Last updated: April 4, 2025

Purpose
At Neology, safeguarding our information assets is a top priority, ensuring that our data remains secure from unauthorized access, alteration, or loss, while maintaining the ongoing availability and reliability of our systems. This policy defines the information security requirements for all third-party vendors, contractors, subcontractors, consultants, and service providers (‘Third Parties’) who are granted access to Neology’s information, systems, or data. The purpose is to mitigate potential risks associated with data breaches, unauthorized access, and non-compliance with regulatory requirements.

1. Scope

This policy covers Third Parties who interact with or manage sensitive information belonging to Neology, encompassing those with direct or indirect access to our data when accessed or handled by external entities. It sets forth the responsibilities and expectations for Third Parties to ensure the confidentiality, integrity, and availability of Neology’s information assets.

This policy applies to:

  • Third Parties that have access to or manage Neology’s sensitive data (including Personally Identifiable Information (PII), financial data, proprietary data, and intellectual property).
  • Third Parties providing services such as cloud hosting, data management, software development, IT maintenance, and infrastructure support.
  • Any subcontractors or agents engaged by the Third Parties who will process or store Neology’s data.

2. Information Security Governance and Responsibility

All Third Parties are required to implement and maintain rigorous information security practices to protect Neology’s data. The following guidelines outline the key responsibilities and governance measures that Third Parties must adhere to:

  • Security Frameworks and Standards: Third Parties are required to develop and uphold a comprehensive security framework grounded in global standards, including but not limited to ISO 27001, NIST CSF, SOC 2, and PCI DSS, to address all aspects of information security. The program should be comprehensive and address both technical and organizational security measures.
  • Ownership and Accountability: The Third Party shall assign a designated Information Security personnel or a security team that is responsible for overseeing the implementation and maintenance of security controls, as well as liaising with Neology on security issues.
  • Governance and Auditing: Neology reserves the right to periodically review a Third Party’s compliance with this policy, including conducting audits and security assessments of its security practices. Any identified security gaps or weaknesses must be addressed and mitigated within a defined timeline.

3. Risk Management

Third Parties are expected to proactively manage risks related to the handling of Neology’s data. The following practices must be adhered to:

  • Risk Assessment and Mitigation: Third Parties must conduct periodic risk assessments that evaluate potential threats, vulnerabilities, and impacts to Neology’s data, systems, and processes. Risks should be documented, and effective mitigation measures must be implemented to address these risks.
  • Continuous Monitoring and Improvement: Third Parties must maintain systems for continuously monitoring for new vulnerabilities or threats, and they must demonstrate a proactive approach to identifying and addressing emerging risks, including a system for performing periodic vulnerability assessments and penetration testing.

4. Access Control and Authentication

To ensure the security and integrity of Neology’s data and systems, Third Parties must implement comprehensive user access and authentication controls. These controls are essential for protecting sensitive information and preventing unauthorized access. The following guidelines outline the key requirements that Third Parties must adhere to:

  • User Access and Role Management: Third Parties must implement Role-Based Access Control (RBAC) to ensure that users only have access to the data and systems necessary to perform their specific job duties. All access controls must be reviewed at regular intervals (e.g., annually).
  • Authentication Protocols: Access to Neology’s systems, applications, and data must be protected through mandatory multi-factor authentication (MFA), ensuring robust security beyond just passwords. Access should be secured through a combination of strong passwords and secondary authentication factors (e.g., token-based, SMS-based, or biometrics).
  • User Privileges: Access rights to critical systems and data should follow the principle of least privilege (PoLP), ensuring that users and systems only have access to the minimum data required for their tasks. This access must be regularly reviewed, and access rights must be promptly revoked when no longer needed (e.g., during employee role changes or contract terminations).

5. Data and Privacy Protections

Third Parties are required to implement comprehensive and rigorous data and privacy protection measures to ensure the security of sensitive information. This includes:

  • Data Encryption: Third Parties must apply end-to-end encryption for all sensitive data (including PII) both at rest (in storage) and in transit (during transmission). Encryption must comply with industry standards such as AES-256.
  • Data Masking and Anonymization: Where feasible, Third Parties must use data masking or anonymization techniques to obfuscate sensitive data during processing or analysis. This helps minimize exposure during data processing tasks.
  • Data Localization and Transfers: Third Parties must not store or process any Neology data outside of the specified jurisdiction without explicit, prior written consent from Neology. Any cross-border data transfer must be done in compliance with data protection regulations such as GDPR, and the Third Party must ensure that adequate safeguards are in place.
  • Data Retention and Destruction: Neology’s data should only be retained for as long as necessary to fulfill the contract or legal requirements. Third Parties must ensure secure destruction of data when it is no longer needed, using recognized data wiping methods (e.g., NIST SP 800-88).

By adhering to these data and privacy protection measures, Third Parties can help ensure the confidentiality, integrity, and availability of Neology’s sensitive information. This commitment to robust data protection practices is essential for maintaining trust, ensuring compliance with regulatory requirements, and safeguarding the privacy of individuals whose data is managed by Neology.

6. Incident Management Response

Third Parties are required to establish comprehensive measures for detecting and responding to security incidents involving Neology’s data and systems. This involves:

  • Incident Detection and Reporting: An Incident Response Plan (IRP) must be created and maintained by Third Parties to promptly identify, report, and mitigate any security breaches or incidents. This plan should incorporate real-time monitoring systems to detect suspicious activities and potential data breaches. The IRP must detail procedures for incident detection, initial assessment, containment, eradication, recovery, and reporting.
  • Incident Notification: In the event of a security breach or data loss, Third Parties must notify Neology immediately, and no later than 24 hours from the discovery of the incident. The notification should include:
    • Detailed information about the breach or incident, including the affected systems, data, and the scope of the incident.
    • Actions taken to contain and mitigate the incident, including any immediate measures implemented to prevent further damage.
    • Steps being taken to prevent a recurrence of the incident, including any long-term remediation plans and security enhancements.
  • Root Cause Analysis and Remediation: After each incident, Third Parties must conduct a thorough Root Cause Analysis (RCA) to identify the underlying causes of the incident. They must provide Neology with a comprehensive report detailing the findings of the RCA, the actions taken to address the incident, and any necessary remedial actions to prevent future occurrences. This report should include timelines, responsible parties, and any changes to policies or procedures that will be implemented as a result of the incident.

7. Human Resources and Security

Third Parties must implement comprehensive human resources and security measures to ensure that personnel handling Neology’s data and systems are trustworthy and adequately trained. This includes:

  • Background Checks: Third Parties must ensure that all employees, contractors, and subcontractors involved in the processing of Neology’s data undergo comprehensive background checks, including criminal records and identity verification. These checks must be conducted before personnel are granted access to sensitive information or systems.
  • Training and Awareness: Third Parties must provide regular security training and awareness programs for their personnel to ensure understanding of data protection requirements, secure data handling practices, and incident reporting procedures. Training should be conducted upon hiring, and at regular intervals thereafter.
  • Security Policies for Personnel: Third Parties must enforce strict employee conduct policies that address issues such as information security, confidentiality, and data protection. All personnel must sign confidentiality agreements before access is granted to Neology’s sensitive data.

8. Business Continuity and Disaster Recovery

To ensure the resilience and reliability of services, all Third Parties must implement comprehensive business continuity and disaster recovery measures. This includes:

  • Business Continuity Plan (BCP): Third Parties must develop and maintain a Business Continuity Plan (BCP) to ensure that services remain uninterrupted during disasters or system failures. The BCP should identify critical business functions, outline strategies for maintaining operations, and include procedures for communication, resource allocation, and recovery. Regular testing and updates of the BCP are essential to ensure its effectiveness.
  • Disaster Recovery Plan (DRP): Third Parties must implement a Disaster Recovery Plan (DRP) that details the steps to restore critical data and systems following a disruption. The DRP should include procedures for data recovery, system restoration, and infrastructure rebuilding. It should also specify roles and responsibilities, recovery time objectives (RTOs), and recovery point objectives (RPOs). Regular drills and simulations should be conducted to validate the DRP and ensure readiness.
  • Data Backup and Redundancy: Third Parties must ensure that data is regularly backed up and stored securely in geographically separate locations to prevent data loss. Backup procedures should include regular, automated backups, secure storage of backup media, and periodic testing of backup integrity. Redundant systems and infrastructure should be in place to provide failover capabilities and minimize downtime in the event of a system failure.

9. Cloud Security

To ensure the security and integrity of Neology’s data in cloud environments, Third Parties must implement robust cloud security measures. This includes:

  • Cloud Security Framework: Third Parties must adhere to established cloud security frameworks such as ISO 27017. These frameworks provide comprehensive guidelines for implementing security controls in cloud environments, covering aspects such as data protection, access management, and incident response. Compliance with these frameworks ensures that cloud services meet industry standards for security and risk management.

10. Third Party Vendor Management

  • Third-Party Risk Management: Third Parties must perform thorough due diligence and risk assessments on all vendors and subcontractors before engaging them. This process should evaluate the vendor’s security posture, compliance with relevant regulations, and ability to protect Neology’s data. Risk assessments should include reviewing the vendor’s security policies, past security incidents, and overall reputation. Based on the assessment, appropriate risk mitigation measures should be implemented.
  • Ongoing Vendor Monitoring: Third Parties must continuously monitor and report on the security practices of their vendors. This involves regular audits, security assessments, and performance reviews to ensure that vendors maintain high security standards. Any identified security gaps or non-compliance issues must be promptly addressed. Additionally, Third Parties should establish clear communication channels with their vendors to stay informed about any changes in their security practices or potential security incidents.

11. Conclusion

Neology values long-term relationships based on trust, mutual respect, and a shared commitment to maintaining the highest standards of information security. Compliance with this Information Security Policy is required to maintain a business relationship with Neology. By upholding these standards, Third Parties contribute to the protection of sensitive data, the integrity of systems, and the overall security posture of Neology. This commitment to robust information security practices ensures the confidentiality, integrity, and availability of data, fostering a secure and trustworthy environment for all stakeholders.

For any questions regarding this Information Security Policy, please contact our CISO at ciso@neology.com.

12. Reporting Concerns

If you wish to report questionable behavior or a possible violation of this Code, please contact the Neology Helpline at 844-233-8723 or report online at Neology Helpline.

If you have any questions about this Policy, you can contact us:

  • By mail: 1917 Palomar Oaks Way Suite 110, Carlsbad, CA 92008
  • By electronic mail: info@neology.net