Information Security Program

Payactiv maintains and implements an Information Security Program (the “Program”), which establishes proper policies, procedures, and standards in accordance with PCI/SOC/ISO controls to help protect the confidentiality, integrity, and availability of all information and data, whether in electronic or tangible form. The Program helps protect against anticipated or actual threats or hazards, including security breaches, and contains administrative, physical, technical, and organizational safeguards in accordance with industry best practices. Payactiv implements and enforces disciplinary measures against employees and contractors for failure to abide by the Program. 

1. APPLICATION SECURITY 

1.1. Change Control. Payactiv maintains policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching and authentication changes, and for testing and approving changes before they are promoted to production. 

1.2. Key Management. Payactiv implements key management procedures that include the secure generation, distribution, activation, storage, recovery, and replacement/update of cryptographic keys. Keys are rotated on a regular basis and lost, corrupted, or expired keys are revoked or disabled immediately. 

1.3. Secure Communications. Payactiv employs industry-standard communication security measures to protect data from unauthorized access, including data encryption and server authentication. Payactiv protects its data processing environment using one or more firewalls that are updated according to industry standards. 

1.4. Logging and Monitoring. Payactiv generates administrator and event logs for systems and applications that store, allow access to, or process Customer Data. Logs also record key security events. Logs are archived for a minimum of 180 days. Logs for all applications, systems, or infrastructure that support, process, or store confidential data are archived for at least one year. Payactiv restricts access to modify system logs and reviews logs regularly to identify failures, faults, or potential security incidents affecting Customer Data. No sensitive information is kept in the logs. 

1.5. Anti-Virus/Anti-Malware. Payactiv implements anti-virus/anti-malware detection software across all information systems that process Customer Data and that are determined to be at risk and where an acceptable solution is available, in accordance with NIST 800-83r1. Payactiv keeps anti-virus/anti-malware software up-to-date with the most recent virus and malware signatures and definitions. 

1.6. Intrusion Detection. Payactiv implements and maintains an intrusion detection monitoring process at the network and/or host level to detect unwanted or hostile network traffic. Payactiv updates its intrusion detection software regularly and implements measures to trigger alerts when the system detects unusual or malicious activity. 

Classification: Proprietary 

1.7. Data Segmentation. To prevent unauthorized access to Customer Data, Payactiv implements technical controls to properly segment Customer Data originating from different customers. 

1.8. Secure Coding Practices. Payactiv uses, documents, and integrates secure software engineering and coding practices in an official Software Development Life Cycle (SDLC). Developers attend secure development training regularly. All new code is peer-reviewed and undergoes full quality assurance and regression testing prior to being introduced into production. Payactiv logically or physically separates environments for development, testing, and production. 

1.9. System Hardening. Payactiv maintains system hardening procedures and baseline configurations for systems that store or process Customer Data. Hardening procedures, at a minimum, remove all unnecessary services and applications and any default users and passwords. 

1.10. End User Passwords. Payactiv stores only salted password hashes, never plaintext passwords. Payactiv provides account administrators the ability to set password security requirements, which include password complexity requirements, the number of failed attempts before account lockout, lockout duration, password reset frequency, and password reuse. Passwords are never presented in clear text, and password reset emails do not send credentials. 
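As an added illustration of the controls in 1.10 (salted password hashing, failed-attempt lockout, and credential-free password resets), the following Python is example code written for this page; it is not Payactiv's implementation, and the policy values (5 attempts, 15-minute lockout, 30-minute reset token) and the in-memory account store are assumptions chosen for the demonstration. It uses scrypt from the standard library for the salted hash, a constant-time comparison for verification, and stores only a hash of the reset token so that neither the password nor a reusable secret ever appears in a reset email.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical policy values for the example; the text says these are
# configurable by account administrators, so a real deployment reads them
# from policy rather than hard-coding them.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
RESET_TOKEN_SECONDS = 30 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is given,
    so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    # scrypt with n=2**14, r=8, p=1 costs ~16 MiB per hash, slowing offline guessing.
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0
    reset_token_hash: Optional[bytes] = None   # only the hash of the token is stored
    reset_expires: float = 0.0


class AccountStore:
    """In-memory store (constructed for the example) holding only salted hashes."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._accounts[username] = Account(username, salt, digest)

    def authenticate(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied', or 'locked'; lock after MAX_FAILED_ATTEMPTS failures."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password)  # spend the same time so timing does not reveal valid usernames
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if verify_password(password, acct.salt, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"

    def issue_reset_token(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Create a one-time reset token. The caller emails the token itself; the
        store keeps only its SHA-256 so a database leak does not yield usable tokens."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        acct.reset_expires = now + RESET_TOKEN_SECONDS
        return token

    def reset_password(self, username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Consume a valid, unexpired token; on success re-salt and re-hash, clear lockout."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None or acct.reset_token_hash is None or now > acct.reset_expires:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        acct.salt, acct.digest = hash_password(new_password)
        acct.reset_token_hash = None      # single use
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        return True
```

The `now` parameter exists so the lockout and token-expiry paths can be exercised deterministically; production code would drop it and use the clock directly. Argon2id is the stronger choice where a dependency is acceptable; scrypt is used here only because it ships with the standard library.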

 

2. DATA SECURITY 

2.1. Encryption. Payactiv encrypts Customer Data while at rest and while in transit. Payactiv utilizes industry-standard platform and data-appropriate encryption in non-deprecated, open/validated formats, and standard algorithms. 

2.2. Vulnerability & Patch Management. Payactiv maintains a vulnerability management process to identify, report, and remediate vulnerabilities by performing vulnerability scans, implementing vendor patches or fixes, and developing a remediation plan for critical vulnerabilities. Payactiv regularly applies security patches to servers, firewalls, and systems used to access or process Customer Data. 

2.3. Data Segregation. Payactiv logically, and physically, if applicable, segregates Customer Data from all other Payactiv and third-party data. 

2.4. Data Transfers and Downloads. Payactiv has controls in place that block data downloads from its secured cloud infrastructure. Payactiv does not replicate Customer Data to non-production environments. 

2.5. Storage Media. Payactiv stores data on a secured cloud. Payactiv does not store data on removable media. All sensitive data is encrypted, including at rest. 

2.6. Data Management and Classification. All Customer Data is classified as “Confidential” and is handled according to Payactiv’s Data Classification and Access policies. 

2.7. Remote Access. The ability to access Payactiv’s internal networks is limited to individuals with authorization and a business need. Remote access is permitted only for employees working from non-public locations (for example, from home or while traveling) and only from source IP addresses on an allow list; connections from any other address are refused. 

2.8. Vendor Assessments. Prior to engaging new third-party service providers and vendors that may have access to Customer Data, Payactiv conducts a risk assessment of the data security practices of such third parties. Payactiv regularly reviews the third parties to verify their data security practices continue to meet necessary requirements to protect Customer Data. 

2.9. Secure Disposal. Payactiv securely disposes of Customer Data either at the Customer’s request or in accordance with applicable Policy, considering currently available technology, so that Customer Data cannot be reasonably read or reconstructed. 

3. PERSONNEL SECURITY 

3.1. Training. Payactiv provides annual security awareness and privacy and confidentiality training to all personnel. This training educates personnel about the importance of information security, laws, and contractual obligations that govern personal information and Customer Data and instructs them on how to safeguard such data against loss, misuse, or security breaches through physical, logical, and social engineering mechanisms. 

3.2. Access Management. Payactiv implements access control policies to support creation, amendment, and deletion of user accounts. Personnel receive only the account privileges necessary for their role, and no more. Personnel access to environments and Customer Data is restricted and segregated based on job responsibilities and is reviewed at least quarterly. Payactiv maintains separation of duties to prevent end-to-end control of a process by one individual. 

3.3. Passwords and Multi-Factor Authentication. Payactiv utilizes industry-standard password security for all accounts. Payactiv requires minimum length, complexity, restrictions on password reuse, number of password resets in a given timeframe, and frequency in which passwords must be changed. Payactiv requires multi-factor authentication for access to applications and systems containing Customer Data. 

3.4. Secure User Authentication. Payactiv requires user authentication for all employees and contractors with access to Customer Data, including by assigning each employee and contractor unique access credentials for access to any system on which Customer Data can be accessed and by prohibiting employees and contractors from sharing their access credentials. Payactiv does not permit unaffiliated third parties to have access to Customer Data. All persons having access to Payactiv’s systems and Customer Data have appropriately controlled and limited access. Payactiv removes such access when it is no longer required or appropriate, including when employees are terminated. 

3.5. Background Checks. Payactiv performs standard background checks, including criminal records checks, for all employees prior to their employment and access to Customer Data. When a background check is not permitted by law, Payactiv obtains alternate evidence to verify an employee’s history and good standing. 

3.6. Termination. Payactiv’s employee termination process specifies timeframes for the removal of electronic and physical access. 

4. PHYSICAL SECURITY 

4.1. Payactiv maintains physical security measures for the safety and protection of employees, company assets, and Customer Data at facilities it controls. Payactiv continually monitors changes to its physical infrastructure and known threats. 


5. TESTING AND AUDITS 

5.1. Penetration Tests. Payactiv undertakes an external application and network penetration test at least annually and an internal penetration test by an independent third-party at least twice a year. Payactiv remediates all critical and high vulnerabilities identified in the penetration test within 30 days of the date of identification. All other findings are remediated in a timeframe that is commensurate with the identified risks. 

5.2. Compliance and Certifications. Payactiv engages in security audits on an annual basis and Payactiv’s security practices align with the principles of SOC/ISO 27001/PCI. 

5.3. Vulnerability Scanning. Payactiv performs regular vulnerability scanning against services and key infrastructure utilizing industry-standard tools and/or well-known external suppliers. Internal scans are performed at least monthly. External scans are performed at least quarterly, utilizing a Payment Card Industry Security Standards Council Approved Scanning Vendor. 

6. DISASTER RECOVERY & BUSINESS CONTINUITY 

6.1. Risk Assessment. Payactiv maintains a risk assessment program to help identify foreseeable internal and external risks to Payactiv’s information resources and to determine if existing controls, policies, and procedures are adequate. 

6.2. Backups. Payactiv backs up its production databases according to a defined schedule and stores encrypted backups on a secure cloud. 

6.3. Incident Response Plan. Payactiv maintains an incident response plan to promptly review, address, and mitigate any security breaches. The incident response plan includes clearly defined roles and responsibilities and a reporting mechanism for suspected vulnerabilities and events affecting the security of Customer Data. Payactiv conducts regular testing of this plan. 

6.4. Business Continuity Plan. Payactiv maintains a business continuity plan to manage and minimize the effects of unplanned disruptive events (cyber, physical, or natural). This plan includes procedures to be followed in the event of an actual or potential business interruption and has a stated goal of resumption of routine services within 48 hours of such event.