OCP Security Policy


This OCP Security Policy is incorporated by reference into the OCP Service Terms and Conditions agreement with OMILIA NATURAL LANGUAGE SOLUTIONS LTD, a company incorporated and existing under the laws of Cyprus with registered offices at Gladstonos 55 Str., 3040, Limassol, Cyprus, TIC number 123189502Z (“Omilia”) and describes the contractual requirements for information security and assurance provided by Omilia to the End User related either to the provision of OCP Services that the Partner has licensed from Omilia and transferred or sublicensed to the End User, or to the provision of OCP Services that the End-User has licensed directly from Omilia. This OCP Security Policy is applicable to the extent that Omilia has access and control over End-User’s data (herein “Customer Data”).

1. Security Program

1.1.

Security Standards. Omilia has implemented and will maintain an Information Security and Assurance program that follows generally accepted system security principles embodied in the ISO 27001 standard designed to protect Customer Data as appropriate to the nature and scope of the OCP Services provided.

1.2.

Security Awareness and Training. Omilia has developed and will maintain a Security Education Training and Awareness program that is delivered to all employees and contractors involved in the delivery of OCP Services, at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically or in person and includes a testing aspect with minimum requirements to pass.

1.3.

Policies and Procedures. Omilia will maintain appropriate policies and procedures to support the Information Security and Assurance program. Policies and procedures will be reviewed annually and updated as necessary.

1.4.

Change Management. Omilia will utilize a change management process based on best practices and industry standards to ensure that all changes to the OCP Services’ environment are appropriately reviewed, tested, approved and able to be traced back to accountable personnel.

1.5.

Data Storage and Backup. Omilia will create backups of critical Customer Data according to formalised and documented backup policy and procedures. Customer Data will be stored and maintained solely on designated backup storage media within the Data Center(s). Backup data will not be stored on portable media. Customer Data stored on backup media will be protected from unauthorized access via appropriate encryption and logical access control mechanisms.

1.6.

Anti-Virus and Anti-Malware Protection. Omilia will utilize industry standard anti-virus and anti-malware protection solutions to ensure that all non-Linux servers in OCP Services’ environment are appropriately protected against malicious software such as trojan horses, viruses, worms, ransomware and other malicious code and zero day threats. Omilia will use standard industry practice to ensure that the OCP Services as delivered to the End User do not include any program, routine, subroutine, or data (including malicious software or “malware,” viruses, worms, ransomware and Trojan Horses) that are designed to disrupt the proper operation of the OCP Services, or which, upon the occurrence of a certain event, the passage of time, or the taking of or failure to take any action, will cause the OCP Services to be destroyed, damaged or rendered inoperable. The End User and/or the Partner acknowledges that the use of license keys will not be a breach of this section.

1.7.

Vulnerability and Patch Management. Omilia will maintain a vulnerability management program that ensures compliance with the standards of Our Information Security and Assurance program and industry best practices.

1.8.

Data Destruction. Omilia and its subcontractors will follow industry standard processes to destroy obsolete data and retired equipment that formerly held Customer Data.

1.9.

Penetration Testing. On at least an annual basis, Omilia will conduct a vulnerability assessment and penetration testing engagement with an independent qualified vendor. Issues identified during the engagement will be appropriately addressed within a reasonable time-frame commensurate with the identified risk level of the issue. A cleansed version of the executive summary of the test results will be made available to the End User and/or the Partner upon written request and will be subject to non-disclosure and confidentiality agreements.

2. Network Security

2.1.

Network Controls. Omilia will employ effective network security controls based on our Information Security and Assurance program, best practices, and industry standards to ensure that Customer Data is segmented and isolated from other customer environments within the Data Center. Controls include, but are not limited to:
(a) Firewall Services. Omilia uses firewall services to protect the OCP Services infrastructure. Omilia maintains granular ingress and egress rules, and changes must be approved through Omilia’s change management system.
(b) Intrusion Detection System. Omilia has implemented intrusion detection systems across the OCP Services Environment which may be either network based, host based or a combination of the two.
(c) No Wireless Networks. Omilia will not use wireless networks within the Data Center environments.
(d) Data Connections between the End User and/or the Partner and the OCP Services Environment. Omilia uses TLS, VPN and/or MPLS circuits to secure connections from browsers, client apps, and mobile apps to the OCP Services. Connections traversing an untrusted network (e.g. the Internet) will use TLS 1.3.
(e) Data Connections between OCP Services Environment and Third Parties. Transmission or exchange of Customer Data with the End User and/or the Partner and any third parties authorized by the End User and/or the Partner to receive the Customer Data will be conducted using secure methods (e.g. TLS, HTTPS, SFTP).
(f) Encrypted Recordings. Omilia encrypts call/audio recordings and chat sessions to ensure the confidentiality of sensitive data, using best practices and standards with regards to encryption key and certificate management.
(g) Encryption Protection. Omilia uses industry standard methods to support encryption.
(h) Logging and Monitoring. Omilia will log security events from the operating perspective for all building blocks providing the OCP Services to the End User. Omilia will monitor and investigate events that may indicate a security incident or problem. Event records will be retained for at least one year.

3. User Access Control

3.1.

Access Control. Omilia will implement appropriate logical access controls to ensure only authorized Users have access to Customer Data within the OCP Services environment.

3.2.

User Access Management. The End User and/or the Partner is responsible for managing User Access controls within the application. The End User and/or the Partner define(s) the usernames, roles, and password characteristics (length, complexity, and expiration timeframe) for its users. The End User and/or the Partner is entirely responsible for any failure by itself, its agents, contractors or employees (including without limitation all its users) to maintain the security of all usernames, passwords and other account information under its control. Except in the event of a security lapse caused by Omilia’s gross negligence or willful action or inaction, the End User and/or the Partner is entirely responsible for all use of the OCP Services through the respective End User’s and/or the Partner’s usernames and passwords whether or not authorized by the End User and/or the Partner and all charges resulting from such use. The End User and/or the Partner will immediately notify Omilia if the End User and/or the Partner becomes aware of any unauthorized use of the OCP Services.

3.3.

Omilia User Access. Omilia will create individual User accounts for each of Omilia’s employees or contractors that have a business need to access Customer Data or the End User and/or the Partner’s systems within the OCP Services environment. The following guidelines will be followed regarding Omilia’s user account management:
(a) User accounts are requested and authorized by Omilia management.
(b) Strong password controls are systematically enforced.
(c) Connections are required to be made via secure VPN using MFA mechanisms and strong passwords that expire every ninety (90) days.
(d) Session time-outs are systematically enforced.
(e) User accounts are promptly disabled upon employee termination or role transfer, eliminating a valid business need for access.

4. Business Continuity And Disaster Recovery

4.1.

Disruption Protection. The OCP Services will be deployed and configured in a high-availability design and the OCP Services will be deployed across separate Data Centers to provide optimal availability of the OCP Services. The Data Center environment is physically separated from Omilia’s corporate network environment so that a disruption event involving the corporate environment does not impact the availability of the OCP Services.

4.2.

Business Continuity. Omilia will maintain a corporate business continuity plan designed to ensure that ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.

4.3.

Disaster Recovery. The OCP Services will be deployed in a high-availability, redundant design. A disruption event at a single Data Center will trigger a system fail-over to the back-up Data Center to minimize disruption to OCP Services. For these OCP Services, the End User and/or the Partner is responsible for defining specific parameters regarding fail-over. With regard to OCP Services, Omilia employs an active-active-active configuration.

5. Security Incident Response

5.1.

Security Incident Response Program. Omilia will maintain a Security Incident response program based on our information security program, best practices and industry standards designed to identify and respond to suspected and actual Security Incidents involving Customer Data. The program will be reviewed, tested and, if necessary, updated on at least an annual basis. “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.

5.2.

Notification.
a. In case of a Partnership Agreement, in the event of a Security Incident or other security event requiring notification under applicable law, Omilia will notify the Partner within thirty-six (36) hours and will reasonably cooperate so that the Partner can make any required notifications to End Users relating to such events, unless Omilia is specifically requested by law enforcement or a court order not to do so. It is the Partner’s legal responsibility to forward such notifications to End Users in a timely manner and as per applicable law.
b. In case of an End-User Agreement, in the event of a Security Incident or other security event requiring notification under applicable law, Omilia will notify the End-User within seventy-two (72) hours, unless Omilia is specifically requested by law enforcement or a court order not to do so.

5.3.

Notification Details. Omilia will provide the following details regarding any Security Incidents to the End User and/or the Partner: (i) date that the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions Omilia has already taken; (iv) corrective measures to be taken; and (v) evaluation of alternatives and next steps.

5.4.

Ongoing Communications. Omilia will continue providing appropriate status reports to the End User and/or the Partner regarding the resolution of the Security Incident, continually work in good faith to correct the Security Incident and to prevent future such Security Incidents. Omilia will cooperate, as reasonably requested by the End User and/or the Partner, to further investigate and resolve the Security Incident.

6. Data Center Protections

6.1.

Data Center. Omilia contracts with third-party providers for Data Center space. Data Center providers and related services are reviewed on an annual basis to ensure that they continue to meet Omilia and End User and/or the Partner needs. Each Data Center provider maintains certification based on its independent business models. Security and compliance certifications and/or attestation reports for the Data Center(s) relevant to End User and/or the Partner OCP Services will be provided upon written request and may require additional non-disclosure agreements to be executed.

6.2.

Physical Security. Each Data Center is housed within a secure and hardened facility with the following minimum physical security requirements: (a) secured and monitored facility; (b) on-site access validation with identity check; (c) access only to persons on an access list approved by Omilia; (d) on-site network operations center staffed 24x7x365; (e) surveillance cameras in the points of entry.

6.3.

Environmental Controls. Each Data Center is equipped to provide redundant external electrical power sources, redundant uninterruptible power supplies, backup generator power and redundant temperature and humidity controls.

7. Use of the OCP Services

7.1.

The End User and/or the Partner will not, and will not permit or authorize others to, use the OCP Services for any of the following: (i) to violate applicable Law; (ii) to transmit Malicious Code; (iii) to transmit 911, 112 or any emergency services (or reconfigure to support or provide such use); (iv) to interfere with, unreasonably burden, or disrupt the integrity or performance of the OCP Services or third-party data contained therein; (v) to attempt to gain unauthorized access to systems or networks; or (vi) to provide the OCP Services to non-User third parties, including, by resale, license, lend or lease.

7.2.

The End User and/or the Partner will use commercially reasonable efforts to prevent and/or block any prohibited use by others.

7.3.

The End User and/or the Partner will maintain any reasonable, appropriate administrative, physical, and technical level of security regarding its account ID, password, antivirus and firewall protections, and connectivity with the OCP Services.

7.4.

The End User and/or the Partner shall maintain strict security over all VoIP Services lines. The End User and/or the Partner acknowledges that Omilia does not provide the End User and/or the Partner with the ability to reach 911, 112 or other emergency services and the End User and/or the Partner agrees to inform any individuals who may be present where the OCP Services are used, or who use the OCP Services, of the non-availability of 911, 112 or other emergency dialing.

7.5.

If the OCP Services will be used to transmit or process Personal Data, the End User and/or the Partner will ensure that all Personal Data is captured and used solely via the use of available Security Features and clear, solid and undisputed consent has been received and recorded by the End User for its data subjects, if applicable.

7.6.

Recordings. As between Omilia and the End User, Omilia acknowledges that use of Recordings is solely within the End User’s discretion and control. Without limiting the foregoing: (i) Omilia accepts sole responsibility for determining the method and manner of performing recording as part of the OCP Services such that it is compliant with all applicable Laws and for instructing the services accordingly; and (ii) The End User shall note that Recordings may be made only for diagnostic, quality assurance, and/or Support purposes, and in any event only for purposes required and/or in compliance with all applicable Laws. The End User will ensure that (a) Recordings will not knowingly include any bank account number, credit card number, authentication code, Social Security number or Personal Data, except as allowed or required by all applicable Laws; or (b) Recordings are encrypted at all times. To the extent Recordings are encrypted or where encryption is electable by the End User as part of the OCP Services, the End User shall elect such encryption. End User shall not modify, disable, or circumvent the Recording encryption feature within the OCP Services and shall otherwise ensure that it will use the OCP Services in compliance with the encryption feature.

8. Industry-Specific Certifications

Omilia’s security and operational controls are based on industry standard practices and are designed to meet the guidelines indicated in the table below. Nevertheless, the End User and/or the Partner is solely responsible for achieving and maintaining any industry-specific certifications required for its business:

Cloud Service | PCI | SOC2 TYPE II | ISO 27001 | HIPAA | SIG FULL | SIG LITE | PRIVACY SHIELD
OCP | Certified | Ongoing | Certified | Compliant | Compliant | Compliant | Compliant

9. Audits

Subject to Omilia’s reasonable confidentiality and information security policies, the End User or a qualified third party chosen by the End User, shall have the right, once a year at a maximum, and upon ninety (90) days’ written notice, to perform a security assessment of Omilia’s compliance with the terms of this Policy, provided that the End User has demonstrated that the End User has a reasonable belief that Omilia is not in compliance. During normal business hours, the End User or the End User’s authorized representatives may inspect Omilia’s policies and practices implemented to comply with this Policy, which may include a site visit and a review of reasonable supporting documentation, provided that the End User and/or the Partner agree(s) that such right shall not include the right to on-site inspections or audits of Omilia’s third-party hosting facilities and equipment. No such assessment shall violate Omilia’s obligations of confidentiality to customers or reveal Omilia’s Intellectual Property. Any assessment performed pursuant to this Section shall not interfere with the normal conduct of Omilia’s business. Omilia shall cooperate in a commercially reasonable manner with any such assessment and reserves the right to charge the End User for Omilia’s reasonable costs incurred in connection with any such assessment.

10. Privacy

Omilia has developed and will maintain a Privacy Program designed to respect and protect Customer Data under Omilia’s control, and this is located at https://www.ocp.ai/PrivacyPolicy/.

11. Customer Data

11.1.

As between Omilia and the End User and/or the Partner, the End User retains ownership of all intellectual property rights in the Customer Data and grants Omilia a non-exclusive, non-sublicensable (except to parties working on Omilia’s behalf), non-transferable, royalty-free license to access, process, store, transmit, and otherwise make use of the Customer Data as necessary to provide the Services and to otherwise fulfill Omilia’s obligations under the Agreement.

11.2.

The End User agrees that the Customer Data may be transferred or stored outside the country where the End User and/or the Partner and the End User’s customers or users are located in order to carry out the Services and Omilia’s other obligations under the Agreement.

11.3.

The End User represents and warrants that the End User has obtained all consents necessary for Omilia to collect, access, process, store, transmit, and otherwise use Customer Data in accordance with the Agreement.

11.4.

The End User shall comply with all requirements of integrity, quality, legality and all other similar aspects in respect of Customer Data. Omilia may, but is not obligated to, review or monitor any Customer Data. Omilia expressly disclaims any duty to review or determine the legality, accuracy or completeness of Customer Data.

11.5.

Omilia may aggregate data and information related to the performance, operation and use of the OCP Services to create statistical analyses, to perform benchmarking, to perform research and development and to perform other similar activities (“Service Improvements”). Omilia will not incorporate Customer Data in Service Improvements in a form that could identify the End User and/or the Partner and/or the End User’s customers or users and will use industry standard techniques to anonymize Customer Data prior to performing Service Improvements. Omilia retains all intellectual property rights in Service Improvements and may make them publicly available.