
Data Security Standards

Data Security Standards. The Provider shall implement and maintain administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, disclosure, alteration, or destruction, in accordance with industry best practices and applicable law. Security measures shall include, at a minimum: (a) encryption of Customer Data in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent; (b) multi-factor authentication (MFA) for all administrative access to systems processing Customer Data; (c) role-based access controls (RBAC) implementing the principle of least privilege; (d) continuous monitoring and logging of all access to systems containing Customer Data, with logs retained for a minimum of twelve (12) months; (e) regular vulnerability assessments and annual penetration testing conducted by a qualified independent third party, with remediation of critical and high-severity findings within thirty (30) days; (f) an incident response plan that includes procedures for detection, containment, investigation, remediation, and notification; (g) employee security awareness training at least annually; and (h) maintenance of SOC 2 Type II certification (or equivalent) covering the Security, Availability, and Confidentiality trust service criteria. Upon Customer's written request, the Provider shall provide copies of its most recent SOC 2 report and penetration test executive summary.