1. Information Security Program

Templafy shall, at a minimum:

1.1.           Implement and maintain a comprehensive, up-to-date, written information security program of the organizational, operational, administrative, physical, and technical safeguards governing the processing, storage, and transmission of Customer Data and appropriate to the risks represented by the processing of Customer Data within the context of services under the Agreement and to prevent any access to Customer Data in a manner not authorized by the Agreement.

1.2.           Define responsibility for the ongoing audit or review of information security program to reasonably ensure its continuing suitability, adequacy, and effectiveness.

1.3.           Establish a management-approved process for handling any deviations and exceptions as a result of such audit or review.

1.4.           Implement and maintain an information security program that aligns with industry-recognized security standards, including but not limited to ISO/IEC 27001 (Information Security Management), ISO/IEC 27017 (Cloud Security), and SOC 2 (Trust Services Criteria) for the duration of the contract.

2. Risk Management

Templafy shall, at a minimum:

2.1            Establish a formal risk management program with clearly defined roles in order to identify, quantify, prioritize, treat, accept, mitigate, and monitor risks in relation to information security and privacy, including utilization of sub-processors, if relevant.

2.2            Ensure risk assessments are conducted and reviewed annually.

3. Human Resource Security

Templafy shall, at a minimum:

3.1            Establish and maintain controls to ensure that employees who require access to Customer Data are suitably screened.

3.2            Conduct criminal background checks as part of pre-employment and pre-contracting screening practices for employees and other third parties commensurate with the employee’s or other third parties’ position and level of access to the Templafy’s data processing service infrastructure.

3.3            Provide an appropriate level of supervision, guidance, and awareness training on information security program safeguards, data protection requirements, and acceptable use policy to its employees and any other third parties who require access to Customer Data before such access is granted and subsequently on an annual basis.

3.4            Ensure employees and other third parties enter into written agreements that include a confidentiality or non-disclosure clause that is valid during and after employment or contracting.

4.  Asset Management

Templafy shall, at a minimum:

​4.1            Use a documented process and tools for inventorying both physical and data assets on a periodic basis, including unique identification, asset owners, and physical location or logical environment.

​4.2            Ensure controls are established and maintained for classifying information according to legal or regulatory requirements, business value, and/or sensitivity to unauthorized disclosure or modification.

​4.3            Ensure an appropriate level of protection of information assets in accordance with their classification level.

​4.4            Maintain an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate personnel, and assigned an owner to maintain and periodically review the policy.

​4.5            Establish and apply offboarding procedures for returning physical and electronic assets owned by or entrusted to Templafy upon termination of employment or contracting.

5.  Access Control

Templafy shall, at a minimum:

​5.1            Ensure Customer Data is available only to its employees or third parties who have a legitimate business need to assess Customer Data.

​5.2            Establish a formal user access management process whereby user access is formally requested and is granted based on the need to know utilizing the concept of least privilege.

​5.3            Ensure access of terminated employees or those who no longer need such access is revoked without undue delay.

​5.4            Establish processes to periodically review user access.

​5.5            Use only secure user authentication protocols, including assigning unique identifications and strong passwords to every user.

​5.6            Provide and support Enterprise Single Sign-On (SSO) functionality for Customer using industry-standard authentication protocols, including but not limited to SAML 2.0, OAuth 2.0, or JWT-based authentication.

​5.7            Ensure accounts do not use vendors-supplied default passwords and are kept in a location and/or format that does not compromise their security.

​5.8            Mask, suppress, or otherwise obscure the display and printing of passwords, so that unauthorized parties are not able to observe or subsequently recover passwords.

​5.9            Ensure that passwords and authentication credentials are never stored in human-readable format and are only stored using a secure, salted, one-way cryptographic hash (e.g., PBKDF2, bcrypt, or Argon2) that meets industry-recognized security standards.

​5.10            Configure privileged user accounts (e.g., administrators) with Multi-Factor Authentication (MFA).

​5.11            Enforce phishing-resistant Multi-Factor Authentication (MFA) for all users accessing Customer Data. Traditional SMS-based MFA shall not be used for high-risk systems.

​5.12            Establish reasonable monitoring of systems for unauthorized use of or access to Customer Data.

​5.13            Ensure separation of duties for any potentially conflicting roles related to Customer Data.

​5.14            Ensure no direct remote access to Customer endpoints, networks or devices is required for Customer Success and support purposes.

6.  Transfer and Encryption

Templafy shall, at a minimum:

​6.1           Ensure that all Customer Data is encrypted both at rest and in transit using industry-standard cryptographic protocols. At a minimum:

​6.1.1        Encrypt data at rest using AES-256 or an equivalent strong encryption standard.

​6.1.1        Encrypt data in transit using TLS 1.2 or higher, with a preference for TLS 1.3 where supported.

​6.2        Implement key management best practices, including secure key storage, rotation, and access control, to prevent unauthorized decryption of Customer Data.

7.  Physical and Environmental Security

Templafy shall, at a minimum:

7.1            Implement and maintain reasonable physical security measures to protect Customer Data processed on Templafy-managed devices and facilities even if Templafy does not host data at its own locations.

​7.2            Ensure that all subcontracted data centers used for storing, processing, or transmitting Customer Data are reputable providers that comply with internationally recognized security standards. These providers must implement industry-standard physical security controls to protect against unauthorized access, environmental risks, and physical threats. Templafy shall enforce these requirements through contractual agreements and conduct periodic reviews to verify compliance.

8.  Malware Protection

Templafy shall, at a minimum:

8.1            Deploy industry-standard malware controls, including the installation, regular update and routine use of anti-malware software products on all systems and user endpoint devices.

​8.2            Reasonably ensure malware scanning is periodically performed and promptly remove any detected malware.

​9.  Infrastructure Security

Templafy shall, at a minimum:

9.1            Use reasonably up-to-date versions of system security software such as firewalls, proxies, and interfaces.

​9.2            Have a patch management process that covers all the systems used for processing, storing, accessing, and transmitting Customer Data or are used to deliver Customer services.

​9.3            Maintain intrusion detection and/or prevention as well as monitoring and response processes in a manner that shall identify both internal and external threats, vulnerabilities, and risks that could impact the security of Templafy infrastructure and services.

​9.3            Conduct continuous vulnerability scanning on infrastructure that hosts Customer Data and address actively exploited vulnerabilities immediately. Corrective actions shall be taken within 30 days for all high-risk vulnerabilities, within 60 days for medium and 90 days for low. If remediation cannot occur within these timeframes Templafy shall inform Customer and agree on an appropriate time frame.

10.  Network Security

Templafy shall, at a minimum:

​10.1            Continuously monitor network traffic for unauthorized access, anomalies, and security threats.

​10.2            Enforce firewall protections, network segmentation, and access control policies to prevent unauthorized access to application infrastructure.

​10.3            Implement threat detection and response mechanisms, including automated alerts and security event logging, to identify, investigate, and mitigate security incidents.

​10.4            Conduct regular patching and vulnerability management activities to remediate security risks in network infrastructure.

11.  Software Application Development and Change Management

Templafy shall, at a minimum:

​11.1            Follow secure application development and coding practices as per industry best practices and establish a formal application development and maintenance framework.

​11.2            Provide all members of the development team with training in secure coding and programming techniques on an appropriate frequency.

​11.3            Separate non-production systems and data from production systems and data.

​11.4            Not copy production data to development and test environments unless appropriate masking is performed, or appropriate controls are in place to prevent compromise of production data.

​11.5            Establish a change management process which includes recording and formal approval of changes and back out procedures.

​11.6            Ensure changes are communicated to all relevant stakeholders and thoroughly tested in a test environment prior to implementation in a production environment.

​11.7            Ensure software provided to Customer is free of any viruses, malicious code, undisclosed features designed to access, disable, damage, impair, erase, deactivate or electronically repossess Customer Data.

​11.8            Ensure source code is protected from unauthorized copy, use, duplication, modification, and is securely stored.

​11.9            Conduct continuous vulnerability scanning of the software that stores and processes Customer Data and address actively exploited vulnerabilities immediately. Corrective actions are taken within 30 days for all high-risk vulnerabilities, 60 days for medium and 90 days for low. If remediation cannot occur within these timeframes, Templafy shall inform applicable Customer and agree on an appropriate time frame.

​11.10          Monitor third-party software dependencies and remediate vulnerabilities in open-source libraries used in their applications where possible from open-source vendor community.

12.  Logging and Monitoring

Templafy shall, at a minimum:

​12.1            Provide Customer with access to application-specific logs within the SaaS portal. Logs must be accessible in a structured and searchable format, retained for a reasonable period, and made available for Customer review and export as needed for security monitoring, compliance, and forensic investigations.

​12.2            Implement and maintain security monitoring of infrastructure logs and security-related events when developing, deploying, and operating the SaaS application. This includes, but is not limited to, logging and monitoring activities related to network traffic, system access, authentication attempts, security configurations and infrastructure anomalies.

​12.3            Access to security logs is restricted to authorized individuals and protected from unauthorized modification.

​12.4            Retain logs for a reasonable 180-day period to support forensic investigations, compliance requirements and the overall security of the application.

13.  Third Party Templafy Management

Templafy shall, at a minimum:

​13.1            Periodically review the third parties to validate that information security and data protection requirements remain appropriate.

​13.2            Restrict third party access to Customer Data to only as necessary to perform the Services under the scope of that third party agreement.

14.  Information Security Incident Management

Templafy shall, at a minimum:

​14.1            Maintain an information security incident management program with clearly defined roles for identifying, handling, escalating, solving, and documenting information on security-related events.

​14.2            Maintain a documented incident response plan and test it on a regular basis.

​14.3            Provide Customer with reasonable channels for reporting incidents and contacting the information security incident management team: security@templafy.com or the following form.

​14.4            Notify affected Customer within 48 hours after becoming aware of a Security Incident relating to Customer Data, providing relevant facts reasonably available at the time.

​14.5            Assist and cooperate with affected Customer with any necessary or appropriate disclosures and other investigative, remedial and monitoring measures as a result of the Security Incident.

​13.2            Provide a post-mortem report with further details on Security Incident, upon a Customer’s request submitted to security@templafy.com.

For the purposes of Sections 14.4. – 14.6., a “Security Incident” means any successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with systems operations, that affects Customer’s tenant, regardless of whether such information constitutes Personal Data or other types of data. This definition does not include minor incidents that occur on a daily basis, such as scans, “pings”, or unsuccessful random attempts to penetrate computer networks or servers maintained by Templafy.

15.  Customer Business Continuity and Disaster Recover

Templafy shall, at a minimum:

​15.1            Establish business continuity and disaster recovery plans to maintain a level of service consistent with its contractual obligations with Customer.

​15.2            Ensure business continuity and disaster recovery plans are periodically reviewed and tested.

​15.3            Provide disaster recovery test reports to Customer, upon request.

​15.4            Define and implement procedures to ensure appropriate backup of Customer Data.

​15.5            Ensure backup datasets are appropriately protected via strong access controls and encryption.

​15.6            Implement and maintain redundancy and geographically distributed availability zones.

​15.7            Utilize industry-standard cloud infrastructure and failover mechanisms to minimize service disruptions and ensure continuity in the event of system failures or regional outages.

​15.8            Ensure an RTO and an RPO of 24 hours, respectively.

16.  Compliance and Accreditations

Templafy shall, at a minimum:

​16.1            Undergo at its expense a third-party audit and/or attestation annually performed by an independent organization and shall provide a report and/or certificate upon Customer request.

​16.2            Undergo at its expense a third-party penetration testing annually performed by an independent organization and shall provide a report and/or certificate upon Customer request.

​16.3            Report in a timely manner to Customer any changes that adversely affect security in Templafy’s delivery of Services.