Orange County NC Website
Browse       Search
<br />Submittable Customer Terms of Service <br />v1.4 <br /> Page 20 of 28 <br />Appendix 2 <br />Security Measures <br /> <br />1. ORGANIZATIONAL MEASURES. <br />1.1. Submittable has appointed one or more security officers responsible for coordinating and monitoring the <br />security rules and procedures. <br />1.2. Submittable personnel with access to Personal Information are subject to confidentiality obligations. <br />1.3. Submittable has performed a risk assessment before Processing Personal Information. <br />1.4. Submittable has implemented and will maintain an information security program that establishes roles and <br />responsibilities for information security, and supports the confidentiality, integr ity, and availability of <br />information systems operated by Submittable and its Subcontractors. <br />1.5. Submittable has implemented and will maintain information security policies that define requirements for <br />acceptable use, access control, application, and system development, passwords, remote access, <br />information classification, operational security, workstation security, network security, media handling and <br />disposal, mobile computing, and physical security. <br />1.6. Submittable has implemented and will maintain a governance framework with supporting risk management <br />policies that enables risk identification, analysis, and mitigation. <br />1.7. Submittable conducts data security training upon hiring and annually for all employees. <br />2. PHYSICAL ACCESS CONTROLS <br />2.1. Entries for secure areas are controlled by security personnel, identification badges, and/or electronic key <br />cards. <br />2.2. All physical access is logged. <br />2.3. Physical access logs are reviewed quarterly for unusual activity. <br />3. SYSTEM ACCESS CONTROLS. <br />3.1. System access is based on the principle of least privilege, i.e., Submittable restricts access to Personal <br />Information to only those individuals who require such access to perform their job function. <br />3.2. System access is revoked immediately upon employment termination or other change resulting in an <br />individual no longer needing such access. <br />3.3. Management conducts quarterly review of accounts, system access, and permission levels. <br />4. DATA ACCESS CONTROLS <br />4.1. Data access is based on the principle of least privilege, i.e., Submittable restricts access to Personal <br />Information to only those individuals who require such access to perform their job function. <br />4.2. Data access, including access to Personal Information, is revoked immediately upon employment <br />termination or other change resulting in an individual no longer needing such access. <br />4.3. Management reviews access to Personal Information, on a monthly basis. <br />4.4. Submittable uses industry standard practices to identify and authenticate users who attempt to access <br />information systems. <br />4.5. Submittable employees may not store Personal Information on a personally owned device. <br />4.6. Submittable classifies Personal Information to allow for appropriate access restrictions. <br />4.7. Submittable has implemented an anti-virus solution that shall be kept up to date to protect against viruses <br />and other malicious code. <br />4.8. Submittable maintains a policy for recording Security Breaches where such records include a description <br />of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the <br />breach was reported, and the procedure for recovering data. <br />5. TRANSMISSION CONTROLS <br />DocuSign Envelope ID: 367666E5-0A49-40C9-BFB5-74D495BAB8F1