Annex II to the DPA: Technical and Organizational Measures (TOMs)
Organization & Governance
- Meltwater has a formal Information Security program, run by the security and compliance team and overseen by the VP of Engineering & Technical Operations and the CTO.
- A comprehensive set of security and privacy policies is in place, known to employees and updated as needed, at least annually. Individual affirmation of the policies begins in 2023. Policy topics include System Operations and Administration, Network Security, Email and Web, Data Management and Security, Disaster Recovery, Business Continuity, Physical Security, Malicious Software and Cyber Crime, Equipment Disposal, and Incident Response.
- Annual security awareness training is required for all employees and is delivered via the learning management system. The R&D organization undergoes additional secure coding and security best practice training on hire and annually, with a focus on the OWASP Top 10.
- Meltwater equipment has encrypted hard drives and corporate managed antivirus and antimalware, provided for all employees, asset tracked, centrally managed, access locked to one user per machine, and remotely lockable and erasable in the event of loss.
- Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) in place for Meltwater outbound email.
- A dedicated security team monitors for active and passive threats, both internal and external to Meltwater.
- Meltwater offices have a first level of physical security (guard, physical token required for access, secured doors). Visitors are escorted.
- Meltwater employees perform random spot checks to regularly review and assess the effectiveness of the controls, processes, and procedures in place.
- Standard Contractual Clauses are in place, and randomly audited, for all sub-processors.
- GDPR and CCPA compliant. Spot checks are performed to ensure timely responses.
- UK Cyber Essentials certified
- Published privacy policy and subprocessor list (https://www.meltwater.com/privacy).
- Published responsible disclosure contact information (https://app.meltwater.com/.well-known/security.txt).
Internal Controls
- Azure Active Directory (Azure AD) is leveraged for central user access management
- Access to company resources requires Multi-Factor Authentication (MFA), and certain engineering systems additionally require VPN connectivity.
- Secure Wi-Fi is enforced via IT-deployed certificates. Guest Wi-Fi networks for non-Meltwater devices require a Meltwater employee to approve access each day.
- Most third-party applications and services are tied into Meltwater's SSO authentication system.
- Default local administrator accounts are disabled.
- Access to systems, controls, and data is governed by the principles of least privilege and four-eyes approval. Access reviews happen at least quarterly.
- Meltwater office networks are not interconnected, and none are connected to the application environment.
- A departing employee's accounts and access are removed within 24 hours of departure.
Security Tooling and Capabilities
- Both automated and manual code scanning are in place to detect OWASP Top 10 classes of vulnerability across the entire code base. Monthly vulnerability scans are also performed.
- Inbound and outbound email is scanned for viruses and malware. All URLs sent via email are pre-scanned for malicious content before employees can access them.
- Logs are aggregated into a central Security Information and Event Management (SIEM) system, with access restricted to protect the integrity and authenticity of the logs.
Recovery and Resiliency
- Business continuity is achieved by replication of roles and knowledge throughout the world.
- The microservices running in AWS (90%+) are set up via Infrastructure as Code and deployed as containers across multiple availability zones. A designated DR AWS region is in place.
- Automated tools manage data backups, which occur at intervals that vary by data type and system.
- Stated RPO of 24 hours and RTO of 72 hours.
- Stated SLA of 99.8%, achieved in each of the last 3 years. Commitment to notify clients within 48 hours of a security incident impacting their data.
- A cybersecurity insurance policy is in place with a liability limit of $15M.
Digital Platform Security
- All changes to production code require peer review.
- All secrets (passwords, API keys and credentials, SSH keys, database and other system-to-system passwords, certificates, encryption keys, etc.) are managed using key management systems.
- Cloud and datacenter partners (where our services are deployed) are at least ISO 27001 certified and provide the protections and redundancies expected of Tier 3 and Tier 4 data centers.
- A staging environment is available for testing with anonymized customer information, accessible only via the Engineering VPN.
- Deployments are documented with rollback procedures, and are actively monitored and tested by support.
- All data is encrypted in transit via TLS 1.2+. All client personal information is pseudonymized and encrypted at rest via AES-256.
- All backups are encrypted at rest.
- Internet traffic terminates at firewalls or load balancers, and network rules and filters segregate all traffic and systems to provide layers of protection between subnets.
- Access to application production environments, and the permissions within them, are granted using the least privilege access model.
- Meltwater has a defined Open Source Software (OSS) policy, and Software Composition Analysis (SCA) runs continuously on the entire codebase to detect vulnerabilities in dependencies.
- All customers are strongly encouraged to use SSO with MFA for authentication into Meltwater. Where customers choose not to use SSO, their passwords are hashed with bcrypt at a work factor (cost) of 10. The user password policy requires a minimum of 12 characters drawn from at least 3 of the 4 character types, MFA, and a password change every 120 days.
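As an added illustration of the customer password controls stated above (this is example code written for this page, not Meltwater's implementation): the policy thresholds (12 characters, 3 of 4 character classes, 120-day rotation, bcrypt cost 10) are taken from the text; the user names and stored hash strings are constructed for the example, and the bcrypt audit reads the cost from the modular-crypt prefix (`$2b$10$...`) rather than verifying any password.

```python
"""Password policy check and bcrypt work-factor audit.

Added example, not Meltwater's code. Thresholds follow the stated policy;
all sample users and hash strings below are constructed for illustration.
"""
import re
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple

MIN_LENGTH = 12        # policy: 12 characters
MIN_CLASSES = 3        # policy: 3 of 4 character types
MAX_AGE_DAYS = 120     # policy: changed every 120 days
EXPECTED_COST = 10     # policy: bcrypt work factor of 10

CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, '$',
# 22-char salt and 31-char hash, both in the bcrypt base64 alphabet [./A-Za-z0-9].
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def character_classes(password: str) -> Set[str]:
    """Names of the character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


def check_password_policy(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} < {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} of 4 character classes")
    return problems


def password_expired(set_on: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the rotation period."""
    return (today - set_on).days > max_age_days


def bcrypt_cost(stored_hash: str) -> Optional[int]:
    """Parse the cost factor from a bcrypt hash string, or None if not bcrypt."""
    m = BCRYPT_RE.match(stored_hash)
    return int(m.group(2)) if m else None


def audit_stored_hashes(rows: Iterable[Tuple[str, str]],
                        expected_cost: int = EXPECTED_COST) -> Dict[str, str]:
    """Flag stored credentials that are not bcrypt or use a cost below policy.

    Returns a mapping user -> finding; users with compliant hashes are omitted.
    """
    findings = {}
    for user, stored in rows:
        cost = bcrypt_cost(stored)
        if cost is None:
            findings[user] = "not a bcrypt hash"
        elif cost < expected_cost:
            findings[user] = f"cost {cost} below expected {expected_cost}"
    return findings


# Constructed sample credential store: the salt/hash bodies are placeholder
# strings in the bcrypt alphabet, not real hashes of any password.
SAMPLE_ROWS = [
    ("alice", "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob",   "$2a$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("carol", "d41d8cd98f00b204e9800998ecf8427e"),  # legacy unsalted hex digest
]

if __name__ == "__main__":
    for pw in ["correct horse battery", "Tr0ub4dor&3xample", "Short1!"]:
        print(repr(pw), check_password_policy(pw) or "OK")
    print(audit_stored_hashes(SAMPLE_ROWS))
```

In practice the policy check runs at password set or change time, and the hash audit is a periodic job over the credential store so that hashes created under an older, weaker cost are rehashed at the user's next successful login.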
Threat Identification and Response
- A documented Incident Response plan is in place that describes the policies and procedures for responding to all computer security incidents affecting company networks and client applications.
- An escalation path is defined, responders are available 24x7, and the plan is tested via tabletop exercises.
- Annual third-party penetration testing is performed, supplemented by regular internal penetration testing by qualified personnel.
- Intrusion Detection Systems (IDS) are provided by our cloud and datacenter partners.
The information in Annex II may be updated from time to time.