Polka Dot Sky Software shall be annually audited against the SOC 2 Type II standard. The audit shall be completed by an independent third-party. Upon Customer’s written request, Polka Dot Sky Software will provide a summary copy (on a confidential basis) of the most recent resulting annual audit report, so that Customer can verify Polka Dot Sky Software’s compliance with the audit standards against which it has been assessed and this DPA. Although that report provides an independently audited confirmation of Polka Dot Sky Software security posture annually, the most common points of interest are further detailed below. Polka Dot Sky Software shall provide the Customer with this initial evidence of compliance within thirty (30) days of written request and annually upon written request.
Polka Dot Sky Software shall continue to annually engage an independent, third-party to perform a web application penetration test. Upon Customer’s written request, Polka Dot Sky Software shall provide a summary of the findings to Customer. Polka Dot Sky Software shall address all medium, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Polka Dot Sky Software shall provide the Customer with this initial evidence of compliance within thirty (30) days of written request.
Polka Dot Sky Software shall provide annual Security Training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry standard topics which include, but are not limited to:
Polka Dot Sky Software shall ensure that vulnerability scans are performed on servers continuously and network security scans are completed at a minimum annually, in each case using an industry standard vulnerability scanning tool.
a. Polka Dot Sky Software shall implement user termination controls that include access removal / disablement promptly upon termination of staff.
b. Documented change control process will be used to record and approve all major releases in Polka Dot Sky Software environment.
c. Polka Dot Sky Software shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.
Polka Dot Sky Software shall use firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Customer Personal Data.
a. Where Polka Dot Sky Software handles Customer Personal Data, servers shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Salesforce and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.
b. Cloud Environment Data Segregation: Polka Dot Sky Software will virtually segregate all Customer Personal Data in accordance with its established procedures. The Customer instance of Service may be on servers used by other non-Customer instances.
a. Polka Dot Sky Software shall maintain documentation on overall application architecture, process flows, and security features for applications handling Customer Personal Data.
b. Polka Dot Sky Software shall employ secure programming techniques and protocols in the development of applications handling Customer Personal Data.
c. Polka Dot Sky Software shall employ industry standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities prior to release.
a. Encryption and hashing protocols used for Customer Personal Data in transit and at rest shall support NIST approved encryption standards (e.g. SSH, TLS).
b. Polka Dot Sky Software shall ensure laptop disk encryption.
c. Polka Dot Sky Software shall ensure that access to information and application system functions is restricted to authorized personnel only.
d. Customer Personal Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems.
a. Polka Dot Sky Software shall employ an anti-virus solution with daily signature updates for end-user computing devices which connect to the Customer network or handle Customer Personal Data.
b. Polka Dot Sky Software will have a policy to prohibit the use of removable media for storing or carrying Customer Personal Data. Removable media include flash drives, CDs, and DVDs.
a. As of August 2021, Polka Dot Sky Software will, when and to the extent legally permissible, perform criminal background verification checks on all of its new employees that provide Services to Customer prior to obtaining access to Customer Personal Data. Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.
b. Polka Dot Sky Software will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.
Polka Dot Sky Software Service requires a shared responsibility model. For example, Customer must maintain controls over Customer user accounts (such as disabling/removing access when a Customer employee is terminated, establishing password requirements for Customer users, etc.).