Axiad Information Security Program Manual for Axiad Mesh
  • 20 Mar 2025

Overview

Axiad is committed to achieving and preserving the trust of our customers by providing a comprehensive information security program that carefully considers data protection matters across our suite of products and services.

Axiad’s Security Posture

Axiad holds a SOC2 type 2 Certification for the Axiad Conductor product and has implemented similar security controls for Axiad Mesh, which will undergo SOC2 certification in 2025.

Covered Products and Services

This document describes the security controls and policies that Axiad has in place in regard to its Axiad Mesh product.

PoC and Free Trials

Axiad products provided as a PoC or a Free Trial may employ lesser or different security measures than those described in this document.

Customer Data

Customer Data Definition

In the context of Axiad Mesh, Customer Data means:

  • Entities, their metadata, and their relationships, collected through synchronization and events relating to identities, credentials, roles, groups, privileges, resources, services, applications, and organizational structures such as departments and locations

    • Metadata collected from these synchronizations is determined based on its relevance to identity correlation and risk determination

  • Findings, assertions, and automated and customer-guided decisions about the above data as a result of analysis, correlation, and risk detection

  • Customer-provided configuration and automated sync state information to facilitate secure, authenticated interactions with customer-selected external systems and to authenticate and authorize operators of the system

Retrieval of Customer Data

Upon written request by a customer made prior to the effective date of termination or expiration of the customer’s agreement, Axiad will make available to the customer, at no cost, for thirty (30) days following the end of the agreement’s term, for download, a file of Customer Data in industry-standard format (e.g. and without limitation, .json or .csv).

After such 30-day period, Axiad shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data by expunging Customer’s unique instance of the Service. During the term of the agreement, Customer may extract Customer Data from the Service in accordance with applicable Documentation. Axiad will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; provided further that in all cases Axiad will continue to protect the Customer Data in accordance with the customer’s agreement.

Security

Information Security Policies

Axiad has implemented the Information Cloud Security Policy, which is a comprehensive security policy that governs access control, configuration management, contingency planning, continuous monitoring, security acquisition, supply chain risk management, vulnerability management, and incident response.

The key objectives and principles of the information security program are to protect the confidentiality, integrity, and availability of systems and data, and to reduce the risk posed by third-party suppliers.

Risk Management

Axiad has a process for identifying, assessing, and mitigating risks, which is detailed in the Risk Management Procedures as well as the Supply Chain Risk Management Procedures. Roles and responsibilities in risk management have been defined and detailed within the procedural steps.

Security Controls

Axiad has implemented NIST SP 800-53 Revision 5 security controls that align with the FedRAMP Moderate baseline. The controls implemented cover technical, physical, and administrative actions.

Background Checks

Axiad performs background checks on ALL employees.

Identity and Access Management

Axiad has in place access management policies and procedures that are designed to:

  • Limit access to its information systems and the facilities in which they are housed to properly authorized persons

  • Prevent personnel and others who should not have access from obtaining access

  • Remove access on a timely basis in the event of a change in job responsibilities or job status

Axiad institutes the following identity management controls:

  • Provisioning Axiad personnel with access to Customer Data based on need-to-know criteria and the least-privilege principle

  • Requiring that User identifiers (e.g., User IDs) be unique and readily identifiable to the Axiad personnel to whom they are assigned, and no shared or group User IDs be used by Axiad personnel for access to any Customer Data

  • Utilizing phishing-resistant, hardware-based multi-factor authentication, which employs the highest level of security controls

  • Periodically reviewing to ensure that those Axiad personnel who have access to Customer Data still require access

Data Protection

Axiad has implemented data classification and mapping for customers and includes security and privacy impact assessments within its Software Development Lifecycle to ensure that all impacts are identified and mitigated in order to safeguard data.

Axiad encrypts sensitive data at rest using AES-256 and in transit using TLS 1.3, and employs equivalent cloud IaaS-level data protection mechanisms. Axiad collects and retains only the data necessary for business purposes, regularly backs up data, and encrypts backups.

Company

Business Continuity and Disaster Recovery

Axiad maintains a Business Continuity Plan that is reviewed annually. This plan is coordinated with disaster recovery activities, contingency planning, and incident response. The plan is exercised annually with all identified roles.

Secure Development Practices

Axiad maintains a secure development practice, which includes integrating security from the planning stages of the SDLC.

  • Axiad follows secure coding standards, uses static code analysis to find vulnerabilities, and applies the principle of least privilege to minimize permissions for code management and lifecycle tooling

  • Axiad implements strong authentication, role-based access control (RBAC), and secure APIs

  • Axiad implements infrastructure security to include secure cloud resources using IAM policies, firewalls, and network implementation

  • Axiad uses software-defined networking to automate secure infrastructure setup, point-to-point security, and the rules that govern permitted traffic flows, ingress points, and egress points

Incident Response

Axiad employs procedures for detecting, reporting, and responding to security incidents for all clients and all environments. These procedures are detailed in the Incident Management Plan. Roles and responsibilities in incident management have been defined in the Incident Management Plan, and annual exercises and training are held for all IR staff.

Compliance and Auditing

Axiad remains compliant with relevant laws, regulations, and standards. Additionally, Axiad undergoes internal security assessments as well as external assessments done by a third-party auditor. The results of these assessments are used to implement improvements and lessons learned into Axiad’s security posture.

Training and Awareness

All Axiad employees undergo annual security training and role-based training. Security training and its effectiveness are also reviewed annually, and adjustments and/or additions are made on a yearly basis. Additionally, Axiad implements training and awareness initiatives through email notifications, phishing tests, and reiteration of security awareness principles throughout the year.

Continuous Improvement

Continuous improvement is an essential part of all Axiad processes, whether technical, compliance, or administrative.

Service Architecture, Data Segregation & Data Processing

The Service operates in a multitenant architecture that is designed to segregate Customer Data and restrict access to Customer Data based on business needs. Additional data segregation is ensured by providing separate environments for different functions, such as for testing and production.
