Technical and Organizational Measures
Date: 15th April 2025
Purpose
The purpose of this document is to define Therefore Corporation’s current technical and organizational measures. This document can be amended at any time at the sole discretion of Therefore Corporation.
Physical & Information Asset Access Controls
Therefore Corporation employs varying levels of physical security controls commensurate with the risks associated with the information and IT assets stored and accessed within these areas.
Therefore™ Online is a SaaS offering hosted within Microsoft Azure Data Centers. The security and controls of these data centers are managed by Microsoft, which employs industry-leading security, resilience, redundancy, and compliance measures. Further information can be found at Azure infrastructure security | Microsoft Docs (https://docs.microsoft.com/bs-latn-ba/azure/security/fundamentals/infrastructure) and a full compliance listing is available from Microsoft Compliance in the trusted cloud | Microsoft Azure (https://docs.microsoft.com/en-us/azure/compliance/).
Measures
Access to Therefore Corporation premises is physically controlled and granted to staff (team members) on an as-needed basis. Therefore Corporation headquarters has implemented security and intrusion detection with 24/7 monitoring.
Access to information assets is managed within Therefore Corporation’s Access Control Policy and Access Review Procedures. These well-defined documents, together with other policies and procedures of the Information Security Management System, ensure that:
- Authorization to critical systems or sensitive information is strictly maintained in accordance with Therefore Corporation security policies.
- All personnel access Therefore Corporation systems with a unique identifier.
- Monitoring of any access requests to critical systems is in place. If personnel leave the company, their access rights are revoked.
- Therefore Corporation has established a password policy that defines the minimum complexity, prohibits password sharing, and requires passwords to be changed on a regular basis, as well as using MFA for authentication.
- The company network is protected from the public network by firewalls.
- Therefore Corporation uses up-to-date enterprise antivirus software at access points to the company network, as well as on all file servers and all workstations.
- Security patch management is implemented to provide regular and periodic deployment of relevant security updates.
- Remote access to Therefore Corporation’s network and critical infrastructure is protected by strong multi-factor authentication.
Personally Identifiable Information Access Control
Personnel entitled to use data processing systems gain access only to the personal data that they have a right to access, and personal data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.
Measures
- Personal data is classified as “Privileged” information within Therefore Corporation’s systems.
- Access to personal data is granted on a need-to-know basis and always includes written consent for processing.
- All production servers are operated in the data centers. Security measures that protect applications processing data are regularly checked. To this end, Therefore Corporation conducts internal and external security checks and penetration tests on its IT systems.
- Therefore Corporation does not allow the installation of software on server infrastructure that has not been authorized by Therefore Corporation’s IT department.
Data Transmission Controls
If customer data is transferred between Therefore Corporation and its customers, the customer assumes responsibility for any data transfer in all such scenarios.
Data Input Controls
Therefore Corporation personnel will never enter, modify or remove personal data from any data processing systems.
Job Control
Job control is required to ensure that personal data processed on behalf of others is processed strictly in compliance with the customer’s instructions.
Measures
- As part of Therefore Corporation’s Security Policies, personal data is classified as “Restricted” information according to the Therefore Corporation Information Classification Policy.
- All Therefore Corporation employees and contractual subprocessors or other service providers are contractually bound to respect the confidentiality of all sensitive information including trade secrets of Therefore Corporation customers and partners.
Availability Control
All customer data will be protected against accidental or unauthorized destruction or loss.
Measures
- Therefore Corporation employs regular backup processes to provide restoration of business-critical systems as and when necessary.
- Therefore Corporation has defined business continuity plans for business-critical processes.
- Emergency processes and systems are reviewed regularly.
Data Separation Control
Personal data collected for different purposes is processed separately.
Measures
- Therefore Corporation uses appropriate technical controls to achieve customer data separation at all times.
- A Customer (including its approved controllers) will have access only to their own data based on secure authentication and authorization.
- If personal data is required to handle a support incident from a customer, this data is stored in dedicated support systems.
- For the exchange of data in the course of a support session, data can be provided over a customer-managed secure file exchange. All information related to a support case that contains personal information in alignment with European and GDPR regulations is deleted at the end of a support ticket where practical.
Data Integrity Control
Personal data will remain intact, complete and current during processing activities.
Measures
Therefore Corporation takes reasonable steps to ensure personal data is accurate, protecting against unauthorized modifications with the following:
- Firewalls
- Security monitoring tools
- Antivirus software
- Backup and recovery
- External and internal penetration testing and vulnerability assessments