The goal of this document is to provide high-level information to our customers regarding Intellum’s commitment to security and data protection. Intellum is committed to achieving and maintaining the trust of our customers. Our goal is to be as transparent as possible with our customers in offering state-of-the-art security and protections to meet and exceed expectations in today’s modern computing world.
2. Policy Ownership
Security policy development, maintenance, and issuance is the responsibility of the Intellum Security Team. Intellum has a documented information security policy that all employees must read and acknowledge on an annual basis.
3. Intellum Infrastructure
Intellum customers may elect US or European hosting options. For US-hosted customers, Intellum hosts the Intellum Services with Amazon Web Services. For Europe-hosted customers, Intellum hosts the Intellum Services with Amazon Web Services in their Ireland region. Some Intellum Services may also be hosted in the US on Google Cloud Platform.
4. Third-Party Service Providers and Sub-processors
Intellum may engage third-party service providers to help deliver and support the Intellum Services (including infrastructure, security, support, and content delivery). Intellum evaluates providers for security and privacy risk appropriate to the service provided and the nature of the data involved. Where a provider may process Customer Data on Intellum’s behalf, Intellum contractually requires appropriate confidentiality, security, and data-protection obligations and limits access to what is necessary to perform the contracted services. A current list of Intellum’s sub-processors is available here: https://www.intellum.com/policies/intellum-sub-processors
5. Audits, Certifications, and Regulatory Compliance
Intellum maintains a SOC 2 Type II examination report, audited annually by an independent third-party firm. Intellum has also completed a third-party HIPAA attestation examination. Intellum is certified in compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as administered by the U.S. Department of Commerce. Intellum also enters into the EU Standard Contractual Clauses with its Clients that require it. Intellum’s platform has been evaluated for conformance with WCAG 2.1 accessibility standards.
6. Organization Security
Intellum’s Security Department is responsible for the overall security of the Intellum Services, including oversight and accountability. Intellum’s contracts with third-party hosting providers such as Google Cloud Platform and Amazon Web Services include industry-standard information protection requirements.
7. Asset Classification and Logical Access Control
Intellum maintains an inventory of essential information assets such as servers, databases, and information. All Customer Data is classified as Confidential by Intellum. Intellum adopts the principle of least privilege for all accounts running application or database services, as well as with its own staff. Intellum maintains separate development, staging (or sandbox), user acceptance testing, and production environments. Access to each environment and within each environment is strictly controlled. Access to Intellum’s servers is controlled via short-lived SSH keys and 2-factor authentication. All access to Intellum’s servers is logged and can only be accessed through Intellum’s VPN, which uses certificate-based authentication. Intellum’s employee onboarding and off-boarding processes handle provisioning and de-provisioning of accounts and access.
8. Personnel Security and Training
All employees at Intellum sign a non-disclosure agreement when their employment begins. In addition, Intellum conducts background checks of its employees as part of its onboarding process. All employees are informed of, and agree to comply with, Intellum’s security policies and practices as a part of their initial onboarding. All Intellum employees undergo annual security and privacy training.
9. Physical and Environmental Security
Access to Intellum facilities is controlled by 24-hour security. Additionally, all Intellum offices are protected by locked access and are under 24-hour video surveillance. All Intellum employee workstations are encrypted and password protected, and all Intellum user accounts with access to sensitive data require two-factor authentication. Data centers and physical servers are managed and controlled by our cloud hosting providers, Amazon Web Services and Google Cloud Platform. Intellum employees have no access to any of these data centers. Details regarding the security practices and controls applicable to these facilities can be found at their websites:
AWS: https://aws.amazon.com/security/
Google Cloud Platform: https://cloud.google.com/security
10. Policies and Logging
The Intellum Services are operated in accordance with the following procedures to enhance security:
User passwords are never transmitted or stored in clear text.
Intellum uses industry-standard methods to determine password validity.
Intellum keeps audit logs for all access to production servers.
Server access is controlled via public key access, instead of passwords, and only permitted while on VPN.
Logs are stored in a secure centralized host to prevent tampering.
Intellum application audit logs are stored for the duration the account is active.
Passwords are not logged under any circumstances.
All access to customer accounts by Intellum employees must be done through an internal service that is accessible via strong 2-factor authentication.
As part of Intellum’s Employee Information Security Policy, employees may not store any Customer Data locally or on removable media.
11. Intrusion Detection
Intellum monitors system, user, and file behavior across its infrastructure using a host-based Intrusion Detection System. Intrusion Detection alerts are monitored by the Security and DevOps teams 24/7. Additionally, Intellum may analyze data collected by users’ web browsers for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Intellum Services function properly.
12. Security Logs
All Intellum systems used in the provision of the Intellum Services, including firewalls, routers, network switches, and operating systems, log information to their respective system log facility or a centralized logging service in order to enable security reviews and analysis. Intellum has automated alerts and searches on these logs.
13. System Patching and Configuration Management
Intellum patches its servers and rebuilds its cloud infrastructure from configuration management systems on a regular basis, which ensures that the latest patches are applied. Intellum’s configuration management system regularly applies patches as per Intellum’s policies. Intellum maintains multiple environments and tests changes in containerized development environments and in live staging environments before making changes to production environments.
14. Vulnerability Management
Intellum’s infrastructure and applications are continuously scanned by a Vulnerability Management System. Alerts are monitored by our Security Team and addressed per defined remediation SLAs. Intellum also maintains memberships to various CVE vulnerability mailing lists. Vulnerability remediation timelines are as follows:
Critical-risk: Remediation within 24 hours
High-risk: Remediation within 5 business days
Medium-risk: Remediation within 30 business days
Low-risk: Remediation within 60 business days
Intellum uses static code analysis tools during the build process to perform static security analysis. Intellum also uses a dynamic analysis tool once the application is running to automatically alert on vulnerabilities in the running application.
15. Third-Party Penetration Testing
Intellum undergoes a third-party penetration test of the Intellum Services on an annual basis or after major updates.
16. Monitoring
For technical monitoring, maintenance and support processes, Intellum uses a combination of tools to ensure that processes and servers are running properly, including but not limited to:
Process monitoring
CPU, disk, and memory monitoring
Uptime monitoring
Functional monitoring
Database monitoring
APM performance monitoring
Error monitoring
17. Customer Access Control
The Intellum Services employ a variety of security controls. These include, but are not limited to:
The Intellum platform includes multiple authentication methods, including but not limited to SAML 2.0, OAuth, Google Login, OpenID Connect (using OAuth 2.0), LDAP, and Azure AD B2C. The platform can also be extended with custom SSO solutions.
Customer-Configurable Roles and Permissions – Intellum customers have the option to manage their users of the Intellum Services through selective and granular permissioning.
All requests on the Intellum Platform have cross-site request forgery (CSRF) protection. All web services use encrypted HTTPS for all traffic and disallow all HTTP traffic via HTTP Strict Transport Security (“HSTS”). User password complexity, account lockout, and session duration are all settings available to the customer, so they can be set in a way that follows the customer’s own policies.
Intellum’s REST v3 APIs are accessed with expiring API keys, which can only be enabled by users with Unrestricted admin access.
18. Development and Maintenance
Intellum uses tools to effectively manage the development lifecycle. During testing, Intellum generates development environments and fake data for testing. Intellum does not use production data in development environments. Application source control is accomplished through private repositories. Intellum has controls in place to ensure that all code must be reviewed and approved before being merged to Intellum’s main code branch.
19. Malware Prevention
As a mitigating factor against malware, all Intellum servers run LTS editions of operating systems, as well as endpoint monitoring services for virus and malware protection. Intellum adopts the principle of least privilege for all accounts running application or database services. Proper change management ensures that only authorized packages are installed via a package management system containing only trusted software, and that software is never installed manually. All Intellum employee computers have virus scanners installed and updated definitions sent out from a central device management platform.
20. Information Security Incident Management
Intellum maintains 24x7x365 on-call coverage supported by defined escalation paths and call-rotation management.
21. Data Encryption
The Intellum Services use industry-accepted encryption practices to protect Customer Data and communications during transmissions between a customer’s network and the Intellum Services, including 256-bit TLS Certificates. Intellum audits the TLS ciphers used in connection with the provision of the Intellum Services with third-party security auditors to ensure that anonymous or weak ciphers are not used. These audits also confirm that the Intellum Services do not allow client renegotiation, and that they support downgrade attack protection and forward secrecy. Data shipped to Amazon Web Services is encrypted in transit and at rest using AES-256 encryption via Amazon’s managed encryption key process. Data shipped to Google Cloud is encrypted in transit and at rest using AES-256 encryption via Google Cloud’s managed encryption key process.
22. Return and Deletion of Customer Data
The Intellum Services allow import, export, and deletion of Customer Data by authorized users at all times during the term of a customer’s subscription. Following termination or expiration of the Intellum Services, Intellum processes will automatically purge a customer’s account data 90 days after account suspension. Upon request, data can be returned to the customer prior to deletion and data purge can be decreased to 30 days.
23. Reliability and Backup
All networking components, web servers and application servers are configured in a redundant configuration. All Customer Data submitted to the Intellum Services is stored on a primary database server with multiple active clusters for higher availability. All database servers replicate in near real-time and are backed up on a regular basis. Backups are encrypted using AES-256 encryption and verified for integrity.
24. Business Continuity Management and Disaster Recovery
Intellum has a written Business Continuity and Disaster Recovery Plan, which is tested annually. Intellum tests database backups and failovers as part of our Business Continuity Plan. Backups are encrypted and stored in Amazon Web Services and Google Cloud Platform provided backup services.
25. Mobile Device Management
Intellum uses Mobile Device Management (“MDM”) platforms to control and secure access to Intellum resources on employee mobile devices. Intellum enforces common security settings such as, but not limited to, encryption, lock screen passwords, password expiration, display timeouts, security patches, and remote location and remote wipe.
26. Artificial Intelligence
Intellum’s use of artificial intelligence within its Services is governed by our published Artificial Intelligence Use Policy, available at https://www.intellum.com/policies/intellum-artificial-intelligence-use-policy.
27. Blocking Third-Party Access
The Intellum Services have not been designed to include any backdoors or similar functionality that would allow the government or any third parties to access Customer Data. We do not voluntarily provide any government or other third party with encryption keys, or any other way to break our encryption.
28. Contacts
Intellum’s Security Team can be reached by emailing support@intellum.com.