Information Security Policy

Last Updated: May 27, 2020

Purpose

1.1 This Policy defines the requirements for information security management within SingleStore to ensure all information is adequately protected from unwanted or unauthorised disclosure, alteration, or unavailability.

Scope

2.1 This Policy applies to all SingleStore personnel irrespective of status, including temporary staff, contractors, consultants, and third parties who have access to SingleStore’s data and systems. The scope of this Policy includes, but is not limited to:
  • All information processed by SingleStore in pursuit of its operational activities, regardless of whether it is processed electronically or in paper form, including but not limited to:
    • External customer products, materials, information and reports
    • Operational documents, plans, and minutes
    • Financial and compliance records
    • Employee records
  • All information processing facilities used in support of SingleStore’s operational activities to store, process and transmit information
  • All external organisations that provide services to SingleStore in respect of information processing facilities.

Introduction to the Policy

3.1 In order to prevent information security breaches, including losses of information confidentiality, integrity and availability, and to prevent any breaches of legal, regulatory and contractual requirements, it is important that SingleStore has appropriate information security controls in place. As we grow as a business and SingleStore Managed Service becomes a more prominent product, our security posture is integral to our success as a business and to the success of the SingleStore Managed Service proposition. These controls are intended to ensure:
  • Confidentiality of information assets – for example, that access is only permitted to those with a justified business need;
  • Integrity of assets is maintained – for example, that authenticity of data is assured;
  • Availability of information assets – for example, ensuring information necessary to deliver our core business services is available when it is needed;
  • Compliance – legislative, regulatory, contractual and industry standard security requirements are met.

Policy

4.1 This Policy establishes the necessary policies and an organisational structure that will:
  • Ensure SingleStore’s information, systems and infrastructure are appropriately protected and secure, yet remain available in line with business requirements, preserving confidentiality of information, integrity (completeness and accuracy) of information, and availability of information and the systems and places where it is stored and processed
  • Ensure SingleStore’s information security related legal and regulatory requirements are met, including:
    • The European Union General Data Protection Regulation (GDPR)
    • California Consumer Privacy Act (CCPA)
    • ISO/IEC 27001:2013
    • SOC 2 (System and Organization Controls)
    • HIPAA (Health Insurance Portability and Accountability Act of 1996)
    • (These are ongoing efforts; the corresponding certifications have not yet been obtained)
  • Ensure that SingleStore meets its customers’ contractual information security obligations and provides assurance of its capability and capacity to manage information security adequately and meet its customer needs. This applies to both the products being hosted by SingleStore and being hosted by the customers of SingleStore.
4.2 Compliance with this Policy is mandatory to minimise business damage by preventing and minimising the impact of information security incidents. Incidents can result in legal, regulatory or contractual breaches and financial or reputational loss to the organisation and/or its customers.

Responsibilities

5.1 VPs and Directors are directly responsible for ensuring their areas of responsibility are adhering to this Policy.
5.2 All authorised users shall adhere to this Policy. Non-compliance shall be subject to investigation and may result in disciplinary action.
5.3 The Head of Information Security is responsible for ensuring the maintenance, regular review and updating of this Policy. Revisions, amendments or alterations to the Policy shall be issued and communicated as appropriate.

Information Security

6.1 It is the policy of SingleStore to ensure that:
  • Information security supports SingleStore’s business objectives
  • SingleStore’s information security responsibilities are defined and communicated
  • Information security related policies, processes and procedures are in place to identify and mitigate information security risks to an acceptable level, to protect SingleStore’s systems, infrastructure, and the information security requirements of interested parties, including the organisation’s customers
  • The confidentiality, integrity and availability of SingleStore’s information and the places where that information is stored, handled and processed are maintained
  • Information security objectives are established for relevant functions
  • In the event of a disruption, SingleStore can continue to deliver an acceptable level of service of its critical activities to its interested parties
  • Appropriate information security measures are included in contracts with third parties, where possible.

Information Security Compliance Management

7.1 Activities related to the use of SingleStore’s information, including the systems and places where it is stored and processed, shall be monitored to ensure that SingleStore’s requirements for confidentiality, integrity, and availability are maintained. Compliance activities are managed and evidenced with SingleStore’s GRC tool.
7.2 Staff or third parties with access to SingleStore’s information, systems or premises are responsible for reporting any suspicious activity, security breaches or security violations to their Manager, Head of Information Security or other authorised SingleStore contact, in accordance with the Incident Reporting and Escalation Process.
7.3 The Executive Committee, with guidance from the Head of Information Security, may authorise deviation from the organisation’s information security related policies only when:
  • It has been clearly demonstrated that a cost/benefit analysis of the available compliance options and risks of not complying has been performed
  • Analysis results indicate that compliance will have a significant and unacceptable business impact
  • Risk acceptance has been formally approved
  • SingleStore remains compliant with legal and regulatory requirements.

Information Security Risk Acceptance

8.1 SingleStore’s Executive Committee must formally accept responsibility for all identified information security risks when deviating from the organisation’s information security related policies. Information security risk acceptances must, in advance, be:
  • Documented by the relevant manager
  • Filed with, and approved by, SingleStore InfoSec Steering Committee
  • Managed within the Risk Register in SingleStore’s ZenGRC tool

Security Awareness and Training

9.1 Staff with access to SingleStore’s information, systems and the places where information is processed shall be educated on their security responsibilities. Education shall be provided at induction so that new employees understand their responsibilities in respect of the protection of information and the places where information is processed and stored.
9.2 Staff shall be provided with annual information security education and supporting reference materials as required by ISO 27001, SOC 2, GDPR and CCPA. Information Security will provide additional updates and other related materials to regularly remind staff about their obligations with respect to security.
9.3 The security responsibilities of third parties shall be defined and agreed in accordance with SingleStore’s Third Party Management Policy.

Policy Review Date

10.1 This Policy document will be reviewed and appropriately updated on an annual basis. It shall also be reviewed and appropriately updated when there are any changes to ISO 27001, SOC 2, GDPR and CCPA.