1 and SOC 2 Type 2 audit reports.