Effective: Sep 1, 2023

Version: 23.9.1

Information Security Requirements

These Information Security Requirements (referred to as this “Exhibit“) are integrated by reference into the Master Subscription Agreement, or any services agreement, or analogous agreement (collectively referred to as the “Agreement”) that exists between the Customer and Sparky. This Exhibit is instituted to outline the technical and operational measures established for the safeguarding of Customer Property within the Services. Terms capitalized but not defined herein shall carry the definitions ascribed in the Agreement.

  1. Information Security Program: Sparky is committed to maintaining and enhancing a meticulously documented information security program. This program is designed in alignment with prevailing industry standards and best practices. The aim is to ensure the continuous improvement of security measures.
    1. Internal Controls: Operational and technical controls surpassing prevalent industry benchmarks are diligently implemented by Sparky. The objective is to thwart unauthorized access, manipulation, utilization, and deletion of Customer Property. A yearly internal audit is conducted to assess the efficacy of the internal security controls.
    2. Policies: Annually, Sparky’s Director of Security meticulously reviews and grants approval to the Company’s information security policies.
  2. Technical Controls
    1. Encryption of Customer Data: To ensure data integrity, Sparky encrypts Customer Property both while at rest and during transit across untrusted networks. These encryption practices adhere to existing industry norms. 
      1. Key Management: Sparky employs an encryption key management scheme that involves regular rotation of encryption keys. These keys are logically separated from Customer Data. 
    2. Access Control: Access to Customer Property is exclusively authorized based on the necessities of job roles, responsibilities, and legitimate business requisites. All access, be it production or administrative, mandates the utilization of a unique user ID and password, along with multi-factor authentication. 
      1. Revocation: Access is promptly revoked within two business days in the event of employee termination. 
      2. User Access Reviews: Semi-annual user access reviews are conducted, ensuring the removal of inactive and unnecessary accounts.
    3. Device Management: Sparky personnel employ centrally managed laptops, configured with security controls such as disk encryption, password protection, and inactivity lockout. 
    4. Environment Segregation: A stringent logical and physical segregation is maintained between the production environment and the development/testing environments. The production environment is isolated from Sparky’s corporate offices and networks.
    5. Network Security: Sparky employs a multi-tiered network infrastructure that enforces restrictions on unauthorized traffic, continuously monitors activity, and minimizes the impact of attacks. Firewall technology, security groups with deny-all default policies, intrusion detection, and prevention systems are deployed. 
      1. Hardening: Secure configuration baselines are followed for system deployment, incorporating measures like altering default passwords, eliminating redundant software, deactivating unnecessary services, and regular patching. 
      2. WAF: A web application firewall guards against common web application vulnerabilities. 
    6. Logging and Monitoring: Monitoring tools are employed to record activities and changes in the production environment. Logs are persistently scrutinized for anomalies and securely stored for at least one year. 
    7. Vulnerability Management: Weekly vulnerability scans are conducted, with identified vulnerabilities addressed according to Sparky’s vulnerability management policy. Annual independent penetration testing is carried out on applications and infrastructure, with executive summary reports available upon request. 
    8. SDLC (Software Development Life Cycle): Secure code development practices are integral, including peer reviews, dynamic application security testing, and dependency management. Developers undergo scoped secure code training upon hire and annually.
  3. Operational Controls 
    1. Personnel Security: All new hires undergo background screening as part of the recruitment process, as allowed by applicable law. Signing confidentiality agreements is mandatory for all Sparky personnel.
    2. Security Training: Security awareness training is mandatory upon hire and annually. The curriculum includes incident reporting, device security, remote work best practices, and phishing awareness.
    3. Third-Party Risk Management: A robust third-party risk management program is upheld, ensuring Subprocessors maintain security standards equal to Sparky’s. Annual assessments of Subprocessors are conducted, reviewing audit and penetration test reports.
    4. Physical Security: Comprehensive physical controls are enforced.
    5. Incident Response: A documented incident response program addresses security incidents, tested annually. Breach notification obligations include timely communication and containment.
    6. Business Continuity: A business continuity and disaster recovery plan ensures timely recovery in case of disruptions. Annual disaster recovery testing and daily backups of Customer Property are conducted.
  4. Customer Audit Rights 
    1. Due Diligence Requests: Upon written request, Customer may access documentation demonstrating Sparky’s compliance with security obligations.
    2. Audit Rights: Customer can request an annual written information security questionnaire, which Sparky will complete to confirm compliance. 
    3. Risk Remediation: Mitigation plans are negotiated for significant findings identified during audits.
    4. Penetration Testing: Customer’s penetration testing is limited, subject to certain conditions.
  5. Customer Security Responsibilities
    1. Access Management: Customer is responsible for user access and password complexity requirements. 
    2. Acceptable Use: Customer is responsible for appropriate data uploads, adhering to certification or authorization requirements.

These Information Security Requirements reflect our commitment to robust security practices for the protection of Customer Property.