Security Measures

IMPORTANT:
The following document is provided as a sample security addendum for informational and illustration purposes only. It does not represent a binding commitment by Flex Peeps LLC. Actual security obligations and measures will be defined in each client’s individual agreement.


SECURITY MEASURES

For the purpose of this supplemental document, the term “Service Provider” (also referred to as “Provider”) shall consistently denote “Flex Peeps LLC”, in alignment with the terminology used in the Cloud Services Agreement. Where Flex Peeps LLC offers Software as a Service (SaaS) solutions, it represents and warrants to the Company that:

  1. INFORMATION SECURITY MANAGEMENT SYSTEM

1.1. Information security is managed through a stringent set of controls, including policies, processes, procedures, software, and hardware functions that constitute the Service Provider’s Information Security Management System (“ISMS”). These controls are monitored, reviewed, and, where necessary, improved to ensure that specific security and business objectives are met.
1.2. All employees shall receive comprehensive and mandatory information security and data protection training upon joining the company, as well as annual compliance refresher training.
1.3. The Service Provider shall appoint dedicated personnel to manage information security and data protection (including a Data Protection Officer, “DPO”), who shall be ultimately responsible for risk and security incident management and shall act as the central point of contact for information security for both employees and external organizations.

  2. HUMAN RESOURCE SECURITY

2.1. Service Provider ensures that pre-employment screening requirements are carried out according to applicable local laws.
2.2. Confidentiality clauses are included in all employee and third-party vendor contracts, providing adequate protection for the confidentiality of Service Provider Data.
2.3. A disciplinary process is in place to address non-compliance with security policies and requirements.
2.4. Upon termination of employment, access is revoked from employees on their last working day, and all equipment and proprietary information must be returned.
2.5. The Service Provider shall notify the Company immediately and without undue delay regarding any terminated employees who had direct access to the Company’s systems or held Company credentials.

  3. ASSET MANAGEMENT AND DATA SECURITY

3.1. Assets associated with information and information-processing facilities shall be identified and an inventory of assets maintained.
3.2. Information and Data shall be classified and managed in line with a management-approved Information Classification & Data Management Policy.
3.3. Only trusted devices, including Service Provider computers and mobile devices, shall have access to corporate network resources.
3.4. A Data Retention Policy and Data Retention Schedule are in place to define data retention requirements in line with GDPR and the Data Protection Act, as well as secure disposal requirements for sensitive data on physical or electronic media, according to recognized IT industry security standards and best practices.
3.5. Customer Data shall be stored in a SOC2 Type II certified or equivalent industry standard data center.
3.6. Media containing any information shall be destroyed using secure means of disposal in accordance with NIST or equivalent data destruction standards.
3.7. Service Provider shall implement controls to restrict employee access to Customer Data and to the storage of in-scope systems.
3.8. Service Provider shall ensure Company data is segregated using unique identifiers assigned at the time of account implementation, and proper data isolation exists in multi-tenant environments.

  4. ACCESS CONTROL

4.1. Service Provider shall implement a Role-Based Access Control (RBAC) model, ensuring roles and permissions are assigned strictly according to job responsibilities and the principle of least privilege.
4.2. Separation of duties and least privilege principles are enforced, with privileged access managed through a documented approval process by senior management.
4.3. Privileged IT administrative rights are provided via a separate User ID (elevated account) in addition to the user’s normal User ID.
4.4. All events associated with server logins using administrative accounts, as well as changes/modifications to privileged groups, shall be monitored.
4.5. Access rights reviews shall be conducted periodically, with frequency based on the criticality of the information asset and ranging from quarterly to annually.
4.6. The Service Provider shall maintain a strong password policy across all systems.
4.7. Multi-factor authentication is enforced on all Service Provider user and administrative accounts.
4.8. Where possible, Service Provider enforces Single Sign-On (SSO) with an identity provider.
4.9. Immediate access revocation shall be enforced in the event of a critical security incident.

  5. CRYPTOGRAPHY

5.1. Service Provider shall implement cryptographic controls to protect sensitive data both in transit and at rest.
5.2. Databases shall be encrypted using AES 256-bit encryption or stronger, and data tokenization techniques shall be applied where appropriate.
5.3. All traffic to and from public-facing applications (including websites and SaaS platforms) shall use HTTPS with valid certificates and TLS 1.2 or higher.
5.4. Service Provider shall encrypt and apply authentication to all public API endpoints and storage buckets.
5.5. All backups shall be encrypted at rest.

  6. OPERATIONS SECURITY

6.1. Changes to production environments shall be controlled, approved by relevant owners, and documented.
6.2. Malware detection, prevention, and recovery controls (including next-generation anti-malware solutions) are applied to all endpoints and servers.
6.3. A comprehensive patch management process is in place. Patches and security updates are deployed monthly, or more frequently if a significant security risk is identified. Technical vulnerability management includes ongoing remediation, with vulnerabilities identified through internal and external scans, SAST/DAST, and configuration tests.
6.4. An annual comprehensive penetration testing program is carried out by accredited independent penetration testers.

  7. LOGGING, MONITORING & SECURITY INCIDENT MANAGEMENT

7.1. Service Provider shall manage event logging, recording user activities, exceptions, faults, and audit trails. Information security events are generated, reviewed, retained for at least one year, and protected from tampering.
7.2. Security information events are analyzed, and incident response and mitigation procedures (including root cause analysis) are performed to reduce or remove potential attack vectors.
7.3. Service Provider shall notify the Company of any security breach without undue delay, and in any case no later than 48 hours after becoming aware of it.
7.4. Service Provider shall allow the Company or its authorized representatives to audit compliance with these security measures upon reasonable notice.

  8. COMMUNICATION & NETWORK SECURITY

8.1. Service Provider’s network is managed through appropriate security controls such as network segmentation, access management, firewalls, configuration standards, and logging/monitoring.
8.2. Assets are segregated via dedicated VPCs and Security Groups. Proper production, development, staging, and test environments are configured to ensure environment separation and data integrity.
8.3. Web Application Firewalls (WAF) and DDoS protections are implemented on the production environment where Company data and tenants reside.

  9. PHYSICAL SECURITY

9.1. Service Provider maintains adequate physical and environmental security measures to prevent unauthorized physical access, damage, and interference to data, premises, and processing facilities. Minimum controls include:
9.1.1. Offices:
9.1.1.1. Manned building reception during office hours and CCTV coverage at all access points, including ingress and egress areas. Entry is restricted to authorized individuals with a business need.
9.1.1.2. Visitors are granted access for specific, authorized purposes only and are supervised at all times while on premises. Visitor logs are maintained for all physical access to offices, server rooms, and data centers hosting Service Provider information assets.

  10. SOFTWARE DEVELOPMENT

10.1. Service Provider implements a Secure Software Development Lifecycle (S-SDLC) Policy including requirements analysis/specification, security by design, secure engineering principles, secure development environment, application support, QA/testing, implementation, training, and post-implementation review.
10.2. Secure development best practices are followed, such as OWASP, NIST, or similar frameworks.
10.3. Ongoing code reviews are conducted using proper tools and methodologies, including SAST, DAST, and covering open source and IaC (Infrastructure as Code).

  11. SUPPLIER RELATIONSHIPS

11.1. Service Provider ensures that every direct supplier (including data sub-processors) undergoes due diligence, covering Information Security, Data Protection, Business Continuity, annual policy review, certifications, independent audit reports, and penetration tests.
11.2. Suppliers are subject to confidentiality, security, and right-to-audit clauses within their contracts.
11.3. Suppliers are reviewed periodically, with scope and frequency determined by the nature and criticality of the provided services.
11.4. Service Provider shall notify the Company without undue delay of any sub-processor change, granting the Company the right to reject or block the adoption and data transfer to the new sub-processor.

  12. BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1. Business continuity plans are formally reviewed and exercised annually, or more frequently if necessary (e.g., after significant changes).
12.2. An annual Business Impact Analysis (BIA) is conducted to determine the tolerable level of disruption, minimum levels for key activities, and resources/dependencies required to resume operations.
12.3. Regular backups ensure that critical information in storage and databases is stored securely, independently, and is restorable in the event of loss or corruption.
12.4. Service Provider shall maintain, as a minimum standard, a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 24 hours.
12.5. Backups are tested periodically to verify integrity and restorability.

  13. INFORMATION SECURITY RISK MANAGEMENT

13.1. The Service Provider operates a security risk management program that covers the identification and assessment of information security risks arising from periodic activities, as well as from planned and unplanned changes. Identified risks are prioritized, treated or accepted, and appropriately approved.

ADDITIONAL SECURITY MEASURES FOR CONSULTING SERVICES

If the Service Provider provides consulting services, it further represents and warrants to the Company the following:

  1. Introduction

This Security Measures Document outlines the information security practices that service providers and consultants shall adhere to during the course of their engagement with the Company. These measures are designed to protect the Company’s sensitive data, systems, and infrastructure, and ensure compliance with industry best practices. By following these guidelines, a secure environment is maintained and potential risks are mitigated.

  2. Access Control

  • Service Provider shall adhere to the principle of least privilege, granting access only to the resources necessary for assigned tasks.
  • Strong and unique passwords must be used for all accounts, including system logins, email, and other relevant platforms.
  • Two-factor authentication (2FA) should be enabled wherever possible to enhance account security.
  • Service Provider will access Company systems only via defined processes, tools, and methods as specified by the Company’s IT and Security teams.

  3. Data Protection

  • Confidential and sensitive data must be handled with utmost care and only shared with authorized personnel on a need-to-know basis.
  • Service Provider shall not store Company data on personal devices or cloud services without explicit permission.
  • Encryption must be used when transmitting or storing sensitive information to protect it from unauthorized access.

  4. Physical Security

  • Service Provider shall maintain the physical security of its work area, ensuring that unauthorized individuals cannot access its premises or workspaces where sensitive materials are present.
  • Laptops, mobile devices, and other portable storage media must be protected with strong passwords or biometric authentication.

  5. Software and System Security

  • Service Provider shall keep work devices and software up to date with the latest security patches and updates.
  • Only approved software and applications may be installed on devices used for Company work.
  • Antivirus and anti-malware software must be installed and regularly updated to prevent and detect threats.

  6. Network Security

  • Service Provider shall only connect to secure and trusted networks, avoiding public Wi-Fi or unsecured networks whenever possible.
  • VPN (Virtual Private Network) connections must be used when accessing Company resources remotely to ensure secure communication.
  • Regular network scans and vulnerability assessments should be conducted to identify and mitigate security weaknesses.

  7. Incident Reporting

  • Service Provider shall report any security incidents, breaches, or suspected vulnerabilities immediately to the designated contact in the Company department. This includes the loss of personal or work devices used to work on Company projects or to handle Company Proprietary Information.
  • Full cooperation and support should be provided during incident response to minimize impact.

  8. Confidentiality and Non-Disclosure

  • Service Provider shall comply with all confidentiality and non-disclosure obligations to safeguard the Company’s information.
  • Proprietary information, trade secrets, and client data must be treated as strictly confidential and not shared externally without proper authorization.