Fortra Data Processing Agreement

  1. Scope of this DPA

    • 1.1 This DPA is incorporated by reference into the Fortra Master Solutions Agreement and Professional Services Terms & Conditions at https://www.fortra.com/legal or other applicable executed Services Agreement (each referred to as “Services Agreement”). When providing the Services Fortra may Process Personal Data on behalf of the Client and the Parties agree to comply with the terms of this DPA.
    • 1.2 In the event of any conflict between this DPA and the underlying Services Agreement, this DPA shall prevail. In the event of any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.
    • 1.3 To the extent the Data Protection Law DORA is applicable, the terms in Exhibit A are incorporated into this DPA.
     
  2. Definitions

    In this DPA, the following terms shall have the following meanings:

  • 2.1 “Adequacy Decision” means, as applicable, a decision from the European Commission, UK Government and/or Swiss Federal Council that a third country provides an adequate level of data protection.
  • 2.2 “CCPA” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act effective 1 January 2023, and any subsequent amendments or implementing regulations.
  • 2.3 “Client Personal Data” means any Personal Data Processed by Fortra on behalf of the Client pursuant to the Services Agreement.
  • 2.4 “Controller” means an entity which alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including any equivalent term under Data Protection Law.
  • 2.5 “Data Protection Law” means, as applicable, any privacy and data protection laws and regulations including: (i) the GDPR and Member State laws implementing the GDPR; (ii) the UK GDPR and Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection (“FADP”); (iv) the European Union’s Digital Operational Resilience Act (“DORA”); and (v) the CCPA, each as amended, updated or replaced from time to time.
  • 2.6 “Data Subject” means an identified or identifiable individual.
  • 2.7 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.
  • 2.8 “Personal Data” means any information relating to a Data Subject, including any equivalent term under Data Protection Law.
  • 2.9 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • 2.10 “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
  • 2.11 “Processor” means an entity which Processes Personal Data on behalf of a Controller, including any equivalent term under Data Protection Law.
  • 2.12 “Standard Contractual Clauses” means, as applicable, (i) the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR (“EU SCCs”); and (ii) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under S119A(1) of the Data Protection Act 2018 (“UK Addendum”).
  • 2.13 “Sub-processor” means any third party appointed by Fortra to Process the Client’s Personal Data on behalf of the Client.
  • 2.14 “Supervisory Authority” has the meaning or equivalent meaning given under Data Protection Law.
  • 2.15 “UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
  • 2.16 Capitalized terms not defined in this DPA shall have the meaning given to those terms in the Services Agreement.
  3. Scope of the Processing
    • 3.1 The Parties agree that in relation to the Processing of the Client Personal Data, the Client is the Controller and Fortra is the Processor. If the Client is a Processor of the Client Personal Data Fortra shall be a sub-processor of the Client Personal Data. The terms of this DPA shall govern each scenario. In the event Fortra is deemed a sub-processor, Client shall be designated as the point of contact for the applicable Controller(s) and Fortra’s notice to Client shall be deemed to satisfy its notice requirements under the applicable Data Protection Law as notice to the applicable Controller(s). Client shall be responsible for providing notice on behalf of Fortra to the applicable Controller(s). To the extent Fortra has provided notice to the Client, and Client fails to sufficiently provide notice on behalf of Fortra to the applicable Controller(s) and any Supervisory Authority determines that Fortra did not satisfy its notice requirements to the Controller(s), then (x) such nonsatisfaction shall not be deemed a material breach of this DPA or the Services Agreement by Fortra and (y) Client shall defend and indemnify Fortra for any deficiencies related to providing notices under applicable Data Protection Law to Controller(s) by Fortra acting as sub-processor.
    • 3.2 Each Party shall comply with its respective obligations under the Data Protection Law.
    • 3.3 Fortra shall only Process the Client Personal Data on the written instructions of the Client, unless Fortra is legally required to do otherwise. In the latter case, Fortra shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
    • 3.4 Fortra shall not: (a) collect, retain, use, or disclose the Client Personal Data for any purpose other than as necessary for the specific purpose of performing the Services on behalf of the Client; (b) collect, retain, use or disclose the Client Personal Data for a commercial purpose other than providing the Services on behalf of the Client; (c) collect, retain, use or disclose the Client Personal Data outside of Fortra’s direct business relationship with the Client; (d) combine the Client Personal Data with other Personal Data it receives other than as expressly permitted by Data Protection Law (except to contribute to improve its Services); or (e) “sell” or “share” the Client Personal Data, each as defined in the CCPA. However, Fortra may also collect, retain, use, disclose and combine Client Personal Data either anonymized, or in the case of specific threat information, non-anonymized (as long as Client is not identified as source of such data).
    • 3.5 The Processing of the Client Personal Data by Fortra comprises the subject matter, nature, purpose and duration determined in the relevant section of Schedule 1 to this DPA. The Processing relates to the types of Personal Data and categories of Data Subjects identified therein.
    • 3.6 Fortra shall immediately inform the Client if, in its opinion, an instruction infringes the Data Protection Law.
  4. Personnel Requirements
    • 4.1 Fortra shall ensure that persons authorized to Process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  5. Security of Processing
    • 5.1 Fortra shall implement appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, circumstances, and purposes of the Processing of the Client Personal Data, as well as the respective likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of data security appropriate to the risk of the Client Personal Data.
    • 5.2 Fortra shall comply with the technical and organizational measures as specified in Schedule 2 to this DPA. Fortra may update such measures from time to time provided that any such updates do not diminish the level of security provided for in Schedule 2 of this DPA.
  6. Engagement of Sub-processors
    • 6.1 The Client hereby authorizes Fortra to engage Sub-processors in a general manner to Process the Client Personal Data. Upon written request from the Client Fortra will provide a complete list of Sub-processors it engages.
    • 6.2 Client shall notify Fortra of any objection to any Sub-processor within 10 days of receiving the list. If the objection has not been resolved to the mutual satisfaction of the Parties within 30 days after receipt of the Subscriber’s objection either Party may terminate the Services Agreement (in whole or in part solely to the extent necessary to terminate access to the Services affected by the addition of the proposed Sub-processor), which shall be the Subscriber’s sole and exclusive remedy.
    • 6.3 Fortra shall contractually impose on each Sub-processor obligations to comply with applicable Data Protection Law.
    • 6.4 Fortra shall remain fully liable to the Client for the performance of the obligations of each Sub-processor with regards to the Services.
  7. Support Obligations
    • 7.1 Taking into account the nature of the Processing, Fortra shall assist the Client, insofar as this is possible, with technical and organizational measures to fulfil the Client’s obligations to respond to requests for exercising Data Subjects’ rights relating to the Client Personal Data. Fortra may respond to such requests directly to the Data Subject only upon prior written authorization of the Client. If a Data Subject directly contacts Fortra to exercise their Data Subject rights, Fortra shall forward this request immediately to the Client.
    • 7.2 Fortra shall notify the Client without undue delay of an actual Personal Data Breach involving the Client Personal Data. The notification shall contain a description of the:
      • a) nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
      • b) name and contact details of Fortra’s contact point where more information can be obtained;
      • c) likely consequences of the Personal Data Breach; and
      • d) measures taken or proposed to be taken by Fortra to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

        Where it is not possible to provide such information at the same time, Fortra may provide the information in phases without undue further delay.
    • 7.3 To the extent required by Data Protection Law, taking into account the nature of the Processing and the information available to Fortra, Fortra shall reasonably assist the Client in ensuring compliance with the security of Processing, breach notifications, data protection impact assessments and prior consultations with Supervisory Authorities at Client’s cost.
  8. Deletion and Return of Client Personal Data
    • 8.1 This DPA shall remain in effect for as long as Fortra Processes the Client Personal Data on behalf of the Client. Upon written request Fortra shall no later than 90 days after the date of cessation of any Service involving the Processing of the Client Personal Data, delete or return the Client Personal Data. If Fortra is required by law to maintain the Client Personal Data Fortra shall inform the Client of such requirement.
  9. Audit
    • 9.1 At the Client’s cost, Fortra shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and, to the extent required by Data Protection Law, allow for and contribute to audits, conducted by the Client or another auditor mandated by the Client. The Client may only exercise its right to audit once per calendar year, and such audit will not include access to premises or systems. Fortra and the Client will discuss and agree in writing the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit and the Client shall take all necessary steps to minimize the disruption to Fortra’s business. The Client or relevant auditor shall not have any right to access any other of Fortra’s customers’ Personal Data or any system not involved in the Processing of the Client’s Personal Data. Any information obtained pursuant to an audit shall be deemed to be confidential information of Fortra.
    • 9.2 Fortra shall ensure, as applicable, that any transfer of the Client Personal Data, subject to the GDPR, UK GDPR and/or FADP, outside of the EEA, UK and/or Switzerland to a third country without an Adequacy Decision complies with Data Protection Law.
    • 9.3 If the Client transfers Client Personal Data which is subject to the GDPR, UK GDPR and/or FADP outside of the EEA, UK and/or Switzerland, as applicable, to Fortra in a third country without an Adequacy Decision the Parties agree to comply with module 2 and/or 3 of the Standard Contractual Clauses, as applicable, which are incorporated into this DPA by reference, as if they had been set out in full, and are populated in this clause 10. The Parties agree that for the purposes of the Standard Contractual Clauses the Client shall be the data exporter and Fortra shall be the data importer.
    • 9.4 The Parties agree that execution or acceptance of the Services Agreement constitutes execution of the Standard Contractual Clauses to the extent required by Data Protection Law.
  10. International Transfers
  • 10.1 The Parties agree to complete the EU SCCs as follows in relation to the Client Personal Data subject to the GDPR: (i) any optional clauses are excluded; (ii) the Parties’ details shall be as set out in the Services Agreement and this DPA; (iii) the description of the transfer shall be as set out in the relevant section of Schedule 1 of this DPA; (iv) the competent Supervisory Authority shall be determined in accordance with clause 13 of the EU SCCs; (v) the data importer’s technical and organizational security measures shall be in accordance with clause 5 of this DPA; and (vi) the data importer has a general written authorization to appoint Sub-processors in accordance with clause 6 of this DPA.
  • 10.2 The Parties agree to complete the UK Addendum in relation to the Client Personal Data subject to the UK GDPR: (i) the version of the EU SCCs the UK Addendum is appended to shall be the version set out in this DPA and populated at clause 10.4; (ii) the start date shall be the date of the Services Agreement; (iii) the Parties’ details and Annex details shall be in accordance with clause 10.4; (iv) the competent Supervisory Authority shall be the Information Commissioner; and (v) the data importer shall have the right to terminate the UK Addendum.
  • 10.3 The Parties agree to comply with EU SCCs as populated in clause 10.4 of this DPA in relation to the Client Personal Data subject to the FADP, and as amended as follows: (i) the competent Supervisory Authority shall be the Federal Data Protection and Information Commissioner; (ii) the term ‘Member State’ will not be interpreted to exclude Data Subjects in Switzerland from initiating legal proceedings in Switzerland; and (iii) references to the ‘GDPR’ will be understood as references to the FADP.
  • 10.4 The following additional safeguards are designed to further support the use of the Standard Contractual Clauses by the Parties: (a) Fortra represents that it has not, as of the effective date of this DPA, received any requests under Section 702 of the U.S. Foreign Intelligence Surveillance Act for the Personal Data of residents of EEA, UK, Switzerland or any such other country; (b) Fortra shall provide the Client with notice if it becomes unable to comply with the Standard Contractual Clauses; and (c) if Fortra receives a request for any Client Personal Data from any third party, including a government or law enforcement authority or under Section 702 of the Foreign Intelligence Surveillance Act, Fortra will make commercially reasonable efforts to assert available defenses against making the disclosure and will minimize the scope of any legally required disclosure to only that which is strictly necessary to meet the disclosure obligation.
  11. Limitation of Liability
  • This DPA is subject to the terms and conditions of the Services Agreement and the limitations of liability set forth in the Services Agreement shall apply to this DPA, including without limitation any breach of this DPA by either party. For the avoidance of doubt, such limitations of liability are an aggregate limit and all claims under this DPA shall be aggregated with all claims under the Services Agreement.


Exhibit A

DORA Addendum

  1. This Addendum is attached to and made part of the Fortra Master Solutions Agreement (this “Agreement”) in effect between Fortra, LLC and Client. Absent a signed agreement, Agreement shall mean Fortra’s Master Solutions Agreement available at https://www.fortra.com/legal.
  2. Definitions:
  3. “DORA” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.
  4. “ICT-related incident” means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.
  5. Cooperation and Access

    Fortra shall reasonably cooperate, where necessary, with any competent authorities having authority over Client under DORA.

    Upon request, Fortra will make internal or third-party audit reports available to Client, if available. If internal or third-party audit reports are not available, and Fortra is deemed an ICT service provider that supports critical or important functions, during a current Subscription or Maintenance Term the Client will be entitled, once per year, at its own expense, upon at least fifteen (15) business days’ prior written notice to Fortra, to review or audit the business records of Fortra as reasonably agreed upon by both Parties to verify Fortra’s compliance with this Agreement. Such review or audit may be conducted by the Client’s own employees or agents, or by an external auditor appointed by Client with a non-disclosure agreement in place.

  6. ICT Incidents

    Fortra shall reasonably assist the Client if an ICT-related incident occurs, taking into account the nature of the ICT-related incident, the impact to Client, data available to Fortra, and applicable law. This may include recommending actions to be taken by Customer on Customer-controlled systems to reduce the risk of a recurrence of the same or a similar ICT-related incident, including, as appropriate, the provision of action plans and mitigating controls, coordinating with Customer in developing action plans and mitigating controls, providing guidance, recommendations and other necessary information for recovery efforts and long-term remediation and/or mitigation for cyber security risks posed to Customer Cyber Security Information, equipment, systems, and network.

  7. Termination
    1. In addition to the Termination rights in Section 9 of the Fortra Master Solutions Agreement, Client may immediately terminate this Agreement if termination is based on express instructions from the customer's financial services regulator.
    2. Upon expiry or termination of this Agreement, if Client requires assistance with a transition to another ICT third-party service provider, Fortra agrees to enter into good faith negotiations to provide transition services at a cost that is determined ex-ante.
  8. Security Awareness

    New employees of Fortra are required to complete security training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with security policies, as well as other corporate policies, such as the Fortra Code of Conduct. This includes requiring Fortra employees to annually re-acknowledge the Code of Conduct and other Fortra policies as appropriate. Fortra conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.

  9. Security Testing
    1. On-prem Solutions

      As on-premises solutions are hosted on the Client’s environment, Client can test these on-premises Solutions without further cooperation or assistance from Fortra. Upon request, Fortra can provide executive summary reports of vulnerability scanning for these Solutions.

    2. Hosted Solutions

      If Client has deemed Fortra as a provider supporting a critical or important function, Fortra shall provide third-party security penetration testing report executive summaries or summary results from pooled TLPT testing, if available, upon request from Customer. If Client is not satisfied with the offer of these executive summaries, Fortra will cooperate with the Customer from time to time to carry out security penetration testing to assess the effectiveness of Fortra’s cyber and information technology security measures and processes at a cost that is determined ex-ante.

  10. Compliance with Laws

    Each Party will comply with applicable laws, and have the correct registrations and/or licenses to do business. Fortra will perform any services in a professional manner and in line with our support service standards.

  11. Information Sharing

    Notwithstanding any provision concerning Confidential Information in the Agreement, Client shall have the right to share anonymized Confidential Information on Incidents with third parties in accordance with Article 45 of DORA for the purpose of enhancing its digital operational resilience.


Schedule 1 

Data Processing Instruction

Nature of the Processing: The nature of the Processing involves, but is not limited to, collecting, using, storing, and transferring Client Personal Data.

Purposes of the Processing: For the purposes of providing the Services pursuant to the Services Agreement.

Types of Personal Data including Special Category Personal Data:

Data Exporter may submit Client Data, the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of Client Data:

  • First and last name
  • Business contact information (company, email, phone, fax, physical business address) or geographic information like zip code
  • Personal contact information (email, cell phone)
  • Local identifier (e.g., passport, tax ID number, social insurance number or license numbers)
  • Title
  • Position
  • Employer
  • ID data
  • Professional life data
  • Personal life data (in the form of security questions and answers)
  • Connection data
  • Localization data
  • Device level data
  • Network data (including source and destination IP addresses)
  • Log data, configuration data and diagnostic output of business-managed assets
  • Electronic identification and access credentials for business-managed assets, including IP address, user name, password;
  • Special categories if applicable to products or services
Categories of Data Subjects:

Data Exporter may submit Client Data to the Solution(s), the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to Client Data relating to the following categories of data subjects:

  • Client, business partners, and vendors of the Data Exporter (who are natural persons)
  • Employees or contact persons of Data Exporter customers, business partners, and vendors  
  • Employees, agents, advisors, contractors, or any user authorized by the Data Exporter to use the Service (who are natural persons)

Frequency and Duration of the Processing: On a continuous basis for the duration of the Services Agreement.

Schedule 2

Technical and Organizational Security Matters


Organization of Information Security 

Fortra has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures. 

Fortra personnel with access to Personal Data are subject to confidentiality obligations. 

Fortra security personnel receive data security training at least annually. 

Asset Management 

Fortra classifies Personal Data to help identify it and to allow for access to it to be appropriately restricted.  

Fortra has management processes for the assignment, responsibility, return, disposal and repurposing of electronic assets.

Personnel Security and Acceptable Use

Fortra conducts pre-employment background and reference checks, in compliance with applicable laws and regulations. 

Fortra’s onboarding process includes communicating roles and responsibilities, and security training. Security awareness training will occur at least annually thereafter. 

Fortra maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel.  

Physical and logical access and asset assignment is managed and documented throughout personnel lifecycles. 

Personnel are expected to acknowledge annually the IT Acceptable Use Policy and be responsible for the guidelines and standards set forth by Fortra. 

Fortra reserves the right to monitor and retain information gathered during personnel’s use of its resources.

Access Control 

Fortra maintains a role-based assignment of security privileges of individuals having access to Personal Data. 

Fortra maintains and updates a record of personnel authorized to access Vendor systems that contain Personal Data. 

Fortra identifies personnel who may grant, alter or cancel authorized access to data and resources.  

Technical support personnel are only permitted to have access to Personal Data when needed.  

Fortra restricts access to Personal Data to only those individuals who require such access to perform their job function. 

Fortra instructs Fortra personnel to disable administrative sessions when leaving premises Fortra controls or when computers are otherwise left unattended. 

Fortra uses industry standard practices to identify and authenticate users who attempt to access information systems. 

Where authentication mechanisms are based on passwords, Fortra requires that the passwords are changed regularly. 

Where authentication mechanisms are based on passwords, Fortra requires the password to be at least eight characters long. 

Fortra maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed. 

Fortra uses industry standard password protection practices. 

Fortra has controls designed to avoid individuals assuming access rights they have not been assigned to gain access to Personal Data they are not authorized to access. 

Working Remotely

Fortra allows employees and contractors to work remotely and provides the required infrastructure to work in an efficient manner.

Fortra prescribes guidelines and requirements for remote wireless devices used for work purposes.

Fortra does not allow remote work in certain countries/regions due to sanctions and high-security risks.

Server and Serverless Security

Fortra has server base guidelines for configurations, monitoring, patch management and the implementation and decommissioning of both physical and virtual servers.

Key Management and Cryptography

Fortra has established requirements for selecting cryptographic keys, managing keys, assigning key strengths and managing digital certificates for IT resources that store, transmit or process sensitive information.

Backup and Restoration

Fortra documents, monitors and periodically tests backups to ensure that they are recoverable and verify data integrity. 

Fortra data owners and the Disaster Recovery Plan determine the frequency and retention of backups in accordance with the acceptable risk.

Fortra creates routine backup copies of production data to enable data recovery. 

Fortra stores backup copies of data in a different location from where the production data is located.  

Change Management

Fortra formally submits changes, which include the scope of the change, rollback plan, test plan, communication plan and approvals.

Fortra has a pre-approved process for “routine changes” and provides for a post approval process for “emergency changes”.

Incident Management 

Fortra requires immediate and mandatory incident reporting from all personnel. 

Fortra’s Security Incident Response Team (SIRT) will handle incidents as outlined by the Incident Response Plan.

Fortra will document, communicate and review confirmed incidents for lessons learned, practical remediation and potential training value. 

Logging and Monitoring

Fortra logging infrastructure is kept secured and available only to authorized personnel. 

Fortra requires specific system and application logging elements and administrative responsibilities. 

Fortra requires that activity logs are created whenever a system, application or user executes, creates, modifies or removes access, content, permissions or configurations.

Vulnerability and Penetration Testing

Fortra performs regular scans of all systems and network devices using approved vulnerability scanning tools. 

Fortra has developed a comprehensive penetration testing plan that outlines the scope, objective and methodology used by a qualified independent third-party. 

Fortra’s Corporate Security Team is responsible for managing and overseeing vulnerability assessment and penetration testing activities.

Software Development Lifecycle

Fortra’s Production Requirements Document (PRD) determines the privacy and security requirements during the software design phase. 

Fortra assesses security and privacy at all stages of development through code review and controls involving the management of authorized libraries, scripts and source code systems.

Data Retention and Disposal

Fortra complies with regulatory, legal and contractual requirements regarding the data retention and disposal of Intellectual Property (IP), Personally Identifiable Information (PII), Personal Health Information (PHI) and Business-Sensitive Information (BSI).

Fortra will perform the disposal of customer data according to contractual agreement or customer request. A default disposal schedule is adhered to if not contractually defined. 

Fortra defines roles, guidelines and secure methods for the retention and disposal of data for both regulated and unregulated data. 

Fortra will suspend the disposal of documents as it relates to an investigation, audit or litigation until management, with the advice of counsel, determines otherwise.

Information Classification

Fortra information assets (electronic and non-electronic) are identified, inventoried, classified and follow information classification guidelines. Information that is either in the custody of and/or produced and owned by Fortra is classified into one of three categories: Public, Internal, and Confidential.

Workstation and Mobile Device 

Fortra-owned workstations and mobile devices assigned to personnel have baseline configurations which limit the end-user access and privileges to Fortra information assets.

Fortra implements operational safeguards on workstations and mobile devices that include patching, disk and network encryption, password requirements, firewalls, antivirus and malware detection, software management and device monitoring.

Network Security

Fortra’s networks shall be segregated from external networks by resources (firewalls, security groups, network access-control lists, etc.) that allow Fortra staff to apply rules that determine the route of network traffic.

Fortra has established standards for network configuration that include but are not limited to encryption, authentication, remote access, network interconnectivity, physical security and patching. 

Fortra must first have explicit approval from Corporate Security prior to network connection acquisition between Fortra and a third-party (vendors, customers and subsidiaries including newly acquired organizations). 

Fortra has anti-malware controls designed to help avoid malicious software gaining unauthorized access to Personal Data, including malicious software originating from public networks. 

Fortra encrypts, or enables Controller to encrypt, Personal Data that is transmitted over public networks. 

Business Continuity and Disaster Recovery

Fortra defines a formal Business Impact Analysis (BIA) to determine the criticality of a given process or business unit, and its impact on the business if not operational.

Fortra evaluates a Business Continuity Plan (BCP) for business process and service activities identified as critical in the BIA on an annual basis. 

Fortra has established a Disaster Recovery Plan (DRP) that addresses the process of recovering, reinstating and testing business operations to a pre-disaster state on an annual basis.

Risk Assessment 

Fortra applies a risk management framework that includes guidelines for identifying and estimating the cost of protective measures to eliminate or reduce information security risks to an acceptable level. 

Fortra’s risk management program focuses on the following activities: identification of strategic objectives, identifying risk, analyzing risk, mitigation planning, tracking and controlling risk. 

Fortra Management is responsible for reviewing risk assessment and approving risk mitigation plans. 

Vendor Management

Fortra has developed a vendor security risk strategy for outsourced products and services that process or have access to Fortra’s information and IT infrastructure. 

Fortra requires a confidentiality agreement or data processing agreement to outline the security role and responsibility of the vendor and its product or service.

Customer Support and Responsiveness 

Fortra Customer support uses best efforts to respond to reported problems within the targeted time frames and provide status updates during the resolution process. 

Fortra and Customer should refer to their individual Master Services Agreement (MSA) for information regarding Fortra general services, targeted time frames, and any applicable support costs and credits.