DPA – Schedule B

Security Measures

Swoogo implements and maintains policies and procedures that include appropriate technical and organizational measures to ensure a level of security appropriate to: (i) protect the security, confidentiality, and integrity of Customer Personal Data; and (ii) protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Customer Personal Data. Swoogo regularly monitors, evaluates, and assesses the effectiveness of the technical and organizational measures implemented. Swoogo’s technical and organizational measures include:

Risk Management

Swoogo maintains a risk management framework and conducts a yearly risk assessment of its environment and systems to understand its risks and applies appropriate controls to manage and mitigate risks before processing Customer Personal Data.

Access Controls

Swoogo implements the following access controls with respect to Customer Personal Data:

Access to Customer Personal Data is restricted to Swoogo personnel authorized to have such access in accordance with their job function and based on the principle of “least privilege.”

• Swoogo maintains account creation and deletion procedures, with appropriate approvals, for each personnel role.
• Swoogo maintains a record of personnel security privileges for those personnel that have access to Customer Personal Data.
• Swoogo reviews personnel access rights at regular intervals and makes adjustments as necessary.
• Each account from which Customer Personal Data can be accessed is attributable to a single user with a unique ID which is authenticated through a password or another authentication method.
• Swoogo uses industry-standard practices to identify and authenticate users who attempt to access its information systems, including multi-factor authentication.
• Passwords are renewed regularly.
• Passwords are required to conform to very strong password control parameters. Passwords are required to contain: (i) eight alphanumeric characters; (ii) upper and lowercase letters; (iii) one number; and (iv) one special character.

Physical Security:

Swoogo implements the following physical security measures with respect to Customer Personal Data:

• All devices are secured with a password/PIN screen lock with the automatic activation feature. Swoogo personnel are required to lock the screen or log off when a device is unattended.
• Access to locations where Customer Personal Data is processed or stored is limited to authorized personnel only.  
• Visitors to locations where Customer Personal Data is processed or stored are required to sign a visitor register and are escorted at all times.
• Physical access logs detailing access are retained. 
• Physical documents that contain Customer Personal Data are required to be kept in a locked office or file cabinet when not in use.
• Swoogo facilities are monitored 24/7.

Network Security

Swoogo’s network employs the following safeguards:

• Swoogo maintains security controls designed to detect and mitigate attacks by use of network layer firewalls and intrusion detection/prevention systems (IDS/IPS).
• All network traffic passes through firewalls, which are monitored at all times. 
• Swoogo maintains management procedures that provide a consistent approach for controlling, implementing, and documenting changes for information systems. 
• Endpoint protection, including anti-virus and anti-malware, is implemented on all endpoints.
• When remote connectivity to Swoogo’s network is required, Swoogo uses VPN servers for the remote access with encrypted connection of 256-bit encryption. 
• Swoogo employs multi-factor authentication for administrative interfaces and for all access to Swoogo systems and applications. 

Vulnerability and Patch Management

All Swoogo devices are configured for automatic patching and application security patches are installed without unreasonable delay. Swoogo conducts regular testing and monitoring of the effectiveness of safeguards, controls, systems, including penetration testing.

Encryption

Swoogo encrypts Customer Personal Data as follows:

• Swoogo shall use encryption certified against U.S. against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard.
• All emails between Swoogo and Customer shall utilize Transport Layer Security (TLS) if transmitting Customer Personal Data.
• Swoogo will encrypt all Customer Personal Data that resides on the Swoogo’s systems, servers, backups, or other information systems, including Customer Personal Data that resides on the systems and servers of any third-party with which the Swoogo has subcontracted to store electronic data.
• Swoogo shall encrypt at rest using solutions that are certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and any keying material are not stored with any associated data.
• In the event Swoogo uses a cloud-based environment to store Customer Personal Data, Swoogo will only use providers whose dedicated cloud-based environment encrypts data at rest.
• In the event that Customer Personal Data could be transferred to a mobile device, tablet, or laptop by Swoogo personnel, Swoogo implements, monitors, and maintains encryption and information leakage prevention tools using solutions that are certified against the U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verifies that the encryption keys and keying material are not stored with any associated data.

Personnel

Swoogo employs the following administrative safeguards for its personnel:

• All Swoogo personnel undergo privacy and data security training, upon hiring, and annually thereafter.
• Swoogo informs its personnel of relevant security procedures and their roles and ensure that all personnel sign a confidentiality agreement or be subject to statutory obligations of confidentiality.
• Personnel that fail to comply with Swoogo’s information security policies, practices, and procedures may be subject to disciplinary action, up to and including termination.
• Swoogo performs background checks on personnel where legally permissible.
• Swoogo maintains procedures for revoking or changing access in response to termination or changes in job functions.

Sub-processors

Swoogo employs the following safeguards with respect to any Sub-processors that access, store, or transmit Customer Personal Data on its behalf:

• Due diligence is conducted on all Sub-processors who may gain access to, store, or transmit Customer Personal Data in accordance with the DPA. 
• Sub-processor physical and electronic access to Customer Personal Data is terminated no later than the date of separation or to a role no longer requiring access to Customer Personal Data.
• Swoogo has agreements with all Sub-processors who may gain access to, store, or transmit Customer Personal Data that requires compliance with Swoogo’s information security requirements. 

Business Continuity

Swoogo maintains a disaster recovery and business continuity program for systems and facilities used to provide services. Such program is designed to ensure that Swoogo is able to continue providing services after its systems are damaged, destroyed, or otherwise unavailable for use. Swoogo’s disaster recovery and business continuity program is tested on an annual basis.

Incident Management

Swoogo maintains an incident management plan designed to promptly identify, prevent, investigate, mitigate, and address the impact of security incidents.