ABBYY Information Security Policy (Products and Support)
“Customer Data“ means any data, information, or material (including but not limited to any images, scanned documents or photos) provided or submitted by Customer or its representatives, agents, consultants to ABBYY in the course of provision of the Services and/or performance under the Agreement. Customer Data may include Personal Data / Personally Identifiable Information.
Risk Management
ABBYY shall perform a Risk Assessment periodically and upon significant organizational, information technology, or other relevant changes. ABBYY shall document results of the Risk Assessment. ABBYY shall document and implement a Risk Treatment plan based on the results of the Risk Assessment.
Information security management program
ABBYY shall implement a comprehensive and structured approach to protecting Customer Data including an information security program comprised of policies, standards, procedures and controls that is either aligned with or certified by the current versions of one or more of the following:
(a) ISO/IEC 27000 series information security standards and/or certifications
(b) NIST Cybersecurity Framework
(c) AICPA SOC 2 Attestation or SSAE 18
ABBYY shall implement a written information security policy that is:
(a) comprehensive, addressing the information security risks and controls identified through the Risk Assessment process, for each area of information security (i.e., user access, system development and change, business continuity, etc.) (and supplemental policies should be developed and implemented as appropriate),
(b) reflects the requirements of applicable law, including Data Protection laws,
(c) approved by management,
(d) published and communicated to all employees and applicable third-party ABBYYs,
(e) annually reviewed and updated to address relevant organizational changes, contractual requirements, identified threats or risks to information assets and relevant changes in applicable laws and regulations.
ABBYY shall have a specific function, composed of suitably qualified information security specialists, to lead the information security management program. The specific function shall be ratified and supported by ABBYY’s business leadership.
Human resources security
Where background screening is legally permissible, ABBYY shall perform background verification checks on employees that have access to Customer Data, in accordance with relevant laws, regulations, and ethical requirements for each individual at least upon initial hire (unless prohibited by law). The level of verification shall be appropriate according to the role of the employee, the sensitivity of the information to be accessed in the course of that person’s role, and the risks that may arise from misuse of the information. The following checks shall be performed for each individual at least upon initial hire, unless prohibited by law: identity verification, criminal history, employment history, education verification.
ABBYY’s staff shall be bound to maintain the confidentiality of Customer Data pursuant to executed confidentiality obligations and must be bound by confidentiality provisions at least as protective as those confidentiality obligations executed by ABBYY.
ABBYY shall provide information security awareness training to employees upon hire and at least annually thereafter. Such training shall:
(a) be up to date to include changes in organizational policies and procedures,
(a) be relevant to trainee job functions and responsibilities,
(b) include specific data protection training for Customer Data,
(c) include phishing awareness, either by simulations or explicitly in an annual course.
Information security responsibilities and duties that remain valid after employee is terminated shall be defined, enforced and communicated to employees.
Asset management and media handling
Assets that store or process Customer Data shall be identified and included within an asset register.
Employees shall agree to documented policies for the acceptable use and handling of assets. Assets shall be returned immediately upon termination of employment. Return of assets shall be tracked and verified.
ABBYY shall implement controls to protect equipment, information, and assets located off-premise and/or during remote access sessions such as teleworking or remote administration. Teleworking, mobile device, and removable media policies shall be implemented and enforced.
Personally-owned and managed equipment shall not be used to store Customer Data. A BYOD model shall be implemented. Security controls applicable to BYOD devices shall be at least equal to or higher than controls applied to corporate devices.
Secure disposal
ABBYY shall implement procedures to ensure that Customer Data is securely destroyed when no longer needed for the purposes authorized by Customer.
ABBYY shall ensure that disposal of removable media holding, or suspected of once holding, Customer Data, including without limitation, tapes, floppy discs, hard drives, or laptops or any other portable devices or media will be disposed of in such a way that Customer Data is not recoverable by reasonable computer forensic means.
Encryption
Customer Data shall be encrypted at rest.
ABBYY shall encrypt all laptops that store Customer Data.
Customer Data shall be encrypted during transmission across networks, including over untrusted networks (e.g., public networks). ABBYY shall use platform and data-appropriate encryption (e.g., AES-256) in non-deprecated, open/validated formats and standard algorithms. SSL certificates used for encryption in transit shall be obtained from a recognized certification authority.
Access Control
ABBYY shall implement formal, documented access control policies to support creation, amendment, and deletion of user accounts for systems or applications holding or allowing access to Customer Data.
ABBYY shall implement a formal, documented user account and access provisioning process to assign and revoke access rights to systems and applications. User account privileges shall be allocated on a “least privilege” basis and shall be formally authorized and documented. ABBYY shall prohibit the use of “generic” or “shared” accounts without system controls enabled to track specific user access and prevent shared passwords.
Privileged user access rights shall be
(a) restricted to users with clear business need,
(b) assigned to a separate user account,
(c) segregated appropriately (e.g., code migration, security administration, audit log permissions, production support administration, etc.),
(d) captured by system logs and periodically reviewed,
(e) accomplished by multi-factor authentication.
ABBYY shall monitor and restrict access to utilities capable of overriding system or application security controls. Administrator access rights to workstation endpoints shall be restricted where appropriate. System and application owners shall periodically review user access rights. Inappropriate access shall be revoked immediately upon identification.
Access modification confirmation shall be communicated to system owners when complete. User access rights to systems and applications storing or allowing access to Customer Data shall be removed upon termination or change of employment responsibilities. Specifically, user access rights shall be removed within 24 hours, upon termination of employment.
User access to systems and applications storing or allowing access to Customer Data shall be controlled by a secure logon procedure. To support this, ABBYY shall implement the following controls for user authentication: (a) each user account ID shall be unique; (b) each user account shall have a password; (c) passwords shall be echo-suppressed on screen or masked on print-outs; (d) if set by system administrator, initial password issued shall be random and shall be changed by the user upon first use; (e) users should set their own passwords as part of a password management system; (f) passwords shall be treated as confidential data and shall be encrypted upon transmission; (g) implement a password policy that (i) restricts reuse of passwords for at least ten (10) previous versions; (ii) enforces password changes if compromised; (iii) enforces account lock-out after ten (10) failed login attempts; (iv) requires password complexity (passwords shall be a minimum of twelve (12) alphanumeric characters and shall include characters from at least three of following categories: upper-, lowercase characters, one (1) numeric and one (1) special character; (h) passwords shall be stored using a one-way encryption mechanism; (j) service account passwords shall be at least fifteen (15) characters in length and shall be configured to prevent interactive logon.
Users shall protect unattended sessions and equipment. After, at most, twenty minutes of inactivity system and application sessions shall automatically terminate and password protected screen savers (e.g., locked screens) shall activate. Additionally, a clear desk and clear screen policy shall be enforced.
Physical security measures
Physical access to facilities where Customer Data is stored or processed shall be restricted to authorized personnel. Controls include the following as appropriate, unless prohibited by law:
(a) Security perimeter controls, such as fences, solid buildings, true floor-to-ceiling walls, locked doors, turnstiles, alarm systems.
(b) Dedicated secure areas (e.g. data centres, server rooms) with a limited number of authorized personnel who have access.
(c) Electronic access cards (ID cards, badges), keys and door locks.
(d) Video surveillance systems.
(e) Facility security services and/or entrance security staff.
(f) Proper authorization and escorting of visitors.
ABBYY shall implement environmental controls to protect personnel and equipment used to process or store Customer Data. These controls shall include the following, unless prohibited by law:
(a) fire suppression systems, smoke/heat detectors
(b) climate control systems,
(c) alarm systems, temperature, and water sensors,
(d) protection against possible loss of information due to failure of power supply (e.g. provision of uninterrupted power supply).
Network security
ABBYY shall logically segregate Customer Data within a shared service environment. ABBYY shall secure network segments from external entry points where Customer Data is accessible.
External network perimeters shall be hardened and configured to prevent unauthorized traffic. External connections shall be recorded in event logs. Inbound and outbound points shall be protected by firewalls. Communications shall be limited to systems strictly allowed, and if reasonable, intrusion prevention systems (IPS) shall be used. Ports and protocols shall be limited to those with specific business purpose. Web and application servers shall be separated from corresponding database servers.
ABBYY shall implement access controls on wireless networks. Strong encryption and strong authentication (e.g., WPA2) shall be used.
ABBYY shall synchronize system clocks on network servers to a universal time source (e.g., UTC) or network time protocol (NTP).
ABBYY shall implement Internet filtering procedures to protect end user workstations from malicious websites and unauthorized file transfers outside the network.
ABBYY shall encrypt remote access communications to systems or applications containing Customer Data and shall require a minimum of multi-factor authentication, Virtual Private Networking (VPN) device access or equivalent, and restricted ports and protocols.
Malware protection
ABBYY shall implement controls to detect and prevent malware, malicious code, and unauthorized execution of code. Controls shall be updated regularly with the latest technology available (e.g., deploying the latest signatures and definitions).
Vulnerability and Patch management
ABBYY shall have a program for identifying vulnerabilities and a program for applying patches in a timely manner.
Logging and Monitoring
ABBYY shall generate event logs for systems and applications that store, allow access to or process Customer Data. Logs shall capture date, time, user ID, device accessed, and port used. Logs shall capture key security event types (e.g., critical files accessed, user accounts generated, multiple failed login attempts, events related to systems that have an internet connection). Access to modify system logs shall be restricted.
ABBYY shall review system logs periodically to identify system failures, faults, or potential security incidents affecting Customer Data. Corrective actions shall be taken to resolve or address issues within any required timeframes.
ABBYY shall have pertinent logs retained for forensic analysis.
Incident management
ABBYY shall implement a formally documented incident management policy that includes:
(a) clearly defined management and user roles and responsibilities,
(b) reporting mechanism for suspected vulnerabilities and events affecting the security of Customer Data,
(c) procedures for classification of security incidents,
(d) procedures for response to security incidents within a reasonable timeframe and proportionate to the nature of the security incident and the harm, or potential harm, caused,
(e) procedures for notification to relevant authorities as required by law and ABBYY, within the timeframes specified in the agreement,
(f) procedures for forensic investigation of a security incident when needed,
(g) procedure for incident and resolution analysis designed to prevent the same, or similar, incidents from happening again.
ABBYY shall maintain a security incident tracking system that documents the following items for each security incident affecting Customer Data:
(a) incident type, including how and where the incident occurred,
(b) whether there has been any unauthorized or unlawful access, disclosure, loss, alteration or destruction of Customer Data,
(c) the Customer Data affected by the incident, including the categories of any Customer Data affected,
(d) the time when the incident occurred, or is estimated to have occurred,
(e) remediation actions taken to prevent the same, or similar, incidents from happening again.
Any security incident impacting Customer Data shall be reported to Customer in timely manner.
ABBYY shall support any investigation (e.g., by the ABBYY, law enforcement, or regulatory authorities) that involves Customer Data.
Business Continuity and Disaster Recovery
ABBYY shall have adequate business continuity and disaster recovery plans in place to provide effective protection against loss, damage, or corruption of information arising from human error, computer virus, network failure, theft, fire, flood, and other natural and man-made disasters.
ABBYY shall have regular creation of backup copies and procedures to store the backups in a secure location outside the original data processing location over the retention time,
ABBYY shall have their business continuity and disaster recovery plans reviewed and tested at least annually or after performing substantive changes to systems processing Customer Data.
ABBYY shall inform Customer in a timely manner, when necessary, to activate its Business Continuity Plan.
System Development, Acquisition, and Maintenance
The hardware, software, and service procurement process shall be documented and include identification and evaluation of information security risks where applicable.
Acceptance criteria shall be established for production change approval and implementation. Stakeholder approval shall be provided prior to change implementation.
ABBYY shall logically or physically separate environments for development, testing, and production. User access to environments and Customer Data shall be restricted and segregated, based on job responsibilities. User access to program source code shall be restricted and tracked.
ABBYY must have adequate segregation of duties to prevent developers from making unauthorized changes to production.
System and application changes shall undergo testing and meet defined acceptance criteria prior to implementation. Testing shall include relevant security controls.
Customer Data use within a test environment shall be approved by Customer.
ABBYY shall monitor outsourced system development activities, subject to third party supplier management controls.
ABBYY must have a secure coding program that ensures at a minimum that OWASP top 10 vulnerabilities are addressed.
ABBYY must have a change management process in place that requires all changes to be approved and tested prior to any change in production. The change management process must include roll back procedures.
Penetration Testing
ABBYY shall perform periodical vulnerability and penetration test of its software and services provided to Customer to verify the sufficiency of its security measures, properly document such assessment in a detailed report in accordance with accepted industry practices, and promptly undertake commercially reasonable efforts to remedy any defect detected in such assessment report. The vulnerability and penetration test shall be performed by individual(s) of sufficient knowledge and skill to attempt non-standard approaches to the test. An executive summary of the results and ABBYY’s plan for addressing or resolving of the results can be shared with Customer by request.
Third Party Supplier Management
ABBYY shall ensure that the security requirements defined in the current document are also respected by its subcontractors.
ABBYY shall review its third parties’ information security controls according to the risks represented by third parties, taking into account any state-of-the-art technology and the costs of implementation.
When access to Customer Data is necessary for performance of the contracted service, ABBYY shall permit access to Customer Data only as necessary to perform the services.
Audit and Compliance
ABBYY shall periodically review whether its systems and equipment storing, enabling access to, or otherwise processing Customer Data comply with legal and regulatory requirements and contractual obligations.
ABBYY shall ensure an independent (external or internal where appropriate) audit of its technical and organizational controls implemented to protect Customer Data is performed periodically and results reported to senior management. A formal follow-up process including provisions for the timely verification and remediation of critical audit findings shall be established.
This Policy is effective November 29, 2021.