Conductor LLC Security Policy (v. 10-6-22)

Conductor LLC (“Conductor”) considers protection of its customers’ and Users’ personal data and confidential information a top priority. As further described in this Security Policy, Conductor uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Content stored on systems under Conductor’s control. In order to protect our network from evolving threats and disruptions, to stay current with improved threat resistance technologies, and with the intention of ensuring effective security controls, Conductor may modify this Security Policy, with notice to Customer, to reflect new features and updated practices, but any such modifications will not materially decrease Conductor’s security obligations during a Subscription Term. This policy is issued under and forms part of the Terms of Service or other Conductor agreement which references this policy, and any capitalized terms not defined herein shall have the meanings ascribed to them in such Conductor agreement.
  1. Certifications, Attestations and Frameworks. Conductor maintains active ISO 27001 certification, which proves our organization has established a mature ISMS (Information Security Management System), a systematic approach consisting of processes, technology and people that helps us protect and manage our organization’s information through effective risk management. You can access this current certification at the following link: https://www.schellman.com/certificate-directory?certificateNumber=1255898-3
  2. Customer Content Access and Management Controls. Conductor implements formal procedures to limit its personnel’s access to Customer Content as follows:
  • Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for cloud hosting administrator access and individually assigned Secure Shell (SSH) keys for external engineer access, with TLS 1.2 or higher for those connections;
  • Limits the Customer Content accessible to Conductor personnel on a “need to know basis”;
  • Limits access to Conductor’s production environment by Conductor’s personnel on the basis of business need;
  • Prohibits Conductor personnel from storing Customer Content on electronic portable storage devices, such as computer laptops, portable drives and other similar devices;
  • Logically separates each of Conductor’s users’ data and maintains measures designed to prevent Customer Content from being exposed to or accessed by other users.
  3. Data Encryption. Conductor provides industry standard encryption for Customer Content as follows:
  • Employs encryption of data in transit between Users and the Services and between the Services and third party data sources (e.g. Salesforce);
  • Uses strong encryption methodologies to protect Customer Content, including AES 256-bit encryption for Customer Content stored in Conductor’s production environment;
  • Encrypts all Customer Content located in cloud storage while at rest; and
  • Implements full-disk encryption for hard-drives on all personnel individual workstations.
  4. Network Security, Physical Security and Environmental Controls.
  • Conductor implements properly configured and patched firewalls, network access controls and other technical measures designed to prevent unauthorized access to systems processing Customer Content;
  • Conductor maintains effective controls to ensure that security patches for systems and applications used to provide the Services are properly assessed, tested and applied;
  • Conductor monitors privileged access to applications that process Customer Content, including cloud services;
  • Remote access to Conductor’s environments is controlled with a virtual private network or other device (“VPN”) or private lines, consistent with industry best practices. Two-factor authentication is required for all remote access;
  • Conductor operates on Amazon Web Services (“AWS”) and is protected by Amazon’s security and environmental controls. Detailed information about AWS security is available at https://aws.amazon.com/security/, and http://aws.amazon.com/security/sharing-the-security-responsibility/. AWS ISO certification and SOC Reports are available at https://aws.amazon.com/compliance/iso-certified/, and https://aws.amazon.com/compliance/soc-faqs/, respectively; and
  • Customer Content hosted in AWS is AES-256 encrypted both in transit and at rest. AWS does not have access to unencrypted Customer Content.
  5. Independent Security Assessments. Conductor periodically assesses the security of its systems and the Services as follows:
  • Annual penetration testing of the Services is conducted by independent third-party security experts and includes black box automated and manual penetration testing of the infrastructure and application (including mobile versions). At Customer’s request, Conductor will provide to Customer a high-level summary of the most recent penetration test, subject to reasonable confidentiality protections;
  • Conductor is engaging accredited third parties to perform audits and to attest to SOC 2 Type 2 compliance standards in 2023; and
  • Monthly vulnerability scanning.
  6. Incident Response. If Conductor becomes aware of unauthorized access or disclosure of Customer Content under its control (an “Incident”), Conductor will:
  • Take reasonable measures to mitigate the harmful effects of the Incident and prevent further unauthorized access or disclosure;
  • Upon confirmation of the Incident, notify the Customer’s designated security contact by email within 72 hours. Notwithstanding the foregoing, Conductor is not required to make such notice to the extent prohibited by Laws, and Conductor may delay such notice as requested by law enforcement and/or in light of Conductor’s legitimate need to investigate or remediate the matter before providing notice; and
  • In the notifications provided by Conductor to its Customers in the event of an Incident, Conductor will communicate to Customer the following, to the extent relevant to the Incident:
    • The extent to which Customer Content has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Incident;
    • A description of what happened, including the date of the Incident and the date of discovery of the Incident, if known;
    • The scope of the Incident, to the extent known; and
    • A description of Conductor’s response to the Incident, including steps Conductor has taken to mitigate any harm caused by the Incident.
  7. Business Continuity Management. In the event of an unexpected or unavoidable situation that prevents Conductor from carrying out its normal operations, it has established a business continuity plan to ensure it can recover from such situation and restore Services promptly to its customers. The plan:
  • Is tested at least annually to ensure the objectives are attainable;
  • Includes backups of all customer data made at regular daily intervals and stored off-site at a secure third party facility;
  • Includes monitoring of the integrity of such backups, including by testing a recovery at least annually; and
  • Establishes processes to ensure failover redundancy for its systems, networks and data storage. Conductor uses AWS as its cloud hosting provider, with the Services fully hosted in the AWS Virginia region data centers and Northern California for backups.
  8. Personnel Management.
  • Conductor performs background checks on employees, including employment verification, proof of identity validation, a check of education records and employment history, and criminal background checks for new hires in positions requiring access to systems and applications storing Customer Content, in accordance with applicable law;
  • Conductor provides training for its personnel who are involved in the processing of Customer Content to ensure they understand their obligations to not collect, process or use Customer Content without authorization and to keep Customer Content confidential, including following the termination of any role involving Customer Content;
  • Conductor conducts routine and random monitoring of employee systems activity; and
  • Upon employee termination, whether voluntary or involuntary, Conductor immediately disables all access to Conductor systems, including Conductor’s physical facilities.
For security related questions or to report an incident, please contact us via email: security@conductor.com