MASTERCONTROL - SECURITY MEASURES

LAST UPDATED: April 20, 2022

SECURITY ADDENDUM

This Security Addendum is incorporated into and made a part of the written agreement between MasterControl and Customer that references this document (this “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.

1. PURPOSE

This Security Addendum describes MasterControl's security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats shift and evolve, MasterControl continues to update its security program and strategy to help protect Customer Data and the Services. As such, MasterControl reserves the right to update this Security Addendum from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Addendum.

2. SECURITY ORGANIZATION AND PROGRAM

MasterControl maintains a risk-based assessment security program. The framework for MasterControl's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. MasterControl's security program is intended to be appropriate to the nature of the Services and the size and complexity of MasterControl's business operations. MasterControl has internal teams that manage MasterControl's security program. These teams facilitate and support independent audits and assessments performed by third parties. MasterControl's security framework is based on the ISO 27001 (information security management system) and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response.

3. CONFIDENTIALITY

MasterControl has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All MasterControl employees and contract personnel are bound by MasterControl's internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.

4. PEOPLE SECURITY

4.1 Employee Background Checks

MasterControl performs background checks on all new employees at the time of hire in accordance with applicable local laws. MasterControl verifies a new employee's previous employment and performs reference checks. Where permitted by applicable law, MasterControl may also conduct criminal, credit, immigration, credit, drug screening, and security checks depending on the nature and scope of a new employee's role.

4.2 Employee Training

All MasterControl employees must regularly complete a security training which covers MasterControl's security policies and security best practices. MasterControl's dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees.

5. THIRD PARTY VENDOR MANAGEMENT

5.1 Vendor Assessment

MasterControl may use third party vendors to provide the Services. MasterControl carries out assessments of prospective vendors before working with them to validate that they meet applicable security requirements. MasterControl ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors or third-party vendors of MasterControl.

5.2 Vendor Agreements

MasterControl enters into written agreements with its key vendors, which include confidentiality, privacy and, security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.

6. SECURITY CERTIFICATIONS AND COMPLIANCE

MasterControl holds the following security-related certifications:
Certification:

• ISO 27001:2013
• ISO 27017:2015
• ISO 9001:2015

Additionally, when used and configured correctly, MasterControl software is compliant with 21 CFR Part 11 and with EU Annex 11

7. ARCHITECTURE

7.1 Delivery Methods

MasterControl offers its product through the following alternative delivery methods: (i) Cloud, where MasterControl's product is hosted by MasterControl through AWS, and (ii) On-premise, where the product runs on the customer's own internal IT infrastructure.

7.2 Cloud Services

The cloud communication platform for the MasterControl's cloud-based Services is hosted by Amazon Web Services (“AWS”). The AWS data center infrastructure used in providing the MasterControl Services are located in North America (United States, Canada), Europe (Germany), and the Asia-Pacific region (Japan, Singapore, Australia, India). AWS data centers are ISO 27001 and 27017 certified and use Statement of Standards for Attestation of Controls (SSAE) 16/Service Organization Controls (SOC)1 Type II reports. Additional information about security provided by AWS is available at https://aws.amazon.com/security and https://aws.amazon.com/whitepapers/overview-of-security-processes.

Each customer receives a dedicated instance of MasterControl that is specifically assigned to the customer; each customer also has their own database, electronic file path, and associated service accounts and permissions, fully isolating customers from one another. MasterControl operates in a single-tenant model with a shared back-end infrastructure, data isolation, and associated controls.

7.3 File Storage

MasterControl uses S3 (Amazon Simple Storage Service) buckets for file storage. S3 buckets, which are similar to file folders, store data and its descriptive metadata. Each customer has a dedicated S3 bucket.

7.4 Data Segregation

MasterControl uses a single-tenant infrastructure with dedicated instances for each customer. Data is segregated into unique repositories that are controlled by customer-assigned access rights. These are also combined with dedicated database instances specific to each customer.

8. DATA SECURITY

MasterControl ensures data security by using the industry-standard data encryption technology called Transport Layer Security (TLS). TLS provides a high degree of data protection by encrypting all data. To encrypt data in transit, TLS uses a symmetric-key algorithm that generates unique keys set up for each connection — not each customer site. The identity is verified using public-key cryptography for the server. To ensure data integrity, TLS checks each message using a message authentication code to prevent tampering and data loss.

9. ENCRYPTION

9.1 Data at rest:

To protect data at rest, MasterControl uses an advanced encryption standard (AES) technique for its TLS digital certificates. Customer data is stored and encrypted using AES 256-bit encryption.

9.2 Data in transit:

MasterControl uses an industry-leading, external certificate authority for its TLS digital certificates with 2048-bit keys and secure hash algorithm (SHA)-256 signatures and enforces a minimum of 128-bit symmetric key encryption.

9.3 Data in use:

MasterControl tightly controls data in the database and the file system — no data is cached on your system. We also secure this data with authentication and controls that are implemented with our Okta integration.

10. SECURITY

10.1 Change management

Changes to IT facilities and systems are managed using a documented change control process that requires approval before releasing the changes to production servers.

10.2 Vulnerability Management and Penetration Testing

Systems undergo periodic vulnerability and penetration testing in two ways: (i) Industry-recognized third-party security specialists who use multiple overlapping enterprise security solutions to swiftly handle any vulnerabilities; and (ii) Internal experts using additional vulnerability and penetration testing.

10.3 Third-party service delivery management

Where feasible, security requirements, ongoing monitoring, and change management clauses are in place for MasterControl service level commitments. MasterControl's internal quality team audits third-party suppliers per MasterControl's Supplier Management procedure.

10.4 Monitoring

Application, database, and system monitoring are in place. Personnel responsible for monitoring are notified when alerts are triggered. Logs are secured for only authorized personnel to access. Performance monitoring is employed at all locations throughout the world.

10.5 Database Security

MasterControl encrypts database data-at-rest at multiple levels. We encrypt all database data. Transparent data encryption (TDE), which is similar to encrypting data at rest, is enabled on each customer's database. We also add an extra layer of encryption at the application level. AWS monitors the data centers using their global Security Operations Centers, which are responsible for monitoring, triaging, and executing security programs. They provide 24/7 international support by managing and monitoring data center access activities, equipping local teams and other support teams to respond to security incidents by triaging, consulting, analyzing, and dispatching responses.

11. SOFTWARE SECURITY

MasterControl performs automated and manual code reviews, and developers are trained on secure software development principles. MasterControl also procures software from other software vendors with software licensing agreements that ensure prompt security patches and updates. MasterControl tests security measures throughout the following software development life cycle phases to ensure system protection:

11.1 Design phase:

Automated and manual security control requirements are analyzed and documented. This includes assessment of data risk and resulting encryption requirements.

11.2 Coding phase:

Practices of secure coding are defined and reviewed, and access to source code and test data is controlled. Secure coding practices include session management security, as well as the prevention of Open Web Application Security Project (OWASP) Top 10 software vulnerabilities, including malformed XML or HTTP requests, XSS, CSRF, and SQL injection. Automated and manual code reviews are also performed in this phase.

11.3 Testing phase:

Application software is tested for security vulnerabilities during the testing phase using static and dynamic code analysis tools. Vulnerabilities are documented and a remediation plan is developed. Also, the vulnerabilities are monitored to ensure each is addressed appropriately. A complete application penetration testing is conducted for each major release.

12. APPLICATION VULNERABILITY ASSESSMENTS

MasterControl follows industry best practices for application vulnerability assessments, these include guidelines outlined by OWASP to identify and defend against any vulnerability. MasterControl conducts periodic vulnerability assessments on its production systems and tests contemporary attack vectors using automated and manual methods like threat modelling, vulnerability classification, and automated scanning to find potential SQL, AD, XPATH, or JQUERY injection paths and prevent against distributed denial of service (DDoS) attacks. Vulnerability testing examples include spoofing of user identity, tampering, repudiation, information disclosure, denial of service, and elevation of privileges.

13. USER CREDENTIALS AND ACCESS MANAGEMENT

13.1 Password Management and Login Policies. MasterControl enables strict user authentication and permission enforcement at every access point, ensuring that only users with the proper credentials can access data. MasterControl provides configurable password policies for length, complexity (alphanumeric), expiration and lockouts, intruder alerts, forgotten password helps, etc.

13.2 User Authentication and Single Sign-on (SSO)

User accounts are set up and maintained by customer administrators. MasterControl supports user authentications directly in the application as well as via integration with Active Directory (AD) servers or Security Assertion Markup Language (SAML) 2.0 providers. Most customers use a combination of direct authentication (local) and AD or SAML.

13.3 Audit Trails

MasterControl automatically logs document and user activity. Audit logs provide the administrator visibility into system activity and are a component of compliance with electronic records and electronic signature regulations. The logs contain detailed information such as date and time stamp, username, and the event.