REV: 10-03-24 MI

EXHIBIT F
SECURITY POLICY

The vendor must be SOC-2 compliant and provide proof of compliance.
The Company is SOC-2 compliant and is willing to share the most recent report provided the City signs an NDA.

The vendor will work with RWC-IT to implement SSO (single sign-on) for user authentication. MFA (multi-factor authentication) is required if the user is not using RWC's network.
Internal and external users will have a unique user ID and password combination with multi-factor authentication through Azure B2C. Azure Single Sign-On is available at an additional cost. MFA is required when accessing the system remotely.

User logs are to be kept for at least 3 years.
Tenant-specific audit logs track all software activity with user ID and IP address logging. These logs allow comments to be added by administrative users, and all records are retained indefinitely until the tenant is deleted.

Data storage requires encryption, and the type of encryption is to be documented and communicated to RWC-IT.
SSL 2048-bit SHA-2 encryption (HTTPS) ensures secure transmission of data over the Internet, while SQL Database encryption protects and encrypts all data “at rest.”

Vendor security tools are to provide 24/7 monitoring to constantly watch for and identify potential threats. In the event of a security breach, the vendor shall notify RWC within 48 hours.
The Company has implemented detection and monitoring tools to identify anomalies, including potential changes to configurations that introduce new vulnerabilities as well as susceptibilities to newly discovered vulnerabilities. Management receives alerts based on pre-defined thresholds, which are logged and tracked to final remediation. Our platform is protected against the OWASP Top 10, with monthly vulnerability assessments using third-party web application scanning tools. Source code scans are performed on in-scope application source code to detect potential vulnerabilities prior to the release of source code into the production environment. Any high-risk vulnerabilities are tracked to remediation prior to the promotion of each change into the production environment. In the event of a security breach, the Company will use commercially reasonable efforts to notify the City within 48 hours.

User access reviews and reports are to be provided to RWC on demand.
The Company will provide user access reviews and reports to the City when requested.

The vendor shall provide RWC with its disaster recovery plan or continuity of operations plan.
The Neighborly Software Disaster Recovery and Business Continuity Plan defines the tools, roles, and procedures to enable the recovery and continuation of services supporting our clients in the event of an outage due to a natural or human-induced disaster. Neighborly Software is a Microsoft partner and utilizes Microsoft Azure for all hosting and infrastructure, which includes web hosting, database hosting, and blob storage. Microsoft Azure is recognized as an enterprise-grade cloud computing platform with rigorous standards for security. All Customer data is stored, processed, and maintained solely in data centers located in the United States.
Neighborly Software leverages the geo-redundancy features of Microsoft Azure for the Application/Web Server, SQL database and File Storage servers. In the event of an outage at the primary data center, the system will automatically fail over to the backup data center within 5 minutes without requiring manual intervention. Our primary Microsoft Tier IV FedRAMP data center is in Virginia and the backup data center is in Texas.

ATTY/AGR.2024.180/Neighborly Software (Page 23 of 26)