Technical and Organizational Security Measures
Last updated: September 28, 2023
1. Privacy by Design
Adagio incorporates Privacy by Design principles for systems and enhancements at the earliest stage of development and educates all employees on security and privacy annually.
2. Information Security Program
Adagio maintains organizational, management and dedicated staff responsible for the development, implementation, and maintenance of Adagio’s information security program.
3. Security Policies
Adagio maintains information security policies, makes sure that policies and measures are regularly reviewed, and amends such policies as Adagio deems reasonable to maintain protection of Services and data processed therein.
4. Risk Management
Adagio assesses risks related to processing of personal data and creates an action plan to mitigate identified risks.
Adagio maintains risk assessment procedures for the purposes of such periodic review and assessment of risks to the Adagio organization, monitoring and maintaining compliance with Adagio policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
5. Physical Security
Adagio’s hosting providers maintain physical and environmental security of Adagio’s infrastructure containing customer confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of Adagio’s hosting providers’ facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
6. System and Network Security
- Network Security. Adagio maintains network security controls such as firewalls, remote access control via virtual private networks or remote access solutions, network segmentation, and detection of unauthorized or malicious network activity via security logging and monitoring, designed to protect systems from intrusion and limit the scope of any successful attack.
- Data Security. Adagio maintains data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
- Encryption. Adagio employs encrypted and authenticated remote connectivity to Adagio computing environments and customer systems. Adagio maintains a cryptographic standard that aligns with recommendations from industry groups, government publications and other reputable standards groups. This standard is periodically reviewed, and selected technologies and ciphers may be updated in accordance with the assessed risk and market acceptance of new standards.
  - In-Transit Encryption. All network traffic flowing in and out of the Services data centers, including customer data, is encrypted in transit.
  - At-Rest Encryption. Customer data created by the customer is encrypted at rest with 256-bit AES encryption.
7. User Access Management
Adagio maintains logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password Management. Adagio maintains password controls designed to manage and control password strength, expiration, and usage including prohibiting users from sharing passwords. Adagio shall ensure password hardening standards are in place that align with accepted industry security frameworks to ensure sufficient controls.
8. Auditing and Logging
Adagio maintains system audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Adagio creates, protects and retains such log records to the extent needed to enable monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate information system activity, including successful and unsuccessful account logon events, account management events, security events, object access, policy change, privileged functions, administrator account creation/deletion and other administrator activity, data deletions, data access and changes, firewall logs, and permission changes.
9. Change Management
Adagio maintains change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Adagio technology and information assets.
10. Threat and Vulnerability Management
Adagio maintains measures meant to regularly identify, manage, assess, mitigate and/or remediate vulnerabilities within the Adagio computing environments.
Measures include:
- Patch management
- Threat notification advisories
- Vulnerability scanning (all internal systems)
11. Security Incidents
Adagio maintains incident response procedures designed to allow Adagio to investigate, respond to, mitigate, and notify of events related to Adagio technology and information assets.
12. Business Continuity Plans
Adagio maintains defined business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and recover from foreseeable emergency situations or disasters, consistent with industry standard practices.
13. Vendor Management
Adagio may engage and use vendors, acting as subprocessors, that access, store, or process certain customer data.
Adagio maintains a formal vendor management program, including vendor security reviews for critical vendors, to ensure compliance with Adagio’s information security policies.