Purpose
This Information Security Policy (this “Policy”) describes the information security practices that ELUCIDIA GROUP INC. (doing business as Mondata) (“Mondata”, “we”, “us”, or “our”) maintains to protect data that is transmitted by customers to our systems (“Customer Data”) when using the “MD.ECO” software-as-a-service platform and related information technology management and security solutions and our other products or services (“Services”).
This Policy does not apply to any third-party services which you may use in connection with our Services. Third-party services are provided by third-party service provider and we have no control over the security practices that may be in place with respect to them.
We may amend this Policy in the future. We will give notice of any amendment by posting a notice of the amendments on our website or within any application or administrative controls used to access our services. If you continue to use our services after any amendment, it will mean that you accept that amendment. If you do not agree, then you may terminate your use of our services following existing termination process. Please refer to your MASTER SERVICE AGREEMENT with us for further details.
If you have any questions regarding this Policy, please contact us at administration@mondata.ai.
Incident Response
Mondata has an incident response plan and team to assess, escalate, and respond to identified physical and cyber security incidents that may compromise the integrity, confidentiality or availability of Customer Data (an “Incident”). Mondata reviews and updates this plan frequently throughout the year. The incident response team resolves intrusions and vulnerabilities upon discovery and in accordance with the established procedures.
If Mondata determines that an Incident has led to an actual and confirmed disclosure of Customer Data to an unauthorized third party (a “Breach”) (and not merely a potential exposure to a Breach), Mondata will follow its breach notification process and comply with all applicable laws. The first step of this process is to inform the point of contact (“POC”) for the organization affected. Incident management and escalation procedures exist to ensure that Mondata addresses system issues, problems and security-related events, in a timely manner, and that all Incidents are logged, prioritized, and resolved based on established criteria and severity levels.
Risk Management
Mondata has a security risk assessment and management process to identify potential threats to the organization. Mondata management rates and reviews all identified risks.
Access Control Program
Mondata manages access to internal and external applications via user security groups. Mondata allocates system privileges and permissions to users or groups on a least privilege principle. Mondata assigns application and data rights based on user groups and roles, and grants access to information based on job function.
User Access Management
Mondata requires approved access requests prior to granting new user access and changing existing user access to the corporate and cloud networks and systems. Mondata promptly disables application, platform and network access for terminated users upon notification of termination.
Password Management and Authentication Controls
Authorized users must identify and authenticate to the network, applications, and platforms using multifactor authentication where available or their unique user ID and password. The user management system requires minimum password parameters for access to the corporate network.
Asset Configuration and Security
All Mondata workstations have active anti-virus (AV) software installed to monitor for virus and malware infections. Endpoint devices are scanned in real-time and a full system scan is performed periodically. Monitoring is in place to indicate when an anti-virus agent does not check in for prolonged periods of time. The Security Operations Team investigates and takes action to resolve issues as appropriate. Virus definition updates to endpoint devices are automatically downloaded as they become available.
Ownership
All devices and software used by our employees to execute work are owned by Mondata and remain property of Mondata at all time. No use of personal devices or software is permitted.
Endpoints
All employees’ laptops are provided by Mondata are installed with an Antivirus software. All laptops are the property of Mondata and remain property of Mondata after employment termination.
Logging and Monitoring
Mondata monitors application, infrastructure, network, data storage space and system performance. Logs containing the details on the date, time, source, and type of events are also collected. The Security Operations Team reviews reports and follows up on events, as necessary. System logging is enabled for end user and administrator activity and is reviewed as necessary, including failed and successful login attempts.
Secure Development
Mondata’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, implementation, configuration, maintenance, modification, and management of infrastructure and software components. The SDLC methodology is consistent with the defined Mondata security, availability, and confidentiality requirements.
Network Security
Network perimeter defense solutions, including an Intrusion Detection System (IDS) and firewalls, are in place to monitor, detect, and prevent malicious network activity. Security operations personnel monitor items detected and take appropriate action. Firewall configurations and rules are reviewed. Mondata’s corporate and cloud networks are logically segmented by Virtual Local Area Networks (VLANs) and firewalls monitor traffic to restrict access to authorized users, systems, and services.
Physical security
Access to offices
Access to Mondata office space is controlled by electronic card and logged. All visitors are required to be accompanied by an employee at all time or will be provided a temporary access card based on their requirements.
Human Resources Security
Security policy
Mondata understands that it is acting as a custodian for sensitive information and thus aim to comply with best security practices. All Mondata employees have to read and sign our internal security policy, which are being kept by the HR department. This security policy covers the different mechanisms in place to ensure we can provide a secure environment to both our employees as well as our customers.
Confidentiality agreement
In addition to signing Mondata security policy on a yearly basis, all Mondata employees also have to sign our confidentiality agreement.
Background check
As part as our hiring process, all Mondata candidate have to go through a background check.
Disaster Recovery and Business Continuity
Mondata maintains a disaster recovery and business continuity plan to ensure of operations in the event of problems that could disrupt the available of the Services, such as failure of computer systems, telecommunications failures, power failures or disasters. Mondata tests this plan least least once per year to ensure that it is effective. As part of the plan, Mondata maintains a disaster recovery facility that is physically separate from the primary hosting for the Services. All systems on the primary hosting site are backed up on a daily basis with incremental activity logs saved at the disaster recovery facility on a periodic basis throughout the day. Mondata also maintains redundant connections via the Internet to allow access to its Services. Mondata’s hosting facilities have extensive uninterrupted power supplies in case of power outages.