OCP Security Policy
Last modified: May 10, 2023
This OCP Security Policy is incorporated by reference into the OCP Service Terms and Conditions agreement with OMILIA NATURAL LANGUAGE SOLUTIONS LTD, a company incorporated and existing under the laws of Cyprus with registered offices at Gladstonos 55 Str., 3040, Limassol, Cyprus, TIC number 123189502Z (“Omilia”) and describes the contractual requirements for information security and assurance provided by Omilia to the Customer, related either to the provision of OCP Services that the Partner has licensed from Omilia and transferred or sublicensed to the Customer, or to the provision of OCP Services that the Customer has licensed directly from Omilia. This OCP Security Policy is applicable to the extent that Omilia has access and control over the Customer’s data (herein “Customer Data”).
1. Security Program
Security Standards. Omilia has implemented and maintains an Information Security and Assurance program that follows generally accepted system security principles embodied in the ISO 27001 standard designed to protect Customer Data as appropriate to the nature and scope of the OCP Services provided. Also, Omilia, acting as a service provider and being compliant with PCI DSS, is responsible for the security of cardholders’ data which Omilia possesses or otherwise stores, processes, or transmits within OCP on behalf of the Customer, unless defined or configured otherwise by the Customer.
Security Awareness and Training. Omilia has developed and maintains a Security Education Training and Awareness program that is delivered to all employees and contractors involved in the delivery of OCP Services, at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically or in person and includes a testing aspect with minimum requirements to pass. The provided training also covers requirements of the applicable Data Protection legislation.
Policies and Procedures. Omilia maintains appropriate policies and procedures to support the Information Security and Assurance program. Policies and procedures are reviewed annually and updated as necessary.
Change Management. Omilia utilizes a change management process based on best practices and industry standards to ensure that all changes to the OCP Services’ environment are appropriately reviewed, tested, approved, and able to be traced back to accountable personnel.
Data Storage and Backup. Customer Data are stored in facilities that ensure 99.999999999% durability and are retained for a period of sixty (60) days after the collection date. Critical components are backed up according to formalized and documented backup policies and procedures. The critical components' backup data are not stored on portable media and are protected from unauthorized access via appropriate encryption and logical access control mechanisms.
Anti-Virus and Anti-Malware Protection. Omilia utilizes industry-standard anti-virus and anti-malware protection solutions to ensure that all non-Linux servers in OCP Services’ environment are appropriately protected against malicious software such as trojan horses, viruses, worms, ransomware, and other malicious code and zero-day threats. Omilia uses industry-standard practice to ensure that the OCP Services as delivered to the Customer do not include any program, routine, subroutine, or data (including malicious software or “malware,” viruses, worms, ransomware, and trojan horses) that are designed to disrupt the proper operation of the OCP Services, or which, upon the occurrence of a certain event, the passage of time, or the taking of or failure to take any action, will cause the OCP Services to be destroyed, damaged or rendered inoperable. The Customer and/or the Partner acknowledge that the use of license keys will not be a breach of this section.
Vulnerability and Patch Management. Omilia maintains a vulnerability management program that ensures compliance with the standards of its Information Security and Assurance program and industry best practices.
Data Destruction. Omilia and its subcontractors follow industry-standard processes to destroy obsolete data and retired equipment that formerly held Customer Data.
Penetration Testing. On at least an annual basis, Omilia conducts a vulnerability assessment and penetration testing engagement with an independent qualified vendor. Issues identified during the engagement are appropriately addressed within a reasonable time frame commensurate with the identified risk level of the issue. A cleansed version of the executive summary of the test results is made available to the Customer and/or the Partner upon written request and is subject to a non-disclosure and confidentiality agreement.
2. Network Security
Network Controls. Omilia employs effective network security controls based on its Information Security and Assurance program, best practices, and industry standards to ensure that Customer Data is segmented and isolated from other customer environments within the Data Center. Controls include but are not limited to:
(a) Firewall Services. Omilia uses firewall services to protect the OCP Services infrastructure. Omilia maintains granular ingress and egress rules and changes must be approved through Omilia’s change management system.
(b) Intrusion Detection System. Omilia has implemented intrusion detection systems across the OCP Services Environment which may be either network-based, host-based, or a combination of the two.
(c) No Wireless Networks. Omilia does not use wireless networks within the Data Center environments.
(d) Data Connections between the Customer and/or the Partner and the OCP Services Environment. Omilia uses TLS, VPN, and/or MPLS circuits to secure connections between browsers, client apps, and mobile apps and the OCP Services. Connections traversing an untrusted network (e.g., the Internet) will use TLS 1.2 or greater.
(e) Data Connections between OCP Services Environment and Third Parties. Transmission or exchange of Customer Data with the Customer and/or the Partner and any third parties authorized by the Customer and/or the Partner to receive the Customer Data is conducted using secure methods (e.g., TLS, HTTPS, SFTP).
(f) Encrypted Recordings. Omilia encrypts call/audio recordings and chat sessions to ensure the confidentiality of sensitive data, using best practices and standards with regard to the encryption key and certificate management.
(g) Encryption Protection. Omilia uses industry-standard methods to support encryption, and - where required by the applicable regulations or the Customer - irreversible masking.
(h) Logging and Monitoring. Omilia logs security events from the operating perspective for all building blocks providing the OCP Services to the Customer. Omilia monitors and investigates events that may indicate a security incident or problem. Event records are retained for at least two (2) years.
3. User Access Control
Access Control. Omilia implements appropriate logical access controls to ensure only authorized Users have access to Customer Data within the OCP Services environment.
User Access Management. The Customer and/or the Partner is responsible for managing User Access controls within the application. The Customer and/or the Partner define(s) the usernames, roles, and password characteristics (length, complexity, and expiration timeframe) for its users. The Customer and/or the Partner is entirely responsible for any failure by itself, its agents, contractors, or employees (including, without limitation, all its users) to maintain the security of all usernames, passwords, and other account information under its control. Except in the event of a security lapse caused by Omilia’s gross negligence or willful action or inaction, the Customer and/or the Partner is entirely responsible for all use of the OCP Services through the respective Customer’s and/or the Partner’s usernames and passwords whether or not authorized by the Customer and/or the Partner, and all charges resulting from such use. The Customer and/or the Partner will immediately notify Omilia if the Customer and/or the Partner becomes aware of any unauthorized use of the OCP Services.
Omilia User Access. Omilia creates individual User accounts for each of Omilia's employees or contractors that have a business need to access Customer Data or the Customer's and/or the Partner's systems within the OCP Services environment. The following guidelines are followed regarding Omilia's user accounts:
(a) User accounts are requested and authorized by Omilia management.
(b) Strong password controls are systematically enforced.
(c) Connections are required to be made via secure VPN, using MFA mechanisms and strong passwords that expire every sixty (60) days.
(d) Session time-outs are systematically enforced.
(e) User accounts are promptly disabled upon employee termination or upon a role transfer that eliminates a valid business need for access.
4. Business Continuity And Disaster Recovery
Disruption Protection. The OCP Services are deployed and configured in a high-availability design and are deployed across separate Data Centers to provide optimal availability of the OCP Services. The Data Center environment is physically separated from Omilia's corporate network environment so that a disruption event involving the corporate environment does not impact the availability of the OCP Services.
Business Continuity. Omilia maintains a corporate business continuity plan designed to ensure that ongoing monitoring and support services continue in the event of a disruption event involving the corporate environment. The Business Continuity Plan is tested at least annually.
Disaster Recovery. The OCP Services are deployed in a high-availability, redundant design. A disruption event at a single Data Center will trigger a system fail-over to the back-up Data Center to minimize disruption to OCP Services. For these OCP Services, the Customer and/or the Partner is responsible for defining specific parameters regarding fail-over.
5. Security Incident Response
Security Incident Response Program. Omilia maintains a Security Incident response program based on its information security program, best practices, and industry standards, designed to identify and respond to suspected and actual Security Incidents involving Customer Data. The program is reviewed, tested, and, if necessary, updated on at least an annual basis. "Security Incident" means a confirmed event resulting in unauthorized use, deletion, modification, disclosure, or access to Customer Data.
a. In case of a Partnership Agreement, in the event of a Security Incident or other security event requiring notification under applicable law, Omilia notifies the Partner within forty-eight (48) hours and will reasonably cooperate so that the Partner can make any required notifications to Customers relating to such events, unless Omilia is specifically requested by law enforcement or a court order not to do so. It is the Partner’s legal responsibility to forward such notifications to Customers in a timely manner and as per applicable law.
b. In case of a Customer Agreement, in the event of a Security Incident or other security event requiring notification under applicable law, Omilia notifies the Customer within forty-eight (48) hours, unless Omilia is specifically requested by law enforcement or a court order not to do so.
Notification Details. Omilia provides the following details regarding any Security Incidents to the Customer and/or the Partner: (i) the date that the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions Omilia has already taken; (iv) corrective measures to be taken; and (v) evaluation of alternatives and next steps.
Ongoing Communications. Omilia continues providing appropriate status reports to the Customer and/or the Partner regarding the resolution of the Security Incident, continually working in good faith to correct the Security Incident and prevent such Security Incidents in the future. Omilia cooperates, as reasonably requested by the Customer and/or the Partner, to further investigate and resolve the Security Incident.
6. Data Center Protections
Data Center. Omilia contracts with third-party providers for Data Center space. Data Center providers and related services are reviewed on an annual basis to ensure that they continue to meet Omilia and Customer and/or Partner needs. Each Data Center provider maintains certification based on its independent business models. Security and compliance certifications and/or attestation reports for the Data Center(s) relevant to the Customer’s and/or the Partner’s OCP Services are provided upon written request and may require additional non-disclosure agreements to be executed.
Physical Security. Each Data Center is housed within a secure and hardened facility with the following minimum physical security requirements: (a) secured and monitored facility; (b) on-site access validation with identity check; (c) access only to persons on an access list approved by Omilia; (d) on-site network operations center staffed 24x7x365; (e) surveillance cameras at the points of entry.
Environmental Controls. Each Data Center is equipped to provide redundant external electrical power sources, redundant uninterruptible power supplies, backup generator power, and redundant temperature and humidity controls.
7. Use of the OCP Services
The Customer and/or the Partner will not, and will not permit or authorize others to, use the OCP Services for any of the following: (i) to violate applicable Law; (ii) to transmit Malicious Code; (iii) to transmit 911, 112 or any emergency services calls (or reconfigure the OCP Services to support or provide such use); (iv) to interfere with, unreasonably burden, or disrupt the integrity or performance of the OCP Services or third-party data contained therein; (v) to attempt to gain unauthorized access to systems or networks; or (vi) to provide the OCP Services to non-User third parties, including by resale, license, loan, or lease.
The Customer and/or the Partner will use commercially reasonable efforts to prevent and/or block any prohibited use by others.
The Customer and/or the Partner will maintain any reasonable, appropriate administrative, physical, and technical level of security regarding its account ID, password, antivirus and firewall protections, and connectivity with the OCP Services.
The Customer and/or the Partner shall maintain strict security over all VoIP Services lines. The Customer and/or the Partner acknowledges that Omilia does not provide the Customer and/or the Partner with the ability to reach 911, 112, or other emergency services and the Customer and/or the Partner agrees to inform any individuals who may be present where the OCP Services are used, or who use the OCP Services, of the non-availability of 911, 112 or another emergency dialing.
If the OCP Services will be used to transmit or process Personal Data, the Customer and/or the Partner will ensure that all Personal Data is captured and used solely via the use of available Security Features and that clear, solid, and undisputed consent/authorization has been received and recorded by the Customer for its data subjects (i.e., the Customer's End-Users), if applicable.
Recordings. As between Omilia and the Customer, Omilia acknowledges that the use of Recordings is solely within the Customer's discretion and control. Without limiting the foregoing: (i) Omilia accepts sole responsibility for determining the method and manner of performing recording as part of the OCP Services such that it is compliant with all applicable Laws and for instructing the services accordingly; and (ii) the Customer shall note that Recordings may be made only for diagnostic, quality assurance, and/or Support purposes, and in any event only for purposes required by and/or in compliance with all applicable Laws. The Customer will ensure that (a) Recordings will not knowingly include any bank account number, credit card number, authentication code, Social Security number, or Personal Data, except as allowed or required by all applicable Laws; or (b) Recordings are encrypted at all times. To the extent Recordings are encrypted or where encryption is electable by the Customer as part of the OCP Services, the Customer shall elect such encryption. The Customer shall not modify, disable, or circumvent the Recording encryption feature within the OCP Services and shall otherwise ensure that it will use the OCP Services in compliance with the encryption feature.
8. Industry-Specific Certifications
Omilia's security and operational controls are based on industry-standard practices and are designed to meet the guidelines of, comply with the provisions of, and be certified against well-known, industry-approved Standards / Frameworks, such as:
- Information security, cybersecurity and privacy protection — Information Security Management Systems Standard (ISO/IEC 27001 Standard)
- AICPA Service Organization Controls, relevant to Security, Availability, Confidentiality, and Privacy (SOC 2 Type-II Attestation Standard)
- Payment Card Industry Data Security Standard (PCI-DSS)
Nevertheless, the Customer and/or the Partner is solely responsible for achieving and maintaining any industry-specific certifications required for its business.
Subject to Omilia's reasonable confidentiality agreements and information security policies, the Customer or a qualified third party chosen by the Customer shall have the right, once a year at a maximum, and upon ninety (90) days' written notice, to perform a security assessment of Omilia's compliance with the terms of this Policy, provided that the Customer has demonstrated that it has a reasonable belief that Omilia is not in compliance. During normal business hours, the Customer or the Customer's authorized representatives may inspect Omilia's policies and practices implemented to comply with this Policy, which may include a site visit and a review of reasonable supporting documentation, provided that the Customer and/or the Partner agree(s) that such right shall not include the right to on-site inspections or audits of Omilia's third-party hosting facilities and equipment. No such assessment shall violate Omilia's obligations of confidentiality to customers or reveal Omilia's Intellectual Property. Any assessment performed pursuant to this Section shall not interfere with the normal conduct of Omilia's business. Omilia shall cooperate in a commercially reasonable manner with any such assessment and reserves the right to charge the Customer for Omilia's reasonable costs incurred in connection with any such assessment.
Subject to Omilia's reasonable confidentiality and information security policies, the End User or a qualified third party chosen by the End User shall have the right, once a year at a maximum, and upon ninety (90) days' written notice, to perform a security assessment of Omilia's compliance with the terms of this Policy, provided that the End User has demonstrated that the End User has a reasonable belief that Omilia is not in compliance. During normal business hours, the End User or the End User's authorized representatives may inspect Omilia's policies and practices implemented to comply with this Policy, which may include a site visit and a review of reasonable supporting documentation, provided that the End User and/or the Partner agree(s) that such right shall not include the right to on-site inspections or audits of Omilia's third-party hosting facilities and equipment. No such assessment shall violate Omilia's obligations of confidentiality to customers or reveal Omilia's Intellectual Property. Any assessment performed pursuant to this Section shall not interfere with the normal conduct of Omilia's business. Omilia shall cooperate in a commercially reasonable manner with any such assessment and reserves the right to charge the End User for Omilia's reasonable costs incurred in connection with any such assessment.
11. Customer Data
As between Omilia and the Customer and/or the Partner, the Customer retains ownership of all intellectual property rights in the Customer Data and grants Omilia a non-exclusive, non-sublicensable (except to parties working on Omilia’s behalf), non-transferable, royalty-free license to access, process, store, transmit, and otherwise make use of the Customer Data as necessary to provide the Services and to otherwise fulfill Omilia’s obligations under the Agreement.
The Customer agrees that the Customer Data may be transferred or stored outside the country where the Customer and/or the Partner and the Customer’s customers or users are located, in order to carry out the Services and Omilia’s other obligations under the Agreement.
The Customer represents and warrants that it has obtained all consents and authorizations necessary for Omilia to collect, access, process, store, transmit, and otherwise use Customer Data in accordance with the Agreement.
The Customer shall comply with all requirements of integrity, quality, legality, and all other similar aspects in respect of Customer Data. Omilia may, but is not obligated to, review or monitor any Customer Data. Omilia expressly disclaims any duty to review or determine the legality, accuracy, or completeness of Customer Data.
Omilia may aggregate data and information related to the performance, operation, and use of the OCP Services to create statistical analyses, perform benchmarking, perform research and development, and perform other similar activities ("Service Improvements"). Omilia does not incorporate Customer Data in Service Improvements in a form that could identify the Customer and/or the Partner and/or the Customer's customers or users, and will use industry-standard techniques to anonymize Customer Data prior to performing Service Improvements. Omilia retains all intellectual property rights in Service Improvements and may make them publicly available.