
Showrunnr Security Policy

Last Updated: May 2025

General

Showrunnr understands Customer’s need to know that their data is protected and secure when using Showrunnr Services. This document describes the practices and safeguards, which include physical, organizational, and technical measures, utilized by Showrunnr that are designed to preserve the security, integrity, and confidentiality of the online Services and Customer Data.

Showrunnr's security program includes:

Security Awareness and Training

A mandatory security awareness and training program for all members of Showrunnr’s workforce (including management), which includes:

  • Training on how to implement and comply with its Information Security Program;
  • Promoting a culture of security awareness through periodic communications from senior management with employees.

Access Controls

Policy, procedures, and logical controls:

  • To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
  • To prevent those workforce members and others who should not have access from obtaining access; and
  • To remove access on a timely basis in the event of a change in job responsibilities or job status.

Physical and Environmental Security

Controls that provide reasonable assurance that access to physical servers at the production data center, if applicable, is limited to properly authorized individuals and that environmental controls are established to detect, prevent and control destruction due to environmental extremes. These controls are implemented by Amazon Web Services (AWS) and they are listed here: https://aws.amazon.com/compliance/data-center/controls/.

The controls include:

  • Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel;
  • Camera surveillance systems at critical internal and external entry points to the data center, with retention of data per legal or compliance requirements;
  • Systems that monitor and control the air temperature and humidity at appropriate levels for the computing equipment; and
  • Redundant power supply modules and backup generators that provide backup power in the event of an electrical failure, 24 hours a day.

Security Incident Procedures

A security incident response plan that includes procedures to be followed in the event of any Security Breach. Such procedures include:

  • Roles and responsibilities: formation of an internal incident response team with a response leader;
  • Investigation: assessing the risk the incident poses and determining who may be affected;
  • Communications: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data;
  • Record keeping: keeping a record of what was done and by whom to help in later analysis and possible legal action; and
  • Audit: conducting and documenting root cause analysis and remediation plan.

Contingency Planning

Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Customer Data or production systems that contain Customer Data. Such procedures include:

  • Data Backups: A policy for performing periodic backups of production data sources, as applicable, according to a defined schedule;
  • Disaster Recovery: A formal disaster recovery plan for the production data center, including:
    • Requirements for the disaster plan to be tested on a regular basis, currently once a year; and
    • A documented executive summary of the Disaster Recovery testing, at least annually, which is available upon request to customers.
  • Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.

Audit Controls

Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information.

Data Integrity

Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction.

Storage and Transmission Security

Security measures to guard against unauthorized access to Customer Data that is being transmitted over a public electronic communications network or stored electronically. Showrunnr uses industry-standard encryption to protect data at rest and in transit. Showrunnr at minimum uses AES 256-bit encryption to protect data at rest in the Product data stores and TLS 1.2 (or higher) to protect data in transit.

Secure Disposal

Policies and procedures regarding the secure disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.

Assigned Security Responsibility

Assigning responsibility for the development, implementation, and maintenance of Showrunnr’s security program, including:

  • Designating a security official with overall responsibility;
  • Defining security roles and responsibilities for individuals with security responsibilities.

Security Compliance and Testing

Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified. Where applicable, such testing includes:

  • Internal risk assessments;
  • Service Organization Control 2 (SOC2) audit reports;
  • On an annual basis, Showrunnr engages with skilled penetration testing organizations to perform external penetration testing of Showrunnr Product. The scope of this testing involves testing our application from both an Authenticated and Unauthenticated session. Our penetration testing follows known industry standards for good application security, including vetting our applications against OWASP’s Top 10.

Monitoring

Network and systems monitoring, including error logs on servers, disks and security events for any potential problems. Such monitoring includes:

  • Reviewing changes affecting systems handling authentication, authorization, and auditing;
  • Reviewing privileged access to Showrunnr production systems.

Change and Configuration Management

Maintaining policies and procedures for managing changes Showrunnr makes to production systems, applications, and databases. Such policies and procedures include:

  • A process for documenting, testing and approving the changes to Showrunnr’s Product;
  • A security patching process that requires patching systems in a timely manner based on a risk analysis; and

Program Adjustments

Monitoring, evaluating, and adjusting, as appropriate, the security program in light of:

  • Any relevant changes in technology and any internal or external threats to Showrunnr or the Customer Data;
  • Security and data privacy regulations applicable to SHOWRUNNR; and
  • SHOWRUNNR’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

Devices

Ensuring that all laptop and desktop computing devices utilized by SHOWRUNNR and any subcontractors when accessing Customer Data:

  • will be equipped with a minimum of AES 128-bit full hard disk drive encryption;
  • have up-to-date virus and malware detection and prevention software installed with virus definitions updated on a regular basis; and
  • will maintain virus and malware detection and prevention software so as to remain on a supported release. This will include, but not be limited to, promptly implementing any applicable security-related enhancement or fix made available by the supplier of such software.