LighthouseAI Services Security Exhibit
Last Revised: May 1, 2023
1. Introduction and Scope
This is the Services Security Exhibit (“Exhibit”) of Pharma Solutions USA, Inc., DBA LighthouseAI (“LighthouseAI”, “We”, “Our”). It describes the security controls implemented in connection with the performance of Cloud services, technical support services or consulting services (the “Services”) delivered to customers (“Customer”, “You”, “Your”) under the relevant LighthouseAI license and/or services agreement and the applicable order for the Services (collectively, the “Agreement”). Our internal IT systems not involved in the delivery of Services are outside this Exhibit’s scope.
Capitalized terms have the meaning stated in the Agreement or as defined herein. “Customer Content” means any data that We access or receive, or that You send or upload for storage or processing, in order for Us to perform the Services. “Logs” means information related to performance, stability, usage, security, support, hardware, software, services or peripherals associated with using Our products or Services.
This Exhibit describes the administrative, physical and technical security controls We employ to maintain Our Services’ confidentiality, integrity and availability. These controls apply to Our operational and Services systems and environments. LighthouseAI employs ISO/IEC 27001/27002 as the baseline for Our Services security program and has obtained industry certifications and assessments for specific Services.
We seek to continually strengthen and improve Our security practices and reserve the right to modify the controls described herein. Any modifications will not diminish the level of security during the relevant term of Services.
2. Security Program and Policy Framework
LighthouseAI has a security program and policy framework that is established and approved by senior and executive management representing various business areas throughout the company.
2.1 Security Risk Oversight
The Information Security Committee (ISC) governs security risk management activities. The ISC consists of cross-functional management and leadership. The executive leadership team reviews committee membership annually to confirm adequate coverage of business and operational areas.
The ISC meets at least twice a year and provides guidance, insight, and direction in identifying, assessing and addressing security risks in corporate operations and the service delivery infrastructure.
2.2 Security Risk Management
LighthouseAI utilizes a security risk management (SRM) program that (i) identifies potential threats to Our products and Services; (ii) rates the significance of the risks associated with those threats; and (iii) develops risk mitigation strategies, and partners with Our Product and Development teams to implement those mitigation controls.
2.3 Information Security
LighthouseAI has appointed a Chief Technology Officer (CTO) responsible for security oversight, policy strategy, compliance, and enforcement. The Information Security Manager leads the incident response process, including investigation, containment and remediation.
3. Access Control
We require access control measures designed to ensure appropriate privileges are assigned and maintained for access to company systems, assets, data and facilities to protect against potential damage, compromise, or loss. We follow role-based security, limiting users’ access to only what is necessary to perform job functions or roles.
Managers design roles to provide adequate segregation of duties, distributing tasks and privileges among multiple people to safeguard against fraud and error.
3.1 New Accounts, Roles, and Access Requests
LighthouseAI requires a formal request for access to company systems or data. Each access request requires, at a minimum, approval by the user’s manager to confirm the user’s role and the access needed. Access administrators confirm that the necessary approvals have been obtained before granting access to systems or data. The principle of least privilege is applied.
3.2 Account Review
We perform, at minimum, bi-annual reviews of user accounts and their assigned permissions for critical systems. Any changes required as a result of the reviews are subject to the formal access request process to confirm that the user, and the user’s role, require access to the relevant system(s).
3.3 Account, Role, and Access Removal
We require user access to be disabled, revoked or removed promptly upon notification of a user’s role change (if applicable), termination, conclusion of a contractor’s engagement, or departure from the company. Access removal requests are documented and tracked.
3.4 Authentication and Password Management
LighthouseAI requires multi-factor authentication for remote access to Our systems by employees and enforces the following password handling and management practices:
- Passwords are rotated regularly, on a schedule set by Our system requirements
- Passwords must meet length and complexity requirements, including a mix of digits, special characters and upper- and lower-case letters, a minimum number of characters, and not allowing common or dictionary words
- Deactivated or expired user IDs are not granted to other individuals
- We maintain procedures to deactivate passwords that have been inadvertently disclosed
- We monitor repeated attempts to gain access to the Services using an invalid password and take automated actions to block repeated attempts
LighthouseAI uses practices designed to maintain the confidentiality and integrity of passwords when they are assigned, distributed and stored, such as:
- Requiring that passwords are stored only in hashed and/or encrypted form throughout their lifecycle
- Prohibiting the sharing of passwords
4. System Development and Maintenance
We maintain a Secure by Design process, which includes standards and change control procedures designed to address security requirements of the information systems, code review and testing, and security around the use of test data. This process is managed and monitored by a specialized quality/security team responsible for design review, threat modelling, manual code review and spot checks, and penetration testing.
4.1 Secure Design Principles
LighthouseAI has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology requirements. We have documented information security policies available to all employees and training for developers and their management on secure code best practices.
4.2 Change Management
Our infrastructure and software change management process addresses security requirements. It requires software and infrastructure changes to be authorized, formally documented, tested (as applicable), reviewed, and approved before deployment to the production environment. Infrastructure and software changes are managed and tracked using work management systems.
Duties within the change management process are segregated, and access to migrate changes to production is restricted to authorized personnel.
5. Asset Management
5.1 Physical and Virtual Asset Management
LighthouseAI maintains a continuously updated inventory of the physical and virtual systems We manage and use to perform the Services (“Service Assets”). System owners are responsible for maintaining and updating their Service Assets consistent with Our security standards. Formal disposal procedures are in place to guide the secure disposal of LighthouseAI data and Customer Content. We dispose of data when it is no longer required, based on its classification, using deletion processes designed to prevent the data from being reconstructed or read.
Our technology assets are sanitized and disposed of when they are no longer needed for their designated purpose. Technology assets include, but are not limited to, individual computing devices, multifunction computing devices, storage devices, imaging devices, and network appliances. Disposal is coordinated through Information Security.
5.2 Application and System Management
Application and system owners are responsible for reviewing and classifying the data they store, access, dispose of, or transmit. Among other controls, employees and contractors are required to:
- Classify Customer Content in one of the two highest categories of confidential information, and apply the corresponding access restrictions
- Restrict the printing of Customer Content and dispose of printed materials in secure containers
- Not store corporate or Confidential Information on any equipment or device that does not meet the requirements of security policies and standards
- Secure computers and data while unattended
5.3 Data Retention
Customer Content stored as part of our Services may be made accessible by the Customer for a limited period following the termination of Services and then deleted (except for backup copies) as part of standard data clean-up processing for terminated accounts. Additional details are provided in the specific services documentation. Customer Content may also be retained following the completion of the Services if required for legal purposes. LighthouseAI will comply with the requirements of this Exhibit until such Customer Content has been permanently deleted.
6. Human Resources Security
Maintaining the security of Customer Content is one of the core requirements for all employees and contractors. Our Code of Business Conduct requires all employees and contractors to adhere to Our security policies and standards and explicitly addresses the protection of the confidential information and personal information of Customers, partners, suppliers and employees.
All employees and contractors are subject to confidentiality agreements that cover Customer information. LighthouseAI also communicates regularly with employees on information security and physical security topics to maintain security awareness of specific issues.
6.1 Background Screening
We currently use background screening vendors for all new hires globally and require the same of Our third-party suppliers’ personnel, except where limited by local law or employment regulations.
6.2 Security Awareness Training
All employees are required to take training on data protection and on the company policies designed to protect the security of Our confidential information, including the confidential information of Our Customers, partners, suppliers and employees. The training covers privacy practices and the principles that apply to employee handling of personal information, including the need to limit the use, access, sharing and retention of personal information.
All employees must comply with our security and privacy policies and standards. Noncompliance is subject to disciplinary action, up to and including termination of employment.
7. Operations Security
7.1 Network and System Security
LighthouseAI has documented network and system hardening standards to ensure that networks and systems are securely configured. Required procedures under these standards include, but are not limited to:
- Changing or disabling default settings and/or accounts
- Controlling the use of administrative access
- Restricting service accounts to the purpose for which they were created
- Configuring logging and alert settings appropriate for auditing
We require implementing anti-malware software on servers and workstations and scanning the network for malicious software.
Network controls govern access to Customer Content. These include, as applicable: an intermediate, untrusted zone (a DMZ) between the Internet and the internal network, with a filtering mechanism that restricts access and blocks unauthorized traffic; network segmentation to prevent unauthorized access to Customer Content; and separation of web and application servers from the corresponding database servers in a tiered structure that restricts traffic between the tiers.
7.2 Logging and Monitoring
We collect Logs to confirm the correct functioning of Our Services, assist with troubleshooting system issues, and protect and secure Our networks and Customer Content. Logs may include access ID, time, authorization granted or denied, diagnostic data such as trace and crash files, and other relevant information and activity. We collect and use Logs:
(i) for providing, securing, managing, measuring and improving the Services;
(ii) as requested by the Customer or its end users;
(iii) for billing, account management, internal reporting and product strategy; and/or
(iv) for compliance with agreements, policies, applicable laws, regulations or governmental requests.
This may include monitoring the performance, stability, usage and security of the Services and their related components. Customers may not block or interfere with this monitoring.
7.3 Certificate, Credential, and Secret Management
LighthouseAI maintains policies that cover the lifecycle of certificates, credentials, and secrets to ensure their protection, availability, and confidentiality. Secret custodians must be documented and must formally acknowledge that they accept the responsibilities of secret management personnel. Requirements include, but are not limited to:
- Certificates must be issued by an approved certificate authority
- Cryptographic keys may not be stored or transmitted in plain text and must be protected using robust, approved cryptographic protocols
- Credentials and secrets must be rotated at least once per year and stored in an approved privileged access management tool
7.4 Vulnerability Management
We regularly monitor applications and systems for vulnerabilities with automated vulnerability and port scanning. We perform independent penetration testing of Our licensed SaaS software systems at least once per year to identify potential security issues or risk areas. Identified vulnerabilities must be remediated on a timeline that depends on their severity rating and vendor recommendations. Where a patch, update or permanent mitigation is not available, appropriate countermeasures are applied to reduce the risk of the vulnerability being exploited.
8. Encryption
8.1 Protection of Data in Transit
LighthouseAI has deployed secure transmission protocols for transmitting information over public networks as part of the Services. Access to the Services over the Internet is protected by TLS connections.
8.2 Protection of Data at Rest
We require all workstations used to deliver the Services to be protected with full-disk encryption using a key length of at least 128 bits. Customer Content may not be stored on any portable device unless it is encrypted.
Some Cloud Services encrypt certain data elements by default and may provide other encryption features for customers to implement. Please consult the applicable Cloud Services documentation for additional details.
9. Physical Security
LighthouseAI uses third-party data centres or cloud services to deliver the Services to its Customers. We contract only with cloud service providers that meet or exceed the physical and environmental security requirements set by international best practices and standards, including physical security and business continuity and disaster recovery.
10. Incident Response
LighthouseAI maintains a Cyber Security Incident Response Plan that details the processes for detecting, reporting, identifying, analyzing, and responding to Security Incidents affecting Our managed networks and/or systems or Customer Content. Security Incident response training and testing take place at least annually.
“Security Incident” means unauthorized access to Customer Content resulting in a loss of confidentiality, integrity or availability. If We determine that Customer Content within Our control has been subject to a Security Incident, You will be notified within the period required by law. Our notice will describe, where known, the nature of the incident, the time period involved, and the potential impact on the Customer.
We maintain a record of each Security Incident.
11. Vendor Management
LighthouseAI may use subcontractors and agents to perform the Services. Subcontractors and agents are entitled to access Customer Content only as needed to complete the Services and are bound by written agreements that require them to provide at least the level of data protection required of Us by this Exhibit, as applicable. We remain responsible at all times for Our subcontractors’ and agents’ compliance with the terms of the Agreement.
Our Third-Party Risk Management Program provides a systematic approach to managing the security risks posed by third-party suppliers. We work to identify, analyze and mitigate security risks before engaging such third parties.
LighthouseAI executes agreements with suppliers to document relevant security measures and obligations consistent with those specified in this Exhibit.
11.2 Ongoing Assessment
We perform periodic security risk assessments to ensure security measures remain in place throughout the supplier relationship. Changes to services provided or changes to existing contracts require a security risk assessment to confirm that the changes do not present additional or undue risk.
We endeavor to notify the company’s procurement organization at least 60 days before a planned end of a supplier relationship or before a supplier contract expires (unless earlier termination is required). The company’s procurement organization coordinates the termination of the relationship to confirm that Our corporate data and assets are secured and properly handled.
12. Data Protection and Privacy
12.1 Treatment of Personal Data
Personal data is information that relates to an identified or identifiable individual. You determine what personal data is included in Customer Content. In performing the Services, We act as a data processor, and You remain the data controller for any personal data contained in Customer Content. We will act on Your instructions regarding the processing of such personal data, as specified in the Agreement.
Further information concerning the treatment of personal data subject to the General Data Protection Regulation (GDPR), including the mechanisms employed for the international transfer of such data, is provided in the LighthouseAI Data Processing Addendum.
12.2 Disclosure of Customer Content
We may disclose Customer Content to the extent required by law, including in response to a subpoena, judicial or administrative order, or other binding instruments (each a “Demand”). Except where prohibited by law, we will promptly notify You of any Demand and provide You with assistance reasonably necessary for You to respond to the Demand in a timely manner.
12.3 Customer Security and Regulatory Requirements
The Services are designed to be delivered within the Customer’s IT environment. Customers therefore retain full responsibility for all aspects of security not expressly managed by LighthouseAI, including, but not limited to, technical integration with the Services, user access management and controls, and all applications and networks that Customers use in conjunction with the Services.
You remain responsible for determining whether Your use of the Services, including providing Us with access to any Customer Content as part of the Services, is subject to regulatory or security requirements beyond those specified in the Agreement, including this Exhibit. Customers must therefore not submit or store any Customer Content that is governed by laws imposing specific controls not included in this Exhibit, unless this is specified in the Agreement and the applicable Service Description and the parties have entered into any additional agreements required for Us to process such data (such as a HIPAA Business Associate Agreement) in advance. Examples of such Customer Content include data subject to the US International Traffic in Arms Regulations (ITAR) or similar regulations of any country that restrict the import or export of defense articles or defense services, protected health information (“PHI”), payment card information (“PCI”), and controlled-distribution data under government regulations.
This Exhibit becomes effective upon Your purchase of the Services. LighthouseAI reserves the right to revise this Exhibit to meet changing business, regulatory and compliance needs, subject to the commitments in Section 1. When it does so, LighthouseAI will update the “Last Revised” date at the top.