Third Party Risk Management:

Subcontractor Selection & Management

Parative has a documented third-party risk management program in place for the selection, oversight and risk assessment of Subcontractors (e.g. service providers, dependent service providers, sub-processors). The program also explicitly requires all business units to notify management of new or changed subcontractors.

Subcontractors' Third-Party Risk Management

Parative's third-party risk management program requires Confidentiality and/or Non-Disclosure Agreements from Subcontractors, and requires Subcontractors to notify Parative of any changes affecting the services rendered.

Service Provider Agreements

For all Parative subcontractors requiring assessment, there exists a fully executed contract. All Parative subcontractor contracts include:

Issue Management

Parative's third-party risk management program includes an assigned individual or group responsible for capturing, maintaining and tracking subcontractor information security and other issues. To support remediation reporting, Parative also has a process to identify and log subcontractor information security, privacy and/or data breach issues.

Information Security Policy Management:

Parative maintains a set of information security policies and standards that are approved by our Chief Technology Officer, Jason Zopf. We review these security policies and standards annually. These security policies are published on our website and are communicated to customers at the start of their subscription.

Security Oversight

Parative conducts a comprehensive information security assessment for all projects involving Scoped Systems and Data.

Asset Inventory

Parative's asset management program is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. We maintain an asset inventory and a configuration management database (CMDB). Details of this program are reviewed annually.

Acceptable Use

Parative's acceptable use policy is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. This policy is reviewed annually.

Asset Recovery

Upon termination of a Parative employee, Parative follows a documented process to verify the return of employee assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.). This process is overseen by our Chief Technology Officer, Jason Zopf, and Chief Financial Officer, Matt Finn.

Information Management

Information Classification

Parative classifies information according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification.

Information Ownership

Parative assigns a named owner to all Information Assets. Owners are responsible for periodically approving and reviewing access to these Information Assets.

Information Handling

Parative's information handling policy addresses the storing, processing, and communication of information consistent with its classification. This policy is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. The information handling policy covers the following areas:

Human Resource Policy

Background Information Policy

Parative's Human Resource policy requires background screening of all employees, including criminal screening as part of employee background checks.

Security Awareness Training

Parative conducts regular, mandatory Security Awareness Training for all employees. All new hires are required to complete Security Awareness Training. All employees are required to complete the program annually. Training includes an explanation of employees’ security roles and responsibilities.

Separation Procedures

Parative's Human Resource policy includes processes for termination and change of status. Electronic access to systems containing Scoped Data is removed within 24 hours for terminated employees.

Access Control

Policies & Procedures

Parative's access control program is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. Parative's customers can directly manage which third-party tools Parative integrates and communicates with, and can manage their own personal data (in the form of user and admin PII) in Parative.

Access Provisioning & Approval

Parative requires unique IDs for authentication to applications, operating systems, databases and network devices. We maintain a set of rules governing the way IDs are created and assigned.

Parative segregates duties for granting access and approving access to Scoped Systems and Data, as well as duties for approving and implementing access requests for Scoped Systems and Data.

Parative provisions access to applications, operating systems, databases, and network devices according to the principle of least privilege.

Parative follows a documented process to request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data.

Access Restrictions

Parative restricts access to systems that store or process Scoped Data.

Password Policy

Parative's password policy is approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. This policy covers systems that transmit, process or store Scoped Systems and Data and is enforced on all platforms and network devices. The password policy:

Access Reviews

Entitlement Reviews

Parative's Password Policy requires the following access reviews:

Parative configures web applications to follow best practices and security guidelines (e.g., OWASP). Parative validates data input to all applications.

Scoped Systems and Data are not used in Parative's test, development, or QA environments. We have multiple pre-production environments which are entirely separate for use in development, testing, and staging.

Cybersecurity Incident Management

Governance

Parative maintains governance policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements.

Parative maintains a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services.

Parative's network security requirements are approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. The policy includes an approval process prior to installing a network device.

Parative's policies address payments compliance in the delivery of the product or services where required by regulation. This is periodically reviewed by our Chief Financial Officer, Matt Finn.

Cybersecurity Incident Response Plan

Parative's incident management and response program is approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. The program includes:

In the event of an incident, Parative uses a specific methodology to review events on Scoped Systems or systems containing Scoped Data relevant to supporting incident investigation.

Business Ethics, Consumer Protection, & Corporate Compliance

Parative employees undergo annual training regarding company expectations related to non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities.

Parative maintains documented policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices.

Parative conducts training for employees who have direct customer contact regarding consumer protection compliance responsibilities.

Parative maintains a documented escalation and resolution process to address specific complaints to management and the customer.

Parative maintains documented policies and procedures to enforce applicable legal, regulatory or contractual cybersecurity obligations.

Personal Data Protection

Parative maintains documented policies and operating procedures regarding limiting the personal data collected and its use to the minimum necessary.

Parative informs individuals about their rights to access, review, update, and correct their personal information which is maintained by the organization.

Parative maintains a documented data protection program with administrative, technical, physical and environmental safeguards for the protection of customer Scoped Data.

Cybersecurity Information Management

Parative maintains documented server security configuration standards based on external industry and vendor guidance.

All Parative servers are configured according to security standards as part of the build process.

Parative uninstalls or disables all unnecessary/unused services on all servers.

Parative removes, changes or disables all vendor default passwords prior to placing any device or system into production.

Parative maintains sufficient detail in Operating System and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files).

Cloud Hosting

Parative subcontracts Cloud Hosting services to Google Cloud Platform and Amazon Web Services. These Cloud Hosting Providers provide independent audit reports (e.g., System and Organization Controls (SOC) reports) for their cloud hosting services, and are certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO)).