Stoneridge Software Security Policy

Security is of upmost importance to Stoneridge Software. Stoneridge Software shall implement and maintain data security practices for the security of the Client’s Data, i.e., its availability, authenticity, integrity, and confidentiality in accordance with industry standards.Enter text

Data Security

Stoneridge Software shall regularly, and at least once a year, monitor and assess Stoneridge Software’s technical and organizational security measures to ensure adequate data security controls are in place. Controls include but are not limited to:

 • Data information labels for all documents stored within Stoneridge Software’s infrastructure.
• Encryption of Client Data at rest and in transit using industry-standard protocols.
• Regular backups of Client Data to ensure data integrity and availability where applicable.
• Access controls to restrict Client Data access to authorized personnel only.
• Data anonymization and pseudonymization, where applicable.

Physical Security

Technical and organizational measures to control access to premises and facilities will be in place for Stoneridge Software facilities. Controls aim to protect technology infrastructure from environmental hazards and unauthorized access, and otherwise aim to prevent unauthorized individuals from gaining physical access to premises, buildings, or rooms where systems that data is processed and stored. Controls shall include:

 • Controlled access to server and network infrastructure with surveillance systems to verify logs.
• Fob-based access systems to prevent unauthorized entry to office spaces, and additional role-based fob-based access for secure areas such as IT equipment rooms.
• Environmental controls such as fire suppression, climate control, and power backup systems. 

Network Security

To protect Client Data from unauthorized access and cyber threats, Stoneridge Software will implement comprehensive network security measures at all Stoneridge Software office locations, including:

 • Firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious activities.
• Secure VPNs and encrypted communication channels for remote access.
• Regular security audits and network penetration testing.
• Incident response plan to promptly address and mitigate any security breaches. 

Access Controls

Stoneridge Software will establish access controls to protect Client’s Data and systems, including:

 • Role-based access control (RBAC) to ensure that employees have access only to the data necessary for their job functions.
• Multi-factor authentication (MFA) for accessing sensitive systems and data.
• Regular review and update of access permissions.
• Immediate revocation of access upon employee termination or role change. 

Vulnerability and Patch Management

Stoneridge Software will proactively manage vulnerabilities and apply patches to maintain the security of Client systems. This includes:

 • Regular vulnerability assessments and scanning of systems and applications.
• Timely application of security patches and updates.
• Monitoring of security advisories and threat intelligence sources.
• Documentation and tracking of vulnerabilities and remediation efforts. 

Employee Training and Awareness

Security related trainings are an annual requirement for Stoneridge Software employees. Topics included will include but are not limited to phishing, social engineering, and data protection.

Client Responsibilities

Client retains full control over the management of logical access rights to its systems, even when it has entrusted to Stoneridge Software with the operation of its systems. Client’s responsibilities shall include:

 • Define, maintain, and monitor access rights to its systems, including setting permissions and determining which employees and third parties can access specific information or features.
• Actively monitor Client systems for suspicious activity and promptly report any potential security incidents to Stoneridge Software.
• Implement security measures to restrict unauthorized access to Client systems that Stoneridge Software has been engaged to manage.
• Conduct regular, but no less than once annually, security awareness trainings for all employees
• Provide Stoneridge Software with written instructions regarding access to Client’s system.  

Data Breach

A “Data Breach” is defined as any unauthorized access to Client’s Data, regarding in the compromise of the integrity, availability, or confidentiality of Client’s Data. In the event of a Data Breach, Stoneridge Software shall notify Client without undue delay. Such notification shall include, to the extent know at the time of disclosure: (i) the nature of the Data Breach; (ii) the types of Client Data impacted by the breach; (iii) and remediation efforts taken by Stoneridge Software.

Upon such Data Breach, Stoneridge Software shall use commercially reasonable efforts to remedy the Data Breach at Stoneridge Software’s cost and expense.  

Incident Response and Notification

• Incident Response Plan: Stoneridge Software shall maintain a documented incident response plan that outlines procedures for identifying, responding to, and recovering from security incidents.
• Remediation: Stoneridge Software shall take prompt action to remediate any vulnerabilities that led to the Data Breach. 

Security Assessment and Audits

Stoneridge Software shall work with an external third party to conduct regular security assessments to ensure compliance with security standards. The following activities will be completed annually:

 • Security assessment
• External systems penetration test
• Vulnerability scanning 

Audit

Upon written request, Stoneridge Software shall make available to Client the latest third-party security report (“Report”) regarding Stoneridge Software’s security practices in order for Client to verify compliance with this Appendix. If Client cannot reasonably determine Stoneridge Software’s compliance based on the Report, Client may, at Client’s expense, conduct an audit or authorize a third party to conduct an audit to verify Stoneridge Software’s compliance with this Appendix; provided that any third party authorized by Client is not a competitor of Stoneridge Software and signs a confidentiality agreement at least as restrictive as the Agreement. Such audit may only occur once per year, upon 60 days prior written notice to Stoneridge Software, and occur during normal business hours with minimal business disruption. For avoidance of doubt, Reports are considered Stoneridge Software’s confidential information.