Security Measures for Bonterms Platform

Effective as of April 11, 2024.

1. Governance and Risk Management

1.1. Board Oversight

Annual briefings to and oversight by Bonterms’ board of directors on cybersecurity and privacy risk.

1.2. Risk Management Program

A documented risk management program designed to identify potential threats, assess risks, and implement mitigation strategies.

2. Security Controls

2.1. Asset Management

Procedures for disposal of electronic media containing Customer Data that are designed to effectuate permanent removal from storage devices.

Formal data retention and disposal procedures that outline the retention periods for Customer Data and the appropriate disposal methods.

2.2. Configuration Management

Configuration management procedures designed to achieve consistent deployment of system configurations throughout our environment and accurate system configurations through the use of configuration baselines and version control mechanisms.

2.3. Change Management

Change management procedures that require changes to be authorized, documented, tested, reviewed, and approved prior to implementation, and that require proper segregation of duties and multiple levels of approval.

Access controls restricting access to production environments to authorized personnel.

2.4. Access Controls

Access controls designed to grant access on a need-to-know basis, following the principle of least privilege, and manage access through a centralized identity and access management (IAM) system, which allows for granular control and monitoring of user permissions.

Authentication mechanisms, such as multi-factor authentication (MFA), designed to enhance the security of user accounts, and logging and auditing of user activities and access attempts for any unauthorized access or suspicious behavior.

2.5. Physical Access Controls

Access control measures, including the use of biometric authentication, access cards, and security personnel, to restrict access to data centers to authorized individuals.

Access control measures, including access cards and security personnel, to restrict access to Bonterms offices to authorized personnel.

2.6. Network Security

Security measures designed to protect against unauthorized access and external threats, including firewalls and intrusion detection and prevention systems (IDPS) deployed to monitor and filter network traffic, identifying and mitigating potential security incidents.

Periodic vulnerability assessments and penetration testing designed to identify and address any weaknesses in Bonterms’ network infrastructure.

2.7. Security Monitoring and Incident Response

Security monitoring tools and technologies designed to detect and respond to security incidents.

Continuous monitoring of system logs, network traffic, and user activities for any suspicious behavior or potential threats.

Documented incident response plan specifying containment, investigation, and recovery procedures.

2.8. Secure Software Development

Secure coding practices and security assessments performed throughout the software development lifecycle.

Testing and quality assurance processes designed to assess the reliability and security of our software products, including code reviews, static analysis, and secure configuration management.

2.9. Data Backup and Disaster Recovery

Data backup and disaster recovery strategies, including storage of backups in off-site locations and periodic testing of recovery procedures.

Redundant systems and geographically distributed infrastructure designed to minimize the risk of data loss and minimize service interruption.

3. Human Resources Security

3.1. Employee Conduct

A code of conduct applicable to Bonterms personnel, which includes provisions related to information security and data protection.

Background checks on new Bonterms employees to verify their credentials and assess their trustworthiness for handling sensitive information.

3.2. Confidentiality

Confidentiality agreements signed by Bonterms personnel that require confidential treatment of Customer Data, highlight the importance of protecting company and Customer Data, and outline the consequences of unauthorized disclosure or misuse.

Security awareness training for Bonterms employees to educate them about potential risks and best practices for data protection.

4. Third-Party Security

Vendor risk management procedures applicable to third-party providers requiring access to Customer Data, which include risk assessment, contracting requirements, and incident response and communication protocols to effectively manage security incidents involving third-party providers.

5. Continuous Improvement

Periodic review of and updates to our security policies and procedures that consider changes to industry standards and the threat landscape.