Security Policy

HYPR SECURITY POLICY

LAST UPDATED: May 8, 2023; Last Reviewed: September 24, 2024  | Previous Versions

This Data Security Policy describes the minimum technical, organizational and physical security measures HYPR takes to protect Customer Data. 

1. DEFINITIONS
 
1.1. Agreement” means the applicable master agreement, contractor services agreement, terms of service, order form, purchase order, contract or other legal document that governs HYPR’s provision of the Services or relationship of the Parties. 
 
1.2. “Controller” means the legal person or entity which alone or jointly with others, determines the purposes and means of Processing of Personal Data and shall also mean a “Business”, where applicable, as defined by the CCPA.

1.3.Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data, including, where applicable, the GDPR, the UK Data Protection Act 2018 and the California Consumer Privacy Act of 2018 effective as of January 1, 2020 (“CCPA”), each as may be amended from time to time.

1.4. “Data Subject” means an identified or identifiable natural person. For clarity, Data Subject includes any “consumer” as that term is defined by the CCPA.
 
1.5. “GDPR” means the European Union’s General Data Protection Regulation (EU) 2016/679.  For the purposes of this Data Security Exhibit, “GDPR” shall be construed as also referring to the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”).

1.6. “Personal Data” means any information relating to, directly or indirectly, a Data Subject or household that is collected, accessed, used, disclosed or otherwise Processed by HYPR in its provision of Services.

1.7. “Process”, “Processes” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
 
1.8. Processor” means the legal person or entity that Processes Personal Data on behalf of the Controller and shall also mean a “Service Provider”, where applicable, as defined by the CCPA.

1.9. Restricted Transfer” means any transfer of Personal Data from within the European Economic Area (EEA) to countries outside of the EEA which are not subject to an adequacy decision by the European Commission, where such transfer would be prohibited by Data Protection Laws.

1.10.Customer Data” means all Customer data processed by HYPR pursuant to the terms of the Agreement.

1.11. “Services means any products or services, including professional services, provided by HYPR pursuant to the Agreement and/or any related statements of work or order forms.

1.12. “Sub-Processor” means any party engaged by HYPR (when acting as Processor on behalf of Customer) that Processes Personal Data.

.

2. SECURITY PROGRAM

While providing Services, HYPR will maintain a written information security program of policies, procedures and controls?governing the Processing, transmission and security of Customer Data (the “Security Program”) to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. 

HYPR shall regularly test, assess and evaluate the effectiveness of the Security Program and at least annually review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing threats to the security, confidentiality and integrity of Customer Data, and to ensure that these risks are addressed. For clarity, no such update shall materially reduce the commitments, protections or overall level of service provided to Customer as described herein.

3. Physical, Technical and Administrative Security Measures

3.1. PHYSICAL SECURITY MEASURES.

3.1.1. Data Center Facilities. HYPR hosts its platform and customer data with third party data hosting providers, which maintain physical security measures designed to  provide physical data security and formal physical access procedures. (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (e.g. fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor.

3.1.2. Systems, Machines and Devices. (i) Physical protection mechanisms; and (ii) entry controls to limit physical access.

3.1.3. Media. (i) Industry standard destruction of sensitive materials before disposition of media; (ii) secure safe for storing damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Customer Data.

3.2. TECHNICAL SECURITY MEASURES.

3.2.1. Access Administration. Access to Customer Data by HYPR’s employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to Customer Data. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationships. Production infrastructure includes appropriate user account and password controls (e.g., the required use of VPN connections, complex passwords with expiration dates, and a two-factored authenticated connection) and is accessible for administration.

3.2.2. Service Access Control. The Services provides user and role-based access controls. 

3.2.3. Firewall System. An industry-standard firewall is installed and managed to protect Customer Data by residing on the network to inspect all ingress connections routed to the environment.

3.2.4. Vulnerability Management. HYPR conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and remediate any identified vulnerabilities in a timely manner. When software vulnerabilities are revealed and addressed by a vendor patch, HYPR will obtain the patch from the applicable vendor and apply it promptly and only after such patch is tested and determined to be safe for installation in all production systems.

3.2.5. Antivirus. HYPR updates antivirus, anti-malware, and anti-spyware software on regular intervals and centrally logs events for effectiveness of such software.

3.2.6. Change Control. HYPR ensures that only authorized changes are made to the platform, applications and production infrastructure. The risk to Customer Data shall be assessed and the results of the assessment documented.

3.2.7. Separation. Customer Data is maintained in a separate logical environment from HYPR’s other customers and HYPR’s corporate infrastructure.

3.2.8. Encryption. Customer data is encrypted in transit and at rest in line with Industry best practice guidelines.

3.2.9.    Minimization. HYPR attempts to minimize amount, categories and sensitivity of Customer data collected and stored in connection with providing a service.

3.2.10.  Quality. HYPR attempts to leverage input validation controls to ensure Customer data quality where possible.

3.2.11.  Retention. HYPR maintains an active data retention policy located at https://www.hypr.com/datasec-policy as it applies to Customer’s data.

3.2.12.  Portability. HYPR and its customers can support portability and access to account data through their account dashboard or via available APIs.

3.2.13.  Audit Logs. HYPR maintains audit logs with retention duration settings as defined in the data retention policy.

3.2.14.  Systems Hardening. HYPR performs systems hardening according to vendor recommendations and Industry best practice standards.

3.3. ADMINISTRATIVE SECURITY MEASURES.

3.3.1. Data Center Assessments. HYPR uses third-party data center providers when providing the Services. In connection therewith, HYPR must perform routine reviews at each data center to ensure that it continues to maintain the security controls necessary to comply with the Security Program. Where HYPR uses a third-party data center provider, HYPR must perform, at least an annual assessment, to include, where permitted by such third party vendor, an onsite review of the security controls at each data center to ensure continued compliance to the agreements in place, including this Data Security Exhibit. 

3.3.2. Personnel Security. HYPR performs background screening on all employees and all contractors who have access to Customer Data, subject to applicable law.

3.3.3. Security Awareness and Training. HYPR maintains a privacy and security awareness program that includes appropriate training of HYPR personnel on data privacy and the Security Program. Training is conducted at time of hire and at least once per year.

3.3.4. Vendor Risk Management. HYPR maintains a vendor management program that assesses all vendors that access, store, process or transmit Customer Data for appropriate security controls, business disciplines and that requires vendors to enter into a data processing addendum containing comparable obligations with respect to the protection of Personal Data as those contained in HYPR’s Data Processing Addendum located at hypr.com/data-processing-addendum.

3.3.5. Risk Management. HYPR maintains an audited risk management program to support and protect the organization and its ability to fulfill its mission.

4. SERVICE CONTINUITY AND DISASTER RECOVERY

HYPR shall implement and document appropriate and adequate business continuity and disaster recovery plans to ensure that HYPR can continue to or resume providing the Services promptly after a disruptive event. HYPR will regularly test and monitor the effectiveness of its business continuity and disaster recovery plans at least annually or as otherwise requested by Customer. HYPR shall provide Customer with its written business continuity and disaster recovery plan upon request. 

5. CERTIFICATIONS AND AUDITS

5.1. CERTIFICATIONS AND ATTESTATIONS. HYPR holds the following security certifications (collectively, the “Standards”):

Certification Covered Services
ISO 27001 Information security Management system supporting the Services.
ISO 27017 Information security management system supporting the Services.
ISO 27018 Information security management system supporting the Services.
SOC 2 Type 2 Information security management system supporting the Services.

At least once per calendar year, HYPR shall obtain an assessment against such Standards by an independent third-party auditor. 

5.2. AUDITS AND CORRECTIVE ACTIONS.

5.2.1. Audits. HYPR shall make available to Customer all information necessary to demonstrate compliance with its obligations under the Agreement and this Data Security Exhibit and allow for and contribute to audits, including onsite inspections, conducted by Customer or another auditor mandated by Customer. Such information shall be treated as Confidential Information under the Agreement.

5.2.2. Corrective Actions. Upon request by Customer, HYPR shall discuss the results of the audit conducted pursuant to Clause 5.2.1 (Audits) above. If Customer identifies a material deficiency between HYPR’s commitments this Data Security Exhibit, and the information gathered during an audit, then HYPR shall take, at its own cost, the necessary corrective actions reasonably satisfactory to Customer or Customer shall be entitled to terminate the Agreement and receive all prepaid and unused fees back. 

6. MONITORING AND INCIDENT MANAGEMENT

6.1. MONITORING, MANAGEMENT AND NOTIFICATION.

6.1.1. Incident Monitoring and Management. HYPR will monitor, analyze and respond to security incidents promptly. 

6.1.2. Breach Notification. HYPR will report to Customer any Breach without undue delay but in no event later than seventy-two (72) hours of becoming aware a Breach has occurred.

6.1.3. Report. The initial report will be made to Customer’s security and legal teams at respectively. As information is collected or otherwise becomes available to HYPR, and unless prohibited by applicable law, HYPR shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Customer to notify relevant Parties, including affected Data Subjects, government agencies and data protection authorities, in accordance with Data Protection Laws. The report will include the name and contact information of HYPR contact from whom additional information may be obtained. HYPR shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches.

7. PENETRATION TESTS

7.1. BY A THIRD-PARTY. If applicable to the Services, HYPR shall provide Customer with a penetration test on HYPR’s application annually to identify risks and remediation that help increase security.

7.2. BY CUSTOMER. If applicable to the Services, Customer may request to perform penetration test with reasonable advance notice, but no more than once per calendar year. Prior to conducting any penetration test, Customer shall notify HYPR by submitting a written request to schedule such a test. Customer shall not perform a penetration test without HYPR’s express written authorization, which shall not be unduly withheld. In the event Customer authorized penetration testing identifies vulnerabilities that HYPR is able to reproduce, HYPR shall, consistent with industry-standard practices, use commercially reasonable efforts to promptly make any necessary changes to improve the security of the Services. HYPR’s approval for Customer to perform a penetration test as set forth in this Section includes the ability for Customer to retest the detected vulnerabilities from the initial penetration test. All testing results shall be the Confidential Information of HYPR.

Previous Versions

2021

November 15, 2021 – Security Policy