1. Introduction
ImpactMapper, PBC ("ImpactMapper") is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic personal information (PI) it receives, maintains, processes and/or transmits on behalf of its Customers. ImpactMapper strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure that known breaches are completely and effectively communicated in a timely manner. The following documents address the core policies used by ImpactMapper to maintain compliance and assure the proper protection of the infrastructure used to store, process, and transmit data for ImpactMapper Customers. ImpactMapper provides secure and compliant cloud-based software. This software is referred to throughout these policies as the ImpactMapper System or simply the application.
1.2 Compliance Inheritance
ImpactMapper provides secure hosted software infrastructure for its Customers. ImpactMapper has been through internal audits to validate and map organizational policies and technical controls to GDPR rules. ImpactMapper's service offerings are hosted on AWS. ImpactMapper has signed the following agreements through AWS Artifact:
- Business Associate Addendum
- AWS Artifact Nondisclosure Agreement
- AWS Australian Notifiable Data Breach Addendum
Some of the AWS Compliance Programs are inheritable; please contact us to clarify any compliance questions.
1.3 ImpactMapper Organizational Concepts
The physical infrastructure environment is hosted at Amazon Web Services (AWS). The network components and supporting network infrastructure are contained within the AWS infrastructure and managed by AWS. ImpactMapper does not have physical access to the network components. The ImpactMapper environment consists of nginx web servers; Node and Ruby application servers; PostgreSQL database servers; Logstash logging servers; Linux Ubuntu monitoring servers; Docker containers; and developer tool servers running on Linux Ubuntu.
Within the ImpactMapper System on AWS, all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers - those hosting Docker containers, databases, APIs, log servers, etc. ImpactMapper assumes all data *may* contain PI, even though our assessment does not indicate this is the case, and provides appropriate protections based on that assumption.
The data and network segmentation mechanism differs depending on the primitives offered by the underlying cloud provider infrastructure.
AWS Security Groups are configured to restrict access to only justified ports and protocols. ImpactMapper has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers.
The environment is configured so that data is transmitted from the load balancers to the application servers over a TLS-encrypted session.
The nginx web servers and application servers are externally facing and accessible via the Internet. The database servers, where the PI resides, are located on the internal ImpactMapper network and can only be accessed through a bastion host. Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason. Internal servers are not remotely accessible except through the load balancers.
All systems and operating systems are tested end-to-end for usability, security, and impact prior to deployment to production.
2. Data Management Policy
ImpactMapper has procedures to create and maintain retrievable exact copies of electronic personal information (PI) stored in conjunction with ImpactMapper Customer Content. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all systems used by ImpactMapper.
Data backup is an important part of the day-to-day operations of ImpactMapper. To protect the confidentiality, integrity, and availability of PI, both for ImpactMapper and ImpactMapper Customers, complete backups are done daily to assure that data remains available when it is needed and in case of a disaster.
Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.
2.1 Backup Policy and Procedures
- Perform daily snapshot backups of all systems that process, store, or transmit PI and Customer Content for ImpactMapper Customers.
- The ImpactMapper Ops Team is designated to be in charge of backups.
- Dev Ops Team members are trained and assigned to complete backups and manage the backup media.
- Document backups: the name of the system, the date and time of the backup, and where the backup is stored (or to whom it was provided).
- Securely encrypt stored backups in a manner that protects them from loss or environmental damage.
- Test backups annually and document that files have been completely and accurately restored from the backup media.
3. System Access Policy
Access to ImpactMapper systems and applications is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum necessary basis. All users are responsible for reporting any incident of unauthorized use of or access to the organization's information systems. These safeguards have been established to address the GDPR Security regulations, including the following:
3.1 Access Authorization
- Role based access categories for each ImpactMapper system and application are pre-approved by the Security Officer, or an authorized delegate of the Security Officer.
- ImpactMapper utilizes hardware and software firewalls to segment data, prevent unauthorized access, and monitor traffic for denial of service attacks.
3.2 Person or Entity Authentication
- Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system.
- Each Customer and Partner has and uses a unique user ID and password that identifies him/her as the user of the information system.
- All Customer support desk interactions must be verified before ImpactMapper support personnel will satisfy any request having information security implications.
3.3 Unique User Identification
- Access to the ImpactMapper Platform systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
- Password requirements mandate strong password controls (see below).
- Passwords are not displayed at any time and are not transmitted or stored in plain text.
- Shared accounts are not allowed within ImpactMapper systems or networks.
- Automated log-on configurations that store user passwords or bypass password entry are not permitted for use with ImpactMapper workstations or production systems.
3.4 Automatic Logoff
- Users are required to make information systems inaccessible to any other individual when left unattended (e.g. by using a password-protected screen saver or logging off the system).
3.5 Password Management
- User IDs and passwords are used to control access to ImpactMapper systems and may not be disclosed to anyone for any reason.
- Users may not allow anyone, for any reason, to have access to any information system using another user's unique user ID and password.
- On all production systems and applications in the ImpactMapper environment, password configurations are set to require:
  * a minimum length of 8 characters;
  * a mix of upper case characters, lower case characters, and numbers or special characters.
- All system and application passwords must be stored and transmitted securely.
  * Where possible, passwords should be stored in a hashed format using a salted cryptographic hash function (SHA-256 or equivalent).
- Passwords are inactivated immediately upon an employee's termination.
- Upon initial login, users must change any passwords that were automatically generated for them.
- Password change methods must use a confirmation method to correct for user input errors.
- All passwords used in configuration scripts are secured and encrypted.
- If a user believes their user ID has been compromised, they are required to immediately report the incident to the Security Office.
- In cases where a user has forgotten their password, the password reset request is logged for auditing purposes.
- Two-factor authentication is supported and accomplished using a Counter-based One-Time Password (HOTP) as the second factor.
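As an added illustration (not ImpactMapper's own code), the following Python enforces the complexity rules listed in 3.5, stores a password with a salted SHA-256-based hash (PBKDF2-HMAC-SHA256; the iteration count and record format are assumptions), and generates and verifies an RFC 4226 HOTP second factor with a bounded look-ahead window.

```python
import hashlib
import hmac
import os
import struct

# Complexity rules from section 3.5: at least 8 characters, with upper case,
# lower case, and a digit or special character.
def meets_policy(password: str) -> bool:
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in password)
    return len(password) >= 8 and has_upper and has_lower and has_digit_or_special

# Salted SHA-256 based storage via PBKDF2-HMAC-SHA256. The iteration count and
# the "$"-separated record format are assumptions, not taken from the policy.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare

# HOTP second factor (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
# dynamic truncation to 31 bits, then the low `digits` decimal digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_hotp(secret: bytes, counter: int, code: str, look_ahead: int = 5):
    """Accept codes for counter..counter+look_ahead (the token may have been
    advanced ahead of the server). Returns the next server counter on success,
    so the accepted value cannot be replayed, or None on failure."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None

if __name__ == "__main__":
    # Constructed sample values; the HOTP secret is the RFC 4226 test key.
    record = hash_password("Tr0ub4dor&3")
    print(meets_policy("Tr0ub4dor&3"), verify_password("Tr0ub4dor&3", record))
    print(hotp(b"12345678901234567890", 0))  # RFC 4226 vector: 755224
```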