ASCENDO.AI PRIVACY AND SECURITY STANDARDS
Security Policies
Last Updated : May 17, 2023
1. Purpose
Ascendo.ai relies on the integrity and accuracy of its data in order to deliver Ascendo prediction SaaS services. It is therefore paramount that the confidentiality, integrity and availability of customer data are ensured. All employees and approved subcontractors of Ascendo that process or manage Ascendo (and customer) Information must adhere to these requirements to ensure that Ascendo.ai maintains the trust of all relevant stakeholders and remains in compliance with relevant legal and regulatory requirements.
2. Scope
The scope of this document covers how Ascendo processes, accesses, transmits, or stores customer information. This includes, but is not limited to:
- Employees involved in the design, development, operation, and hosting of information systems.
- All staff, including contractors and third parties employed directly or indirectly by Ascendo (i.e., subcontractors).
Where services are provided by Ascendo's sub-vendors (4th, 5th or 6th party vendors), Ascendo.ai is fully liable and responsible for all subcontractors' adherence to these privacy and security standards.
3. Access Control
3.1 Access control program, applicable where Ascendo maintains access to Customer data
a. Ascendo manages access to internal and external applications via security groups.
b. Ascendo allocates system privileges and permissions to users and groups using the principle of least privilege.
c. Ascendo assigns application and data rights based on user groups and roles, and grants access to information based on job function (i.e., role-based security).
3.2 Entitlement reviews
a. Ascendo requires approval to add, change, or delete users on its networks and systems that process, transmit, or store customer information.
b. Ascendo implements role-based security to ensure access to the application is restricted based on defined functional roles.
c. Ascendo promptly removes application, platform and network access for terminated users upon notification of termination.
d. Ascendo promptly updates user access rights based on changes in job responsibilities.
e. Ascendo reviews access privileges to systems and corporate networks, including administrative access privileges, at a minimum on a bi-annual basis.
f. Ascendo uses separate administrative accounts to perform privileged functions and the accounts are restricted to individuals who are authorized.
3.3 Remote access
a. Ascendo shall not allow remote access into Ascendo's network to perform work for or on behalf of customers, except by support resources for system administration and production system support work.
b. In the case of remote access for IT support resources, traffic with the remote device will be encrypted (i.e., VPN) and the remote user must utilize multi-factor authentication.
4. Change Management
a. Ascendo follows documented change management policies for requesting, testing, and approving application, infrastructure, and product-related changes.
b. Changes undergo various levels of review and testing including security and code reviews, regression, and acceptance testing prior to approval for implementation.
c. Following the successful completion of testing, Ascendo ensures that appropriate managers approve changes prior to implementation in a production environment.
5. Software Development Life Cycle
a. Ascendo's Software Development Life Cycle (SDLC) methodology governs the acquisition, development, configuration, maintenance, modification and management of infrastructure and software components. The SDLC methodology is consistent with the defined security, availability, and confidentiality policies of Ascendo.
b. System source/object code must be protected from unauthorized access. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
c. Ascendo ensures that customer Information on the hosted environment is segregated from other customer data by appropriate physical, technical and/or logical means.
d. Application development environments must be segregated from the production environment. Usage of production data in non-production (lower) environments is prohibited. Usage of production data in lower environments for the purpose of development or testing requires approval from the Ascendo CTO and is treated as an exception. Logical access controls for the two environments ensure that only authorized individuals move code to production.
6. Maintenance
Ascendo’s maintenance windows are scheduled and communicated to customers in advance. In the event of a service interruption, Ascendo notifies customers describing the affected services. If additional maintenance is needed, Ascendo notifies customers in advance of scheduled maintenance occurring outside of the scheduled window. Ascendo communicates upgrades, new releases, and minimum release version requirements to customers.
7. Data Management & Security
7.1 Data Ownership
Notwithstanding anything herein to the contrary, Ascendo acknowledges that each customer is the exclusive owner of all right, title, and interest in and to any and all of the customer specific data. The foregoing includes, without limitation, all patent, copyright, trademark, trade secrets, and all other proprietary, licensing and privacy rights in and to their respective Customer Data. Notwithstanding anything to the contrary, Ascendo shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Ascendo will be free to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein. Ascendo hereby waives any and all statutory and common law liens it may now or hereafter have with respect to Customer data.
7.2 Limitations on use
Ascendo will access, use and disclose Confidential Information only when it is necessary to perform the customer’s obligations under a Purchasing Agreement. Ascendo will not disclose Confidential Information other than to Ascendo personnel and any other sub-contractors who:
a. Need such access to assist Ascendo in the performance of a Purchasing Agreement.
b. Have agreed in writing to be bound by a duty of confidentiality no less protective to the Confidential Information than the Term set forth in the respective Customer Agreement.
7.3 Applicable Laws
In addition to any obligation that Ascendo may have under a Purchasing Agreement, Ascendo will comply with all applicable privacy and data protection laws, rules, and regulations in any jurisdiction where the Products and/or Services may be provided regarding Confidential Information to which it is subject including, without limitation:
a. State security breach notification laws.
b. Laws regarding the protection of Social Security numbers.
c. Laws imposing minimum security requirements.
d. Laws requiring the secure disposal of records containing certain personal data.
e. All other applicable federal, state, and local requirements.
f. Electronic storage industry standards concerning privacy, data protection, confidentiality or information security.
7.4 End of Term Handling
Upon termination or expiration of the agreement or upon the customer's written request, Ascendo will return to the customer all copies of the customer's information in Ascendo's possession or within its control within 30 (thirty) days. Ascendo shall maintain procedures for the removal of customer Information from electronic media before the media are made available for re-use. Alternatively, with the customer's prior written consent, Ascendo may destroy such customer information; provided that the customer information is:
a. Destroyed in accordance with applicable laws, rules or regulations.
b. Sanitized via the use of industry accepted standards (clear, purge, destroy).
c. Rendered unreadable, undecipherable and otherwise incapable of reconstruction.
d. Backup copies are purged/removed by following an established process for data backups.
7.5 Data Encryption
a. Ascendo will encrypt data at rest and in transit using industry standard encryption techniques for
b. Ascendo will also use standard encryption techniques for data backups.
c. Any systems which maintain, transmit, or store customer data shall be encrypted.
7.6 Data Storage
Ascendo stores data solely on its target servers and not on any laptop or portable device (unless there is explicit written permission from the customer). Ascendo uses Amazon AWS and Google GCP as its preferred cloud service providers.
7.7 Information Security Program
a. Ascendo maintains a written Information Security program that complies with applicable global industry-recognized security frameworks.
b. Ascendo has internal policies, standards, and operating procedures related to security, availability, and confidentiality that are available to personnel. Ascendo reviews, updates and approves security policies and procedures at least annually to maintain their continuing relevancy and accuracy. Ascendo’s personnel Privacy Policy describes confidentiality and privacy commitments to our customers and is available on the Ascendo website.
c. Ascendo's CTO acts as the Chief Information Security Officer and the Governance, Risk and Compliance officer. He/she is responsible for developing, maintaining, reviewing, and approving Ascendo's security, availability, and confidentiality standards and policies.
d. Ascendo shall monitor, evaluate and adjust, as appropriate, its Information Security program in light of any relevant changes in technology or industry standards, the sensitivity of customer Information, internal or external threats to Ascendo or the customer, requirements of applicable work orders, and the customer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to information systems.
e. Ascendo conducts periodic security awareness campaigns to educate employees on their responsibilities for creating and maintaining a secure workplace.
7.8 Risk Management
Ascendo has a formal cyber security risk assessment and management process that includes mitigation of any identified findings.
8. Incident Response & Notification
a. Ascendo shall contact customers upon the occurrence of any Security Incident.
b. Ascendo shall promptly notify customers of any vulnerability discovered through internal monitoring or testing that impacts its security safeguards or Services provided to the customer (each, an “Impact”). Impact means any reported security incident that materially exposes customer’s data to unauthorized usage and that will not be remediated, and/or for which a compensating control will not be in place, within ninety (90) days of the discovery of the Impact.
c. Ascendo shall promptly develop and implement an appropriate action plan to address and resolve any Impact, vulnerabilities, and/or recommendations identified during such an event. Ascendo, at its own expense, shall undertake remedial action to the extent necessary to comply with Ascendo’s obligations under the respective customer agreement.
d. Ascendo shall maintain a documented and tested incident-handling program, and ensure that all Security Incidents are handled according to Ascendo's incident handling program.
e. Ascendo shall use reasonable efforts to notify customer representatives within thirty (30) minutes after becoming aware of any Incident or suspected or actual data security breach. This includes a security breach of Ascendo's systems used to conduct or process its Services or to store customer confidential information. Such security breaches include, without limitation, third party incursions that could in any way result in unauthorized access to any customer confidential information.
f. Ascendo shall not notify law enforcement or federal or state regulatory authorities of any such security breach without prior notice to customers unless otherwise required by applicable law. In the event that Ascendo notifies customers of a suspected or actual security breach, Ascendo shall, if requested by respective affected customer, grant access to customer representatives or a qualified third party agreed to by customer and Ascendo to Ascendo’s systems and premises to allow such representatives or third party to perform an investigation (including the installation of any monitoring or diagnostic software) deemed necessary by customer to locate the source of such security breach. Each party shall act reasonably and in good faith in the selection of such third party.
g. Ascendo shall, and shall cause its Representatives to, provide the affected customer with the following information concerning any suspected or actual security breach by or involving any person or in any systems, processes, hardware or software used to store, transmit or otherwise affect confidential information:
i. The date of the security breach.
ii. Details concerning the data compromised (e.g., strategic financial information, or customer names and addresses).
iii. The method of the security breach.
iv. Appropriate Ascendo security personnel contacts and security personnel contacts of its Representatives.
v. The name of any person and or law enforcement agency assisting Ascendo with the investigation of the suspected or actual data security breach.
vi. A list of all parties known to have gained unauthorized access to the affected customer confidential information for the limited purpose of assessing customer’s exposure.
vii. Any other information which affected customer reasonably requests from Ascendo and/or its Representatives concerning such suspected or actual data security breach, including without limitation any forensics report(s).
Ascendo shall provide the information listed in (i)-(vii) as soon as is reasonably practicable and in any event, shall provide the information listed in (i)-(vi) to the affected customer within twelve (12) hours of Ascendo’s initial notification of the actual or suspected security breach. Ascendo and/or its Representatives must provide the affected customer with copies of any reports concerning the security breach as soon as practicable. Ascendo and/or its Representatives agree not to issue any press release or other public announcement concerning the suspected or actual data security breach without the prior approval of the affected customers.
h. Ascendo shall cooperate with the affected customers to ensure that appropriate security measures and procedures are implemented by a mutually agreeable deadline and using a mutually agreeable approach if customer notifies Ascendo that customer believes that Ascendo’s or any of its Representatives’ security procedures in connection with the Services are inadequate or do not comply with the security requirements. Ascendo shall immediately take appropriate steps to ensure that any actual data security breach does not continue. With respect to matters under this section, Ascendo and customer agree that they shall act reasonably and in good faith and shall not unreasonably withhold, delay or condition their consent or cooperation.
i. Any fraud or security incident can be sent to Ascendo through ascendoinfosec@ascendo.ai. Note that this email should be used only for the purpose of noting the security and fraud incidents and in no situation should be used for any other purposes such as spam or marketing.
9. Password Management & Authentication Controls
a. Authorized users must identify and authenticate to Ascendo's network, applications, and platforms using their unique user ID and password.
i. Use of shared accounts to enable interactive access to the application and/or data by multiple users is prohibited.
ii. Accounts must be locked after 60 minutes of inactivity (i.e., idle session).
iii. Disabled accounts must be removed or secured within 90 days of being disabled (if a disabled account cannot be deleted, all associated permissions must be removed).
iv. Accounts can use multifactor authentication to log in to Ascendo's network.
b. Password complexity.
i. Passwords must be at least 8 (eight) characters in length.
ii. Passwords must contain at least one character from each of the following classes: upper case, lower case, numeric, and special character. (Note: if multi-factor authentication (MFA) is used, a combination of three of the above classes is acceptable.)
iii. Passwords must be masked during authentication.
iv. Passwords must be set to expire within 120 days or less.
v. Password history must restrict use of previous 4 (four) password iterations.
vi. All passwords must be secured while stored or transmitted (encrypted / hashed).
vii. Passwords must not be saved for the intent of bypassing future log on (i.e., save password check box).
viii. Communication of initial password must be in a secure manner.
ix. Default passwords for accounts must be changed prior to use (e.g., Ascendo supplied, application, database, etc.).
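As an added illustration (not Ascendo's own code), the following Python checks a candidate password against the Section 9.b rules: minimum length, character classes (three classes when MFA is in use), the 120-day expiry and the four-password history. The salted PBKDF2 hashing and its iteration count are assumptions for demonstrating 9.b.vi; the policy does not prescribe an algorithm.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta

# Parameters taken from Section 9.b of the policy.
MIN_LENGTH = 8          # 9.b.i
MAX_AGE_DAYS = 120      # 9.b.iv
HISTORY_DEPTH = 4       # 9.b.v
CLASSES = {             # 9.b.ii
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Assumed storage scheme for 9.b.vi: salted PBKDF2-HMAC-SHA256, never plaintext.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_complexity(password: str, mfa_enabled: bool = False) -> list[str]:
    """Return the Section 9.b rules the candidate violates (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (9.b.i)")
    present = sum(1 for rx in CLASSES.values() if rx.search(password))
    required = 3 if mfa_enabled else 4   # MFA relaxes 9.b.ii to three classes
    if present < required:
        problems.append(f"only {present} of {required} required character classes (9.b.ii)")
    return problems


def in_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes (9.b.v)."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def password_expired(set_on: date, today: date) -> bool:
    """True once the password has reached MAX_AGE_DAYS of age (9.b.iv)."""
    return today - set_on >= timedelta(days=MAX_AGE_DAYS)


def validate_change(new_password: str, history: list[tuple[bytes, bytes]],
                    mfa_enabled: bool = False) -> list[str]:
    """Combine the complexity and history checks for a password change request."""
    problems = check_complexity(new_password, mfa_enabled)
    if in_history(new_password, history):
        problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords (9.b.v)")
    return problems
```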
10. Network Security & Monitoring
10.1 Intrusion Detection
a. Network perimeter defense solutions including an Intrusion Detection System and firewalls are in place to prevent malicious network activity. Security operations personnel monitor items detected and take appropriate action.
b. Firewall configurations and rules are reviewed at least annually. Significant changes to firewall rules follow the Change Management (Section 4) process and require approval by Ascendo’s Change Advisory Board led by CTO.
10.2 Patch Management
a. All laptops, desktops, servers (and any other hardware asset) owned by Ascendo must have up-to-date database and operating system security patches installed to protect the asset from known vulnerabilities.
b. Critical security patches must be applied within 72 hours. Non-critical security patches should be applied at least quarterly or more frequently. Ascendo should be made aware of any vulnerabilities that cannot be patched.
10.3 Threat and Vulnerability Management and Security Testing
a. Ascendo shall maintain a threat and vulnerability management program, which includes at a minimum regular vulnerability scans using industry recognized tools.
b. Ascendo shall perform vulnerability and threat assessment testing (VTA Testing) of Ascendo systems and facilities that are used to support customer engagements at least annually. VTA Testing shall determine if vulnerabilities exist within technology, including applications, systems, and networks which are used by Ascendo to provide Ascendo Products or Services hereunder. VTA Testing must adhere to the following:
i. Be based on industry-accepted penetration testing approaches.
ii. Include testing from inside and outside the network.
iii. Include testing to validate segmentation.
iv. Include network-layer, operating system, and application layer testing.
10.4 Logging and Monitoring
a. Ascendo will work with cloud service providers for real-time logging of security information from applications and databases, servers, firewalls, routers, and intrusion detection system devices. Logs contain details on the date, time, source, and type of events (actions performed, object or account affected, etc.). Ascendo’s admin team reviews key reports daily and follows up on events, as necessary.
b. Ascendo continuously monitors application, infrastructure, network, and data storage space and system performance on a 24X7 basis.
c. Ascendo has enabled system logging for end-user and administrator activity; these logs, including updates executed by privileged system users, are reviewed as necessary.
10.5 DMZ
a. When providing internet-based services and products to customers, Ascendo shall protect customer information by implementing a network DMZ. Web servers providing service to customers shall reside in the DMZ. Any system or information resource storing customer information (such as application and database servers) shall reside in a trusted internal network.
11. Next Gen Anti-Virus and Malware controls
Ascendo will use a system-centric approach on endpoint security that examines every process on every endpoint to algorithmically detect and block malicious tools, tactics, techniques and procedures upon which attackers rely. All Ascendo desktops and laptops have next gen anti-virus installed for virus and malware infections. Endpoint devices are scanned in real-time and a full system scan is performed weekly. Virus definition updates are pushed out to endpoint devices automatically from the anti-virus software central administration console as they become available.
12. Mobile and Portable Devices
Not applicable at this time.
13. Human Resources & Third-Party Security
a. New employees sign a confidentiality agreement and acknowledge security policies during the new employee onboarding process.
b. Background checks are run in accordance with relevant laws and regulations. The background checks are commensurate to an individual's job duties and include at minimum social security verification and a criminal history check.
c. Ascendo maintains a disciplinary process to take action against personnel who do not comply with company policies, including but not limited to those put in place to meet its security, availability and confidentiality commitments and requirements.
d. Ascendo management team assesses the risk associated with new vendors (i.e., sub-vendors and/or sub-contractors) prior to onboarding and has an ongoing risk management process for existing vendors.
e. Ascendo communicates security and confidentiality requirements and operational responsibilities to third parties (i.e., sub-vendors, 4th or 5th party, etc.) through contractual agreements.
14. Business Continuity
14.1 Business Continuity Management and Disaster Recovery
Ascendo has a business continuity plan and a disaster recovery plan in place to manage significant disruptions to its operations and infrastructure. Ascendo will be able to resume full performance of its contractual services within 72 hours.
a. Management reviews, updates and approves these plans annually.
b. Exercises are conducted to test the response to a specific incident on a regular basis.
14.2 Backup Procedures
Ascendo will provide the Products, Services, and/or Network (as applicable) in accordance with the following procedures to enhance security. Ascendo will:
a. Ensure that customer data is backed up on a daily basis and that backups are encrypted.
b. Store copies of customer data and data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.
c. Have specific procedures in place governing access to copies of customer data.
d. Review data recovery procedures at least annually.
15. Physical & Environmental Security
- Ascendo uses third party cloud service providers and as such physical access is controlled by Amazon and Google.
16. Standard of Conduct
Ascendo and any of its Representatives performing Services or providing Products on customer’s premises or accessing customer’s networks remotely shall comply with all of customer’s security, supervision and other standard procedures and policies as communicated to Ascendo and such Representatives.
Appendix A - Glossary
Critical Security Patch: A set of changes to a computer program to fix security vulnerabilities.
Finding: An issue related to an internal control review.
Risk: A potential situation where the system or data may be exposed to a cyber threat.
Security Breach: Any incident that results in unauthorized access to data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.
Security Event: A change in the everyday operations of a network or information technology service indicating that a security policy may have been violated or a security safeguard may have failed.
Security Incident: An event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed.
Vulnerability: A weakness which can be exploited by a Threat Actor, such as an attacker, to perform unauthorized actions within a computer system.