Quadient Digital Trust Center

Assets in Quadient are subject to multiple industry practice hardening measures, including but not limited to:

• Antimalware tool with auto updated antimalware definitions
• Patched operation system
• Mobile Device Management (MDM)
• Storage encryption
• Auto-locking screens

All Quadient employees and contractors have a contract in place where security responsibilities are clearly specified. Non-disclosure agreement  is signed and is valid even after the termination of employment or contract.

Background checks are performed in line with local legislation and can be agreed with customers for specific regulated projects in the required form, like criminal record checks, credit checks etc.

Employees and contractors sign an agreement to follow all Quadient Security and Privacy Policies and Code of Ethics.

Disciplinary Actions Policy is in place and can be used when noncompliance with Quadient policies is detected.

A dedicated Security Incident Response Team (SIRT) is responsible within Quadient to provided effective solving of any Security or Privacy related topics. Incident reporting channels are identified, together with clear escalation paths. Root causes are identified for any incident, together with its impact and lessons learned.

Action items from incident investigations are tracked, have clearly assigned owners, an action plan and due date.

Customers are informed about any incidents directly affecting them or the  information or material, including personal data and customer content, that the customer or the customer’s end users may disclose or submit to Quadient or upload to the ICA service in the course of using the Service (“Customer Data”).

Throughout the year, multiple audits take place in Quadient, focused on different scopes, standards, frameworks and legal requirements. Such audits are performed by internal teams of skilled professionals, and at least annually confirmed by independent external auditors.

Findings from audits are tracked, have clearly assigned owners, an action plan and due date.

Quadient stores security and audit logs to ensure auditable traceability of important actions, in line with industry standards. Such logs include user id, type of action, time stamp.

Logs are kept for at least one year and will be generally deleted within twelve months, unless specific reasons require differently. The logs are monitored by internal, and sometimes also dedicated external teams. Any suspicious events are investigated.

All production systems and network devices are constantly monitored on an application level. Application-is-running monitoring measured in 5-minute intervals to provide maximum availability. For Infrastructure Monitoring, various performance indicators are monitored on used Virtual Machines, databases, and storage to provide an overview of the health status as well as utilization (capacity planning).

Status pages for customers are made available to inform about any planned or unplanned downtime at the following links.

• AP – https://quadientap.statuspage.io
• IDA – https ://university.quadient.com/group/site/quadient-cloud-status
• CXM – https://university.quadient.com/group/site/quadient-cloud-status
• AR - http://yp-status-page.s3-website-us-east-1.amazonaws.com

Quadient utilizes multiple technical tools within its network. This includes (not full list):

• Web filtering
• Firewall rules management
• Auto-terminated sessions
• Network zoning concept
• Virtual Private Networks (VPN)
• Intrusion Detection System (IDS)
• Intelligent Threat Detection
• Distributed antivirus software with centralized management
• Automated policy management and violation detection
• Zero Trust Architecture (ZTA)

Networking cables within offices are protected from interception, interference or damage. Wireless networks are protected by username/password (WPA2).

Network events are monitored by internal and external Secure Operations Center (SOC) teams and incidents are escalated and investigated according to internal procedures.

Data Loss Prevention tool (DLP) is not yet implemented within Quadient fully, but future implementation is regularly reviewed. Currently it is substituted by other technical and administrative controls in place.

Security Information and Event Management (SIEM) is in place in AR. Rest of Quadient is reviewing possible implementation. Currently it is substituted by other technical and administrative controls in place.

Unique passwords are assigned to internal users and are forbidden to be shared. The password construction guidelines follow latest industry practices, to provide appropriate security. Passwords use salt and are encrypted. Usage of password management tools is recommended internally.

For customers, password management within Quadient solutions is configurable as needed. It is up to the customer’s admin to set it up according to their standards.

Quadient R&D offices are protected by Close Circuit Television (CCTV) systems, physical keys, ID cards and other controls. Zoning concepts are implemented to highlight more critical areas (e.g., server room, HR office). Only restricted number of users have access to such areas. Clean Desk Policy is implemented, and offices are locked, and security is monitored by alarm system after business hours.

Physical and environmental security of the datacenters remains the responsibility of the hosting providers, Azure and AWS.

Quadient’s Cloud platform takes advantage of Azure cloud service infrastructure which provides the physical and environment security. Azure’s high-standard certifications and its top class security mechanisms and measures ensure maximum safety of Customer Data (see Azure Trust Center at https://www.microsoft.com/en-us/trust-center/product-overview for more details).

Further information about the physical security provided by AWS is available from the AWS website at: https://aws.amazon.com/compliance/data-center/controls/

Quadient has implemented a sophisticated quality assurance (QA) system. Each new release of all Quadient applications is thoroughly tested using a high multitude of scenarios. Different types of tests are used, such as automated/manual regression tests, security tests, functional tests and high availability tests.

Risk Management within Quadient is based on ISO 27005 and uses an asset-based risk approach. Asset Owners are responsible that risks affecting assets in their responsibility are within Quadient defined acceptable levels, or to put in place risk treatment plans to mitigate such risks.

Risk assessment is performed at least annually and its results, together with proposed risk treatment plans, are approved by executive management.

Quadient incorporates security into its software development life-cycle using the OWASP SAMM framework, for more information on the SAMM project see https://owasp.org/www-project-samm/. Security by Design, Security by Default, Privacy by Design and Privacy by Default principles are followed. Compliance is regularly checked by internal QA/QE teams and confirmed by external independent parties. All code is tracked, version controlled, and peer reviews are performed prior to deployment. Quadient uses separate development, test and live environments. Production Customer Data is never used in development or test environments.

We publish the Security Bulletins and/or Status Reports for Quadient solutions on a monthly basis, which list the Security Fixes for Open Source Libraries that we have made to protect Quadient software from newly recognized vulnerabilities. We also publish the results of the Security Scans on Quadient Cloud that we have performed to prevent penetration of our online services.

The Security Bulletin is published in password-protected web locations made available to customers for each ICA Service as applicable (e.g. Quadient Academy for IDA, Quadient University for CXM or YayPay HelpJuice for AR), where customers can view and download it. Customers are not proactively informed about the release of new Security Bulletins.

As Quadient ICA solutions operate in cloud as SaaS model, there is a concept of shared responsibility with the Customer administrators. For some security aspects Quadient is solely responsible, for others customer is solely responsible and for the rest, the responsibility is shared.

Q = Quadient

C = Customer

Quadient ICA solutions are development environments in which our customer can create their own business workflows. Such systems can enable our customer to import, store, process and distribute information. Often this information is personal data which can be considered sensitive or is protected by law. Our Quadient components provide an extensive set of security-related features and multiple levels of data protection, as described in this document.

However, when developing the customer’s own logic within the customer’s licensed area of Quadient ICA environment, the customer shares the responsibility for the security of the solution. We strongly recommend that the customer designs the licensed solutions along the highest security standards available in our components. The customer may contact our support for more information on how to achieve maximum security in the customer’s solution.

Quadient is not liable for any damage or loss caused by insecure practices or development on our customer’s side.

To keep the confidentiality of the communications sent to customers’ clients and to prevent disclosure of personally identifiable information (PII) or protected health information (PHI), this PII or PHI information shall be included only with extended security as set forth in the data processing addendum where applicable according to the contractual agreement between Quadient and the customer for the relevant ICA Service. Quadient strongly recommends the customer to follow best industry practice to either inform their client of the ICA Service output within their account or to send a URL link to a secure web portal managed by the customer, where their client’s user must log into.

The customer may reach out to our relevant Account Manager if the customer needs to clarify any specific questions on its responsibilities, so the customer may be directed to the respective Quadient ICA support expert.

Quadient understand risks relevant to supply chain management and, as a result, regularly reviews its suppliers. New suppliers need to go through due diligence process, which is evaluated by multiple Quadient internal departments. Current suppliers are evaluated on periodic basis, at least annually. This review can go from self-assessment to full audit performed by independent third party, depending on the criticality of the supplier.

Quadient uses wide range of Vulnerability Assessments and Penetration Tests, which are performed based on approved timeline depending on the assets, which may be weekly for specific assets.

They are performed by dedicated internal and external teams, using industry leading tools (e.g., Qualys, Goose), utilizing both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

Identified vulnerabilities are fixed according to internal process, prioritizing more critical vulnerabilities.