Security

VendorPal™ is committed to maintaining a platform where our customers' data is held confidentially and securely. To that end, VendorPal™ will implement the following security measures.

Our servers will be collocated in Cedar Falls, Iowa at a facility that provides 24-hour physical security, palm print and picture identification systems, redundant electrical generators, redundant data center air conditioners, and other backup equipment designed to keep servers continually up and running.


The network perimeter will be protected by multiple firewalls and monitored by intrusion detection systems - all sourced from industry-leading security vendors. In addition, VendorPal™ will monitor and analyze firewall logs to proactively identify security threats. VendorPal™ will also contract with a third-party security firm that will proactively monitor our security configurations for changes, vulnerabilities, and errors and regularly conduct vulnerability threat assessments including penetration tests.


VendorPal™ will leverage the strongest encryption products to protect customer data and communications, including 128-bit Network Solutions SSL Certification and 1024-bit RSA public keys. The lock icon in the browser will indicate that data is fully shielded from access while in transit.


Users access VendorPal™ only with a valid username and password combination, which is encrypted via SSL while in transmission. An encrypted session ID cookie is used to uniquely identify each user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals.


Our robust application security model prevents one VendorPal™ customer from accessing another's data. This security model is reapplied with every request and enforced for the entire duration of a user session.


VendorPal™ will enforce tight operating system-level security by using a minimal number of access points to all production servers. We will protect all operating system accounts with strong passwords, and production servers will not share a master password database.


Whenever possible, database access will be controlled at the operating system and database connection level for additional security. Access to production databases will be restricted to a limited number of points, and production databases will not share a master password database.


All data entered into the VendorPal™ application by a customer will be owned by that customer. VendorPal™ employees do not have direct access to the VendorPal™ servers, except where necessary for system management, maintenance, monitoring, and backups. VendorPal will not utilize any managed service providers. The VendorPal™ systems engineering team will provide all system management, maintenance, monitoring, and backups.


All networking components, SSL accelerators, load balancers, Web servers, and application servers will be configured in a redundant configuration. All customer data will be stored on a database served by a database server cluster for redundancy. All customer data will be stored on carrier-class disk storage using RAID disks and multiple data paths. All customer data, up to the last committed transaction, will be automatically backed up to a primary tape library on a nightly basis. Backup tapes will be immediately cloned to verify their integrity, and the clones will be moved to secure, fire-resistant, off-site storage on a regular basis.


VendorPal™ will enter into an agreement with a third-party provider of availability services to provide access to a geographically remote disaster recovery facility - along with required hardware, software and Internet connectivity - in the event our production facilities were to be rendered unavailable. VendorPal™ will have disaster recovery plans in place and will test them regularly - in our QA environment on a quarterly basis and off-site with the third-party provider on an annual basis.