Forsta Technical and Organizational Measures
| Measure | Description |
| --- | --- |
| Measures of pseudonymization and encryption of personal data | Forsta will encrypt all client data at rest and while in transit over public networks. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Forsta will regularly apply security patches to computing devices and monitor for exploitable vulnerabilities. Forsta will engage partners to perform external and internal penetration testing to look for potential risks to the confidentiality, availability and integrity of SaaS products and Client Data. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Forsta will design and implement disaster recovery plans for its software and Client Data. Restorability of backups will be tested regularly. Systems storing Client Data will be protected against environmental impacts (water, fire, electrical). Physical security and resilience systems will be regularly maintained by qualified personnel. Disaster recovery plans will be tested periodically. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Forsta will implement security monitoring technologies and internal and external audits to confirm ongoing compliance with its security policies. |
| Measures for user identification and authorization | All Forsta users will authenticate using unique credentials and strong passwords. Multi-factor authentication will be used for remote access to private services. Forsta will maintain proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing personal data. All access requests will be approved based on individual role-based access and least-privilege principles, and reviewed on a regular basis for continued business need. All systems must meet Forsta's security standards and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources. Forsta will follow a documented process for timely revocation of access for terminated staff. |
| Measures for the protection of data during transmission | Forsta will encrypt all data in transit over public networks. Forsta will employ encrypted and authenticated remote connectivity to its computing environments. Remote access to private Forsta systems and applications will be done through an encrypted private network (VPN). |
| Measures for the protection of data during storage | Forsta prohibits the transfer of Client Data onto personal removable media. User workstations and SaaS infrastructure will be protected through encryption, malware prevention, and security monitoring. |
| Measures for ensuring physical security of locations at which personal data are processed | Forsta will implement physical security measures at its offices and data centers. Controls will be based on the likelihood and impact of unauthorized access to each site. Access controls will ensure only authorized personnel have physical access to systems and applications containing personal data. Visitor procedures will ensure all visitors are logged and escorted. Where data centers are owned or managed by subcontractors, Forsta will regularly confirm subcontractor compliance with substantially similar physical security controls, including by requiring data center subcontractors to perform third-party audits (such as a SOC 2 Type II). Forsta will enforce a clean-desk policy for all staff with access to Client Data in shared spaces. |
| Measures for ensuring events logging | Forsta will ensure that all system logs are collected and monitored by automated systems in near real-time. Suspicious events will be investigated. |
| Measures for ensuring system configuration, including default configuration | Forsta will use hardened configurations to deploy all computing devices, including network, storage, and computing resources. |
| Measures for internal IT and IT security governance and management | Forsta will create and maintain security and privacy policies. Policies will be reviewed periodically and updated to reflect Forsta's commitment to securing Client Data. All Forsta staff will be trained on security practices and policies when hired and annually thereafter. |
| Measures for certification/assurance of processes and products | Forsta will engage qualified third-party auditors to review its information security program and to issue opinions or certifications validating the quality of the information security and privacy program. |
| Measures for ensuring data minimization | Forsta Clients are responsible for determining how much data is collected and stored in Forsta SaaS products. |
| Measures for ensuring data quality | Forsta offers software tools to enable clients to update and/or delete inaccurate personal data. |
| Measures for ensuring limited data retention | Forsta Clients are responsible for data deletion within their SaaS subscription. |
| Measures for ensuring accountability | Forsta will grant Clients the right to perform audits and will ensure that all subcontractors allow Forsta to perform audits. Audit rights ensure ongoing accountability for securing and protecting personal data. |
| Measures for allowing data portability and ensuring erasure | Forsta will logically delete client data at termination of SaaS agreements. Forsta will sanitize all media at end-of-life in accordance with NIST SP 800-88 guidelines. |
| Measures for securing custom software and software development | Forsta will design and build its software with protection of personal data as a guiding principle. Forsta will use industry-standard tools to scan for code quality. Forsta will test all web applications for common vulnerabilities prior to production release. |
| Measures for reducing attack surface | Forsta will implement firewalls, intrusion detection, system hardening, and mobile device management technologies to reduce the likelihood of a security incident. |
| Measures for managing assets that process or store personal data | Forsta will implement an asset lifecycle program to maintain an inventory and ownership for all assets that process or store personal data. |
| Measures for managing sub-processors | Forsta will ensure all sub-processors agree to implement and maintain substantially similar technical and organizational measures. Forsta will assess sub-processors' technical and organizational measures prior to engagement and regularly thereafter. |
| Measures for detecting and responding to security incidents | Forsta will ensure that all system logs are collected and monitored by automated systems in near real-time. Suspicious events will be investigated. Forsta will notify the Data Controller of any incident impacting personal data without undue delay. |