Security Measures

Last updated: January 18, 2025

This document describes the technical and organizational measures adopted by Branduo to ensure that the data we process is safe in our care.  

Subprocessing

1)  Branduo uses third-party subprocessors and service providers to help us perform our work for our customers.  We will make every effort to ensure that each of our subprocessors and service providers complies with all data protection laws.  This is done differently for different subprocessors and service providers:

a. Large-scale subprocessors and service providers such as cloud providers (AWS, Google Cloud or Azure) have their own data processing agreements (each, a “DPA”) under which they agree to comply with applicable laws and standards.  We will confirm that those DPAs are in place.

b. Smaller or newer subprocessors and service providers that do not necessarily have their own DPAs will be required to sign our DPA. Our DPA will be continually updated and posted on our website at branduo.io/dpa.

c. We will list our subprocessors on our website at branduo.io/dpa and will keep that list updated continually.  We will post a notice of any changes on our website at least ten days prior to any subprocessor coming into contact with any customer personal data. We only process Payment Data to facilitate payment, and we only communicate it to those parties who are strictly necessary for that purpose.

2)  In each case, and via the DPAs, Branduo will restrict the subprocessors’ access to customer personal data only to what is necessary to assist Branduo in providing or maintaining the services and will prohibit the subprocessor from accessing customer personal data for any other purpose.

3)  As part of our due diligence when we add new subprocessors or service providers, we will ask any new subprocessor or service provider to provide us with their DPA, and we will require the following assurances before entering into an agreement with them.

a. They must enter into a DPA with us that contains provisions similar to our DPA.

b. They must tell us in writing where their processing occurs.

c. They must disclose any threatened or active legal actions against them regarding data or privacy issues or breaches.

d. They must agree in writing that they will not use any of the customer personal data for any purposes other than to provide us the services we require, that they will not sell, rent, or make available to any third party any of the customer personal data, and that they will cooperate with us with regard to any customer request for information.  All these provisions can be included in the DPA, but we will independently confirm their existence.  

Security Measures

Branduo has implemented and will maintain appropriate technical and organizational security measures to protect customer personal data from security incidents and to preserve the security and confidentiality of the customer personal data (“Security Measures”). The Security Measures applicable to the Services are as follows:

1)  Network and Web Application Penetration Tests: Branduo shall continue to engage an independent third party annually to conduct network and web application penetration testing. We will address all high, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe and resolve them within 90 days of the findings. Medium and low vulnerabilities are triaged based on their risk level and remediation effort, then prioritized and assigned a completion date in the product backlog.

2)  Security Awareness Training: Branduo provides, at minimum, annual security training to all personnel. Security training addresses security topics to educate users about the importance of information security and about safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials will address industry standard topics which include, but are not limited to:

•  The importance of information security and proper handling of PII 

•  Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction. 

•  Logical controls related to strong password selection/best practices. 

•  How to recognize social engineering attacks such as phishing. 

3)  Vulnerability Scans: Branduo shall ensure that vulnerability scans are performed on servers continuously and network security scans are completed at a minimum quarterly, in each case using an industry standard vulnerability scanning tool.   

4)  Employee-Related Policies: 

a. Unauthorized persons will be prevented from gaining physical access to our premises and the rooms where data processing systems are located.

b. Employees will only be allowed access to tasks assigned to them.

c. We will ensure that all computers processing personal data (including computers with remote access) are password protected, both after booting up and when left, even for a short period.

d. We will assign individual user passwords for authentication.

e. We will only grant system access to our authorized personnel and strictly limit their access to applications required for those personnel to fulfill their specific responsibilities.

f. We will implement a password policy that prohibits the sharing of passwords, outlines procedures to follow after disclosure of a password, and requires that passwords be changed regularly.

g. We will ensure that passwords are always stored in encrypted form.

h. We will maintain procedures to deactivate user accounts when an employee, agent, or administrator leaves our employ or moves to another responsibility within the company.

i. We will be able to retrospectively examine and establish whether and by whom your customer personal data has been entered into data processing systems, modified or removed.

j. We will log administrator and user activities.

k. We will process the customer personal data received from different clients so that in each step of the processing the controller can be identified and so that data is always physically or logically separated.

l. Backend systems require employees to use multi-factor authentication, including for access to tools that serve customer data, communication, code repositories, software deployment, servers and cloud infrastructure.

5)  Process-Level Requirements: We will implement the following processes to ensure security and privacy: 

a. Branduo implements user termination controls that include access removal / disablement promptly upon termination of staff. 

b. Branduo executes regular access control audits to revoke user access that is no longer needed or no longer used. These audits are performed at least annually and are typically completed on a quarterly basis.

c. Branduo has and maintains a patch management process to implement patches in a reasonable, risk-based timeframe.  Required patches are identified by engineering tools and by our security partners, whose automated scans at the infrastructure/hosting and application levels identify outdated packages and libraries; the resulting vulnerabilities are resolved at least quarterly. In addition, Branduo software engineers audit and upgrade third-party libraries and APIs quarterly.

d. Branduo deploys endpoint protection and regular device scanning on all employee computers and devices to identify viruses and other security threats, as well as outdated packages and software, so that security vulnerabilities are promptly mitigated on a quarterly basis.

e. Branduo uses firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Customer Personal Data. 

f. Branduo tracks admin audit logs and application event audit logs to monitor access and data flows within backend systems, including databases, cloud resources, and application usage. Branduo utilizes Azure Defender for Cloud to continuously monitor logs and send out alerts of any suspicious activity. In the event of a security alert, the system will assign a severity level and an engineer will investigate it within 7 days (or within 24 hours for critical severity alerts) and notify Branduo leadership immediately in the event unauthorized access has been gained. Affected customers, data partners, and other third parties will be notified within seventy-two (72) hours after learning of the incident (see the “Security Incident Response” section below for more details).

g. Where Branduo handles customer personal data, servers are protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Azure, and Google. All cloud-hosted systems are scanned, where applicable and where approved by the cloud service provider.

h. Branduo virtually segregates all Customer Personal Data in accordance with its established procedures. The Customer instance of Services may be on servers used by other non-Customer instances.  

6)  Application-Level Requirements 

a. Branduo maintains documentation on overall application architecture, process flows, and security features for applications handling customer personal data. 

b. Branduo employs industry standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities.  We will address all high, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe and resolve them within 90 days of the findings.

c. Branduo ensures that all access tokens and secrets used to gain system access or third-party system access are stored encrypted and are accessible only to authorized system administrators for application request processing. Branduo also ensures that all third-party system access tokens and secrets are never exposed within client applications or logged, and remain accessible and decryptable only by server-side application systems.

d. All databases have continuous backups of both data and transaction logs, enabling point-in-time recovery to any second within the retention period. Backups are encrypted in transit and at rest, stored securely in geographically separate locations.

e. Production systems and applications shall be monitored continuously for resource utilization, including CPU, memory, storage, and network bandwidth. Thresholds and alerts must be defined to detect and prevent performance degradation or outages. Capacity plans shall be maintained and reviewed regularly to ensure that infrastructure can scale to meet anticipated demand, accommodate growth, and support business continuity. Resource adjustments, including scaling up or down, must be documented and validated to avoid disruption to services.

7)  Data-Level Requirements 

a. Encryption and hashing protocols used for data in transit and at rest support NIST-approved encryption standards (e.g. SSH, TLS). TLS 1.2 or greater is always used, and SSL version 2 and SSL version 3 are never used.

b. Branduo ensures that access to information and application system functions is restricted to authorized personnel only. 

c. Customer personal data stored on archive or backup systems is stored at the same level of security as, or better than, the data stored on operating systems.

d. Employees will not store data from third-party systems and integrated social media platforms on personal or organizational devices.

8)  End User Computing Level Requirements 

a. Branduo will require anti-virus scans with frequent signature updates for end-user computing devices to run at least weekly. 

b. Branduo will prohibit the use of removable media for storing or carrying customer personal data. Removable media include flash drives, CDs, and DVDs. 

9)  Compliance Requirements 

a. Branduo will implement building access control to control and track access to its networks and other equipment.

b. Branduo will determine each year which officers and employees within the company will have access to which categories of data and shall review this list annually at the executive level. 

10) Personnel. Branduo restricts its personnel from downloading and/or processing Customer Personal Data without authorization by Branduo as set forth in the Security Measures and shall ensure that any person who is authorized by Branduo to process Customer Personal Data is under an appropriate obligation of confidentiality. 

11) Security Incident Response. Upon becoming aware of a Security Incident, Branduo will notify Customer without undue delay and, in any case, where feasible, within seventy-two (72) hours after becoming aware. Branduo will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to fulfill its obligations as controller and will also take reasonable steps to contain, investigate, and mitigate any Security Incident.

Security Incident Response

Upon becoming aware of any incident in which it suspects that unauthorized access has been gained to Branduo’s systems, the executives of the company at the highest levels will be immediately notified.

1) Executives will immediately confer with each other and with legal counsel regarding any security incident to ensure compliance with legal and contractual obligations.

2) We will notify the impacted customers, data partners, and other third parties within seventy-two (72) hours after learning of the incident, along with the classification of the incident.

3) We will immediately investigate and mitigate any security incident.

4) Branduo will obtain and maintain reasonable insurance to cover itself for cyber liability.

© BRANDUO 2026. ALL RIGHTS RESERVED.