
Data Protection and Information Security

This Data Protection and Information Security Exhibit (“Exhibit”) is an attachment to the Agreement and sets forth the data protection and information security requirements of 4ward USA, Inc. (“4ward”).

This Exhibit includes by reference the terms and conditions of the Agreement. In the event of any inconsistencies between this Exhibit and the Agreement, the parties agree that the terms and conditions of the Exhibit will control. Throughout the term of the Agreement and for as long as CoreView controls, possesses, stores, transmits, or processes Personal Information as part of the Services provided to Client, CoreView will comply with the requirements set forth in this Exhibit.

The Parties agree that, all Data Protection and Information Security related to the Infrastructure System are exclusively regulated by the Microsoft AZURE DPA Standard Terms available at Microsoft Trust Center:


“Authorized Personnel” means CoreView’s employees or subcontractors who: (i) have a need to receive or access Personal Information to enable CoreView to perform its obligations under the Agreement; and (ii) are bound with CoreView by confidentiality obligations sufficient for the protection of Personal Information in accordance with the terms and conditions set forth in the Agreement and this Exhibit.
“Common Software Vulnerabilities” (CSV) are application defects and errors that are commonly exploited in software. This includes but is not limited to: (i) The CWE/SANS Top 25 Programming Errors – see and; (ii) The Open Web Application Security Project’s (OWASP) “Top Ten Project” – see

“Critical Infrastructure Information” (CII) means information about Client’s network architecture as well as that of its customers, including information about application access, remote access procedures, user IDs and passwords, the location and capability of central offices, data centers, data warehouses, network access points, network points of presence and other critical network sites, as well as the network elements and equipment within them, and includes any information which Client reasonably identifies as critical infrastructure information.
“Industry Standards” means generally recognized industry standards, best practices, and benchmarks.

“Information Protection Laws” means all applicable laws, standards, guidelines, policies, regulations and procedures applicable to CoreView pertaining to data security, confidentiality, privacy, and breach notification.
“Personal Information” also known as Personally Identifiable Information (PII), is information of Client customers, employees and subcontractors held or accessed by CoreView that can be used on its own or combined with other information to identify, contact, or locate a person, or to identify an individual in context. Examples of Personal Information include first and last name, address, social security number or national identifier, biometric records, geolocation information, driver’s license number, account number or username with password or PIN, either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Personal Information includes those data elements defined under applicable state or federal law in the event of a Security Incident.
“Security Incident” is any actual occurrence of: (i) unauthorized access, use, alteration, disclosure, loss, theft of, or destruction of Personal Information or the systems / storage media containing Personal Information; (ii) illicit or malicious code, phishing, spamming, spoofing; (iii) unauthorized use of, or unauthorized access to, CoreView’s systems; (iv) inability to access Personal Information or CoreView systems as a result of a Denial of Service (DOS) or Distributed Denial of Service (DDOS) attack; and (v) loss of Personal Information due to a breach of security.
“Security Vulnerability” is an application, operating system, or system flaw (including but not limited to associated process, computer, device, network, or software weakness) that can be exploited resulting in a Security Incident.


As between CoreView and Client, Client shall be the principal and CoreView shall be its agent with respect to the collection, use, processing and disclosure of all Personal Information. The Parties shall comply with their respective obligations as the principal (e.g., data owner/controller/covered entity) and agent (e.g., data processor/business associate/trading partner) under all applicable laws relating to data privacy, information security, or security breach notification (collectively, the “Information Protection Laws”). The Parties acknowledge that, with respect to all Personal Information processed by CoreView for the purpose of providing the Services under this Agreement:

    1. Client shall determine the scope, purpose, and manner in which such Personal Information may be accessed or processed by CoreView, and CoreView will limit its access to or use of Personal Information to that which is necessary to provide the Services, comply with applicable laws, or as otherwise directed by Client;
    2. Each party shall be responsible for compliance with Information Protection Laws in accordance with their respective roles; and
    3. CoreView and Client shall implement the technical and organizational measures specified in this Exhibit and any additional procedures agreed upon pursuant to a Statement of Work (“SOW”) to protect Personal Information against unauthorized use, destruction or loss, alteration, disclosure or access.


CoreView has and maintains an information security program that has been developed, implemented and maintained in accordance with Industry Standards. At a minimum, CoreView’s information security program includes, but is not limited to, the following elements:


CoreView shall either assign a qualified member of its workforce or commission a reputable third-party service provider with expertise in information security, to be responsible for the development.

    1. Policies and Standards. To protect Client Personal Information, CoreView implements and maintains reasonable security that complies with Information Protection Laws and meets data security Industry Standards.
    2. Security Policies and Standards. CoreView maintains information security policies and standards that: (i) define the administrative, physical, and technological controls to protect the confidentiality, integrity, and availability of Personal Information, Client systems, and CoreView systems (including mobile devices and removable media) used in providing Services to Client; (ii) encompass secure access, retention, and transport of Personal Information; (iii) provide for disciplinary or legal action in the event of violation of policy by employees or CoreView subcontractors and vendors; (iv) prevent unauthorized access to Client data, Client systems, and CoreView systems, including access by CoreView’s terminated employees and subcontractors; (v) employ the requirements for assessment, monitoring and auditing procedures and systems to ensure CoreView is compliant with the policies; and (vi) conduct an annual assessment of the policies, and upon Client written request, provide attestation of compliance.
    3. Monitoring and Enforcement. CoreView will monitor compliance with its privacy policies and procedures to address privacy related complaints and disputes.
    4. Independent Review of Information Security. The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. Independent reviews may include internal auditors or third party security or audit firms.
    5. In the SOW or other document, CoreView will identify to Client all third-party vendors involved in the provision of the Services to Client, and will specify those third-party vendors that will have access to Personal Information.


    1. Segregation of Responsibilities. CoreView will ensure that the responsibilities of their workforce are appropriately segregated to reduce opportunities for unauthorized or unintentional access, modification or misuse of the organization’s assets.
    2. Regulatory Contact: If applicable to CoreView’s business or required by law, CoreView will maintain contact with the governing regulatory authorities to ensure ongoing compliance with the mandated regulatory requirements.
    3. Monitoring of Special Interest Groups. CoreView will maintain appropriate contact with special interest groups, specialist security forums, and/or professional associations in order to remain abreast of evolving information security threats and trends.
    4. Project Management. As applicable, CoreView will ensure that Information security is addressed within its internal project management processes.


    1. Teleworking Requirements. If CoreView allows Authorized Personnel to work remotely in support of CoreView services, CoreView shall provide Authorized Personnel with one of the following technologies to mitigate the inherent security risks of remote access:
      1. A CoreView provided and controlled device (e.g., laptop or workstation) that is securely managed by CoreView’s information technology team(s); OR
      2. A secure technology, service, or platform that enables CoreView to manage the security configuration of personally owned devices used to provide CoreView services, in order to meet the security requirements of both CoreView and Client, as defined within this Agreement.


    1. Screening. Background verification checks on all candidates for employment are carried out in accordance with relevant laws, regulations and ethics, and are proportional to the business requirements, the classification of the Client information to be accessed and the perceived risks.
    2. Security and Privacy Training. CoreView trains new and existing employees and subcontractors to comply with the data security and data privacy obligations under this Agreement and this Exhibit. Ongoing training is to be provided at least annually. Client may provide specific training material to CoreView to include in its employee/subcontractor training.
    3. CoreView ensures that employees, contractors, other sub-contractors or vendors are required to sign a confidentiality or non-disclosure agreement to protect Client Personal Information.
    4. Termination or Change of Employment Responsibilities. Information security responsibilities and duties that remain valid after change of employment shall be defined, communicated to the employee or contractor, and enforced.


    1. CoreView, in providing hosted services to Client, agrees to maintain an inventory of assets associated with information and information processing facilities.
    2. Assets maintained in the inventory must be assigned to an individual or group that is accountable and responsible for the assigned asset(s).
    3. Acceptable use of assets is defined within a formal policy or standard.
    4. The return of assets is clearly communicated, via policies and/or training, to all employees and external party users upon termination of their employment, contract or agreement. Return of assets shall be documented by CoreView.
    5. CoreView classifies data in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. Procedures for handling assets are developed and implemented in accordance with the information classification scheme adopted by the organization.


    1. Procedures must be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
    2. Data Destruction and Data Retention. Upon expiration or termination of this Agreement or upon Client’s written request, CoreView and its Authorized Personnel will promptly return to Client all Personal Information and/or securely destroy Client Personal Information. At a minimum, destruction of data activity is to be performed according to the standards enumerated by the National Institute of Standards, Guidelines for Media Sanitization – see If destroyed, an officer of CoreView must certify to Client in writing within ten (10) business days of completed destruction that all Client Personal Information has been destroyed. If CoreView is required to retain any confidential information or metadata to comply with a legal requirement, CoreView shall provide notice to both the general notice contact in the Agreement as well as Client’s designated Security Contact.


    1. CoreView ensures that Personal Information is accessible only by Authorized Personnel after appropriate user authentication and access controls that satisfy the requirements of this Exhibit.
    2. Two-factor authentication is required for remote connectivity into CoreView systems or networks.
    3. Each Authorized Personnel has unique access credentials and receives training which includes a prohibition on sharing access credentials with any other person.
    4. User Registration and De-registration. CoreView has a formal user registration and de-registration process for enabling assignment of access rights.
    5. User Access Provisioning. CoreView has a formal user access provisioning process to assign or revoke access rights for all user types to all systems and services.
    6. Management of Privileged Access Rights. The allocation and use of privileged access rights is restricted and controlled.
    7. Management of Secret Authentication Information of Users. The allocation of secret authentication information is controlled through a formal management process.
    8. Review of user access rights. User access rights must be reviewed at regular intervals but at a minimum on an annual basis.
    9. Removal or Adjustment of Access Rights. The access rights of all employees and external party users to information and information processing facilities is removed upon termination of their employment, contract or agreement, or adjusted as appropriate upon change in role or responsibilities.
    10. Password Management System. Password management systems are interactive and ensure strong passwords.


    1. CoreView agrees to preserve the confidentiality, integrity and accessibility of Personal Information with administrative, technical and physical measures that conform to Industry Standards as applied to CoreView’s own systems and processing environment. Unless otherwise agreed to in writing by Client, CoreView agrees that any and all Personal Information is stored, processed, and maintained solely on designated systems located in the continental United States.
    2. CoreView logically segregates Personal Information from CoreView’s own data as well as from the data of CoreView’s other customers or third parties.


    1. CoreView has a formal policy on the use of cryptographic controls for protection including the use, protection and lifecycle of cryptographic keys.
    2. CoreView agrees that all Personal Information is encrypted with a Federal Information Processing Standard (FIPS) compliant encryption product, also referred to as FIPS 140-2 compliant. Symmetric encryption requires a minimum key length of 128 bits and asymmetric encryption requires a minimum key length of 1024 bits. Encryption is utilized in the following instances:
      1. Personal Information that is stored on any portable computing device or any portable storage medium.
      2. Personal Information that is transmitted or exchanged over a public network.
    3. Encryption may also be required for confidential information depending upon the data


    1. Physical Security. Security perimeters shall be defined and used to protect areas that contain either sensitive, critical information or information processing facilities.
    2. Physical entry controls. Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
    3. Securing Offices, Rooms and Facilities. Physical security for offices, rooms and facilities shall be designed and applied.
    4. Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
    5. Equipment. Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
    6. Secure Disposal or Reuse of Equipment. All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
    7. Clear Desk and Clear Screen Policy. A clear desk policy for papers and a clear screen policy for facilities processing Personal Information must be adopted and adhered to.


    1. Change Management. Changes to the organization, business processes, information processing facilities and systems that affect information security shall be formally controlled.
    2. Separation of Development, Testing and Operational Environments. CoreView agrees that development and testing environments shall be separated from operational or production environments to reduce the risks of unauthorized access or changes to the operational or production environment.
    3. Malicious Code Protection. CoreView’s software development processes and environment are protected against malicious code being introduced into future releases and/or updates of its product(s).
    4. Vulnerability Management. Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
    5. Logging. CoreView software that controls access to Personal Information logs and tracks all access to the information.
      1. Logging facilities and log information are protected against tampering and unauthorized access.
      2. CoreView maintains access logs relevant to Personal Information for a minimum of six (6) months or other mutually agreed upon duration.
    6. Installation of Software on Operational Systems. Rules governing the installation of software by users shall be established and implemented on operational systems.
    7. Data Backup. The parties shall agree in an SOW or other document upon the categories of Personal Information that are required to be backed up by CoreView. Unless otherwise agreed to in writing by CoreView, backups of Personal Information shall reside solely in the United States. For the orderly and timely recovery of Personal Information in the event of a service interruption:
      1. CoreView stores a backup of Personal Information at a secure facility.
      2. CoreView encrypts all Personal Information backup data.


CoreView agrees to implement and maintain network security controls that conform to Industry Standards including but not limited to the following:

    1. Firewalls. CoreView utilizes firewalls to manage and restrict inbound, outbound and internal network traffic to only the necessary hosts and network resources.
    2. Network Architecture. CoreView appropriately segments its network to only allow authorized hosts and users to traverse areas of the network and access resources that are required for their job responsibilities.
    3. Demilitarized Zone (DMZ). CoreView ensures that publicly accessible servers are placed on a separate, isolated network segment typically referred to as the DMZ.
    4. Wireless Security. CoreView ensures that its wireless network(s) only utilize strong encryption, such as WPA2.
    5. Intrusion Detection/Intrusion Prevention (IDS/IPS) System. CoreView has an IDS and/or IPS in place to detect inappropriate, incorrect, or anomalous activity and determine whether CoreView’s computer network and/or server(s) have experienced an unauthorized intrusion.
    6. Segregation in Networks. As appropriate, groups of information services, users and information systems are segregated on networks.


CoreView agrees to implement and maintain network security controls that conform to Industry Standards including but not limited to the following:

    1. Formal data transfer policies, procedures and controls shall be in place to protect the transfer of sensitive Personal Information within electronic messaging.
    2. CoreView executes a data protection and information security agreement with subcontractors/third party clients to ensure that security controls that meet CoreView requirements have been implemented.


    1. Security Requirements of Information Systems. Applicable information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
    2. Securing Application Services on Public Networks. Personal Information involved in application services passing over public networks shall be protected from fraudulent activity, unauthorized disclosure and modification.
    3. Secure Development. CoreView has policies that govern the development of software and systems and how information security and integrity are established and applied during development.
    4. Secure System Engineering Principles. Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
    5. Outsourced Development. The organization shall supervise and monitor the activity of any outsourced system development.


    1. CoreView conducts thorough background checks and due diligence on any third and fourth parties which impact CoreView’s ability to meet the requirements of the Agreement and this Exhibit.
    2. Due diligence of third parties shall include, but is not limited to, addressing information security requirements within agreements between CoreView and its clients.
    3. CoreView will not outsource any work related to its products or services provided to Client to personnel located in countries outside the United States of America, unless disclosed in the Agreement and approved by Client Information Security. If CoreView desires to outsource certain work for Client during the Term of the Agreement, CoreView shall first notify Client so that the parties can ensure adequate security protections are in place with respect to the services provided to Client.


    1. CoreView maintains an appropriate business continuity and disaster recovery plan to enable CoreView to adequately respond to, and recover from, business interruptions involving services provided by CoreView to Client.


    1. At a minimum, CoreView tests the BCP & DR plan annually, in accordance with Industry Standards, to ensure that the business interruption and disaster objectives set forth in this Exhibit have been met, and will promptly remedy any failures. Upon Client’s request, CoreView will provide Client with a written summary of the annual test results.
    2. In the event of a business interruption that activates the BCP & DR plan affecting the services or Personal Information of Client, CoreView will notify Client’s designated Security Contact as soon as possible.
    3. CoreView will allow Client or its authorized third party, upon a minimum of thirty (30) days’ notice to CoreView’s designated Security Contact, to perform an assessment of CoreView’s BCP and DR plans once annually. Following notice provided by Client, the parties will meet to determine the scope and timing of the assessment.


If CoreView provides hosted services to Client, CoreView agrees that its product(s) will remain secure from Software Vulnerabilities and, at a minimum, incorporate the following:

    1. Application Level Security. CoreView will use a reputable third party to conduct static/manual application vulnerability scans on the application(s) software provided to Client for each major code release or at the time of contract renewal. Results of the application testing, if requested by Client, will be provided to Client in a summary report, together with vulnerabilities categorized as Very High or High or identified as part of the OWASP Top 10 and SANS Top 25, within ten (10) weeks of identification.
    2. Vulnerability Management. CoreView agrees at all times to provide, maintain and support its software and subsequent updates, upgrades, and bug fixes such that the software is, and remains secure from Common Software Vulnerabilities.
    3. Updates and Patches. CoreView agrees to promptly provide updates and patches to remediate Security Vulnerabilities that are exploitable. Upon Client’s request, CoreView will provide information on remediation efforts of known Security Vulnerabilities.
    4. Security Testing. CoreView will conduct static, dynamic, automated, and/or manual security testing on its software products and/or services, hardware, devices, and systems to identify Security Vulnerabilities on an ongoing basis. Should any vulnerabilities be discovered, CoreView agrees to notify Client and create a mutually agreed upon remediation plan to resolve all vulnerabilities identified.
    5. Cooperation. In the event of a Security Vulnerability that results in an inquiry from a regulatory agency, law enforcement agency, or Client’s business customer, CoreView will cooperate and assist Client in providing a response to said party, including making appropriate CoreView personnel available to participate in face to face or telephonic meetings as reasonably requested by Client.


    1. CoreView agrees that any and all Personal Information shall be used and disclosed solely and exclusively for the purposes set forth in the Agreement.
    2. Personal Information shall not be distributed, repurposed or shared across other applications, environments, or business units of CoreView. CoreView further agrees that no Personal Information of any kind shall be transmitted, exchanged or otherwise passed to other parties except on a case-by-case basis as specifically agreed to by Client.


    1. Upon a minimum of thirty (30) days’ written notice to CoreView, CoreView agrees to allow Client or a mutually agreed upon independent third party under a Non-Disclosure Agreement to perform an audit of CoreView’s policies, procedures, software, system(s), and data processing environment, at Client’s expense, to confirm compliance with this Exhibit. Unless critical issues are identified during the audit, such audits will be restricted to one audit per any twelve (12) month period.
    2. Prior to commencement of the audit, the parties will discuss the scope of the audit and the schedule. CoreView will provide reasonable support to the audit team.
    3. If issues are identified by CoreView, CoreView will provide a remediation plan to remedy such issues.



The Security contacts identified in the Order shall serve as each party’s designated Security Contact for security issues under this Agreement.

CoreView Security Contact:
CoreView Information Security


CoreView takes commercially reasonable actions to ensure that Client is protected against any reasonably anticipated Security Incidents, including but not limited to: (i) CoreView’s systems are continually monitored to detect evidence of a Security Incident; (ii) CoreView has a Security Incident response process to manage and to take corrective action for any suspected or realized Security Incident; and (iii) upon request CoreView will provide Client with a copy of its Security Incident policies and procedures. If a Security Incident affecting CoreView products occurs, CoreView, in accordance with applicable Information Protection Laws, will take action to prevent the continuation of the Security Incident.


Within forty-eight (48) hours of CoreView’s determination that a Security Incident has occurred, or other mutually agreed upon time period, CoreView will notify Client of the incident through the email address listed above.


Upon CoreView’s notification to Client of a Security Incident, the parties will coordinate to investigate the Security Incident. CoreView will be responsible for leading the investigation of the Security Incident, but will cooperate with Client to the extent Client requires involvement in the investigation. CoreView may involve law enforcement in its discretion. Depending upon the type and scope of the Security Incident, CoreView security personnel may participate in: (i) interviews with Client’s employees and subcontractors involved in the incident; and (ii) review of all relevant records, logs, files, reporting data, systems, Client devices, and other materials as otherwise required by CoreView.

In the event of a Security Incident that results in an inquiry from a regulatory agency, law enforcement agency, or Client business customer, Client shall cooperate and assist CoreView in providing a response to said party, including making appropriate Client personnel available to participate in face to face or telephonic meetings as reasonably requested by CoreView. CoreView will cooperate with Client, at Client’s expense, in any litigation or investigation deemed reasonably necessary by Client to protect its rights relating to the use, disclosure, protection and maintenance of Personal Information. CoreView will reimburse Client for reasonable costs incurred by Client in responding to, and mitigating damages caused by, Security Incidents that are under CoreView’s responsibility. CoreView will use reasonable efforts to prevent a recurrence of any such Security Incident.


If requested by Client, CoreView will provide a final written incident report within twenty (25) business days after resolution of a Security Incident or upon determination that the Security Incident cannot be sufficiently resolved.


In the event of any change in CoreView’s data protection or privacy obligations due to legislative or regulatory actions, industry standards, technology advances, or contractual obligations, CoreView will work in good faith with Client to promptly amend this Exhibit accordingly.