Collaborne B.V. dba NEXT (“NEXT”) considers protection of Customer Data a top priority. As further described in this Security Policy, We use commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under NEXT control.This policy is issued under and forms part of the Master Cloud Agreement or other NEXT agreement which references this policy and any capitalized terms not defined herein shall have the meanings ascribed to them in such NEXT agreement.

1. Customer Data Access and Management Controls

NEXT implement formal procedures to limit NEXT personnel’s access to Customer data as follows:

1.1 Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for administrator access and individually-assigned Secure Socket Shell (SSH) keys for external engineer access;

1.2 Limits access to Customer Data to NEXT personnel on a “need to know basis”;

1.3 Limits access to NEXT production environment by NEXT personnel on the basis of business need;

1.4 Prohibits NEXT personnel from storing Customer Data on unauthorized electronic portable storage devices such as computer laptops, portable drives and other similar devices;

1.5 Logically separates each of NEXT users’ data and maintain measures designed to prevent Customer Data from being exposed to or accessed by other users.

2. Data Encryption

NEXT provide industry standard encryption for Customer Data as follows:

2.1.     Implements encryption in transport and at rest;

2.2.     Uses strong encryption methodologies to protect Customer Data, including AES 256-bit encryption for Customer Data stored in NEXT production environment; and

2.3.     Encrypts all Customer Data located in cloud storage while at rest.

3. Network Security, Physical Security and Environmental Controls

3.1.     NEXT implement properly configured and patched firewalls, network access controls and other technical measures designed to prevent unauthorized access to systems processing Customer Data;

3.2.     NEXT maintain effective controls to ensure that security patches for systems and applications used to provide the service are properly assessed, tested and applied;

3.3.     NEXT monitor privileged access to applications that process Customer Data, including cloud services;

3.4.     Remote access to NEXT environments is controlled with a virtual private network (“VPN”) and/or encrypted connection, and/or private lines, consistent with industry best practices;

3.5.     NEXT operate on Amazon Web Services (“AWS”) and are protected by Amazon’s security and environmental controls. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. AWS ISO certification and SOC Reports are available at https://aws.amazon.com/compliance/iso-certified/ and https://aws.amazon.com/compliance/soc-faqs/, respectively; and

3.6.     Customer Data hosted in AWS is AES-256 encrypted both in transit and at rest. AWS does not have access to Customer unencrypted Data.

4. Independent Security Assessments

NEXT periodically assess the security of NEXT systems and the Service as follows:

4.1.     Regular penetration testing of the Service is conducted by independent third-party security experts that includes black-box automated and manual penetration testing of Service. At Customer's request, NEXT will provide Customer a high-level summary of the most recent penetration test, subject to reasonable confidentiality protections.

5. Incident Response

If NEXT become aware of unauthorized access or disclosure of Customer Data under its control (an “Incident”), NEXT will:

5.1.     Take reasonable measures to mitigate the harmful effects of the Incident and prevent further unauthorized access or disclosure;

5.2.     Upon confirmation of the Incident, notify Customer designated security contact by email within 24 hours. Notwithstanding the foregoing, NEXT is not required to make such notice to the extent prohibited by Laws, and NEXT may delay such notice as requested by law enforcement and/or in light of NEXT legitimate need to investigate or remediate the matter before providing notice; and

5.3.     Each notice of an Incident will include:

5.3.1 The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Incident;

5.3.2 A description of what happened, including the date of the Incident and the date of discovery of the Incident, if known;

5.3.3 The scope of the Incident, to the extent known; and

5.3.4 A description of NEXT response to the Incident, including steps NEXT have taken to mitigate any harm caused by the Incident.

6. Business Continuity Management

6.1.     NEXT maintains a business continuity and disaster recovery plan in accordance with industry trends and standards; and

6.2.     NEXT maintains processes to ensure failover redundancy with its systems, networks and data storage.

7. Personnel Management

7.1.     NEXT perform employment verification (e.g. proof of identity validation, review of education records and employment track, and background checks) for new hires in positions requiring access to systems and applications storing Customer Data in accordance with applicable Law;

7.2.     NEXT provide training for its personnel who are involved in the processing of Customer Data to ensure they understand their obligations to not collect, process, or use Customer Data without authorization and to keep Customer Data confidential, including following the termination of any role involving Customer Data;

7.3.     NEXT conduct continuous monitoring of employee activity on its production environments; and

7.4.     Upon employee termination, whether voluntary or involuntary, NEXT immediately disables all access to NEXT systems, including any NEXT physical facilities.