Archipelago

Data Security

This Exhibit B describes Archipelago’s security principles and architecture with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms in this attachment shall have the meaning assigned to them in the Agreement unless otherwise defined herein.

1. Principles.

Archipelago emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.  

2. Security Program.
Archipelago maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting periodic risk assessments of all systems and networks that process Customer Data on at least an annual basis; (c) monitoring for security incidents and maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities; and (d) maintaining a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data.

3. Data Centers.
Archipelago uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.

4. Access, Controls, and Policies.
Access to manage Archipelago’s AWS environment requires multi-factor authentication, SSH access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Archipelago employees. All employees with access to Customer Data have passed background checks. AWS networking features such as security groups are leveraged to restrict access to AWS instances and resources and are configured to restrict access using the principle of least privilege. Employees are trained on documented information security and privacy procedures. Access to Archipelago systems is promptly revoked upon termination of employment.

5. Vendor Management.
Archipelago takes reasonable steps to select and retain only third-party service providers that will maintain and implement the security measures consistent with the measures stated in this attachment. Before software is implemented or a software vendor can be used at Archipelago, Archipelago IT carefully reviews the vendor’s security protocols, data retention policies, privacy policies, and security track record. IT may reject use of any software or software vendor for failure to demonstrate the ability to sufficiently protect Archipelago’s data and Users. 

6. Security Incident Response.
Archipelago maintains an incident response plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to, proprietary data or personal data transmitted, stored, or otherwise processed by Archipelago.

7. Antivirus and Security Scans.
Anti-virus or anti-malware applications have been installed to detect or prevent unauthorized or malicious software. Archipelago runs security scans on a regular basis. For virus monitoring, Archipelago automatically or manually updates most software it runs and outsources to Amazon when logical and possible. Archipelago maintains a vulnerability scanning process for production systems. The scope of vulnerability scans includes both external and internal systems in the production environment. Archipelago’s Security team performs vulnerability scans at least quarterly and determines a severity rating for each vulnerability based on the assessment tools' criteria such that high or higher-level ranked vulnerabilities require remediation. Vulnerability scans are also run after any significant change to the production environment as determined by the Archipelago security team.

8. Encryption.
Customer Data remains encrypted at rest, and the connection to platform.onrchipelago.com is encrypted with 256-bit encryption and supports TLS 1.2. Logins and sensitive data transfer are performed over encrypted protocols such as TLS or SSH.

9. Backup and Restoration.
Archipelago takes daily snapshots of its databases and securely copies them to a private S3 bucket. Backups are encrypted and have the same protection in place as production. Additionally, a warm standby database is maintained in a separate availability zone should the primary database or zone fail.

10. Change Management.
Archipelago has established a change management policy to ensure changes meet Archipelago's security, confidentiality, and availability requirements. Management reviews and approves the policy annually. Any change to production or IT configuration with unknown or foreseeable security consequences must be reviewed by the relevant teams holding the area of responsibility (“AoR”) prior to deployment.

Archipelago reserves the right to update this Exhibit from time to time and modify its security practices, provided that such update or modification will not materially and adversely diminish the overall security of the Service during the Subscription Term.