O.C. Tanner Security Standards
These Security Standards supplement the agreement in place between Customer and Supplier governing Customer’s use of the Services (“Agreement”). Unless otherwise defined in these Security Standards, capitalized terms used in these Security Standards have the meanings given to them in the Agreement. Supplier has established and maintains the following technical and organizational standards and safeguards to protect Personal Data:
1. Security Program. Supplier maintains a security management program that includes:
- 1.1. A controls framework based on formal audit standards such as the AICPA SOC 2 Type II report;
- 1.2. Written information security policies that meet or exceed industry standards;
- 1.3. Periodic risk assessments of all systems Processing Personal Data;
- 1.4. Executive review, support, and accountability for all security-related policies and practices; and
- 1.5. Processes to identify and quantify security risk, develop mitigation plans, and track implementation.
2. Employee Screening and Training. Supplier maintains policies and procedures applicable to Supplier employees who have access to Personal Data or provide Services to Customer, including: (i) pre-hire background checks conducted by a third-party provider (subject to applicable law and industry standards); and (ii) regular information security training.
3. Encryption. Personal Data is encrypted in transit using TLS 1.2 or greater to protect against unauthorized disclosure or modification. Personal Data is encrypted at rest using industry standard, AES 256 encryption.
4. Vulnerability Scanning. Supplier has established processes in line with industry standards to conduct routine vulnerability scanning to test Supplier’s network, infrastructure, applications, and services. Supplier will apply security patches as soon as commercially practicable.
5. Vulnerability Testing. Supplier conducts routine internal vulnerability testing, including penetration testing conducted by third parties in line with industry standards. Supplier will use commercially reasonable efforts to address identified security vulnerabilities.
6. Network Configuration. Networks used to Process Personal Data use the following configuration standards:
- 6.1. The internal network that supports Personal Data Processing is configured using RFC 1918 IP addresses.
- 6.2. A stateful firewall controls access between the Internet and workstations used to Process Personal Data.
- 6.3. Controls are implemented to protect inbound Internet access from malicious code intrusion (e.g., scanning at email gateways, blocking links, stripping executables).
- 6.4. Outbound Internet access has controls to prevent leakage and misdirection of Personal Data (e.g., proxy server, content filtering, or other network control).
- 6.5. The wireless network is secured using the WPA2 standard.
- 6.6. Supplier implements an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS).
7. Transmission. Personal Data is transmitted between the parties using cryptographic means (e.g., SFTP, HTTPS) or file sharing services agreed upon by the parties.
8. Storage. Personal Data is stored subject to the following standards:
- 8.1. Supplier will ensure that its data hosting providers store or Process Personal Data in facilities that: (i) are secured in an access-controlled location and protected from unauthorized access; and (ii) employ physical security appropriate to the classification of Personal Data being stored or Processed; and
- 8.2. Supplier will ensure that Personal Data is kept logically segregated from other customers’ data.