1. SECURITY PRACTICES. Aegisys is responsible for the security measures set out in the Agreement and shall maintain and implement the following technical and organizational measures in relation to the security of the Customer Configuration.
1.1. Physical Security – Data Centers. The following physical security controls apply to Customer Data residing in data center or office premises either owned or leased by AEGISYS, Inc. or its Affiliate in connection with the provision of Services to Customer (and expressly excludes third party hosting Services):
(A) Servers and devices dedicated to Customer’s use as part of the Customer Configuration provided by Aegisys will be located in a controlled access data center (or portion thereof) either operated by or dedicated to use by Aegisys or its Affiliate.
(B) Aegisys operates or audits the use of an electronic access control system which logs access to physical facilities, managed by a professional security guard force in line with its current processes.
(C) Access to the production floor of the data halls will be restricted to Aegisys employees or its agents who need access for the purpose of providing the Services. Access within data center facilities is in zones and provisioned based on physical access rights required by a given individual. Access to designated “meet me” rooms will be available to customers, subject to data center escort policies.
(D) The data center will be staffed 24/7/365 and will be monitored by video surveillance, recording to a centralized location.
(E) Aegisys limits access to physical facilities to authorized individuals by proximity-based access cards and biometric hand scanners or other approved security authentication methods.
(F) Except as specifically stated in the Agreement, Aegisys will not relocate the Customer Configuration from an Aegisys data center in one country to a data center in another country without Customer’s express written permission.
(G) Following the termination of the Agreement or a Customer Configuration, Aegisys will wipe data from those hard drives and storage devices dedicated to Customer use prior to re-use.
1.2. Security Controls Audits & Reporting. Aegisys shall use AlienVault SIEM appliances as well as other vulnerability assessment tools to perform examinations of its systems and services in accordance with best practice recommendations, for the purpose of auditing Aegisys’s compliance with its compliance frameworks (based upon select Trust Services Principles) and/or equivalent industry standards.
1.3. Administrative Controls.
(A) Screening. Aegisys will perform pre-employment background screening of its employees who have access to Customer’s account, and is committed to employee supervision, training, and management.
(B) Aegisys Access. Aegisys will restrict the use of administrative access codes for Customer’s account to its employees and other agents who need the access codes for the purpose of providing the Services. Aegisys personnel who use access codes shall be required to log on using an assigned username and password.
(C) Customer Access. As the primary system administrator, Customer is responsible for the management of their account, including creation, change management, and termination, and enforcement of related remote working and password controls.
1.4. Reports of and Response to Security Breach. Aegisys will report to Customer as soon as reasonably practicable, in writing and in accordance with applicable law, any material breach of the security of the Customer Configuration of which Aegisys becomes aware that results in unauthorized access to Customer Data and in the destruction, loss, unauthorized disclosure or alteration of Customer Data. Upon request, Aegisys will promptly provide to Customer all relevant information and documentation that Aegisys has available regarding the Customer Configuration in connection with any such event. Aegisys shall be under no obligation to notify Customer of routine security alerts in respect of the Customer Configuration (including pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) save as otherwise specifically set out in the Agreement.
1.6. Customer Data.
(A) Customer remains the primary system and account administrator and is responsible for the integrity, security, maintenance, and protection of Customer Data, including Sensitive Data, by:
(i) selecting, purchasing, and properly configuring appropriate Services;
(ii) implementing adequate controls to maintain appropriate security, protection, and deletion of Customer Personal Data (which shall include encryption and logical access measures);
(iii) ensuring that Aegisys is not provided with any access to Customer Data, except as otherwise explicitly set out in the Agreement; and
(iv) using the data integrity controls to allow Customer to restore the availability of Customer Personal Data in a timely manner (which shall include routine backups and archiving of Customer Personal Data in an environment separate from the Customer Configuration).
Customer Data is, and at all times shall remain, Customer’s exclusive property. Aegisys will only back up data to the extent stated on a Service Order, and Aegisys will not use or disclose Customer Data except as materially required to perform the Services or as required by law.
(B) Unless otherwise specified in the Service Order, the Services enable Customer to retrieve, correct, and delete Customer Data. Customer’s access to the Customer Configuration or Customer Data may be restricted during a suspension or following termination of the Services or the Agreement. Customer is responsible for retrieving a copy of Customer Data prior to the termination of the Agreement. Aegisys may delete Customer Data at any time following Agreement termination.
(C) Customer will cooperate with the investigation and resolution of outages and security incidents. Aegisys is not responsible to Customer or any third party for unauthorized access to Customer Data or for unauthorized use of the Services that is not solely caused by Aegisys’s failure to meet its security obligations under the Agreement.
Aegisys URL: SECURITY AND PRIVACY PRACTICES – Aegisys Cloud Solutions
Revised 02/13/2021 SAPP:2145