DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Nitro Business Terms of Service and Nitro Terms of Services governing the use of Nitro’s services. (“Agreement”) entered by and between you, the Customer (collectively, “Individual”, “Entity”, “Licensee”) and Nitro Software Inc. (“Nitro”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Nitro solely on behalf of the Customer. Both Parties shall be referred to as the “Parties” and each, a “Party”.
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
(a) Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
(b) Applicable Data Protection Laws means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws and the CCPA.
(c) CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder.
(d) Customer Data means information provided or made available to Nitro for Processing on Customer’s behalf to perform the Services.
(e) EEA means the European Economic Area.
(f) European Data Protection Laws means the GDPR and other data protection laws and regulations of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent applicable to the Processing of Personal Data under the Agreement.
(g) GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.
(h) Information Security Incident means a breach of Nitro’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Nitro’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
(i) Personal Data means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Law, or information of a similar character regulated thereby, except that Personal Data does not include such information pertaining to Customer’s personnel or representatives who are business contacts of Nitro, where Nitro acts as a controller of such information.
(j) Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(k) Security Measures has the meaning given in Section 5(a) (Provider’s Security Measures).
(l) Standard Contractual Clauses means the mandatory provisions of the standard contractual clauses for the transfer of personal data to processors established in third countries in the form set out by European Commission Decision 2010/87/EU.
(m) Subprocessors means third parties that Nitro engages to Process Personal Data in relation to the Services.
(n) Third Party Subprocessors has the meaning given in Section 5 (Subprocessors) of Annex 1.
(o) The terms controller, data subject, processor and supervisory authority as used in this DPA have the meanings given in the GDPR.
2. Duration and Scope of DPA
(a) This DPA will remain in effect so long as Nitro Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
(b) Annex 1 (EU Annex) to this DPA applies solely to Processing subject to European Data Protection Laws. Annex 2 (California Annex) to this DPA applies solely to Processing subject to the CCPA if Customer is a “business” or “service provider” (as defined in CCPA) with respect to such Processing.
3. Customer Instructions
Nitro will Process Personal Data only in accordance with Customer’s instructions to Nitro. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Nitro only pursuant to an amendment to this DPA signed by both parties. Customer instructs Nitro to Process Personal Data to provide the Services as contemplated by this Agreement.
Customer acknowledges and agrees that, as a part of the Services, Nitro may create and derive from Processing related to the Services anonymised and/or aggregated data that does not identify Customer or any natural person, and use, publicise or share with third parties such data to improve Nitro’s products and services and for its other legitimate business purposes.
(a) Provider Security Measures. Nitro will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (the “Security Measures”) as described in Annex 3 (Security Measures). Nitro may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Personal Data.
(b) Information Security Incidents. Nitro will notify Customer without undue delay of any Information Security Incident of which Customer becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Nitro recommends Customer take to address the Information Security Incident. Nitro’s notification of or response to an Information Security Incident will not be construed as Nitro’s acknowledgement of any fault or liability with respect to the Information Security Incident.
(c) Customer’s Security Responsibilities and Assessment(i) Customer’s Security Responsibilities. Customer agrees that, without limitation of Nitro’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Nitro uses to provide the Services; and (d) backing up Personal Data.(ii) Customer’s Security Assessment. Customer agrees that the Services, the Security Measures and Nitro’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.
6. Data Subject Rights
(a) Nitro’s Data Subject Request Assistance. Nitro will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Nitro’s possession or control. Customer shall compensate Nitro for any such assistance at Nitro’s then-current professional services rates, which shall be made available to Customer upon request.
(b) Customer’s Responsibility for Requests. If Nitro receives a Data Subject Request, Nitro will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request.
7. Customer Responsibilities
(a) Customer Compliance. Customer shall comply with its obligations under Applicable Data Protection Laws. Customer shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Customer has given all notices to, and has obtained all such notices from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Customer to Process Personal Data as contemplated by the Agreement.
(b) Prohibited Data. Customer represents and warrants to Nitro that Customer Data does not and will not, without Nitro’s prior written consent, contain any social security numbers or other government-issued identification numbers; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age; or any information that falls within any special categories of data (as defined in GDPR). Customer further represents that Customer Data does not and will not contain protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or any similar legislation in other jurisdiction; other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or health insurance information unless Customer and Nitro have separately entered into a HIPAA Business Associate Agreement.
Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Nitro’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Nitro to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Nitro’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
ANNEX 1 TO DPA
1. Processing of Data
(a) Subject Matter and Details of Processing. The parties acknowledge and agree that (i) the subject matter of the Processing under the Agreement is Nitro’s provision of the Services; (ii) the duration of the Processing is from Nitro’s receipt of Personal Data until deletion of all Personal Data by Nitro in accordance with the Agreement; (iii) the nature and purpose of the Processing is to provide the Services; (iv) the data subjects to whom the Personal Data pertains are Customer (to the extent that Customer is an individual), users of the Services or Nitro’s software, and data subjects, the personal data of which has been generated, shared or uploaded by Customer and/or users of the Services and/or Nitro’s software; and (v) the categories of personal data are the personal data generated, shared, uploaded or requested by the Customer or users of the Services and/or Nitro’s software (which may include personal data contained in documents, pictures and other media and user-generated content such as documents, text, pictures and other content).
(b) Roles and Regulatory Compliance; Authorization. The parties acknowledge and agree that (i) Nitro is a processor of that Personal Data under European Data Protection Laws; (ii) Customer is a controller (or a processor acting on the instructions of a controller) of that Personal Data under European Data Protection Laws; and (iii) each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the Processing of that Personal Data. If Customer is a processor, Customer represents and warrants to Nitro that Customer’s instructions and actions with respect to Personal Data, including its appointment of Nitro as another processor, have been authorized by the relevant controller.
(c) Nitro’s Compliance with Instructions. Nitro will Process Personal Data only in accordance with Customer’s instructions stated in this DPA unless applicable European Data Protection Laws require otherwise, in which case Nitro will notify Customer (unless that law prohibits Nitro from doing so on important grounds of public interest).
(d) Data Deletion. Nitro shall delete all the Personal Data on Nitro’s systems on Customer’s request and after the end of the provision of Services, and shall delete existing copies unless continued storage of the Personal Data is required by (i) applicable laws of the European Union or its Member States, with respect to Personal Data subject to European Data Protection Laws or (ii) Applicable Data Protection Laws, with respect to all other Personal Data. Nitro will comply with such instruction as soon as reasonably practicable and no later than 180 days after such expiration or termination, unless Applicable Data Protection Laws require storage. Customer may choose to request a copy of such Personal Data from Nitro for an additional charge by requesting it in writing at least 30 days prior to expiration or termination of the Agreement. Upon the parties’ agreement to such charge pursuant to a work order or other amendment to the Agreement, Nitro will provide such copy of such Personal Data before it is deleted in accordance with this clause.
2. Data Security
(a) Nitro Security Measures, Controls and Assistance(i) Nitro Security Assistance. available to Nitro) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) complying with the terms of Section 5(b) (Information Security Incidents) of the DPA; and (c) complying with this Annex 1. Customer hereby acknowledges and agrees that such measures are sufficient to permit Customer to comply with these obligations.(ii) Security Compliance by Nitro Staff. Nitro will ensure that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations.
(b) Reviews and Audits of Compliance
Customer may audit Nitro’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Customer’s supervisory authority. Nitro will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Nitro may object to the auditor if the auditor is, in Nitro’s reasonable opinion, not independent, a competitor of Nitro, or otherwise manifestly unsuitable. Such objection by Nitro will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Nitro at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Nitro will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Nitro security, privacy, employment or other relevant policies). Nitro will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2(b) shall require Nitro to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Nitro has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Nitro’s safety, security or other relevant policies, and may not unreasonably interfere with Nitro business activities. Customer will promptly notify Nitro of any non-compliance discovered during the course of an audit and provide Nitro any audit reports generated in connection with any audit under this Section 2(b), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Nitro for any time expended by Nitro and any third parties in connection with any audits or inspections under this Section 2(b) at Nitro’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
3. Impact Assessments and Consultations
Nitro will (taking into account the nature of the Processing and the information available to Nitro) reasonably assist Customer in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of Nitro’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA.
4. Data Transfers
(a) Data Processing Facilities. Provider may, subject to Section 4(b) (Transfers out of the EEA), store and Process Personal Data in the United States or anywhere Provider or its Subprocessors maintain facilities.
(b) Transfers out of the EEA. If Customer transfers Personal Data out of the EEA to Nitro in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this DPA. In furtherance of the foregoing, the parties agree that(i) Customer will act as the data exporter and Nitro will act as the data importer under the Standard Contractual Clauses;(ii) for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section 1(a) to this Annex 1 (Subject Matter and Details of Processing);(iii) for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;(iv) data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses upon data exporter’s request, and that data importer may remove or redact all commercial information or clauses unrelated the Standard Contractual Clauses or their equivalent beforehand;(v) the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 2(b) of this Annex 1 (Reviews and Audits of Compliance);(vi) Customer’s authorizations in Section 5 (Subprocessors) of this Annex 1 will constitute Customer’s prior written consent to the subcontracting by Nitro of the Processing of Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses; and(vii) certification of deletion of Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided upon data importer’s request.
Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the transfer of Personal Data outside the EEA in accordance with European Data Protection Laws applies to the transfer. In the event of any conflict or inconsistency between (a) this Annex 1 and any other provision of this DPA, this Annex 1 will govern or (b) the Standard Contractual Clauses and any other provision of this Agreement, the Standard Contractual Clauses will govern.
(a) Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of Nitro’s Affiliates as Subprocessors and generally authorizes the engagement of other third parties as Subprocessors (“Third Party Subprocessors”).
(b) Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: www.gonitro.com/legal/subprocessors as may be updated by Nitro from time to time) or such other website address as Nitro may provide to Customer from time to time (the “Subprocessor Site”).
(c) Requirements for Subprocessor Engagement. When engaging any Subprocessor, Nitro will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Nitro shall be liable for all obligations under the Agreement subcontracted to, the Subprocessor or its actions and omissions related thereto.
(d) Opportunity to Object to Subprocessor Changes. When Nitro engages any new Third Party Subprocessor after the effective date of the Agreement, Nitro will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means. If Customer objects to such engagement in a written notice to Nitro within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Nitro will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Nitro and pay Nitro for all amounts due and owing under the Agreement as of the date of such termination.
(e) Sufficiency of Consent. Customer hereby acknowledges and agrees that the foregoing procedures are sufficient to obtain Customer’s prior written consent to the subprocessing under Article 28 of the GDPR, and to the extent required under Clause 5(h) of the Standard Contractual Clauses.
ANNEX 2 TO DPA
- For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information governed by the CCPA.
- It is the parties’ intent that with respect to any personal information, Nitro is a service provider. Nitro shall not (a) sell any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; or (c) retain, use or disclose the personal information outside of the direct business relationship between Nitro and Customer. Nitro hereby certifies that it understands its obligations under this Section 2 and will comply with them.
- The parties acknowledge that Nitro’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Nitro’s provision of the Services and the business relationship between the parties.
ANNEX 3 TO DPA
Technical and Security
Overview of Nitro Sign
Application security, compliance, user authentication,
document integrity and disaster recovery
Nitro’s software solutions are designed to improve productivity and reduce paper consumption for every knowledge worker. By enabling end-to-end digital document workflows, Nitro helps organizations advance document security and corporate sustainability initiatives — essential factors in building the foundation for successful digital transformation.
Nitro Sign, a part of the Nitro Productivity Suite, is a browser-based application offering fast, secure and legally binding eSigning workflows. Designed to provide simple, delightful eSigning for everyone, Nitro Sign offers an intuitive interface and rich functionality supported by strong security fundamentals, for a truly enterprise-grade experience. With our eSigning solution, Nitro customers are transforming disconnected, time-consuming legacy processes into modern digital workflows that can be executed in minutes.
Nitro Sign provides all the functionality required to achieve fast, secure and legally binding eSignatures:
- Sequenced order of signers
- Real-time notifications
- Viewing analytics
- Multi-factor authentication for signer identity verification
- Tamper-proof signed documents
- Complete audit trail for each document
- Reusable templates
- Compliance with the highest level of global regulations and standards
The purpose of this this paper is to provide a high-level overview of Nitro Sign’s overall security framework, including but not limited to : application security, compliance, organisational security, network security, data security and disaster recovery.
Nitro Sign runs on a containerised micro-services platform hosted in a dedicated-to- Nitro VPC (Virtual Private Cloud) across multiple Availability Zones within a single EU region—Frankfurt, Germany. Nitro Customers access the Nitro Sign application through their web browsers via the public website cloud.gonitro.com.
Public internet traffic to and from cloud.gonitro.com is encrypted via TLS (Transport Layer Security) secured using a Secure Hash Algorithm (SHA-2) family extended validation digital certificate from DigiCert (www.digicert.com) with both SHA1 and SHA256 fingerprints; SHA256 is the hashing algorithm used, and the signing scheme used is 2048-bit RSA.
Nitro Sign documents are stored in secure, dedicated and managed locations, using the Advanced Encryption Standard with a 256-bit key size (AES-256). AES is included in the ISO/IEC 18033-3: Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers Standard. AES is defined as U.S. Federal Information Processing Standard: FIPS PUB 197: Advanced Encryption Standard (AES).
Data communications between the web clients and Nitro backend servers is encrypted using TLS, which protects data in transit. Document metadata is held in a Relational Database Service which provides for high availability and data durability. Storage is provided by Amazon S3 (Simple Storage Service) buckets — dedicated to Nitro — which are encrypted to protect data at rest.
Sensitive information (credentials, tokens, certificates, API keys) are managed through an encrypted vault database.
Nitro Sign supports multiple methods for managing and authenticating user's identities.
Nitro Admin, our dedicated user and license management portal, is used by designated administrators to invite new users, to manage existing users and their licenses, and to suspend or remove users, as necessary.
Nitro also offer Single Sign-On (SSO) integrations as part of our Enterprise level plan. SSO allows users to access Nitro's products by authenticating through the organization’s Identity Provider (IdP). Nitro supports SSO with any SAML-2.0 compliant IdP.
More information on enabling Nitro’s SSO integration can be found here https://www.gonitro.com/user-guide/admin/article/single-sign-on-overview
Upon completion of a signature workflow, Nitro digitally signs the PDF using a certificate issued to identify Nitro as an organization. The digital signature verifies the document integrity and confirms that the document has not been tampered with since it was completed. Please see the following image for how the Digital Signature appears on a completed document being viewed in Nitro Pro 13. The Digital Signature will be present in the copy of the document received by all parties to the request.
Nitro Software Inc. holds HIPAA, SOC2 Type 1, and SOC2 Type 2 certifications, among others. Nitro are also self-certified for Privacy Shield, and fully committed to supporting the EU General Data Protection Regulations (GDPR).
Nous abordons la sécurité des données comme notre première priorité et prérogative. Ainsi, nous assurons la sécurité à chaque étape du cycle de développement de système de tous les produits Nitro.
We follow industry best practices to transfer, process, and store customer data. All Nitro cloud–enabled features use state-of-the-art computing facilities that satisfy key industry standards, such as PCI DSS, HIPAA, and SOC. Our primary data centre is in the EU in Frankfurt, Germany.
Nitro protects documents in motion and at rest with digital audit trails and TLS AES encryption. Through extensive logging and instrumentation, we monitor our production environment to audit security, availability, access, and other metrics for our services.
We use a combination of automated tools and manual inspection to ensure constant oversight of security events. For all of our cloud infrastructure, we use Amazon Web Services (AWS), which provides extensive documentation about their security practices here. AWS employs cutting-edge data security measures, as well as physical access restrictions at server locations.
For a full list of Nitro certifications, including SOC 2 Type 2, HIPAA, and Privacy Shield, please click here.
The list of AWS certifications, including ISO 27001 and SOC reports 1, 2, and 3, is available here.
Nitro Software has developed and communicated to its users’ procedures to restrict logical access to Nitro Software’s systems. The procedures cover the following key security lifecycle areas:
- Policy management and communication
- Authorization, changes to, and termination of information system access
- Authorization, testing and approval of changes to production environment applications
- Monitoring security controls
- Management of access and roles
- Maintenance and support of the security system and necessary backups/media storage
- Disaster recovery and incident response
- Maintenance of restricted access to system configurations, administrative functionality, passwords, powerful utilities, and security devices
Background Checks: Nitro go to great lengths to ensure no one sees or processes your data unless they’re authorized to do so — and we strictly limit exceptions. All employees are subject to background checks, and access to production servers is limited solely to engineers who need to work directly with our production systems.
Nitro Information Security Standards v 1.5 exist and are in effect.
These Standards are developed under the authority of the Nitro Information Security Policy.
These Standards apply to all components of Nitro and all geographic regions where Nitro operates.
These Standards are based on and aligned with ISO/IEC 27002:2013 Information technology – Code of practice for information security controls (licensed by Nitro).
These standards are also aligned with and support the U.S. Department of Commerce NIST Special Publication 800-53.
The Nitro Information Security Policy is owned by the Global Security Lead, who has secured management approval and responsibility for developing, reviewing, and maintaining the policy.
Nitro Information Security Standards underpin the Nitro Information Security Policy. Standards are reviewed on an on-going basis with updates applied as and when required.
Nitro Information Security Standards and Policy are reviewed annually as part of our ongoing Regulatory Compliance initiatives including SOC2 and HIPAA.
Security Awareness & Training
Nitro has an information security policy to help ensure that employees understand their individual roles and responsibilities concerning processing and controls to ensure significant events are communicated in a timely manner.
These include formal and informal training programs and the use of email, Slack and other methods to communicate time-sensitive information and processes for security and system availability purposes that notify key personnel in the event of problems.
General Information Security training is delivered during the hiring and onboarding process and refreshed at least annually thereafter. Specific training dependent on roles is provided to specialist areas such as software development and systems or platforms engineering.
All systems and applications are subject to vulnerability assessment scans by an independent and accredited third party on a regular basis.
The Nitro online platform service is a cloud-based solution hosted in AWS VPC across multiple availability zones in a single region (Frankfurt, Germany), designed for failure, self-healing, robustness, and is highly available.
Automated backups are in place covering 20 generations of data.
AES-256 encryption is in place covering data at rest, and data in transit.
Multiple instances of Anti-Virus and Anti-Malware technology is in place, at the desktop layer and also at the email gateway and internet gateway layers.
Nitro also uses a Web Application Firewall and DDoS protection platform.
All Nitro systems are built to be highly resilient, highly available, and fault tolerant.
That said, we do have a Nitro Disaster Recovery Plan and Nitro Business Continuity Plan, which are reviewed and tested annually.
The most recent test of the Nitro Disaster Recovery Plan was conducted in Q3 2020.