In accordance with the Data Processing Agreement located at: https://www.sturdy.ai/legal/sturdy-dpa (“DPA”), Sturdy maintains commercially reasonable and risk-based administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of Customer Data (“TOMs”). The following provides a high-level summary of those safeguards. This is not intended to be an exhaustive list, as Sturdy continually improves its security position in response to changes in business and emerging threats. Capitalized Terms not defined herein shall have the same meaning set forth in the DPA.
- Change Management: Sturdy maintains logs that document all changes to the information technology operating environment, such as the addition of a server, the modification of code/configurations, or any and all changes affecting production equipment.
- Encryption: Sturdy encrypts all Customer Data, both at rest and in transit. All Sturdy backups utilize full Advanced Encryption Standard (“AES”) encryption.
- Information Security Program: Sturdy maintains a comprehensive written information security program including administrative, technical, and physical safeguards to protect Customer Data.
- Multi-Factor Authentication: Sturdy enforces multi-factor authentication for all users with administrative privileges or elevated accounts.
- Password Management: All Sturdy users are required to use strong passwords with multi-factor authentication in place. In addition, all passwords for administrative accounts are maintained in a key vault with multi-factor authentication in place.
- Patch Management: Sturdy maintains and pushes critical security updates for all equipment immediately upon vendor release.
- Physical Safeguards: All Sturdy locations and data centers employ a full-time security guard and maintain an access control system with clearance badges. In addition, Sturdy has established security areas with restricted access paths.
- Risk Assessment & Penetration Testing: Sturdy performs annual information security risk assessments with penetration testing, as well as annual phishing awareness training.
- Scanning: Sturdy performs vulnerability scans of all devices connected to its network by executing real-time anti-virus scans and malware scans, as well as full-time use of intrusion detection and prevention systems. Sturdy also scans all emails for potentially malicious content and provides Sturdy users the ability to report and quarantine messages as desired.
- Training & Awareness: Sturdy mandates that its employees complete annual security and incident response training and maintains an ongoing awareness program to keep employees apprised of new requirements and threats.
- Sturdy Policies: Sturdy will act in accordance with its existing policies and procedures governing the handling of Personal Data, including, but not limited to, Sturdy’s Privacy Policy (as amended from time to time), which shall be incorporated into these TOMs by reference.