This Information Security Overview, (“Security Overview”) is incorporated into and made part of the Agreement.  All terms not defined in this Security Overview retain the meaning in the Agreement.  

1. Purpose

This Security Overview describes Hearsay’s security program, infrastructure, and organizational security safeguards to protect (a) Customer Data from unauthorized use, access, or theft and (b) the Services. Hearsay continually reviews and updates its security program and strategy to help protect Customer Data and the Services. Hearsay reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. The current terms of this Security Overview are available at www.hearsaysystems.com/company/legal/information-security-overview.  This Security Overview does not apply to any Services that are identified as beta, limited release, or developer preview. 

2. Information Security Safeguards

Hearsay shall maintain throughout the Term an information security program that is reasonably designed to provide protection to the security, confidentiality, integrity and availability of Customer Confidential Information in accordance with applicable laws governing privacy of personal information in the United States, E.U. and Canada, and at a minimum, includes controls for (i) system access, (ii) system and application development and maintenance, (iii) change management, (iv) incident response, physical and environmental security, (v) disaster recovery/business continuity, and (vi) employee training (“Information Security Safeguards”).

• 2.1.  Standards & Practices.  Information Security Safeguards will incorporate commercially reasonable methods and safeguards to ensure the security, confidentiality, integrity, availability and privacy of the Customer Confidential Information.  Hearsay will adhere to generally accepted information security practices relating to Hearsay’s industry.

• 2.2.  Updates.  Information Security Safeguards will be documented and kept current in light of changes in applicable legal and regulatory requirements related to privacy and data security practices applicable to Hearsay.  

• 2.3.  Workspace Security.  Information Security Safeguards must include controls designed to ensure that work areas containing the Customer Confidential Information are secured. Access to such work areas will be controlled by a commercial grade access control system.  All electronic copies, printed copies, computer screen captures or any form of duplication of original documents containing the Customer Confidential Information will be protected in the same manner as the original. The Customer Confidential Information in hard-copy form shall be protected against disclosure to any individuals who do not have a legitimate business need to have access to the Customer Confidential Information, and the Customer Confidential Information must be safeguarded to ensure the privacy, security, availability and integrity of the Customer Confidential Information.  

• 2.4.  Appropriate Safeguards.  Information Security Safeguards will include (i) safeguards against the unauthorized destruction, loss, or alteration of the Customer Confidential Information; (ii) safeguards against unauthorized access to Customer Confidential Information; and (iii) network and internet security procedures, protocols, security gateways and firewalls with respect to Customer Confidential Information in accordance with applicable legal and regulatory requirements and applicable industry practices.

• 2.5.  Physical Security Safeguards.  Hearsay shall use third-party data centers that have annual SSAE 16 (or comparable audit engagement) performed. In the event that such data center(s) become non-compliant with the requirements, then Hearsay, in a reasonable time period, will discontinue using the third party and find an alternative third party that will meet the requirements. 

3. Information Security Infrastructure

• 3.1.  Access Controls. Hearsay will ensure appropriate access controls (i.e., password/key requirements and two-factor authentication) are in place to protect Customer Confidential Information. Hearsay agrees that it shall maintain, throughout the term of the Agreement and at all times while Hearsay has access to or possession of the Customer Confidential Information, appropriate access controls and shall not materially degrade or lessen the access controls.  Hearsay must also ensure that segregation of duties is employed in the assignment of all critical job functions related to the Services involving the Customer Confidential Information. Customer will be solely responsible for implementing and maintaining access controls on its own systems.

• 3.2.  Authorized Persons.  Hearsay must limit access to the Customer Confidential Information solely to those of its employees, contractors or agents who have a need to access the Customer Information: (i) in connection with the Services; (ii) to perform Hearsay’s obligations or rights pursuant to the Agreement; or (iii) to facilitate the due diligence and closing of an acquisition, divestiture, or similar transactions (including auditors, bankers, attorneys, and potential parties to a transaction) (“Authorized Persons”). Hearsay will ensure that Authorized Persons have signed confidentiality agreements or are otherwise bound by confidentiality obligations. Hearsay will be held responsible for any breach resulting from failure of its Authorized Persons to comply with these Information Security Safeguards with regard to the Customer Confidential Information.

• 3.3.  Password Administration.  Hearsay’s passwords that are associated with access to the Customer Confidential Information as applicable will be at minimum the generally accepted standards applicable to Hearsay’s industry (e.g. currently Hearsay uses two factor auth.) 

• 3.4.  Encryption.  Hearsay encrypts all laptops, network file transfers, and web transactions involving any of the Customer Confidential Information in connection with the performance of the Service pursuant to the Agreement.  Encryption must be provided through commercial grade, industry-standard strong cryptographic algorithms, protocols, and commercially reasonable key strengths. Hearsay agrees that it shall not implement a less secure method of encryption.  

• 3.5.  Network and Host Security.  Hearsay must have commercially reasonable firewalls and anti-virus protection on all laptops and desktops in place and functioning properly (the “Network and Host Security Methods”). Hearsay will use reasonable commercial efforts to ensure that operating systems and applications that are associated with the Customer Confidential Information are patched within a commercially reasonable time period after Hearsay has actual or constructive knowledge of any security vulnerabilities. Hearsay will exercise generally accepted industry standards to ensure that any software, systems, or networks that may interact with Customer’s systems, networks or any of the Customer Confidential Information under Hearsay’s control are not and do not become infected by any viruses.  

4. Compliance with Laws and Customer Security Procedures

Prior to performing services on Customer’s site, Customer shall provide Hearsay with written security procedures (including, without limitation, procedures relating to Customer’s facilities and materials, the Customer Confidential Information, and if applicable any Software for Hearsay’s review and compliance with such).

5. Security Breach Management

• 5.1.  Notice.  Hearsay must notify Customer after confirmation of breach of security of the Customer Confidential Information by Hearsay in accordance with the Agreement.  ‍
• 5.2.  Remediation.  In the event of a confirmed breach of security of the Customer Information by Hearsay, Hearsay will, at its own expense, (i) investigate the actual breach of security, (ii) provide Customer with a remediation plan, reasonably acceptable to Customer, to address the security breach and to mitigate the incident and reasonably prevent any further incidents, (iii) remediate the effects of the security breach in accordance with such remediation plan, and (iv) provide reasonable cooperation to Customer and any law enforcement or regulatory official investigating such security breach.