This Information Security Policy (“Policy”) describes the technical and organizational security measures implemented by Oxen to secure the Solution and Customer Data where Customer purchases the SaaS version of the Solution. Oxen may update or change its controls from time to time but will never materially decrease the level of security as set out in this Policy.
1. Definitions
Unless otherwise defined herein, all capitalized terms have the meaning given to them in the Oxen Master Subscription Agreement (“Agreement”).
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
“Personal Data” means any Customer Data relating to an identified or identifiable natural person or household.
“Supervisory Authority” means any regulator or regulatory body or supervisory authority in any country.
2. General Security Practices
Oxen has implemented and shall maintain appropriate technical and organizational measures designed to protect Customer Data against accidental loss, destruction, alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, procedures and internal controls as set forth in this Policy.
3. Information Security Organization
3.1 Information Security Program. Oxen shall maintain a comprehensive written information security program (“Program”) that encompasses administrative, technical and physical controls designed to protect the confidentiality, security, integrity, and availability of Customer Data and with the aim of protecting against Data Breaches. Oxen shall ensure the Program is consistent with global industry standards and appropriately tailored to the types of data processed by Oxen.
3.2 Information Security Personnel. Oxen’s Program shall be led by its Head of Engineering or other designated information security professional, who is responsible for its direction, governance and oversight. To administer the Program, the Head of Engineering shall direct a team of highly qualified personnel with training and certifications specialized in information security.
3.3 Information Security Review. Oxen’s Program and approach to managing information security shall be reviewed regularly and whenever significant changes occur, by appropriate internal and external assessors.
3.4 Information Security Governance. Oxen shall leverage a cross-functional leadership team to shape security programs and drive executive alignment in all security initiatives. Relevant Oxen personnel shall meet regularly to foster communication between operational teams and ensure security is considered in all projects.
3.5 Policies and Procedures. Oxen shall maintain policies and procedures related to information security, confidentiality and integrity. These shall be reviewed and updated at least annually and made available to employees via the Oxen intranet. Employees must review and acknowledge these policies at onboarding and on an annual basis.
3.6 Open Source. The Oxen command line interface, its Rust and Python bindings, and its HTTP interfaces are open source (GitHub: https://github.com/Oxen-AI/Oxen), giving the community visibility into the implementation and the ability to both test and contribute to the code. Oxen maintains robust documentation thereof at https://docs.oxen.ai/.
4. Human Resources Security
4.1 General. Oxen shall ensure all personnel are subject to written confidentiality obligations and the Oxen Code of Conduct and Business Ethics, and shall inform personnel of the consequences of violation. Personnel who violate these shall be subject to disciplinary action up to and including termination.
4.2 Training and Awareness. Oxen shall ensure that mandatory information security and data privacy training is provided to employees at onboarding and on a regular basis throughout employment to aid in the prevention of unauthorized or unintended disclosure of Customer Data. Training shall be regularly reinforced by security awareness communications, events and phishing campaigns.
4.3 Background Checks. Oxen shall conduct background checks on personnel in compliance with applicable law, which may include employment history, foreign employment, criminal background, credit check (when applicable), education verification, sex offender register, OFAC/Global Sanctions, SSN Tracing.
5. Business Continuity Management
5.1 Business Continuity Management Program. Oxen shall maintain a Business Continuity Management Program (“BCM Program”) designed to manage significant disruptions to operations and infrastructure, including cybersecurity incident response. The BCM Program shall include the following elements:
defined global and regional governance bodies and executive ownership;
BCM professionals responsible for creating, managing and monitoring preparedness;
defined crisis management organizations and escalation protocols;
established crisis communications strategies for all stakeholders;
identification of critical activities and planned recovery time objectives;
thorough risk and impact assessments of locations and processes, including critical suppliers;
testing on at least an annual basis of all related systems and components, including staff recovery, and tracked remediation for any issues identified during testing; and
continued maintenance and review of arrangements to respond to changing business requirements and risks.
5.2 Data Recovery. Where and as applicable, Oxen shall design redundant storage and procedures for recovering data in its possession or control in a manner sufficient to reconstruct Customer Data in its original state on the last recorded backup.
6. Physical Controls
6.1 Physical Access to Facilities. Oxen shall limit access to all Oxen controlled office locations to authorized individuals. All such office building entryways shall be monitored by building security personnel and/or CCTV and shall be access controlled at all times.
All personnel shall be issued entry and identification badges which must be carried at all times. Badges shall be deactivated upon employment termination.
All office visitors shall be logged and accompanied throughout the office.
6.2 Remote Employees. Oxen shall ensure that all personnel are aware of physical security policies including:
Securing of company physical devices - laptops, phones, etc.
Use of two-factor authentication (2FA) wherever possible.
7. Audits
7.1 General. Oxen shall cooperate with reasonable requests by Customer for legally required audits of Oxen’s security and privacy practices. The time, duration, place, scope and manner of the audit must be mutually agreed by the parties.
7.2 Audit Procedure. On written request from Customer, Oxen shall answer Customer’s written questions about Oxen’s security and privacy practices and shall provide Customer with information necessary to demonstrate Oxen’s compliance with the terms of this Information Security Policy and the Oxen Data Processing Policy. Customer may make one request per calendar year except if a Data Breach has occurred.
7.3 Regulatory Compliance. Taking into account the nature of the request and to the extent reasonably feasible from a technical perspective, Oxen shall provide Customer with any information necessary to enable Customer to comply with any applicable law or any request from a Supervisory Authority.
7.4 Cooperation with Supervisory Authorities. If a Supervisory Authority wishes to carry out an audit of Oxen or its activities under the Agreement, Customer shall provide Oxen with no less than 10 business days’ notice, unless the Supervisory Authority has given less notice to Customer. Oxen shall cooperate with the Supervisory Authority as it requires.
8. Customer Data
8.1 Where Customer Data includes Personal Data, the parties will comply with their obligations in the Data Processing Policy found at https://www.Oxen.com/legal/data-processing-policy. Where Oxen has provided to Customer a SaaS-version of the Solution with the express right to include Protected Health Information (“PHI”) in the Customer Data, with respect to such PHI the parties will comply with their obligations in the Business Associate Agreement found at https://www.Oxen.com/legal/BAA, unless the parties have executed a separate Business Associate Agreement in which case such executed Business Associate Agreement shall apply.
8.2 Cloud Data Storage. Oxen’s multi-tenant SaaS offering (“MTS”) is hosted on AWS servers located in the United States. Customers located in other countries will be provisioned on the US AWS instance. To review AWS’s security documentation, please visit https://aws.amazon.com/compliance/data-center/controls/. Oxen’s single-tenant SaaS offering (“STS”) can be hosted by various service providers (e.g., AWS, GCP, Azure) in various locations. Customer shall choose its hosting provider and data storage location based on available offerings at the time of product purchase and may review the applicable hosting provider’s security documentation at such time.
8.3 Data Backups. For MTS, AWS Elastic Block Store (EBS) volumes are backed up using EBS Snapshots. Backups shall be automated, encrypted, and performed multiple times daily. For STS, please review the applicable hosting provider’s data-backup policies at the time of purchase.
8.4 Logging and Monitoring. Oxen shall maintain logs of administrator and operator activity and data recovery events.
8.5 Data Encryption. Oxen shall encrypt all Customer Data residing in or transiting to or from the Solution. Customer Data in transit is encrypted using HTTPS (TLS 1.2/AES-256 or better). Data at rest in cloud environments is encrypted with SSE-S3 object-level data encryption (AES-256) available from the cloud supplier.
8.6 Return of Data. Customer may export its data from the Solution at any time during the Subscription Term in accordance with the instructions in the Documentation.
8.7 Data Disposal. Within 30 days of termination of Subscription Term, Oxen will delete all Customer Data that is not required to be retained by law. Any Customer Data that is retained will be managed in accordance with the terms of this Policy and the Data Processing Policy (where applicable) and deleted according to our retention policy.
9. Access Controls
9.1 Access Management. Oxen shall employ access control mechanisms to prevent unauthorized access to Customer Data and systems that have access to Customer Data. Oxen shall restrict access to Customer Data only to personnel whose access is necessary to provide the Solution.
Oxen shall maintain a record of personnel authorized to access Customer Data and review user access rights at regular intervals.
Oxen shall have controls designed to avoid personnel assuming access rights beyond those that they have been assigned to limit unauthorized access to Customer Data.
At Customer’s reasonable request, Oxen shall promptly suspend or terminate access rights to Customer Data for Oxen personnel reasonably suspected of breaching any of the provisions of this Policy. Oxen shall remove access rights of all personnel upon termination of their employment.
9.2 Secure Access Protocols. Oxen shall use secure access protocols and solutions such as LDAP, firewalls, and VPN to enforce logical access in the internal network environment.
9.3 Application Password Management. For users attempting to access the Solution, Oxen shall require complex user passwords with length, character complexity, and non-repeatability requirements. Oxen shall ensure that deactivated or expired login credentials are not granted to other individuals. User passwords shall be salted and hashed using PBKDF2 (SHA-512 with a 128-bit salt).
9.4 Application Authentication Controls. Oxen shall monitor repeated failed attempts to gain access to the Solution and shall lock out user accounts after five failed authentication attempts. Oxen shall ensure that two-factor authentication is available for user accounts, and provide for unique user API tokens. Oxen shall allow for Single Sign-On (SSO) authentication with any standard SAML 2.0 identity provider.
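The password-storage scheme of section 9.3 and the five-failure lockout of section 9.4, shown together as an added illustration (this is not Oxen’s own code). The page does not state a PBKDF2 iteration count, so the value below is an assumption; the record format and the Account class are likewise illustrative.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Parameters taken from the policy text: PBKDF2 over SHA-512 with a 128-bit (16-byte) salt.
HASH_NAME = "sha512"
SALT_BYTES = 16
# Assumed iteration count (not stated in the policy); 210,000 follows current OWASP guidance.
ITERATIONS = 210_000
MAX_FAILED_ATTEMPTS = 5  # lockout threshold from section 9.4


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    hash_name = algo[len("pbkdf2_"):]
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class Account:
    record: str            # stored password record, never the password itself
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account: Account, password: str) -> str:
    """Apply the section 9.4 rule: lock the account after five consecutive failures."""
    if account.locked:
        return "locked"          # no verification once locked, so no further guessing signal
    if verify_password(password, account.record):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "denied"
```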
9.5 Role Based Access. Oxen shall provide granular user application privilege controls. User administrative accounts shall have the ability to assign user and group roles with varying levels of access privileges based on the user’s or group’s use of the Solution.
10. Data Breaches
Oxen shall maintain procedures to ensure a timely and efficient response to a Data Breach. Oxen shall:
notify Customer without undue delay but no later than 48 hours after becoming aware of a Data Breach;
provide assistance and available information to Customer as reasonably requested to enable Customer to investigate, mitigate the effects of and remediate the Data Breach and comply with any breach notification obligations that apply to Customer under applicable law;
take steps to identify the cause of any Data Breach and put in place measures and take steps that Oxen deems necessary to mitigate the effects of and remediate the Data Breach;
retain appropriate information and records about any Data Breach for a reasonable period of time;
cooperate with Customer, law enforcement and any applicable Supervisory Authorities as reasonably required in relation to a Data Breach;
not reference or identify Customer when making any notification to a third party about a Data Breach unless required to do so by applicable law.
11. Communications Security
11.1 Networks. Oxen shall use the following controls designed to secure its networks that access or process Customer Data:
Network traffic shall pass through firewalls, which are monitored at all times. Oxen shall implement intrusion detection and/or prevention systems.
Network devices used for administration shall utilize industry standard cryptographic controls when processing Customer Data.
Anti-spoofing filters and controls shall be enabled on routers. Network, application and server authentication passwords shall have complexity requirements. Oxen shall have a policy prohibiting the sharing of user IDs, passwords or other login credentials.
Firewalls shall be deployed to protect the perimeter of Oxen’s networks.
11.2 Virtual Private Networks. Oxen shall employ the following controls when remote connectivity to Oxen’s network is required for processing Customer Data:
Connections shall be encrypted using industry standard cryptography (i.e. a minimum of 256-bit encryption);
Connections shall only be established using VPN servers;
Multifactor authentication shall be required for access.
12. Secure Development
12.1 Development Requirements. Oxen shall have policies for secure development, system engineering, change control, and support. Oxen shall conduct appropriate tests for system security as part of acceptance testing processes. Oxen shall supervise and monitor the activity of outsourced system development.
12.2 Change Management. Oxen shall follow industry best practices for the tracking of application projects and source code changes. Task tracking software shall be used to provide an audit trail of all software changes and pull requests. All code shall be subject to extensive testing, stakeholder signoffs, and code review prior to release.
12.3 Application Code Security Analysis. Oxen shall adhere to the OWASP Top 10 for secure coding practices. Static, dynamic and software composition analysis scans shall be performed on each major application release. If the scans reveal any material deficiencies or weaknesses, Oxen shall promptly take such steps as may be required, in Oxen’s reasonable discretion, to remediate, taking into consideration their criticality based on their nature, severity and likelihood.
12.4 Application Environment Security Analysis. For each major application release, Oxen shall perform static and dynamic analysis scans and container environment scans. If the scans reveal any material deficiencies or weaknesses, Oxen shall promptly take such steps as may be required, in Oxen’s reasonable discretion, to remediate, taking into consideration their criticality based on their nature, severity and likelihood.
12.5 Supply Chain Management. Oxen shall manage and regularly scan its software supply chain libraries for vulnerabilities and license compliance. Oxen shall promptly remediate any material vulnerabilities or instances of noncompliance that are identified.
13. Security Testing and Monitoring
13.1 Testing and Monitoring Requirements. Oxen shall maintain policies and procedures for the ongoing testing and monitoring of Oxen environments by internal and/or external parties, using industry standard tools and methodologies.
13.2 Threat Management. Oxen shall maintain a threat management program to monitor both malicious and non-malicious threats. Identified issues shall be reviewed and investigated.
13.3 Remediation. If the testing and monitoring described in this Section 13 reveal any material deficiencies or weaknesses, Oxen shall promptly take such steps as may be required, in Oxen’s reasonable discretion, to remediate, taking into consideration their criticality based on their nature, severity and likelihood.