Parative has a documented third-party risk management program in place for the selection, oversight and risk assessment of Subcontractors (e.g. service providers, dependent service providers, sub-processors). This program also explicitly requires all business units to notify management if there are new or changed subcontractors.
Parative's third-party risk management program requires Confidentiality and/or Non-Disclosure Agreements from Subcontractors, in addition to requiring Subcontractors to notify Parative if there are changes affecting services rendered.
For all Parative subcontractors requiring assessment, there exists a fully executed contract. All Parative subcontractor contracts include:
Ownership of information, trade secrets and intellectual property
Indemnification/liability
Permitted use of confidential information
Non-Disclosure/Confidentiality Agreements
Breach of agreement terms
Data breach notification
Termination/exit clause
Parative's third-party risk management program includes an assigned individual or group responsible for capturing, maintaining and tracking subcontractor Information Security or other issues. To support remediation reporting, Parative also has a process to identify and log subcontractor information security, privacy and/or data breach issues.
Parative maintains a set of information security policies and standards that are approved by our Chief Technology Officer, Jason Zopf. We review these security policies and standards annually. These security policies are published on our website and are communicated to customers at the onset of their subscription.
Parative conducts a comprehensive information security assessment for all projects involving Scoped Systems and Data.
Parative's asset management program is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. We maintain an asset inventory and review details of this program annually.
Parative's acceptable use policy is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. This policy is reviewed annually.
Upon termination of a Parative employee, Parative follows a documented process to verify the return of employee assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.). This process is overseen by our Chief Technology Officer, Jason Zopf, and Chief of Staff, Paige Brewster.
Parative classifies information according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification.
Parative assigns a named owner to all Information Assets. Owners are responsible for periodically approving and reviewing access to these Information Assets.
Parative's information handling policy addresses the storing, processing, and communication of information consistent with its classification. This policy is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. The information handling policy covers the following areas:
Requirement for encryption of all sensitive information.
Data retention and destruction of information including live media, backup/archived media, and information managed by Subcontractors.
Electronic transmission security requirements including email, web, and file transfer services.
Storage requirements including authorized use of Public Cloud storage.
Parative's Human Resource policy requires background screening of all employees, including criminal screening as part of employee background checks.
Parative conducts regular, mandatory Security Awareness Training for all employees. All new hires are required to complete Security Awareness Training. All employees are required to complete the program annually. Training includes an explanation of employees’ security roles and responsibilities.
Parative's Human Resource policy includes processes for Termination and change of status. Electronic access to systems containing scoped data is removed within 24 hours for terminated employees.
Parative's access control program is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. Parative's customers can directly manage which third-party tools Parative integrates and communicates with, and can also manage their own personal data (in the form of user and admin PII) in Parative.
Parative requires Unique IDs for authentication to applications, operating systems, databases and network devices. We maintain a set of rules governing the way IDs are created and assigned.
Parative segregates duties for granting access and approving access to Scoped Systems and Data, as well as duties for approving and implementing access requests for Scoped Systems and Data.
Parative provisions access to applications, operating systems, databases, and network devices according to the principle of least privilege.
Parative follows a documented process to request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data.
Parative restricts access to systems that store or process scoped data.
Parative's password policy is approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. This policy covers systems that transmit, process or store Scoped Systems and Data and is enforced on all platforms and network devices. The password policy:
Applies to both employee and customer passwords
Requires a minimum password length of six (6) characters
Defines specific length and complexity requirements
Defines requirements for provisioning and resetting passwords
Requires passwords to be encrypted in transit
Prohibits keeping an unencrypted record of passwords (paper, software file or handheld device)
Requires changing passwords when there is an indication of possible system or password compromise
Requires multi-factor authentication for all passwords
Parative's Password Policy requires the following access reviews:
Periodic reviews of all user access rights
Periodic review of privileged user access rights
Review of access rights when an employee changes roles, including upon hiring and termination, or upon transition to a separate department.
Parative configures web applications to follow best practices or security guidelines. Parative validates data input into all applications.
Scoped Systems and Data are not used in Parative's test, development, or QA environments. We have multiple pre-production environments which are entirely separate for use in development, testing, and staging.
Parative maintains governance policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements.
Parative maintains a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services.
Parative's network security requirements are approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. The policy includes an approval process prior to installing a network device.
Parative's incident management and response program is approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. The program includes:
Guidance for escalation procedure. The line of escalation is: Incident Manager > CTO > CEO.
Documented actions to be taken in the event of an information security event
In the event of an incident, Parative uses a specific methodology to review events on Scoped Systems or systems containing Scoped Data relevant to supporting incident investigation.
Parative employees undergo annual training regarding company expectations related to non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities.
Parative maintains documented policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices.
Parative conducts training for employees who have direct customer contact regarding consumer protection compliance responsibilities.
Parative maintains a documented escalation and resolution process to address specific complaints to management and the customer.
Parative maintains documented policies and procedures to enforce applicable legal, regulatory or contractual cybersecurity obligations.
Parative maintains documented policies and operating procedures regarding limiting the personal data collected and its use to the minimum necessary.
Parative informs individuals about their rights to access, review, update, and correct their personal information which is maintained by the organization.
Parative maintains a documented data protection program with administrative, technical, and physical and environmental safeguards for the protection of customer-scoped Data.
Parative maintains documented server security configuration standards based on external industry and vendor guidance.
All Parative servers are configured according to security standards as part of the build process.
Parative uninstalls or disables all unnecessary/unused services on all servers.
Parative removes, changes or disables all vendor default passwords prior to placing any device or system into production.
Parative maintains sufficient detail in Operating System and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files).
Parative subcontracts cloud hosting services through Amazon Web Services (AWS). AWS provides an independent audit report (e.g., Service Operational Control - SOC) for their cloud hosting services. The Cloud Service Provider is certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology - NIST, the International Organization for Standardization - ISO).