All our online activity is hosted by site minder.

SiteMinder IT Security Policy

1. POLICY Siteminder has always been committed to ensuring the safety and security of the data of its stakeholders, including its customers, partners and employees. This Security Policy outlines the measures implemented to ensure we adhere to best practice, and comply with our regulatory obligations, including under the EU General Data Protection Regulation (GDPR).

2. COMPLIANCE SiteMinder has implemented robust security measures and controls based on internationally recognised industry standards such as PCI DSS. Vulnerability and penetration testing is performed annually as a requirement by the relevant standards, as well as prior to any major release in SiteMinder’s products and services (Products). SiteMinder engages respected external security firms to perform regular audits of the Products to verify that our security practices are sound and to monitor for new vulnerabilities. Annual audits are performed in accordance with the requirements set out in the PCI DSS Level 1 Service Provider standard by an independent external auditor covering all relevant systems and processes that store and process card data. PCI DSS certification and our Attestation of Compliance can be shared subject to appropriate confidentiality obligations being agreed to.

3. STAFF PRACTICES All staff undertake security and data privacy training. This training is focused on how to handle sensitive information, social engineering, phishing and physical security. The operation of Products requires that some employees have access to systems which store and process customer data. SiteMinder performs Police background checks on staff that handle highly sensitive information. Staff are also committed to ensuring that customer data is not seen by anyone that should not have access to it. SiteMinder uses logical restrictions on the application layer to ensure that staff only have access to the customer data required for performing their job. Access is managed through both single sign-on and account provisioning from a source of truth to allow us to provision, deprovision, update and audit access efficiently. Access is reviewed regularly and upon request. Strong authentication is enforced through password policies and through the implementation of multi-factor authentication implemented on both internal systems and Products.

4. INFRASTRUCTURE A. Product Hosting and Implementation The Products are hosted on Amazon Web Services (AWS) infrastructure in the US Oregon region. The AWS environment that hosts the Products maintains multiple security certifications, including ISO 27001, PCI DSS and SOC. For more information about their certification and compliance, please visit the AWS security website and the AWS compliance website The Products are implemented across multiple tiers, each tier only implements the functions necessary within that tier. Our infrastructure is accessible only by operational teams with multi-factor authentication implemented. All activity is logged and audited. B. Data Encryption The Products support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit and in storage. Sensitive card data is also encrypted at rest within the database. The cryptographic landscape is monitored for changes and we will work promptly to upgrade the Products to respond to cryptographic weaknesses. For encryption in transit, we will balance the need for compatibility for older versions of commonly used browsers. In situations where SiteMinder has to support older cryptographic protocols, these channels will not be used for the transit of sensitive data. C. Availability and Disaster Recovery The Products run on systems that are fault tolerant of failures of individual services. Customer data is stored redundantly in our hosting provider’s data centres to ensure availability. Backup and restoration procedures are tested regularly. D. Monitoring and Logging SiteMinder uses infrastructure and application level monitoring tools. In combination with analysis and data visualisation, we receive strong insights about the condition of the Products. SiteMinder maintains an extensive logging environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Products.

5. SOFTWARE DEVELOPMENT LIFECYCLE SiteMinder’s development process is our own implementation of all values and principles found in agile methodologies. SiteMinder does frequent releases and continuously evaluates and optimizes our workflow according to customer needs and lessons learnt. During the development of new features, new code is reviewed by senior members of the engineering team and approved only if it meets a set of pre-defined requirements. Approval and release management is performed only by SiteMinder staff. Features that may impact sensitive data are reviews and approved by the security team prior to deployment. Prior to release, new code is deployed into a non-production environment where testing is performed. Once everything is running as expected and approved, the new feature is deployed into the production environment. New major features will undergo penetration testing to discover any vulnerabilities prior to the production deployment.

6. SECURITY INCIDENT MANAGEMENT AND RESPONSE 2 The SiteMinder security team is responsible for incident management and response. The security team proactively reviews security related logs, search for any sign of a security incident, react to security incidents and engage with the relevant stakeholders to resolve any threats and mitigate risks to any SiteMinder environment. SiteMinder security incident management processes are reviewed and audited on an annual basis. The relevant staff are trained for incident specific scenarios. All security incidents, as well as known operational risks, are recorded. SiteMinder will advise relevant third parties of any security or data breach in accordance with applicable legal and contractual requirements. We may share a high level summary of the incident timeline, data impact and resolution taken once confidence has formed around scope, impact and resolution. This document was last reviewed on the 17th of June 2020 by the Director of Security.