OCP Security Policy
This OCP Security Policy is incorporated by reference into the OCP Service Terms and Conditions agreement with OMILIA NATURAL LANGUAGE SOLUTIONS LTD, a company incorporated and existing under the laws of Cyprus with registered offices at Gladstonos 55 Str., 3040, Limassol, Cyprus, TIC number 123189502Z (“Omilia”) and describes the contractual requirements for information security and assurance provided by Omilia to the End User related either to the provision of OCP Services that the Partner has licensed from Omilia and transferred or sublicensed to the End User, or to the provision of OCP Services that the End-User has licensed directly from Omilia. This OCP Security Policy is applicable to the extent that Omilia has access and control over End-User’s data (herein “Customer Data”).
1. Security Program
Security Standards. Omilia has implemented and will maintain an Information Security and Assurance program that follows generally accepted system security principles embodied in the ISO 27001 standard designed to protect Customer Data as appropriate to the nature and scope of the OCP Services provided.
Security Awareness and Training. Omilia has developed and will maintain a Security Education Training and Awareness program that is delivered to all employees and contractors involved in the delivery of OCP Services, at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically or in person and includes a testing aspect with minimum requirements to pass.
Policies and Procedures. Omilia will maintain appropriate policies and procedures to support the Information Security and Assurance program. Policies and procedures will be reviewed annually and updated as necessary.
Change Management. Omilia will utilize a change management process based on best practices and industry standards to ensure that all changes to the OCP Services’ environment are appropriately reviewed, tested, approved and able to be traced back to accountable personnel.
Data Storage and Backup. Omilia will create backups of critical Customer Data according to formalised and documented backup policy and procedures. Customer Data will be stored and maintained solely on designated backup storage media within the Data Center(s). Backup data will not be stored on portable media. Customer Data stored on backup media will be protected from unauthorized access via appropriate encryption and logical access control mechanisms
Anti-Virus and Anti-Malware Protection. Omilia will utilize industry standard anti-virus and anti-malware protection solutions to ensure that all non-Linux servers in OCP Services’ environment are appropriately protected against malicious software such as trojan horses, viruses, worms, ransomware and other malicious code and zero day threats. Omilia will use standard industry practice to ensure that the OCP Services as delivered to the End User do not include any program, routine, subroutine, or data (including malicious software or “malware,” viruses, worms, ransomware and Trojan Horses) that are designed to disrupt the proper operation of the OCP Services, or which, upon the occurrence of a certain event, the passage of time, or the taking of or failure to take any action, will cause the OCP Services to be destroyed, damaged or rendered inoperable. The End User and/or the Partner acknowledges that the use of license keys will not be a breach of this section.
Vulnerability and Patch Management. Omilia will maintain a vulnerability management program that ensures compliance with the standards of Our Information Security and Assurance program and industry best practices.
Data Destruction. Omilia and its subcontractors will follow industry standard processes to destroy obsolete data and retired equipment that formerly held Customer Data.
Penetration Testing. On at least an annual basis, Omilia will conduct a vulnerability assessment and penetration testing engagement with an independent qualified vendor. Issues identified during the engagement will be appropriately addressed within a reasonable time-frame commensurate with the identified risk level of the issue. A cleansed version of the executive summary of the test results will be made available to the End User and/or the Partner upon written request and will be subject to non-disclosure and confidentiality agreements.
2. Network Security
Network Controls. Omilia will employ effective network security
controls based on our Information Security and Assurance program,
best practices, and industry standards to ensure that Customer
Data is segmented and isolated from other customer environments
within the Data Center. Controls include, but are not limited to:
(a) Firewall Services. Omilia use firewall services to protect the OCP Services infrastructure. Omilia maintains granular ingress and egress rules and changes must be approved through Omilia’s change management system.
(b) Intrusion Detection System. Omilia has implemented intrusion detection systems across the OCP Services Environment which may be either network based, host based or a combination of the two.
(c) No Wireless Networks. Omilia will not use wireless networks within the Data Center environments.
(d) Data Connections between the End User and/or the Partner and the OCP Services Environment. Omilia uses TLS, VPN and/or MPLS circuits to secure connections between browsers, client apps, and mobile apps to the OCP Services. Connections traversing an untrusted network (e.g. the Internet) will use TLS 1.3.
(e) Data Connections between OCP Services Environment and Third Parties. Transmission or exchange of Customer Data with the End User and/or the Partner and any third parties authorized by the End User and/or the Partner to receive the Customer Data will be conducted using secure methods (e.g. TLS, HTTPS, SFTP).
(f) Encrypted Recordings. Omilia encrypts call/audio recordings and chat sessions to ensure the confidentiality of sensitive data, using best practices and standards with regards to encryption key and certificate management.
(g) Encryption Protection. Omilia uses industry standard methods to support encryption.
(h) Logging and Monitoring. Omilia will log security events from the operating perspective for all building blocks providing the OCP Services to the End User. Omilia will monitor and investigate events that may indicate a security incident or problem. Event records will be retained for at least one year.
3. User Access Control
Access Control. Omilia will implement appropriate logical access controls to ensure only authorized Users have access to Customer Data within the OCP Services environment.
User Access Management. The End User and/or the Partner is responsible for managing User Access controls within the application. The End User and/or the Partner define(s) the usernames, roles, and password characteristics (length, complexity, and expiration timeframe) for its users. The End User and/or the Partner is entirely responsible for any failure by itself, its agents, contractors or employees (including without limitation all its users) to maintain the security of all usernames, passwords and other account information under its control. Except in the event of a security lapse caused by Omilia’s gross negligence or willful action or inaction, the End User and/or the Partner is entirely responsible for all use of the OCP Services through the respective End User’s and/or the Partner’s usernames and passwords whether or not authorized by the End User and/or the Partner and all charges resulting from such use. The End User and/or the Partner will immediately notify Omilia if the End User and/or the Partner becomes aware of any unauthorized use of the OCP Services.
Omilia User Access. Omilia will create individual User accounts
for each of Omilia employees or contractors that have a business
need to access Customer Data or the End User and/or the Partner’s
systems within the OCP Services environment. The following
guidelines will be followed regarding Omilia’s user account
(a) User accounts are requested and authorized by Omilia management.
(b) Strong password controls are systematically enforced.
(c) Connections are required to be made via secure VPN using MFA mechanisms and strong passwords that expire every ninety (90) days.
(d) Session time-outs are systematically enforced.
(e) User accounts are promptly disabled upon employee termination or role transfer, eliminating a valid business need for access.
4. Business Continuity And Disaster Recovery
Disruption Protection. The OCP Services will be deployed and configured in a high-availability design and the OCP Services will be deployed across separate Data Centers to provide optimal availability of the OCP Services. The Data Center environment is physically separated from Omilia’s corporate network environment so that a disruption event involving the corporate environment does not impact the availability of the OCP Services.
Business Continuity. Omilia will maintain a corporate business continuity plan designed to ensure that ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.
Disaster Recovery. The OCP Services will be deployed in a high-availability, redundant design. A disruption event at a single Data Center will trigger a system fail-over to the back-up Data Center to minimize disruption to OCP Services. For these OCP Services, the End User and/or the Partner is responsible for defining specific parameters regarding fail-over. With regard to OCP Services, Omilia employs an active-active-active configuration.
5. Security Incident Response
Security Incident Response Program. Omilia will maintain a Security Incident response program based on our information security program, best practices and industry standards designed to identify and respond to suspected and actual Security Incidents involving Customer Data. The program will be reviewed, tested and, if necessary, updated on at least an annual basis. “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.
a. In case of a Partnership Agreement, in the event of a Security Incident or other security event requiring notification under applicable law, Omilia will notify the Partner within thirty-six (36) hours and will reasonably cooperate so that the Partner can make any required notifications to End Users relating to such events, unless Omilia is specifically requested by law enforcement or a court order not to do so. It is the Partner’s legal responsibility to forward such notifications to End Users in a timely manner and as per applicable law.
b. In case of an End-User Agreement, in the event of a Security Incident or other security event requiring notification under applicable law, Omilia will notify the End-User within seventy-two (72) hours, unless Omilia is specifically requested by law enforcement or a court order not to do so.
Notification Details. Omilia will provide the following details regarding any Security Incidents to the End User and/or the Partner: (i) date that the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions Omilia has already taken; (iv) corrective measures to be taken; and (v) evaluation of alternatives and next steps.
Ongoing Communications. Omilia will continue providing appropriate status reports to the End User and/or the Partner regarding the resolution of the Security Incident, continually work in good faith to correct the Security Incident and to prevent future such Security Incidents. Omilia will cooperate, as reasonably requested by the End User and/or the Partner, to further investigate and resolve the Security Incident.
6. Data Center Protections
Data Center. Omilia contracts with third-party providers for Data Center space. Data Center providers and related services are reviewed on an annual basis to ensure that they continue to meet Omilia and End User and/or the Partner needs. Each Data Center provider maintains certification based on its independent business models. Security and compliance certifications and/or attestation reports for the Data Center(s) relevant to End User and/or the Partner OCP Services will be provided upon written request and may require additional non-disclosure agreements to be executed.
Physical Security. Each Data Center is housed within a secure and hardened facility with the following minimum physical security requirements: (a) secured and monitored facility; (b) on-site access validation with identity check; (c) access only to persons on an access list approved by Omilia; (d) on-site network operations center staffed 24x7x365; (e) surveillance cameras in the points of entry.
Environmental Controls. Each Data Center is equipped to provide redundant external electrical power sources, redundant uninterruptible power supplies, backup generator power and redundant temperature and humidity controls.
7. Use of the OCP Services
The End User and/or the Partner will not, and will not permit or authorize others to use the OCP Services for any of the following: (i) to violate applicable Law; (ii) to transmit Malicious Code; (iii) to transmit 911, 112 or any emergency services (or reconfigure to support or provide such use); (iv) to interfere with, unreasonably burden, or disrupt the integrity or performance of the OCP Services or third-party data contained therein; (v) to attempt to gain unauthorized access to systems or networks; or (vi) to provide the OCP Services to non-User third parties, including, by resale, license, lend or lease.
The End User and/or the Partner will use commercially reasonable efforts to prevent and/or block any prohibited use by others.
The End User and/or the Partner will maintain any reasonable, appropriate administrative, physical, and technical level of security regarding its account ID, password, antivirus and firewall protections, and connectivity with the OCP Services.
The End User and/or the Partner shall maintain strict security over all VoIP Services lines. The End User and/or the Partner acknowledges that Omilia does not provide the End User and/or the Partner with the ability to reach 911, 112 or other emergency services and the End User and/or the Partner agrees to inform any individuals who may be present where the OCP Services are used, or who use the OCP Services, of the non-availability of 911, 112 or other emergency dialing.
If the OCP Services will be used to transmit or process Personal Data, the End User and/or the Partner will ensure that all Personal Data is captured and used solely via the use of available Security Features and clear, solid and undisputed consent has been received and recorded by the End User for its data subjects, if applicable.
Recordings. As between Omilia and the End User, Omilia acknowledges that use of Recordings is solely within the End User’s discretion and control. Without limiting the foregoing: (i) Omilia accepts sole responsibility for determining the method and manner of performing recording as part of the OCP Services such that it is compliant with all applicable Laws and for instructing the services accordingly; and (ii) The End User shall note that Recordings may be made only for diagnostic, quality assurance, and/or Support purposes, and in any event only for purposes required and/or in compliance with all applicable Laws. The End User will ensure that (a) Recordings will not knowingly include any bank account number, credit card number, authentication code, Social Security number or Personal Data, except as allowed or required by all applicable Laws; or (b) Recordings are encrypted at all times. To the extent Recordings are encrypted or where encryption is electable by the End User as part of the OCP Services, the End User shall elect such encryption. End User shall not modify, disable, or circumvent the Recording encryption feature within the OCP Services and shall otherwise ensure that it will use the OCP Services in compliance with the encryption feature.
8. Industry-Specific Certifications
Omilia’s security and operational controls are based on industry standard practices and are designed to meet the guidelines indicated in the table below. Nevertheless, the End User and/or the Partner is solely responsible for achieving and maintaining any industry-specific certifications required for its business:
|Cloud Service||PCI||SOC2 TYPE II||ISO 27001||HIPAA||SIG FULL||SIG LITE||PRIVACY SHIELD|
Subject to Omilia’s reasonable confidentiality and information security policies, the End User or a qualified third party chosen by the End User, shall have the right, once a year at a maximum, and upon ninety (90) days’ written notice, to perform a security assessment of Omilia’s compliance with the terms of this Policy, provided that the End User has demonstrated that the End User has a reasonable belief that Omilia is not in compliance. During normal business hours, the End User or the End User’s authorized representatives may inspect Omilia’s policies and practices implemented to comply with this Policy, which may include a site visit and a review of reasonable supporting documentation, provided that the End User and/or the Partner agree(s) that such right shall not include the right to on-site inspections or audits of Omilia’s third-party hosting facilities and equipment. No such assessment shall violate Omilia’s obligations of confidentiality to customers or reveal Omilia’s Intellectual Property. Any assessment performed pursuant to this Section shall not interfere with the normal conduct of Omilia’s business. Omilia shall cooperate in a commercially reasonable manner with any such assessment and reserve the right to charge the End User for Omilia’s reasonable costs incurred in connection with any such assessment.
Omilia has developed and will maintain a Privacy Program designed to respect and protect Customer Data under Omilia’s control, and this is located at https://www.ocp.ai/PrivacyPolicy/.
11. Customer Data
As between Omilia and the End User and/or the Partner, the End User retains ownership of all intellectual property rights in the Customer Data and grants Omilia a non-exclusive, non-sublicensable (except to parties working on Omilia’s behalf), non-transferable, royalty-free license to access, process, store, transmit, and otherwise make use of the Customer Data as necessary to provide the Services and to otherwise fulfill Omilia’s obligations under the Agreement.
The End User agrees that the Customer Data may be transferred or stored outside the country where the End User and/or the Partner and the End User’s customers or users are located in order to carry out the Services and Omilia’s other obligations under the Agreement.
The End User represents and warrants that the End User has obtained all consents necessary for Omilia to collect, access, process, store, transmit, and otherwise use Customer Data in accordance with the Agreement.
The End User shall comply with all requirements of integrity, quality, legality and all other similar aspects in respect of Customer Data. Omilia may, but is not obligated to, review or monitor any Customer Data. Omilia expressly disclaims any duty to review or determine the legality, accuracy or completeness of Customer Data.
Omilia may aggregate data and information related to the performance, operation and use of the OCP Services to create statistical analyses, to perform benchmarking, to perform research and development and to perform other similar activities (“Service Improvements”). Omilia will not incorporate Customer Data in Service Improvements in a form that could identify the End User and/ or the Partner and/or the End User’s customers or users and will use industry standard techniques to anonymize Customer Data prior to performing Service Improvements. Omilia retains all intellectual property rights in Service Improvements and may make them publicly available.