Security

Last Updated: August, 2019

1.0      Introduction

This Information Security Policy (the “Policy”) describes the security policies that must be implemented, maintained, and followed in managing Noyo Technologies, Inc.’s (“Noyo”) information systems and by anyone who has access to Noyo’s information systems, including those systems that Noyo maintains for purposes of managing files, records, communications, and work product (the “System”) or information, data, or records maintained by Noyo (the “Information”).

This Policy describes the general principles that must be followed to help protect
the System, the Resources, Personnel, Noyo’s customers and partners, and the Information.
It is designed to reflect reasonable and appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of the Information and address the information security risks to Noyo and others. More detailed information security standards and guidelines may be developed in accordance with this Policy to supplement specific needs, risks, and requirements on a case-by-case basis.  

Failure to follow the Policy including through inappropriate or improper use of the System,
Resources, or Information may expose Noyo to risks including cyber-attacks, compromise of the System, Resources, and Information, harm to Personnel, customers, or partners, liability, and legal or regulatory issues.

 

1.1      Scope

This Policy applies to all Noyo personnel, regardless of employment status or location, who has been granted access to Information, Systems, or Resources (the “Personnel”). This includes employees, staff, contractors, interns, vendors, and visitors. The System includes Noyo offsite facilities. It also applies to any computing or storage device used to connect to the System (the “Resources”)
which may include:

  • Desktop, laptop, or tablet computers
  • Servers
  • Mobile phones and other portable electronic devices
  • USB drives and other portable hard drives or solid-state media
  • DVDs, CDs, or other similar media
  • Copiers, scanners, printers, and fax machines
  • Wireless and network systems 

Information includes information stored in electronic or physical form.  This Policy
has been adopted considering Noyo’s existing and reasonably anticipated legal,
regulatory, professional, and contractual obligations.  To the extent that any of Noyo’s legal, regulatory, professional, and contractual requirements from time to time are
stricter than what is contained in the Policy or any other policy or guidelines
relating to Information, Personnel must abide by those stricter requirements. If
any Personnel encounter such requirements that they are unable to comply with
using the resources currently available to them, they must immediately contact
the Chief Security Officer to determine the appropriate steps to be taken.

 

1.2      Administration

Noyo has designated its Chief Security Officer (CSO) to oversee and maintain this Policy. The CSO shall ensure that this Policy and corresponding information security objectives are: (i) compatible with the strategic direction of Noyo, (ii) integrated into Noyo’s
organizational processes and implemented successfully; (iii) defined and assigned
appropriate resources, (d) communicated to management and Personnel; and (e)
continually improved and updated in accordance with this Policy. The CSO shall
ensure that the applicable responsibilities outlined in this Policy are
assigned to the appropriate personnel and effectively communicated to all Personnel
and relevant contractors and vendors.

Noyo’s Chief Security Officer and HIPAA Security Officer is:

Name: Dennis Lee

Contact Information: security@gonoyo.com

2.0      Information Resource Management

2.1      Inventory of Information Resource

Resources, including applicable hardware, software, records, systems, documents, storage media, portable devices and other equipment, devices, or documents where, or through which, Noyo’s Information is processed, recorded stored, or transmitted must be inventoried.
All items in the inventory must have an assigned custodian.
 

2.2      Information Classification

2.2.1  Categories of Information Classification.  Information must be classified as follows:

This classification category must be assigned to information where accidental or unauthorized access to or loss or disclosure of could cause material, severe, or catastrophic harm or impact to Noyo, any data subjects, customers or partners, or relying parties.  Sensitive Information includes:

§  Passwords, authentication/authorization credentials, and/or other information that can be
used to access the System or Confidential or Sensitive Information,

§  Information
under strict regulatory or contractual handling requirements (e.g., PCI, HIPAA,
GDPR, and other data security laws) including:

  • social security numbers, tax identification number, national identification number, or
    an identity protection personal identification number issued by the IRS, driver’s license numbers or other government-issued ID card number, passport numbers, bank
    or financial account information, credit or debit card numbers (including CIV numbers and magnetic stripe information) or other personally identifiable financial information, account
    passwords, PINs, or other information that would permit access to an account, 
  • medical records information, health information, or “protected health information”, as
    that term is defined by the Health Information Portability and Accountability
    Act,
  • fingerprints,
    voice prints, retina or iris images, or other unique physical representations
    or biometric information,
  • genetic
    data,
  • information
    revealing a person’s racial or ethnic origin, political opinions, religious or
    philosophical beliefs, trade union membership, or sex life or sexual
    orientation, 
  • digital
    signatures,
  • legal records, 
  • information relating to criminal convictions and offences,
  • real-time or precise geolocation data,
  • employee identification numbers,
  • date of birth, mother’s maiden name, or other similar secrets or identifiers that
    may be used to access an individual’s financial accounts or records.

§ Business secrets deemed highly confidential (e.g., highly-confidential business strategies and communications, sensitive attorney-client privileged and confidential communications).

.
This classification category must be assigned to information asset types where accidental
or unauthorized access to or loss or disclosure of could cause loss or harm to Noyo,
any data subjects, customers or partners, or relying parties. Confidential
Information includes:

§ 
Internal
communications and documents not specifically described as Sensitive
Information,

§ 
Non-sensitive
attorney-client privileged and confidential communications, and

§ 
Personal
information related to Noyo’s Personnel, customers, partners, or any other
individuals of the type not specifically described as Sensitive Information.


This classification category must only be assigned to information asset types
where unauthorized disclosure could result in no loss or harm to Noyo, Noyo customers
or partners, or relying parties. Non-Confidential Information includes:

§ 
Information
required to be accessible to the public under law, and

§ 
Information
generally accessible in the public domain (but not including internal
compilations of public information).

 

“Information Classification Managers” are individuals or departments that
are accountable for the protection of the Information. Individuals may be
considered Information Classification Managers of any Information they have
created, have been assigned, have knowingly received, or are responsible for
(e.g., business unit or department leaders).

 

Information Classification
Managers must ensure that Information for which they are responsible is
identified, properly classified, and protected in accordance with the
guidelines associated with the assigned classification.

 

All Information
created or used by a particular business unit within Noyo must have a
designated Information Classification Manager. Information Classification
Managers for Confidential or Sensitive Information are responsible for controlling
authorized access to this Information and ensuring that inventories are maintained that document the Confidential
or Sensitive Information used within
their business unit or department. If an Information Classification Manager leaves
Noyo, management must ensure that all relevant Confidential and Sensitive
Information is assigned to a new, appropriate Information Classification
Manager.

 

 If Resources contain mixed sets of Information,
the resource must be treated in accordance with the most stringent requirement applicable
to any component thereof. To the extent less sensitive Information is extracted
from Resources containing Sensitive or Confidential Information, such limited
extraction can be treated according to the standards that apply only to that
extraction.

 

2.3      Information
Collection/Retention/Destruction

 

Collection of
Sensitive and Confidential Information must be limited to only information that
is necessary and appropriate for Noyo’s legitimate business purposes. 

 


 Sensitive and Confidential Information must
be kept only as long as needed or as necessary to comply with regulatory, contractual,
professional, or ethical obligations or for such statutory periods as may
warrant retention to protect and defend Noyo or its customers or partners. Appropriate
retention periods must be followed in accordance with the Noyo Retention Policy.

 

Subject to any
applicable legal holds, Sensitive and Confidential Information must be properly
destroyed when no longer needed. Resources containing Sensitive and
Confidential Information must be properly destroyed or disposed of when no
longer needed or subject to legal hold. Data destruction guidelines ensuring
proper disposal must be implemented.

 

2.4      Information
Recovery and Restoration

Sensitive and Confidential Information must routinely
be backed up and properly stored to allow access to information needed to
continue business operations in the event of equipment failure or disaster. Offsite
storage must be considered and is required for any data that could result in material,
severe, or catastrophic harm or impact to Noyo, any data subjects, customers or
partners, or relying parties if the data were to become unavailable. Backup
mechanisms must be tested regularly. As appropriate, Resources and Systems
shall be implemented with redundancy sufficient to ensure appropriate
availability and maintain organizational requirements. Noyo will establish and
maintain appropriate policies and procedures designed to enable the back-up,
retrieval, and continuation of Noyo’s access to Sensitive and Confidential as
well as policies and procedures for responding to an emergency or other
occurrence that damages systems collecting, processing, or storing Sensitive or
Confidential Information.

 

3.0      Physical
Security and Safeguards

 

3.1      Access
Controls

Physical access to Sensitive or Confidential
Information must be limited to Personnel for whom access is appropriate.  Areas containing, or enabling access to, Resources
containing Sensitive Information must be segregated from areas open to the
general public and limited to those personnel with a need-to-know and/or
need-to-use and access such information and information technology Personnel.
In addition, such areas must be monitored by reasonable surveillance under the
circumstances and any unauthorized individuals that must visit such areas must
be escorted by authorized and appropriate Personnel to ensure that Sensitive or
Confidential Information is not accessed. Procedures designed for working in
secure areas shall be designed on a case-by-case basis and applied to all
personnel with access.

 

3.2      Access Points

Access points such as reception, delivery,
and loading areas and other points where unauthorized persons could enter the
premises shall be controlled and, where possible, isolated from activities
involving the processing of Sensitive and Confidential information.

 

3.3      Protection
from Theft or Unauthorized Use

Information Resources that contain Confidential
or Sensitive Information must be physically safeguarded to prevent theft or
unauthorized access or use. Equipment must not be left unattended and
unattended desks and screens must be kept clear of Confidential and Sensitive
Information. Physical documents, records, and files containing Confidential or
Sensitive Information must be kept in locked facilities. Physical documents,
records, and files containing Sensitive Information must also be kept in locked
storage areas, containers, files or drawers. Access to or copies of keys for storage
areas, containers, files or drawers containing physical documents and files
containing Confidential or Sensitive Information must be limited to authorized
personnel. Such keys must also be physically safeguarded to prevent theft or
unauthorized access or use.

 

3.4      Protection
from Environmental Threats

Resources must be protected from physical and
environmental threats.

 

3.5      Equipment Safeguards

Appropriate steps must be taken with all Resources
to protect against loss, damage, theft, or compromise, including, but not
limited to, protection against power failure, interception or interference with
telecommunications cabling, and removal of Resources from Noyo premises.

 

3.6     Physical
Disposal or Destruction

Documents and files containing Sensitive or
Confidential Information must be placed in locked destruction (shred and/or
burn) bins for disposal. Recycling bins must not be used for disposal of
Sensitive or Confidential Information.

 

4.0      Technical
Security and Safeguards

 

4.1      Access
Controls

Electronic access to Sensitive or
Confidential Information will be limited to Personnel that need access. Each Personnel
granted access must be given their own unique user ID and password. Strong
authentication protocols must be used to control user IDs and other identifiers
and to limit access to active Personnel accounts and active Personnel with authorized
and appropriate access privileges. For example, access to Sensitive or
Confidential Information, including whether such access is “read only”, must be
controlled and documented by Noyo in a manner that takes into account job title,
roles, and function of the owner of the user ID. Users shall only be provided
with access to the Systems and Resources for which they have been specifically
authorized and have a corresponding need-to-know and/or need-to-use. Access
controls must be maintained by the applicable Noyo Resource and/or System owner
and reviewed at regular intervals to ensure that allocation of access is
appropriately restricted. Access to Sensitive or Confidential information must
be terminated immediately upon termination of the corresponding need (e.g., if
an employee leaves or is terminated from Noyo or leaves the position for
another where access to such Information is not required). Processes must be
established to ensure that redundant access controls are not issued to users.

 

  Password guidelines, user ID guidelines, and
remote access guidelines to help prevent unauthorized access to Sensitive or
Confidential Information will be implemented and maintained. Unique identifications
plus passwords or other credentialing technologies reasonably designed to
maintain the integrity of the security of the access controls will be assigned
to each person with access to the System. A reasonably secure method of
assigning and selecting passwords or use of credentialing technologies will be
implemented and maintained. For example, users must be required to change any
issued passwords upon first accessing their unique user ID and all users must
be required to update their passwords at regular and appropriate intervals. Vendor-supplied
default identifications and passwords will not be used. Passwords and other
credential technologies must be kept in a location and/or format that do not
compromise the security of the data they protect. Noyo will design password and
credential-protected systems to block access after multiple unsuccessful
attempts to gain access or such other reasonable limitation placed on access
for the particular system.

 


 Appropriate steps shall be taken to
segregate development, testing, and production environments for all Systems.
Development and testing environments should not use Sensitive or Confidential
Information unless necessary for the System to function and only if in
compliance with the applicable security policies.

 

Appropriate steps
shall be taken to logically segregate Noyo’s Confidential or Sensitive
Information from other data sources. Appropriate steps shall be taken to
segregate groups of information services, users, and information systems on Systems.
As appropriate, systems that house Confidential or Sensitive Information must
be segregated from other systems, particularly those that are publicly
accessible or subject to lower access controls.

 

4.2      Electronic
Safeguards

Resources and Systems that contain Sensitive
or Confidential Information must be technically safeguarded to prevent, detect,
and remove any security threats to Systems, Resources, and Sensitive and
Confidential Information.

 

.  Encryption must be used when Sensitive
Information is at rest or in transit within or into or out of Systems or when
stored on any portable device or media. Cryptographic keys and passwords must
be stored securely and separately from the encrypted Information and disclosed
only to those individuals with a need to access or maintain the underlying
information. Encryption must be maintained in compliance with all applicable
contractual commitments, legislation, and regulation. Noyo shall have internal
policies regulating the selection of cryptographic techniques, key management,
and encryption and decryption procedures for any type of encryption utilized
under this Policy.

 

Reasonably up-to-date firewall protection and
operating system security patches reasonably designed to maintain the confidentiality
and integrity of personal information must be implemented and maintained to
protect files containing Sensitive and Confidential information on any parts of
the System connected to the Internet. Systems and Resources must be segregated
as appropriate to minimize security risks. Reasonable measures must be employed
to restrict the installation of insecure software on Resources.

 

Reasonably up-to-date versions of system
security agent software (which include malware detection and protection and
reasonably up-to-date patches and virus definitions, or versions of such
software that can still be supported with up-to-date patches and virus and
malware definitions, and is set to receive the most current security updates on
a regular basis) must be implemented and maintained on all Resources.

 

Reasonable logs and audit trails for tracking
authorized and unauthorized access to, use of, or changes to, Systems and Resources
which store, process, or enable access to Sensitive or Confidential Information
must be implemented and maintained (e.g., a record of the unique user IDs used
to access any internal computer servers or systems). Appropriate logs and audit
trails must account for user activities, exceptions, faults, and security
events and protected against unauthorized access and tampering. Information
about specific technical vulnerabilities that affect Resources and Systems
shall be regularly researched and maintained. Noyo will implement and maintain a
process for receiving and reviewing internally and externally reported security
vulnerabilities. Applicable vulnerabilities must be evaluated and mitigated to
address associated risks.

 

Any Sensitive or Confidential Information
passing over public or third-party networks shall be protected from
unauthorized disclosure and modification using reasonable security measures
including, as appropriate, encryption. Sensitive Information passing over
public or third-party networks or transmitted wirelessly must be encrypted. For
shared networks, especially those extending across Noyo’s network boundaries,
the capability of individual users to connect to the network shall be
restricted in line with appropriate access controls. Virtual desktop access
shall prevent processing and storage of information on privately owned
equipment.

 

When
using mobile or personal devices, special care must be taken to ensure the
Confidential and Sensitive Information is not compromised. Unencrypted
Sensitive Data shall never be stored on an unencrypted mobile or portable
device. Personnel shall be required to register mobile and personal devices
with access to Confidential or Sensitive Information. Mobile and personal
devices will be required to employ security measures designed to (a) restrict
the installation of insecure software capable of accessing the Information, System,
or the Resources, (b) require that the latest security and operating system
software updates be installed, (c) restrict connection to Resources, (d)
establish passcode and device access requirements, (e) mandate cryptographic
controls and remote deletion, and (f) create secure backups. Personnel using
mobile or personal devices shall undergo training designed to encourage
physical and electronic security practices.

 

Confidential
or Sensitive Information is prohibited from storage on removable media (e.g.
USB or flash drives, portable back-up drives, CD-ROM, DVD, SD card, etc). If
required by applicable Noyo customer or partner agreements, responsible
personnel must be notified of any requirements related to storage of
Confidential or Sensitive Information on removable media. Removable media shall
be disposed of securely when no longer required and appropriate steps must be
taken to ensure that any data previously stored on the media is no longer
recoverable.

 

 

5.0      Administrative
Safeguards

Noyo’s Resources that contain Sensitive or
Confidential Information must be administratively safeguarded to prevent theft
or unauthorized access or use.

 

5.1      Policy, Standards and Guidelines

Information security standards and guidelines
that describe proper use, handling, and safeguarding of Systems and Resources will
apply to all collection, use, retention, transmission, and disposal of
Sensitive and Confidential Information. This Policy and any such corresponding
information security standards and guidelines will be updated from time-to-time
as needed to reflect changes in the law, technology, security threats, environmental
or operational changes, and business operations. This Policy will be reviewed
at planned intervals to ensure its sustainability, adequacy, and effectiveness.

 5.2      Human Resources

Adequate background screening
must be used for all Personnel with access to Systems, Resources, and any Sensitive
or Confidential Information. Background screening must be conducted in
accordance with relevant laws, regulations, and ethics and shall be
proportional to the applicable business requirements, classification of
Sensitive or Confidential Information available for access by the applicable
employee, and corresponding assessed risks.

Employees will be
required to agree to this Policy as a part of their contractual agreement with Noyo.

This Policy must be made available to Personnel
and appropriately communicated in a manner that articulates the purposes of the
Policy and the consequences of not complying. Employees will be educated and trained
to comply with this Policy and any information security standards and guidelines
and in the proper use and safeguarding of Systems and Resources and the collection,
handling and disposal of Sensitive and Confidential information. Personnel with
information security responsibilities assigned under this Policy must be evaluated
for competence to ensure they have appropriate education, training, and
experience.

Employee compliance with the Policy will
be enforced using appropriate disciplinary measures up to and including termination
of employment.  

Employee access to Noyo’s
Systems and Resources must be terminated immediately when employment with the Noyo
ceases or when access to certain Systems or Resources is no longer necessary as
part of the employee’s role and responsibility.

 5.3      Internal Development

Any internal or contracted development of
software and systems must be subject to rules for secure development and
appropriate formal change control procedures. Applicable rules must take into
account any adverse impact that might result to organizational operations and
security and must be documented, maintained, and applied to any applicable
development. Appropriate testing of Resources and Systems must be conducted in
accordance with such rules. 
 

5.4      Vendor Security

Appropriate and reasonable steps must be
taken to select and retain Vendors that are capable of maintaining appropriate
security measures to protect such personal information consistent with these security
policies and any applicable industry standards, laws or contractual
requirements. Vendors with access to Sensitive or Confidential Information must
be contractually required to implement and maintain adequate and appropriate
measures to protect Systems, Resources, and any Sensitive and Confidential
information it controls, handles, processes, or transfers and to notify Noyo in
the event of a breach or suspected breach. Vendor performance shall be
monitored to ensure compliance with these requirements. Any new acquisitions of
technology or technological services, together with enhancements to existing
resources, shall be appropriately analyzed and vetted by specifically
designated personnel. Corresponding requirements must be developed, documented,
and communicated to the applicable vendor. To the extent that vendors are
provided access to Systems and Resources, access controls and security
precautions shall be employed consistent with the requirements in this Policy.

5.5      Security Assessment

Regular assessments must be conducted to identify and evaluate internal and external risks to the security, confidentiality, integrity and/or availability of any Sensitive or Confidential Information and to evaluate and improve, where necessary, the effectiveness of Noyo’s safeguards for limiting such risks, including:

(1)  Ongoing employee (including temporary and contract employee) training;

(2)  Employee compliance with policies and procedures; and

(3)  Means for detecting and preventing security system failures.

Such an assessment will be conducted and documented at least annually under the direction and analysis of the CSO using methodology that ensures reproducible results that measure the conformance of security practices to this Policy. Each assessment shall take into account risk criteria specific to Noyo and the Confidential and Sensitive Information it holds. Any nonconformities shall be documented with clear steps for remediation and new methods of monitoring compliance assigned to the specific Personnel responsible for mitigating such risk. As applicable, designations must be
provided that indicate the consequences and likelihood of a given risk.
Mitigation of nonconformities must be prioritized for remediation accordingly and
carried out by designated Personnel according to the documented steps for
remediation.

5.6      Security Testing and Monitoring

Regular testing and monitoring, including through
the collection and analysis of electronic logs as appropriate, must be
conducted to ensure that Noyo’s information security program is operating in a
manner reasonably designed to prevent unauthorized access to or unauthorized
use of Sensitive and Confidential Information. Upgrades and improvements to information
safeguards will be made as necessary to limit risks. The scope of security
measures will be reviewed at least annually or whenever there is a material
change in business practices that may reasonably implicate the security or
integrity of records containing personal information. Vendors shall be regularly
monitored and audited to ensure compliance with their security obligations.

5.7      Information Security Incident Management

A detailed Incident Response Plan will be
implemented, maintained, and reviewed on a regular basis. Incident response
team members must document responsive actions taken in connection with any
incident involving a breach of security, and mandatory post-incident review of
events and actions taken, if any, to make changes in business practices,
including if appropriate to this Policy and related policies and guidelines,
relating to protection of Sensitive Information and Confidential Information.

5.8      Documentation

All documentation prepared pursuant to this
Policy must be appropriately identified using version control and available for
review and approval for suitability and adequacy and for use when needed. All
documentation must be retained as necessary and required by applicable law,
regulation, and professional obligations. All documentation must be adequately protected,
and access must be limited to those with a strict need to know.

5.9     Escalations

All security failures, concerns, incidents, and complaints can be sent to security@gonoyo.com. For confidential concerns, please refer to this form: Reporting Unethical Behavior. Noyo follows its Security Incident Response Plan for all reported incidents.