Evident Security Policy

Date Last Revised: August 5, 2022

This Evident ID, Inc. (“Evident” or “Company”) Security Policy (“Security Policy”) outlines the technical, organizational, and procedural measures that Evident undertakes to protect confidential, proprietary, and personal data of our customers and other individuals (“Customer Data”) from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, or use. Evident has a written information security plan to implement the terms of this Security Policy that is reviewed and approved annually by its senior management team.

As used in this Security Policy: “Customer” or “Relying Party” means the entity that is party to an agreement with Evident for the use of Evident’s services (“Customer Agreement”); “Cloud Provider” means a third-party cloud provider, such as Amazon Web Services, Inc. (“AWS”), Google cloud-based services, and Microsoft Corporation (“Azure”) that hosts the Service; “Cloud Private Network” means the VPC and/or VNET (as applicable to the Cloud Provider) from which the Evident services purchased via a Customer Agreement (“Service” or “Services”) are provided, respectively; and “Evident Personnel” means Evident employees and individual subcontractors. 

Any capitalized terms used but not defined herein shall have the meaning set forth in the Customer Agreement or any data protection agreement or addendum (“DPA”) to which this Security Policy is attached. In the event of any conflict between the terms of the Customer Agreement or DPA and this Security Policy, this Security Policy shall govern. This Security Policy may be updated from time to time upon reasonable notice to Customer (which may be provided through the Service) to reflect process improvements or changing practices, but any such modifications will not materially diminish either party’s obligations as compared to those reflected below. 

1. Customer Data Access and Management

1.1. Evident Personnel’s access to unencrypted Customer Data is highly controlled, with access being limited to cases where Customer provides access to its Evident account to such Evident Personnel or access is necessary for Evident to provide the Services to Customer and is restricted to the specific data elements that need access. If such access is granted, Evident Personnel are prohibited from storing Customer Data on local desktops, laptops, mobile devices, shared drives, removable media such as USB drives, or on public facing systems that do not fall under the administrative control or compliance monitoring processes of Evident.

1.2. Evident uses Customer Data only as necessary to provide the Services to Customers, as provided in our Customer Agreements and DPAs.

1.3. Customer Data is stored only in the Service production environment in the Cloud Private Network and other secure Evident systems. Evident may provide additional documentation about storage in its production environment subject to the recipient accepting confidentiality obligations to protect it.

2. Encryption and Logical Separation of Customer Data

2.1. The Service in the production storage environment always encrypts Customer Data while at rest with encryption standards that are no less secure than AES256-GCM.

2.2. The Service encrypts traffic with Transport Layer Security (“TLS”) 1.2 when communicating across untrusted networks such as the public internet.

2.3. Each Customer in the system is assigned a public-key identity and control of the private key is required to access information for which that Customer has been granted access

3. Service Infrastructure Access Management

3.1. Access to the systems and infrastructure that support the Service is restricted to Evident Personnel who require such access as part of their job responsibilities.

3.2. Unique User IDs are assigned to Evident Personnel requiring access to the Evident servers that support the Service.

3.3. Server authentication policy for the Service in the production environment employs SSH with key based authentication, which is provided under established controls for giving, removing, and auditing access in this manner.

3.4. Access privileges of separated Evident Personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.

3.5. User access to the systems and infrastructure that support the Service is reviewed quarterly.

3.6. Access attempts to the systems and infrastructure that support the Service are logged, monitored, and alerts are generated for suspicious activities.

3.7. Cloud Provider network security groups have deny-all default policies and only enable business required network protocols for network traffic. The Service only allows TLS 1.2 protocol from the public internet.

4. Risk Management

4.1. Evident conducts risk assessments of various kinds throughout the year, including self- and third-party assessments and tests, automated scans, and manual reviews.

4.2. Results of assessments, including formal reports as relevant, are reported to the Chief Executive Officer. Senior management meets periodically to review reports, identify control deficiencies and material changes in the threat environment, and make recommendations for new or improved controls and threat mitigation strategies.

4.3. Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk- adjusted basis.

4.4. Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources. 

4.5. Security Breaches (if any) and Evident’s deployment of its breach response procedures in particular incidents are reviewed by senior management for quality control and improvement.

5. Vulnerability Scanning and Penetration Testing

5.1. Vulnerability scans are automatically performed weekly on systems required to operate and manage the Service. The vulnerability database is updated regularly.

5.2. Scans that detect vulnerabilities meeting Evident-defined risk criteria automatically trigger notifications to security personnel.

5.3. Potential impact of vulnerabilities that trigger alerts are evaluated by staff.

5.4. Vulnerabilities that trigger alerts and have published exploits are reported to the Company executives responsible for our security program, who determine and supervise appropriate remediation action.

5.5. Vulnerabilities are prioritized based on potential impact to the Service, with “critical” and “high” vulnerabilities being addressed within 30 days of discovery and “medium” vulnerabilities being addressed within 90 days of discovery.

5.6. Security management monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.

5.7. Penetration tests by an independent third-party expert are conducted at least annually.

6. Remote Access & Wireless Network

6.1. All access by Evident Personnel to the Cloud Private Network requires successful authentication through network security groups via approved methods and enforced with key authentication and multi-factor authentication (“MFA”).

6.2. Evident corporate offices provide access via Wi-Fi networks that require each user to successfully authenticate using their own unique credentials. Users without corporate network credentials are required to connect to separate Wi-Fi networks that are specifically designed for guests and prohibit connectivity to trusted networks.

7. System Event Logging, Monitoring & Alerting

7.1. Monitoring tools and services are used to monitor systems including network, server events, and Cloud Provider API security events, availability events, and resource utilization.

7.2. Evident infrastructure security event logs are collected in a central system and protected from tampering through access control methods. Logs are stored for a minimum of 12 months. 

7.3. All Evident provided user endpoints have Endpoint Detection & Response (“EDR”) tools to monitor and alert for suspicious activities and potential malware. 

8. System Administration and Patch Management

8.1. Evident implements and maintains system administration procedures for systems that access Customer Data that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications) and proper installation of threat detection software as well as daily signature updates.

8.2. Evident personnel review widely available news services and bulletins, including but not limited to US-Cert, for new vulnerabilities announcements weekly and assess their impact to Evident based on an Evident-defined risk criteria, including applicability and severity.

8.3. Applicable security updates rated as “high” or “critical” are addressed within 30 days of the patch release and those rated as “medium” are addressed within 90 days of the patch release.

9. Evident Security Training and Evident Personnel

9.1. Evident maintains a security awareness program for Evident Personnel, which provides initial education, ongoing awareness, and individual Evident Personnel acknowledgment of intent to comply with Evident’s corporate security policies. New hires complete initial training on security and privacy, sign a proprietary information agreement, and agree to comply with Evident policies that include the Company’s information security and privacy requirements and covers key aspects of Evident’s information security and privacy policies.

9.2. All Evident Personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Customer Data.

9.3. Evident performs criminal background screening as part of the Evident hiring process, to the extent legally permissible.

9.4. Evident will ensure that its subcontractors, vendors, and other third parties (if any) that have direct access to the Customer Data in connection with the services adhere to data security standards consistent with the standards set forth in this policy. 

10. Physical Security

10.1. The Service is hosted with Cloud Providers and all physical security controls are managed by the Cloud Provider. Evident reviews the Cloud Provider’s SOC 2 Type 2 report to ensure appropriate physical security controls, including: 

    • 10.1.1. Visitor management including tracking and monitoring physical access.
    • 10.1.2. Physical access points to server locations are managed by electronic access control devices.
    • 10.1.3. Monitor and alarm response procedures.
    • 10.1.4. Use of CCTV cameras at facilities.
    • 10.1.5. Video capturing devices in data centers with 90 days of image retention.

11. Notification of Security Breach

11.1. A “Security Breach” is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored, or otherwise processed by Evident, as more particularly defined in applicable laws.

11.2. Evident will notify affected parties of a confirmed Security Breach as required by applicable laws or Customer Agreements.

11.3. Such notification will describe the Security Breach and the status of Evident’s investigation.

11.4. Evident will take appropriate actions to contain, investigate, and mitigate the Security Breach.

12. Disaster Recovery

12.1. Evident maintains a Disaster Recovery Plan (“DRP”) for the Service.

13. Evident Security Compliance, Certifications, and Third-party Attestations

13.1. Evident hires accredited third parties to perform audits and to attest to various compliance and certifications annually including:

    • 13.1.1. Security audit assessment related to SOC 2 controls
    • 13.1.2. Annual penetration tests