Accusoft 2018 Type 1 SOC 2 Final Report

May 23, 2018 | Publisher: accusoft | Category: Civic & Government

Proprietary and Confidential

Accusoft Type 1 SOC 2 2018

REPORT ON ACCUSOFT'S DESCRIPTION OF ITS SYSTEM AND ON THE SUITABILITY OF THE DESIGN OF ITS CONTROLS RELEVANT TO SECURITY AND CONFIDENTIALITY

Pursuant to Reporting on Service Organization Controls 2 (SOC 2) Type 1 examination performed under AT-C 105 and AT-C 205

April 15, 2018

Table of Contents

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT
SECTION 2 MANAGEMENT OF ACCUSOFT'S ASSERTION REGARDING ITS SYSTEM AS OF APRIL 15, 2018
SECTION 3 DESCRIPTION OF ACCUSOFT'S SYSTEM AS OF APRIL 15, 2018
  OVERVIEW OF OPERATIONS
    Company Background
    Description of Services Provided
  CONTROL ENVIRONMENT
    Integrity and Ethical Values
    Commitment to Competence
    Management's Philosophy and Operating Style
    Organizational Structure and Assignment of Authority and Responsibility
    Human Resources Policies and Practices
  RISK ASSESSMENT
  TRUST SERVICES PRINCIPLES AND CRITERIA
    COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES
    ADDITIONAL CRITERIA FOR CONFIDENTIALITY
  MONITORING
  INFORMATION AND COMMUNICATION SYSTEMS
  COMPLEMENTARY USER ENTITY CONTROLS
SECTION 4 INFORMATION PROVIDED BY THE SERVICE AUDITOR
  GUIDANCE REGARDING INFORMATION PROVIDED BY THE SERVICE AUDITOR

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT

INDEPENDENT SERVICE AUDITOR'S REPORT ON CONTROLS AT ACCUSOFT RELEVANT TO SECURITY AND CONFIDENTIALITY

To Accusoft:

We have examined the attached description titled "Description of Accusoft's SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018" (the description) and the suitability of the design of controls to meet the criteria for the security and confidentiality principles set forth in TSP section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2016) (AICPA, Technical Practice Aids) (applicable trust services criteria), as of April 15, 2018.

The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of Accusoft's ('Accusoft' or 'the Company') controls are suitably designed, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

Accusoft uses Amazon Web Services ("subservice organization") for cloud hosting services. The description indicates that certain applicable trust services criteria can only be met if controls at the subservice organization are suitably designed. The description presents Accusoft's system; its controls relevant to the applicable trust services criteria; and the types of controls that the service organization expects to be implemented, and suitably designed at the subservice organization to meet certain applicable trust services criteria. The description does not include any of the controls implemented at the subservice organization. Our examination did not extend to the services provided by the subservice organization.

Accusoft has provided the attached assertion titled "Management of Accusoft's Assertion Regarding Its SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018," which is based on the criteria identified in management's assertion.
Accusoft is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of both the description and assertion; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria.

Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in Accusoft's assertion and on the suitability of the design of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed to meet the applicable trust services criteria as of April 15, 2018.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed to meet the applicable trust services criteria. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon.

Because of their nature and inherent limitations, controls at a service organization may not prevent, or detect and correct, all errors or omissions to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail.

In our opinion, in all material respects, based on the description criteria identified in Accusoft's assertion and the applicable trust services criteria:

a. the description fairly presents the system that was designed and implemented as of April 15, 2018, and

b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively as of April 15, 2018, and user entities applied the complementary user-entity controls contemplated in the design of Accusoft's controls as of April 15, 2018, and the subservice organization applied, as of April 15, 2018, the types of controls expected to be implemented at the subservice organization and incorporated in the design of the system.

This report is intended solely for the information and use of Accusoft; user entities of Accusoft's SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

- The nature of the service provided by the service organization.
- How the service organization's system interacts with user entities, subservice organizations, or other parties.
- Internal control and its limitations.
- Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria.
- The applicable trust services criteria.
- The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks.

This report is not intended to be and should not be used by anyone other than these specified parties.

April 16, 2018
Tampa, Florida

SECTION 2 MANAGEMENT OF ACCUSOFT'S ASSERTION REGARDING ITS SYSTEM AS OF APRIL 15, 2018

Management of Accusoft's Assertion Regarding Its System as of April 15, 2018

April 16, 2018

We have prepared the attached description titled "Description of Accusoft's SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018" (the description), based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service organization's system in paragraphs 1.34-.35 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (the description criteria). The description is intended to provide users with information about the SaaS - OnTask and PrizmDoc Hosted Services System, particularly system controls intended to meet the criteria for the security and confidentiality principles set forth in TSP section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2016) (AICPA, Technical Practice Aids) (applicable trust services criteria). We confirm, to the best of our knowledge and belief, that:

a. the description fairly presents the SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018, based on the following description criteria:

i. The description contains the following information:

(1) The types of services provided.

(2) The components of the system used to provide the services, which are the following:
   - Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
   - Software. The application programs and IT systems software that supports application programs (operating systems, middleware, and utilities).
   - People. The personnel involved in governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
   - Processes. The automated and manual procedures.
   - Data. Transaction streams, files, databases, tables, and output used or processed by a system.

(3) The boundaries or aspects of the system covered by the description.

(4) How the system captures and addresses significant events and conditions.

(5) The process used to prepare and deliver reports and other information to user entities or other parties.

(6) If information is provided to, or received from, other parties, how such information is provided or received; the role of the other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.

(7) For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the service organization's system.

(8) Any applicable trust services criteria that are not addressed by a control at the service organization and the reasons therefor.

(9) Other aspects of the service organization's control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria.

(10) Relevant details of changes to the service organization's system during the period covered by the description.

ii. The description does not omit or distort information relevant to the service organization's system while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs.

b. the controls stated in the description were suitably designed throughout the specified period to meet the applicable trust services criteria.

Jack Berlin
CEO
Accusoft

SECTION 3 DESCRIPTION OF ACCUSOFT'S SYSTEM AS OF APRIL 15, 2018

OVERVIEW OF OPERATIONS

Company Background

Accusoft was founded as Pegasus Imaging Corporation in 1991 as a reseller of fractal image compression and decompression toolkits and digital image compression applications. Over the years, the company has made numerous acquisitions and has expanded its portfolio of software offerings to include various document and imaging SDKs and hosted services. Accusoft provides a full range of tools that help build document management solutions in a variety of industries including Financial, Government, Legal, and Healthcare.

Description of Services Provided

OnTask and PrizmDoc Cloud are both cloud-based applications. OnTask is a web-based workflow automation solution that allows customers to make better use of their most valuable resource: their time.
PrizmDoc is a suite of web services, accessed using REST APIs, that provide document and image processing functionality for the application, including:

- Viewing
- Annotation
- Redaction
- Compression
- OCR
- Forms with AutoField Detection
- Watermarking
- Conversion

Infrastructure

Primary infrastructure used to provide Accusoft's OnTask and PrizmDoc system includes the following:

Primary Infrastructure (Hardware / Type / Purpose)
- Virtual Instances / AWS / Runs application code and web server
- Databases / AWS / Houses application data
- Object Storage / AWS / Stores document data

Software

Primary software used to provide Accusoft's OnTask and PrizmDoc system includes the following:

Primary Software (Software / Operating System / Purpose)
- AWS / Linux and Windows / Provides virtual cloud infrastructure for hosting applications
- Zabbix / Linux / Monitoring application used to provide monitoring, alert and notification services for hosted applications
- AWS RDS / (none listed) / Provides database services

People

The Accusoft staff provides support for the above services in each of the following functional areas:

- Executive management: provides general oversight and strategic planning of operations
- Development team: responsible for delivering a responsive system that fully complies with the functional specification
- Quality assurance team: verifies that the system complies with the functional specification through functional testing procedures
- System administrators: responsible for effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software relevant to the system
- Customer Support: serves customers by providing product and service information, including resolving product and service issues

Processes

Formal IT policies and procedures exist that describe physical security, logical access, computer operations, change control, and data communication standards.
All teams are expected to adhere to the Accusoft policies and procedures that define how services should be delivered. These are located on the Company's intranet and can be accessed by any Accusoft team member.

Physical Security

Purpose: The purpose of the Building Security Policy is to outline the many resources Accusoft utilizes to keep the building and employees safe.

Key Access: All employees who are issued keys or key cards to the office are responsible for their safekeeping. These employees sign an Acknowledgement of Receipt form upon receiving the key (see Onboarding Procedure).

Alarms: Alarms supplied by TYCO are located by the rear parking lot entrance at HQ, at the east and west entrances at West Annex, and at the east and west entrances at East Annex. To arm or disarm the alarm systems, refer to Arming/Disarming Alarm.

Gates: A gate is installed at the parking lot entrance on Poplar Street and is required to be locked at all times. Access to this parking lot through this gate is only permitted for deliveries or construction. To open or close it, see Gate Procedure.

Security Cameras: Accusoft has eight (8) security cameras at West Annex, eight (8) security cameras at East Annex, and seven (7) around the entrances and premises of HQ used to monitor the facilities. Security cameras are supervised by the IS department.

Intercom System: Entry into the Tampa buildings is triggered by the intercom system. Access can be given by the receptionist and the Accounting Department by picking up the phone, asking who it is, and, if they are allowed entry, pressing. Once identity and purpose are verified, entry may be granted.

Logical Access

Accusoft uses a role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources. Resources are protected through the use of native system security and add-on software products that identify and authenticate users and validate access requests against the users' authorized roles in access control lists.

Employees and approved vendor personnel sign on to the Accusoft network using an Active Directory user ID and password. Users are also required to separately sign on to any systems or applications that do not use the shared sign-on functionality of Active Directory. Passwords must conform to defined password standards, which are enforced through parameter settings in Active Directory. These settings are part of the configuration standards; they disable the user ID's ability to access the system and components after a specified number of unsuccessful access attempts, and mask workstation screens after a period of inactivity, requiring reentry of the user ID and password.

Upon hire, employees are assigned to a position in the HR management system. Seven days prior to the employee's start date, HR creates a report of employee user IDs to be created and access to be granted. The report is used by the IT help desk to create user IDs and access rules. Access rules have been pre-defined based on the defined roles. The system lists also include employees with position changes and the associated roles to be changed within the access rules.

On a bi-annual basis, access rules for each role are reviewed by a working group composed of IT help desk, product managers, and HR personnel. In evaluating role access, group members consider job description, duties requiring segregation, and risks associated with access.

HR generates a list of terminated employees on a daily basis. This daily report is used by the IT help desk to delete employee access. On a bi-annual basis, HR runs a list of active employees. The IT help desk uses this list to suspend user IDs and delete all access roles from IDs belonging to terminated employees.
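The provisioning and termination procedure above is a joiner/mover/leaver control whose weak point, in practice, is the reconciliation between the HR source of truth and the directory: a daily termination feed only catches accounts it already knows about, and the periodic comparison against the active-employee list is what finds everything else. The following Python is an added example, not code from the report or from Accusoft: it runs both checks over constructed HR and directory exports. The CSV layouts, the field names (employee_id, sam_account, enabled, roles) and the sample rows are assumptions, not anything the report specifies.

```python
"""Reconcile an HR roster against directory accounts.

Added example, not Accusoft's code. Models two controls from the report:
the daily terminated-employee feed used to remove access, and the
bi-annual comparison of the active-employee list against user IDs.
CSV layouts, field names and rows below are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed HR export: one row per employee with current status.
HR_EXPORT = """employee_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2018-04-10
1003,Carol Example,active,
1004,Dan Example,terminated,2018-03-01
"""

# Constructed directory export (e.g. an Active Directory dump). employee_id
# links an account to its HR record; an empty employee_id marks a
# non-person account (service or vendor). roles is ';'-separated.
DIRECTORY_EXPORT = """sam_account,employee_id,enabled,roles
aexample,1001,true,Developer
bexample,1002,true,Developer;ProdDeploy
cexample,1003,false,QA
dexample,1004,false,
svc_zabbix,,true,Monitoring
eexample,1005,true,Support
"""


@dataclass
class Finding:
    account: str
    action: str        # what the help desk should do with the account
    reason: str
    roles: list = field(default_factory=list)


def load_hr(text):
    """Index HR rows by employee_id."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}


def load_directory(text):
    return list(csv.DictReader(io.StringIO(text)))


def _roles(account):
    return [r for r in account["roles"].split(";") if r]


def daily_terminations(hr, directory, as_of):
    """Daily feed: enabled accounts whose owner HR shows as terminated on or
    before `as_of` (ISO date string). These are the accounts to disable today."""
    cutoff = date.fromisoformat(as_of)
    findings = []
    for acct in directory:
        emp = hr.get(acct["employee_id"])
        if emp is None or emp["status"] != "terminated":
            continue
        terminated = date.fromisoformat(emp["termination_date"])
        if terminated <= cutoff and acct["enabled"] == "true":
            findings.append(Finding(acct["sam_account"], "disable",
                                    f"terminated {terminated}, account still enabled",
                                    _roles(acct)))
    return findings


def periodic_reconciliation(hr, directory):
    """Bi-annual check against the full active-employee list. Catches what the
    daily feed misses: terminated owners who kept roles after being disabled,
    accounts tied to an employee_id HR has never heard of, and enabled
    non-person accounts that need an owner confirmed."""
    findings = []
    for acct in directory:
        roles = _roles(acct)
        emp_id = acct["employee_id"]
        if not emp_id:
            if acct["enabled"] == "true":
                findings.append(Finding(acct["sam_account"], "review",
                                        "no employee_id; confirm owner of non-person account", roles))
            continue
        emp = hr.get(emp_id)
        if emp is None:
            findings.append(Finding(acct["sam_account"], "suspend",
                                    "employee_id unknown to HR", roles))
        elif emp["status"] == "terminated" and (roles or acct["enabled"] == "true"):
            findings.append(Finding(acct["sam_account"], "suspend_and_strip_roles",
                                    "terminated employee still enabled or holding roles", roles))
    return findings


if __name__ == "__main__":
    hr = load_hr(HR_EXPORT)
    directory = load_directory(DIRECTORY_EXPORT)
    for f in daily_terminations(hr, directory, "2018-04-15"):
        print("DAILY   ", f.account, f.action, f.reason, f.roles)
    for f in periodic_reconciliation(hr, directory):
        print("PERIODIC", f.account, f.action, f.reason, f.roles)
```

The two checks deliberately propose different actions. The daily feed only ever proposes disabling, the reversible step a help desk can take from an automated report; the periodic reconciliation is where role removal and the review of orphaned or non-person accounts happen, matching the split the report describes between the daily termination list and the bi-annual active-employee list.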
Computer Operations - Backups

Customer data is backed up and replicated via AWS RDS automated backup and S3 system redundancy.

Computer Operations - Availability

The incident response policy and procedure at Accusoft is designed to ensure rapid response to and remediation of any information technology incidents. As part of Accusoft's incident response there is a post-mortem step where the response team reviews the issue, analyzes the response, and identifies system and software improvements to prevent a future incident.

Accusoft uses Amazon Web Services (AWS) to support the OnTask and PrizmDoc Cloud products. AWS provides auto scaling, load balancing and monitoring of Accusoft's cloud infrastructure. Resource stability, capacity and load are monitored and managed using common AWS practices.

Change Control

Accusoft has a documented Scrum process used to guide personnel in documenting and implementing application and infrastructure changes. Change control procedures include change request and initiation processes, documentation requirements, development practices, quality assurance testing requirements, and required approval procedures. JIRA is utilized to document the change control procedures for changes in the application and the implementation of new changes. Quality assurance testing results are documented and maintained with the associated change request. Development and testing are performed in an environment that is logically separated from the production environment. The Scrum team approves changes prior to migration to the production environment.

Data Communications

Firewall systems are in place to filter unauthorized inbound network traffic from the Internet and deny any type of network connection that is not explicitly authorized. Network address translation (NAT) functionality is utilized to manage internal IP addresses. Administrative access to the firewall is restricted to authorized employees.

Redundancy is built into the system infrastructure supporting the data center services to help ensure that there is no single point of failure; this includes firewalls, routers, and servers. In the event that a primary system fails, the redundant hardware is configured to take its place.

Authorized employees may access the system from the Internet through the use of SSL VPN technology. Employees are authenticated through the use of Active Directory authentication.

Data

Customer data is managed, stored and processed in accordance with the confidentiality and privacy policies for each product. Customer data is captured and utilized by Accusoft in delivering its PrizmDoc Cloud and OnTask services. Such data includes, but is not limited to, the following:

- Email addresses
- First and last name
- Documents used in transactions with the system
- User data entered into workflows

Boundaries of the System

The scope of this report includes the OnTask and PrizmDoc Cloud services provided by Accusoft. This report does not include the hosting services provided by AWS facilities.

Significant Events and Conditions

Accusoft has implemented health checks, CloudWatch alerts, dashboards, Zabbix alerts and AWS logging to detect, monitor and capture incidents. Please see the attached documentation for information on these items.

Preparation and Delivery of Reports and Data

Accusoft utilizes the services and procedures described above to capture, prepare, and deliver reports and other information (described in the Data section above) to user entities and other parties.

Subservice Organizations

The cloud hosting services provided by AWS are monitored by management; however, they have not been included in the scope of this review. The following criteria and controls are expected to be implemented by AWS.

Subservice Organization Controls (Principle / Criteria / Applicable Controls)
- Security / CC5.5 / Physical access to facilities housing the production system is restricted to authorized personnel

Criteria Not Applicable to the System

All common Security and Confidentiality criteria were applicable to the Accusoft OnTask and PrizmDoc Cloud system.

Significant Changes in the Last 12 Months

OnTask has developed and released the following items to its users in the last 12 months:
- The ability to edit, comment and suggest on documents
- A self-service module where customers can sign up and start using OnTask services

PrizmDoc Cloud has developed and released the following items to its users in the last 12 months:
- A new version of the base PrizmDoc product with additional APIs and tools
- A new portal for end users to manage their transactions and accounts

CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Accusoft's control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Accusoft's ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well as by example.
Specific control activities that the service organization has implemented in this area are described below:

- Formally documented organizational policy statements and codes of conduct communicate entity values and behavioral standards to personnel
- Policies and procedures require employees to sign an acknowledgment form indicating they have been given access to the employee manual and understand their responsibility for adhering to the policies and procedures contained within the manual
- A confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties is a component of the employee handbook
- Background checks are performed for employees as a component of the hiring process

Commitment to Competence

Accusoft's management defines competence as the knowledge and skills necessary to accomplish tasks that define employees' roles and responsibilities. Management's commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge.

Specific control activities that the service organization has implemented in this area are described below:

- Management has considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements
- Training is provided to maintain the skill level of personnel in certain positions

Management's Philosophy and Operating Style

Accusoft's management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management's approach to taking and monitoring business risks, and management's attitudes toward information processing, accounting functions, and personnel.

Specific control activities that the service organization has implemented in this area are described below:

- Management is periodically briefed on regulatory and industry changes affecting the services provided
- Executive management meetings are held to discuss major initiatives and issues that affect the business as a whole

Organizational Structure and Assignment of Authority and Responsibility

Accusoft's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Management believes establishing a relevant organizational structure includes considering key areas of authority and responsibility. An organizational structure has been developed to suit its needs. This organizational structure is based, in part, on its size and the nature of its activities.

Accusoft's assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge, and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

Organizational charts are in place to communicate key areas of authority and responsibility. These charts are communicated to employees and updated as needed.

Human Resources Policies and Practices

Accusoft's success is founded on sound business ethics, reinforced with a high level of efficiency, integrity, and ethical standards. The result of this success is evidenced by its proven track record for hiring and retaining top quality personnel who ensure the service organization is operating at maximum efficiency. Accusoft's human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities.

Specific control activities that the service organization has implemented in this area are described below:

- New employees are required to sign acknowledgement forms for the employee handbook and a confidentiality agreement following new hire orientation on their first day of employment
- Evaluations for each employee are performed on an annual basis
- Employee termination procedures are in place to guide the termination process and are documented in a termination checklist

RISK ASSESSMENT

Risk assessments are conducted on an annual basis. When conducting a risk assessment, each risk will be added to the Risk Register. The Risk Register will track the following items:

- Risk Description: Descriptive text identifying the risk
- Impact: An impact score on a scale of 1-5, with 1 being the lowest and 5 the highest. An example of a 1 would be a single user getting an occasional error but being able to proceed with their work. An example of a 5 would be all systems being down with no way for customers to work
- Likelihood: How likely the event is to happen, on a scale of 1-5, with 1 being very unlikely and 5 being very likely. An example of a 1 would be the Tampa office being hit by a tsunami. An example of a 5 would be the electricity going out in the Tampa office
- Severity: Impact multiplied by Likelihood
- Mitigating Action: Actions that can be taken to mitigate the risk
- Status: The status of any mitigating actions for the identified risk

Each risk will then be assessed for its impact and likelihood as outlined above. These ratings will be multiplied together to calculate the overall severity of each risk in the register. Risks will then be ranked in order of severity from highest to lowest and triaged in that order. During the triage process the risk assessment team will add mitigating actions designed to minimize the risk. After the risk assessment is complete, the appropriate JIRA stories and IT tickets will be created for the mitigation actions so they can be prioritized with the Product Management Team and executed. Items created in JIRA should have the label Risk Assessment with the year of the assessment. The risk team will update the risk assessment when items assigned to their product team are completed.

TRUST SERVICES PRINCIPLES AND CRITERIA

In-Scope Trust Services Principles

Common Criteria (to all Security and Confidentiality Principles)

The security principle refers to the protection of the system resources through logical and physical access control measures in order to enable the entity to meet its commitments and system requirements related to security, availability, processing integrity, confidentiality, and privacy. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.

Confidentiality

The confidentiality principle addresses the system's ability to protect information designated as confidential, including its final disposition and removal from the system in accordance with management's commitments and system requirements.
Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention, and restrict its disclosure to defined parties (including those who may otherwise have authorized access within the boundaries of the system). Such requirements may be contained in laws or regulations, or commitments in user contracts. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that the privacy applies only to personal information, while the confidentiality principle applies to various types of sensitive information. In addition, the privacy principle addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property. Integration with Risk Assessment The environment in which the system operates; the commitments, agreements, and responsibilities of Accusoft's OnTask and PrizmDoc system; as well as the nature of the components of the system result in risks that the criteria will not be met. Accusoft addresses these risks through the implementation of suitably designed controls to provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, Accusoft's management identifies the specific risks that the criteria will not be met and the controls necessary to address those risks. 
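The Risk Register, scoring and triage flow from the RISK ASSESSMENT section above, written out as an added Python example (not Accusoft's own tooling): the field names, the 1-5 scales, severity as impact multiplied by likelihood, highest-first triage and the JIRA label "Risk Assessment <year>" follow the report, while the class names, the status values and the sample risks are assumptions.

```python
"""Risk register for the annual risk assessment described in the report.
Added example, not Accusoft's own tooling: field names, 1-5 scales,
severity = impact x likelihood, highest-first triage and the JIRA label
"Risk Assessment <year>" follow the text; class names, status values and
the sample risks are assumed."""
from dataclasses import dataclass, field


def valid_score(score) -> bool:
    """Impact and likelihood are whole numbers from 1 (lowest) to 5 (highest)."""
    return isinstance(score, int) and 1 <= score <= 5


@dataclass
class Risk:
    description: str          # Risk Description
    impact: int               # Impact, 1-5
    likelihood: int           # Likelihood, 1-5
    mitigating_actions: list = field(default_factory=list)  # Mitigating Action
    status: str = "Open"      # Status of mitigating actions (assumed vocabulary)

    def __post_init__(self):
        if not valid_score(self.impact) or not valid_score(self.likelihood):
            raise ValueError(
                f"impact/likelihood must be integers 1-5: {self.impact}, {self.likelihood}")

    @property
    def severity(self) -> int:
        # Severity - Impact multiplied by the Likelihood (so 1..25)
        return self.impact * self.likelihood


class RiskRegister:
    def __init__(self, year: int):
        self.year = year
        self.risks: list[Risk] = []

    @property
    def jira_label(self) -> str:
        # Items created in JIRA carry the label "Risk Assessment <year>"
        return f"Risk Assessment {self.year}"

    def add(self, risk: Risk) -> None:
        self.risks.append(risk)

    def ranked(self) -> list[Risk]:
        """Risks ordered from highest to lowest severity; triage follows this order."""
        return sorted(self.risks, key=lambda r: r.severity, reverse=True)

    def triage(self, proposed_actions: dict[str, list[str]]) -> list[dict]:
        """Walk the register in severity order, attach the mitigating actions the
        risk assessment team chose, and emit one ticket stub per action so the
        stories can be prioritised with the Product Management Team."""
        tickets = []
        for risk in self.ranked():
            for action in proposed_actions.get(risk.description, []):
                risk.mitigating_actions.append(action)
                risk.status = "In Progress"
                tickets.append({"summary": action, "risk": risk.description,
                                "severity": risk.severity, "label": self.jira_label})
        return tickets

    def complete(self, description: str) -> None:
        """The risk team updates the register once the product team's items are done."""
        for risk in self.risks:
            if risk.description == description:
                risk.status = "Mitigated"


def build_sample_register() -> RiskRegister:
    """Constructed sample risks, scored with the report's own scale examples."""
    reg = RiskRegister(2018)
    reg.add(Risk("Single user sees an occasional error but can proceed", impact=1, likelihood=3))
    reg.add(Risk("Electricity goes out in the Tampa office", impact=3, likelihood=5))
    reg.add(Risk("Tampa office is hit by a tsunami", impact=5, likelihood=1))
    reg.add(Risk("All systems down, customers cannot work", impact=5, likelihood=2))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.ranked():
        print(f"{r.severity:2d}  {r.description}")
    for t in register.triage({"Electricity goes out in the Tampa office": ["Add UPS to server room"]}):
        print(t)
```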
Control Activities Specified by the Service Organization

COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC1.0 Common Criteria Related to Organization and Management

CC1.1
Criteria: The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- A documented organizational chart is in place to communicate organizational structures, lines of reporting, and areas of authority.
- Reporting relationships and organizational structures are reviewed as needed by management.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Management reviews job descriptions on an as needed basis and makes updates, if necessary.

CC1.2
Criteria: Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- A documented organizational chart is in place to assign responsibility and delegate lines of authority to personnel.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Management reviews job descriptions on an as needed basis and makes updates, if necessary.

CC1.3
Criteria: The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security and confidentiality and provides resources necessary for personnel to fulfill their responsibilities.
Control activities specified by the service organization:
- Job requirements are documented in the job descriptions and candidates' abilities to meet these requirements are evaluated as part of the hiring or transfer evaluation process.
- The experience and training of candidates for employment or transfer are evaluated before they assume the responsibilities of their position.
- Employee evaluations are performed for employees on an annual basis.
- Employees are required to read and acknowledge information security policies/complete information security training upon hire and complete training on an annual basis as a part of training compliance.
- Management documents skills and continued training to establish the organization's commitments and requirements for employees.
- Management tracks and monitors compliance with training requirements.

CC1.4
Criteria: The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- An employee handbook and code of conduct are documented to communicate workforce conduct standards and enforcement procedures.
- Personnel are required to sign and accept the employee handbook and code of conduct upon hire.
- Personnel are required to complete a background check provided by a third-party vendor upon hire.
COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC2.0 Common Criteria Related to Communications

CC2.1
Criteria: Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.
Control activities specified by the service organization:
- System descriptions that delineate the boundaries of the system and describe relevant system components are communicated to authorized external users via the company website.
- A description of the system delineating the boundaries of the system is posted on a secure network drive and is available to personnel.
- A documented organizational chart is in place to communicate organizational structures, lines of reporting, and areas of authority.
- Reporting relationships and organizational structures are reviewed as needed by management.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Customer responsibilities are outlined and communicated through the company website.

CC2.2
Criteria: The entity's security and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.
Control activities specified by the service organization:
- Security and confidentiality commitments are communicated to external users via the company website.
- Policies and procedures are documented for significant processes and are available on the entity's intranet.
- Employees are required to read and acknowledge information security policies/complete information security training upon hire and complete training on an annual basis as a part of training compliance.
- Personnel are required to sign and accept the employee handbook and code of conduct upon hire.

CC2.3
Criteria: The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.
Control activities specified by the service organization:
- Policies and procedures are documented for significant processes and are available on the entity's intranet.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Management reviews job descriptions on an as needed basis and makes updates, if necessary.
- Personnel are required to attend annual security and confidentiality training.
- Customer responsibilities are outlined and communicated through the company website.

CC2.4
Criteria: Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security and confidentiality of the system, is provided to personnel to carry out their responsibilities.
Control activities specified by the service organization:
- Processes are monitored through service level management procedures to help ensure compliance with service level commitments and agreements.
- Employees are required to read and acknowledge information security policies/complete information security training upon hire and complete training on an annual basis as a part of training compliance.

CC2.5
Criteria: Internal and external users have been provided with information on how to report security and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
Control activities specified by the service organization:
- The organization's security policies and code of conduct are communicated to employees in the employee handbook.
- Documented incident response policies and procedures are in place to guide personnel in the event of an incident.
- Policies and procedures are in place to guide personnel in the handling of customer support.
- Customer support is available to external users via the company website.

CC2.6
Criteria: System changes that affect internal and external users' responsibilities or the entity's commitments and system requirements relevant to security and confidentiality are communicated to those users in a timely manner.
Control activities specified by the service organization:
- System changes are authorized, tested, and approved by management prior to implementation.
- Changes are communicated to both internal and external users.

COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls

CC3.1
Criteria: The entity (1) identifies potential threats that could impair system security and confidentiality commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks.
Control activities specified by the service organization:
- A master list of the entity's system components is maintained, accounting for additions and removals, for management's use.
- Documented policies and procedures are in place to guide personnel when performing the risk assessment process.
- A formal risk assessment is performed on an annual basis to identify threats that could impair systems security and confidentiality commitments and requirements.
- Identified risks are rated using a risk evaluation process and ratings are reviewed by management.

CC3.2
Criteria: The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy; reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities; and updates the controls, as necessary.
Control activities specified by the service organization:
- Management has defined a formal risk management process that specifies the process for evaluating risks based on identified threats and the specified tolerances.
- Disaster recovery plans are in place and tested on an annual basis.
- Management develops risk mitigation strategies to address risks identified during the risk assessment process.

COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC4.0 Common Criteria Related to Monitoring Controls

CC4.1
Criteria: The design and operating effectiveness of controls are periodically evaluated against the entity's commitments and system requirements as they relate to security and confidentiality, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
Control activities specified by the service organization:
- Control self-assessments that include, but are not limited to, physical and logical access reviews, and backup restoration tests are performed on a bi-annual basis.
- Monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity.
- The monitoring software is configured to alert IT personnel when thresholds have been exceeded.
COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC5.0 Common Criteria Related to Logical and Physical Access Controls

CC5.1
Criteria: Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- Documented policies and procedures are in place regarding systems authentication, access, and security monitoring.
- Logical and physical access to systems is granted to an employee as a component of the hiring process.
- Logical and physical access to systems is revoked as a component of the termination process.
Network:
- Network user access is restricted via role based security privileges defined within the access control system.
- Network administrative access is restricted to user accounts accessible by authorized personnel.
- Network users are authenticated via individually-assigned user accounts and passwords.
- Networks are configured to enforce password requirements that include: password history, password length, and complexity.
- Network account lockout policies are in place that include: account lockout duration, account lockout threshold, and account lockout counter reset.
- Network audit policy configurations are in place that include: account logon events and account management.
- Network access reviews are completed by management on a bi-annual basis.
Database:
- Database user access is restricted via role based security privileges defined within the access control system.
- Database administrative access is restricted to user accounts accessible by authorized personnel.
- Database users are authenticated via individually-assigned user accounts and passwords.
- Databases are configured to enforce password requirements that include: password length and complexity.
- Database access reviews are completed by management on a bi-annual basis.
Application:
- Application user access is restricted via role based security privileges defined within the access control system.
- Application administrative access is restricted to user accounts accessible by authorized personnel.
- Application users are authenticated via individually-assigned user accounts and passwords.
- The application is configured to enforce password requirements that include: password history, password length, and complexity.
- Application account lockout policies are in place that include: account lockout duration, account lockout threshold, and account lockout counter reset.
- Application access reviews are completed by management on a bi-annual basis.
Remote Access:
- Policies and procedures are in place to guide personnel in the use of remote access.
- VPN user access is restricted via role based security privileges defined within the access control system.
- The ability to administer VPN access is restricted to user accounts accessible by authorized personnel.
- VPN users are authenticated via active directory authentication prior to being granted remote access to the system.
- Privileged access to sensitive resources is restricted to defined user roles.

CC5.2
Criteria: New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity's commitments and system requirements as they relate to security and confidentiality. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Control activities specified by the service organization:
- Documented policies and procedures are in place regarding systems authentication, access, and security monitoring.
- Logical and physical access to systems is granted to an employee as a component of the hiring process.
- Logical and physical access to systems is revoked as a component of the termination process.
- Control self-assessments that include, but are not limited to, physical and logical access reviews, and backup restoration tests are performed on a bi-annual basis.

CC5.3
Criteria: Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- Documented policies and procedures are in place regarding systems authentication, access, and security monitoring.
- Logical and physical access to systems is granted to an employee as a component of the hiring process.
Network:
- Network user access is restricted via role based security privileges defined within the access control system.
- Network administrative access is restricted to user accounts accessible by authorized personnel.
- Network users are authenticated via individually-assigned user accounts and passwords.
- Networks are configured to enforce password requirements that include: password history, password length, and complexity.
- Network account lockout policies are in place that include: account lockout duration, account lockout threshold, and account lockout counter reset.
- Network audit policy configurations are in place that include: account logon events and account management.
- Network access reviews are completed by management on a bi-annual basis.
Database:
- Database user access is restricted via role based security privileges defined within the access control system.
- Database administrative access is restricted to user accounts accessible by authorized personnel.
- Database users are authenticated via individually-assigned user accounts and passwords.
- Databases are configured to enforce password requirements that include: password length and complexity.
- Database access reviews are completed by management on a bi-annual basis.
Application:
- Application user access is restricted via role based security privileges defined within the access control system.
- Application administrative access is restricted to user accounts accessible by authorized personnel.
- Application users are authenticated via individually-assigned user accounts and passwords.
- The application is configured to enforce password requirements that include: password history, password length, and complexity.
- Application account lockout policies are in place that include: account lockout duration, account lockout threshold, and account lockout counter reset.
- Application access reviews are completed by management on a bi-annual basis.
Remote Access:
- Policies and procedures are in place to guide personnel in the use of remote access.
- VPN user access is restricted via role based security privileges defined within the access control system.
- The ability to administer VPN access is restricted to user accounts accessible by authorized personnel.
- VPN users are authenticated via active directory authentication prior to being granted remote access to the system.
- Users can only access the production server remotely through the use of the VPN, secure sockets layer (SSL), or other encrypted communication system.

CC5.4
Criteria: Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- Documented policies and procedures are in place regarding systems authentication, access, and security monitoring.
- Logical and physical access to systems is granted to an employee as a component of the hiring process.
- Logical and physical access to systems is revoked as a component of the termination process.
- Control self-assessments that include, but are not limited to, physical and logical access reviews, and backup restoration tests are performed on a bi-annual basis.

CC5.5
Criteria: Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- Not Applicable - Accusoft's production systems are hosted in AWS. Physical access controls over production systems are the responsibility of the third-party service provider.
- Policies and procedures are in place to guide personnel in physical security activities.
- A manned reception desk is in place to monitor and control access to the entrance of the office facility during standard business hours.
- A badge access system controls access to and within the office facility.
- Personnel are assigned to predefined badge access security zones based on job responsibilities.
- The badge access system logs successful and failed access attempts. The logs can be pulled for review if necessary.
- The ability to request badge access changes is restricted to authorized personnel.
- Physical access to systems is granted to an employee as a component of the hiring process.
- Access to the server room is restricted to authorized personnel with key code access.
- A video surveillance system is in place to monitor the facility and access to the server room.
- Visitors to the facility and server room are required to be escorted by an authorized employee.
- Physical access privileges to the corporate office facility are revoked as a component of the termination process.
- User access to the badge access system is reviewed on a bi-annual basis.

CC5.6
Criteria: Logical access security measures have been implemented to protect against security and confidentiality threats from sources outside the boundaries of the system to meet the entity's commitments and system requirements.
Control activities specified by the service organization:
- A firewall is in place to filter unauthorized inbound network traffic from the internet.
- The firewall system is configured to deny any type of network connection that is not explicitly authorized by a firewall system rule.
- Externally routable IP addresses are not assigned to production processing servers.
- Network address translation (NAT) functionality is utilized to manage internal IP addresses.
- Server certificate-based authentication is used as part of the SSL/TLS encryption with a trusted certificate authority.
- Remote connectivity users are authenticated via an authorized user account and password before establishing a VPN session.

CC5.7
Criteria: The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- VPN, SSL, secure file transfer program (SFTP), and other encryption technologies are used for defined points of connectivity.
- The ability to recall backed up data is restricted to authorized personnel.

CC5.8
Criteria: Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- The ability to migrate changes into the production environment is restricted to authorized and appropriate users.
- Antivirus software is installed on workstations to detect and prevent the transmission of data or files that contain certain virus signatures recognized by the anti-virus software.
- The antivirus software is configured to scan workstations while the system is idle.
- The antivirus software provider pushes updates to the installed anti-virus software as new updates/signatures are available.

COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC6.0 Common Criteria Related to System Operations

CC6.1
Criteria: Vulnerabilities of system components to security and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- Monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity.
- The monitoring software is configured to alert IT personnel when thresholds have been exceeded.
- Documented incident response policies and procedures are in place to guide personnel in the event of an incident.
- An automated backup system is utilized to perform scheduled system backups.
- Full backups of the database components are performed on a daily basis.
- IT personnel monitor the success or failure of backups, and are notified of backup job status via email notifications.
- Antivirus software is installed on workstations to detect and prevent the transmission of data or files that contain certain virus signatures recognized by the anti-virus software.
- The antivirus software is configured to scan workstations while the system is idle.
- The antivirus software provider pushes updates to the installed anti-virus software as new updates/signatures are available.
- A firewall is in place to filter unauthorized inbound network traffic from the internet.
- The firewall system is configured to deny any type of network connection that is not explicitly authorized by a firewall system rule.

CC6.2
Criteria: Security and confidentiality incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity's commitments and system requirements.
Control activities specified by the service organization:
- Documented incident response policies and procedures are in place to guide personnel in the event of an incident.
- A ticket tracking application is utilized to track and respond to incidents.
- Resolution of events is communicated to users within the corresponding ticket.
- Change management requests are opened for events that require permanent fixes.
- Entity policies include termination as a potential sanction for employee misconduct.

COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC7.0 Common Criteria Related to Change Management

CC7.1
Criteria: The entity's commitments and system requirements, as they relate to security and confidentiality, are addressed during the system development lifecycle, including the authorization, design, acquisition, implementation, configuration, testing, modification, approval, and maintenance of system components.
Control activities specified by the service organization:
- Documented change control policies and procedures are in place to guide personnel in the handling of system changes.
- System changes are authorized, tested, and approved by management prior to implementation.

CC7.2
Criteria: Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- Management has defined a formal risk management process that specifies the process for evaluating risks based on identified threats and the specified tolerances.
- A formal risk assessment is performed on an annual basis to identify threats that could impair systems security and confidentiality commitments and requirements.
- Identified risks are rated using a risk evaluation process and ratings are reviewed by management.
- Management develops risk mitigation strategies to address risks identified during the risk assessment process.

CC7.3
Criteria: Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control activities specified by the service organization:
- Documented escalation procedures for reporting security incidents are in place to guide users in identifying and reporting failures, incidents, concerns, and other complaints.
- Incidents are documented and tracked in a standardized ticketing system and updated to reflect the planned incident and problem resolution.

CC7.4
Criteria: Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity's security and confidentiality commitments and system requirements.
Control activities specified by the service organization:
- Documented change control policies and procedures are in place to guide personnel in the handling of system changes.
- System change requests are documented and tracked in a ticketing system.
- System changes are tested prior to implementation. Types of testing performed depend on the nature of the change.
- Changes are approved by management prior to implementation.
- Changes are communicated to both internal and external users.
- Development and test environments are physically and logically separated from the production environment.
- Access to implement changes in the production environment is restricted to authorized IT personnel.
- Prior code is held in the repository for rollback capability in the event that a system change does not function as designed.
- The change management process has defined the following roles and assignments:
  Authorization of change requests - Product Manager
  Development - application design and support department
  Testing - quality assurance department
  Implementation - Lead Engineer

C1.0 ADDITIONAL CRITERIA FOR CONFIDENTIALITY

C1.1
Criteria: Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity's confidentiality commitments and system requirements.
Control activities specified by the service organization:
- Customer data is protected from loss, misuse, unauthorized access or disclosure, alteration or destruction per the privacy policy posted on the company webpage.

C1.2
Criteria: Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity's confidentiality commitments and system requirements.
Control activities specified by the service organization:
- Documented policies and procedures are in place regarding systems authentication, access, and security monitoring.
- Logical and physical access to systems is granted to an employee as a component of the hiring process.
- Logical and physical access to systems is revoked as a component of the termination process.
Network:
- Network user access is restricted via role based security privileges defined within the access control system.
- Network administrative access is restricted to user accounts accessible by authorized personnel.
- Network users are authenticated via individually-assigned user accounts and passwords.
- Networks are configured to enforce password requirements that include: password history, password length, and complexity.
- Network account lockout policies are in place that include: account lockout duration, account lockout threshold, and account lockout counter reset.
- Network audit policy configurations are in place that include: account logon events and account management.
- Network access reviews are completed by management on a bi-annual basis.
Database:
- Database user access is restricted via role based security privileges defined within the access control system.
- Database administrative access is restricted to user accounts accessible by authorized personnel.
- Database users are authenticated via individually-assigned user accounts and passwords.
- Databases are configured to enforce password requirements that include: password length and complexity.
- Database access reviews are completed by management on a bi-annual basis.
Application:
- Application user access is restricted via role based security privileges defined within the access control system.
- Application administrative access is restricted to user accounts accessible by authorized personnel.
- Application users are authenticated via individually-assigned user accounts and passwords.
- The application is configured to enforce password requirements that include: password history, password length, and complexity.
- Application account lockout policies are in place that include: account lockout duration, account lockout threshold, and account lockout counter reset.
- Application access reviews are completed by management on a bi-annual basis.
Remote Access:
- Policies and procedures are in place to guide personnel in the use of remote access.
- VPN user access is restricted via role based security privileges defined within the access control system.
- The ability to administer VPN access is restricted to user accounts accessible by authorized personnel.
- VPN users are authenticated via active directory authentication prior to being granted remote access to the system.
Training:
- Awareness training is provided to personnel around the policy and usage of personal information.

C1.3
Criteria: Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity's confidentiality commitments and system requirements.
Control activities specified by the service organization:
- Application security restricts output to approved roles or user IDs.
- Server certificate-based authentication is used as part of the SSL/TLS encryption with a trusted certificate authority.
- Logical access to stored data is restricted to application and database administrators.
- A policy is in place to guide personnel in the limited use of removable media and to mandate that it be encrypted.

C1.4
Criteria: The entity obtains confidentiality commitments that are consistent with the entity's confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.
Security and confidentiality commitments regarding the system are included on the company website. C1.5 Compliance with the entity's confidentiality commitments and system requirements by vendors and others third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary. Related party and vendor systems are subject to review as part of the vendor risk management process. Attestation reports (SOC 2 reports) are obtained and evaluated when available. C1.6 Changes to the entity's confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system. Changes to confidentiality policies are updated to the company website as they become available. Related party and vendor systems are subject to review as part of the vendor risk management process. Attestation reports (SOC 2 reports) are obtained and evaluated when available. C1.7 The entity retains confidential information to meet the entity's confidentiality commitments and system requirements. The entity establishes written policies related to retention periods for the confidential information it maintains. Confidential information is maintained in locations restricted to those authorized to access. C1.8 The entity disposes of confidential information to meet the entity's confidentiality commitments and system requirements. The entity establishes written policies related to the disposal of the confidential information it maintains. Proprietary and Confidential 35 MONITORING Management monitors controls to ensure that they are operating as intended and that controls are modified as conditions change. Accusoft's management performs monitoring activities to continuously assess the quality of internal control over time. 
Necessary corrective actions are taken as required to correct deviations from company policies and procedures. Employee activity and adherence to company policies and procedures is also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. On-Going Monitoring Accusoft's management conducts quality assurance monitoring on a regular basis and additional training is provided based upon results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings and informal notifications. Reporting Deficiencies Management's close involvement in Accusoft's operations helps to identify significant variances from expectations regarding internal controls. Upper management evaluates the facts and circumstances related to any suspected control breakdown. A decision for addressing any control's weakness is made based on whether the incident was isolated or requires a change in the company's procedures or personnel. The goal of this process is to ensure Accusoft is able maximize performance of personnel and the company's services. INFORMATION AND COMMUNICATION SYSTEMS Information and communication is an integral component of Accusoft's internal control system. It is the process of identifying, capturing, and exchanging information in the form and time frame necessary to conduct, manage, and control the entity's operations. This process encompasses the primary classes of transactions of the organization, including the dependence on, and complexity of, information technology. At Accusoft, information is identified, captured, processed, and reported by various information systems, as well as through conversations with clients, vendors, regulators, and employees. 
Various meetings are held to discuss operational efficiencies within the applicable functional areas and to disseminate new policies, procedures, controls, and other strategic initiatives within the organization. Additionally, Chalk Talk meetings are held regularly to provide staff with updates on the company and key issues affecting the organization and its employees. Senior executives lead the Chalk Talk meetings with information gathered from formal automated information systems and informal databases, as well as conversations with various internal and external colleagues. General updates to entity-wide security policies and procedures are usually communicated to the appropriate Accusoft personnel via e-mail messages. COMPLEMENTARY USER ENTITY CONTROLS Accusoft's services are designed with the assumption that certain controls will be implemented by user entities. Such controls are called complementary user entity controls. It is not feasible for all of the Trust Services Principles related to Accusoft's services to be solely achieved by Accusoft control procedures. Accordingly, user entities, in conjunction with the services, should establish their own internal controls or procedures to complement those of Accusoft's. The following complementary user entity controls should be implemented by user entities to provide additional assurance that the Trust Services Principles described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user entities' locations, user entities' auditors should exercise judgment in selecting and reviewing these complementary user entity controls. Proprietary and Confidential 36 1. User entities are responsible for understanding and complying with their contractual obligations to Accusoft. 2. User entities are responsible for notifying Accusoft of changes made to technical or administrative contact information. 3. 
User entities are responsible for maintaining their own system(s) of record. 4. User entities are responsible for ensuring the supervision, management, and control of the use of Accusoft services by their personnel. 5. User entities are responsible for developing their own disaster recovery and business continuity plans that address the inability to access or utilize Accusoft services. 6. User entities are responsible for providing Accusoft with a list of approvers for security and system configuration changes for data transmission. 7. User entities are responsible for immediately notifying Accusoft of any actual or suspected information security breaches, including compromised user accounts, including those used for integrations and secure file transfers. Proprietary and Confidential 37 SECTION 4 INFORMATION PROVIDED BY THE SERVICE AUDITOR Proprietary and Confidential 38 GUIDANCE REGARDING INFORMATION PROVIDED BY THE SERVICE AUDITOR A-LIGN's examination of the controls of Accusoft was limited to the Trust Services Principles and related criteria and control activities specified by the management of Accusoft and did not encompass all aspects of Accusoft's operations or operations at user entities. Our examination was performed in accordance with American Institute of Certified Public Accountants (AICPA) AT-C 105 and AT-C 205. Our examination of the control activities were performed using the following testing methods: TEST DESCRIPTION Inquiry The service auditor made inquiries of service organization personnel. Inquiries were made to obtain information and representations from the client to determine that the client's knowledge of the control and corroborate policy or procedure information. Observation The service auditor observed application of the control activities by client personnel. 
Inspection The service auditor inspected among other items, source documents, reports, system configurations to determine performance of the specified control activity and in some instances the timeliness of the performance of control activities. Re-performance The service auditor independently executed procedures or controls that were originally performed by the service organization as part of the entity's internal control. In determining whether the report meets the user auditor's objectives, the user auditor should perform the following procedures: Understand the aspects of the service organization's controls that may affect the processing of the user entity's transactions; Understand the flow of significant transactions through the service organization; Determine whether the control objectives are relevant to the user entity's financial statement assertions; and Determine whether the service organization's controls are suitably designed to prevent or detect processing errors that could result in material misstatements in the user entity's financial statements and determine whether they have been implemented.