Security Addendum

 

LinkSquares will maintain and enforce safety, physical and computer system security procedures consistent in all material respects with the provisions outlined within this Schedule B. To the extent that any provisions of this Schedule B conflict with any provisions of the TOS, the terms of the TOS shall control. Capitalized terms that are not defined in this Schedule B shall have the meaning ascribed to them in the TOS.

This Security Addendum shall apply to LinkSquares’ treatment of Client Data. LinkSquares shall use commercially reasonable efforts to implement the following processes and procedures with regard to the treatment of Client Data:


I. Infrastructure Security Requirements. LinkSquares shall use commercially reasonable efforts to:

a. Adopt, implement and maintain appropriate policies and procedures to protect the confidentiality, security, integrity and availability of Client Data.

b. Comply with each of the following requirements for securing Client Data materially consistent with prevailing industry standards and practices:

i. Promptly document and communicate the LinkSquares Security Requirements set forth herein to all LinkSquares personnel prior to providing them with access to the Client Data;

ii. Use effective and current anti-virus protection on all network connected assets, Intrusion Detection System (IDS) and process managing event data, including a requirement to establish an incident response team and document device hardening and configuration standards;

iii. Publish Software Development Life Cycle (SDLC);

iv. Use Industry-standard tools and processes for removing the Data; and

v. Implement and maintain:

1. a software and system vulnerability environment that detects critical security infrastructure issues and is capable of providing a record of LinkSquares’ routine and regular use of such system at Client’s reasonable request;

2. effective system access and control policies;

3. effective backup and recovery capability of all Client Data;

4. physical security of all offices and data centers (e.g., locks, badges, cameras, access logs);

5. production change management and problem management processes;

6. for hosted applications, Demilitarized Zone (DMZ) architecture with a commercially reasonable segmentation architecture and an application assessment/vulnerability assessment process;

7. standardized two-factor remote access architecture with documented controls for usage to access the Client Data;

8. network topology diagram of data center;

9. effective encryption architecture for saving and transmitting the Client Data;

10. effective personnel background checks for associates with access to the Client Data; and

11. internal and external audit and compliance processes for the network including but not limited to blocking unauthorized ingress, egress and exfiltration through technologies such as firewalls.

c. When permitted by law to do so, promptly notify Client in the event that LinkSquares is required by law, court order, warrant, subpoena, or any other legal or judicial process to disclose any of the Client Data to any person other than Client (or another party expressly approved by Client to receive such Client Data).


II. Operational Security Requirements. LinkSquares shall use commercially reasonable efforts to:

a. Restrict and limit access to the information system and use of the Client Data to only those persons who have been properly authorized to access and/or use the Client Data;


b. Use the information system in an efficient, ethical and lawful manner;


c. Diligently act to prevent LinkSquares’ employees, agents and representatives from performing any act or failing to act in a manner that causes or is reasonably foreseeably likely to cause a security breach;

d. Promptly advise Client of all known occurrences of any material performance or security risk;

e. If requested, reasonably assist Client with any and all inquiries into any suspected breach of, or non-compliance with, any of the LinkSquares Security Requirements;

f. Only permit the use of any Client facilities, Client Data or other Client property to the extent reasonably necessary to perform the Services; and

g. Not decompile or reverse engineer any Client Data.

 

III. Security Breach Obligations. LinkSquares will notify Client of any Security Incident of which LinkSquares becomes aware as soon as practicable via electronic mail to the Client’s email address listed on the Order Form. If LinkSquares suspects a Security Incident has occurred LinkSquares will promptly notify Client. LinkSquares will provide reasonable assistance in the Client’s investigation of the Security Incident. LinkSquares will provide to the Client any material information related to the Security Incident requested by Client, consistent with prevailing industry standards.

IV. Information Security and Policy Addenda.

a. Throughout the term, LinkSquares agrees to conduct its operations in fulfilling its obligations under the Agreement consistent with the standards, processes, and guidelines contained in the Information Security Exhibit attached as Exhibit 1 and the Company Policy Packet attached as Exhibit 2.


b. LinkSquares may, from time to time in LinkSquares’ sole discretion, make changes to the Information Security Exhibit and the Company Policy Packet; provided, however, that LinkSquares will not implement any such change that would materially diminish the efficacy of the controls contained in each policy or otherwise run contrary to the purposes of those policies without providing prior written notice to the Client.

V. Miscellaneous.

a. Annually during the Term, LinkSquares shall, upon receipt of a written request from Client, provide to Client reasonable assurances of LinkSquares’ continued maintenance of its certification under the Service Organization Control (SOC) (the “Certification”).

b. To the extent applicable, Client remote access services are only to be used by approved workstations meeting Client’s conditions of usage/specifications.


c. Except as authorized in writing by Client’s senior management or as reasonably necessary to perform the Services in accordance with the Agreement, no Client Data shall be transmitted over the Internet without industry best security protections in place.

d. Any use of the Client Data, Client’s facilities and/or Client property for any purpose other than for the provision of the Services under the Agreement is prohibited.

 

VI. Definitions. For purposes of this Schedule B, each of the following terms shall have the meaning ascribed to each such term below:

a. “Process” and other derivations such as “Processed” and “Processing” means any use of or processing applied to any Client Data and includes “process” or “processing” as defined in applicable data protection legislation. For the avoidance of doubt, this includes, without limitation, storing, accessing, reading, using, copying, printing, revising, deleting, disclosing, transferring or otherwise using Client Data.

b. “Security Incident” shall mean:

i. any disclosure of Client Data and/or Confidential Information by LinkSquares in violation of the Agreement or applicable laws pertaining to privacy or data security;

ii. any other unauthorized acquisition, disclosure or use of Client Data and/or Confidential Information; or

iii. any adverse event or activity that materially threatens or may reasonably materially threaten LinkSquares’ systems, Client’s systems, or Client Data, including a material violation, compromise or breach of the security of LinkSquares’ systems, Client’s systems or Client Data.

 

Exhibit 1 – Information Security Exhibit
Version 1.9
Updated 2/21/2020

 

Introduction
The LinkSquares Information Security Exhibit was developed to demonstrate the LinkSquares commitment to the protection of information entrusted to the company and to outline how the information security safeguards appropriately protect non-public information.

LinkSquares management team recognizes that the information security landscape is constantly changing and that management must implement, interpret, and, at times, modify the control documents to reflect the changing security landscape.

LinkSquares is a Rails-based web application. We use this common framework to provide the foundation of multi-tenant cloud based environments using databases.


Information Security Policy
The LinkSquares Information Security Policy was created to disseminate and solidify a consistent and thoughtful approach to information security at LinkSquares. The document is approved by the management team, which is the central point of contact for changes to the policy. This document will continue to be expanded, updated and disseminated as the security landscape evolves.

Since 2020, LinkSquares has undergone, on an annual basis, a Service Organization Control (SOC) 2® examination resulting in an independent CPA firm’s audit report stating that management of LinkSquares maintained effective controls over the security and availability of its production web application system. The report is available to be shared under a Non-Disclosure Agreement.

All existing and new employees are required to familiarize themselves with the contents of the policy and are held to the standards defined within. Each employee receives annual security training and the company requires acknowledgement from each employee.

Furthermore, LinkSquares provides a specific privacy policy outlining assurances of security and privacy of customer data which can be read here at https://www.linksquares.com/privacy. In the event of a disruption, LinkSquares is also insured with an Errors and Omissions policy.


Human Resources Security
As part of the hiring process, all employees that have access to customer data undergo criminal background and reference checks. These checks ensure that prior to establishing a professional relationship with the employee they have been vetted as suitable for their specific initial roles.

After being hired they are introduced to the LinkSquares Information Security Policy and made aware of the expectations regarding the controls and systems in place to protect the company as well as any non-public information.

Following any severing of the work relationship, the employee must surrender all assets and all access is revoked. A termination checklist covers all aspects of access revocation including credentials, assets, and both internal and external data. It also reiterates the responsibility to protect customer data obtained throughout the employee’s tenure even after termination, and employees are asked to sign a document to that effect.

Physical Security and Hosting Environment
All customer data is secured and access is limited to only the systems and employees that need access to facilitate providing services to the customer.

The production servers are hosted at the Amazon Web Services (AWS) US East data center. This AWS data center has completed SSAE16 SOC-2 Type II audits to help promote proper methods and procedures and to assure security compliance. Each site is staffed 24/7/365 with onsite security to protect against unauthorized entry. Each site has security cameras that monitor both the facility premises as well as each area of the datacenter internally. There are biometric readers for access as well as at least two factor authentication to gain access to the building. Each facility is unmarked so as not to draw any additional attention from the outside and adheres to strict local and federal government standards. A full overview of AWS’ security program can be found here, https://aws.amazon.com/security/.

LinkSquares has the ability to provide file storage in any available region that can be provided by AWS Simple Storage Service (S3). See here for more information https://docs.aws.amazon.com/general/latest/gr/rande.html.

Application Security and Access Control
There are two major types of access privileges at LinkSquares.

System Administration
System administration access to the production environment is limited to Lead Engineering and Technical Operations employees at this time. These employees have been trained to understand the consequences and increased responsibilities of having elevated access. All access is authenticated via SSH keys through specific IP addresses to the production server. All access is logged and those logs are replicated, and preserved on a machine that only the security team has access to. These logs are periodically audited and also provide an accurate and immutable historical record if needed.

Customer Data
Employees that need to access customer data to do their jobs may only do so under the following conditions:

– There is no other way to accomplish the task.
– Only the minimal amount of data required is accessed.
– Any captured information is destroyed once no longer needed.

Access is granted on a per-user basis, based on job role and requirements, and only to the appropriate level of customer data in accordance with least privilege. User authentication is controlled using multiple security factors including username, password, and SSH keys. Passwords are safeguarded and never stored in plain text, either at rest or in transit.

To ensure the safeguarding of customer data, all access to the product is logged. The logging and auditing mechanisms capture page accesses, page views, configuration modifications, and logins.

Software Development, Deployment and Updates
The LinkSquares product is deployed as a Software as a Service (SaaS) application with access available from anywhere. A major advantage of the SaaS model is that updates to the product can be deployed frequently and without service disruption to the users. While this model minimizes downtime, occasional system upgrades and transitions are required. In the event of anticipated service interruptions, advance notice will be given to application administrators and a site message will be posted for users prior to the maintenance work.

The application itself is also updated regularly, usually several times per day. Development is done using an agile methodology and all product changes and updates are tested and reviewed prior to deployment. Additionally, all revisions go through several automated testing frameworks, adding to the assurances of safety and correctness of user data.

All of LinkSquares’ production code is stored on GitHub’s data center. The GitHub data center is regularly audited by independent firms against an ISAE 3000/AT 101 Type 2 Examination standard. In addition, all systems access is logged and tracked for auditing purposes and there are secure document-destruction policies for all sensitive information. GitHub has dedicated firewall and VPN services to help block unauthorized system access. They also provide Distributed Denial of Service (DDoS) mitigation services powered by industry-leading solutions.

GitHub employs a team of 24/7/365 server specialists to keep their software and its dependencies up to date, eliminating potential security vulnerabilities. They employ a wide range of monitoring solutions for preventing and eliminating attacks to the site. In addition, GitHub has 24×7 onsite staff that provides additional protection against unauthorized entry. They use unmarked facilities to help maintain a low profile and their physical security is audited by an independent firm. All private data exchanged with GitHub is always transmitted over SSH (Secure Socket Shell). All communication between the LinkSquares team and the production code base stored on GitHub is done over SSH authenticated with keys.

The procedure to deploy code to the production server is as follows. Production code is first checked into GitHub. LinkSquares utilizes the open-source deployment framework Capistrano to update the server the same way each time (idempotent operations) in order to minimize server configuration errors and production downtime. Capistrano first connects to the GitHub repository where the production code lives over SSH. From there it connects directly to the AWS servers via SSH and begins the procedure of updating the production server code. At all times during the deployment of production code, SSH is used to encrypt all data transfers and messages.

LinkSquares conducts a yearly penetration test with an independent third party against the production server. A particular emphasis is placed on the OWASP Top 10 that include topics such as SQL injection, Cross-Site Scripting and using components with known vulnerabilities. LinkSquares utilizes Detectify to perform continuous vulnerability scanning of our application. As a part of our development process we use Brakeman to also conduct static analysis at the code level. Internal peer and security reviews are conducted for all new features. LinkSquares monitors the use of all open-source software components used within the application. In the event that a component is rated as high risk due to a security vulnerability, LinkSquares is notified and a patch is applied immediately. Lastly the operating system on the production server is updated with the latest patches as they are released.

Information Security and Incident Management
While a strong security posture is paramount at LinkSquares, policies are also in place to both ensure the continued strength and hardening of the LinkSquares architecture as well as timely and appropriate measures for handling any incidents.

The operating system is Ubuntu, with all ports but 443 (SSL) and 80 (HTTP) closed to the internet at large. Our entire production environment is housed in a Virtual Private Cloud (VPC) where a connection via a Virtual Private Network (VPN) must be made to gain SSH access to the production environment.

Through the use of AWS Web Application Firewall (WAF), we have set up a geofence to restrict access to our production environment to only a whitelist of IP addresses originating from countries we define. We also can provide IP whitelisting for specific customer instances.

Monitoring for breaches and atypical behavior is in place and systems are updated on a regular basis. Critical patches are applied with urgency commensurate with the vulnerability severity. For example, a major vulnerability (CVSS base score between 4.0 and 6.9) will be patched within 12 hours and otherwise security updates are installed nightly once released by the operating system vendor. In addition, vulnerability digests are monitored daily for new issues in any software LinkSquares relies on.

LinkSquares uses AWS Security Hub along with AWS Trusted Advisor to ensure our entire infrastructure is configured according to AWS best practices. Our team is alerted to any misconfigurations that could lead to unauthorized access.

The processes for triage and escalation are clear and documented. LinkSquares uses AWS GuardDuty to continuously monitor for malicious activity and unauthorized behavior.

LinkSquares utilizes Tripwire Intrusion Detection System to detect unauthorized entry.

The system catalogs configuration and file details when in a known-good state. It then runs comparisons against these recorded states to find out if files have been changed or settings have been modified. In addition to file modification detections, a summary report is generated each day and reviewed.

LinkSquares uses Application Performance Monitoring (APM) via Datadog for monitoring all production environments for availability, CPU, memory and internal processes. Datadog is tied to PagerDuty, which is an incident management and response platform that notifies on-call Technical Operations and Engineering team members if a production environment experiences downtime. This enables LinkSquares to meet requirements as defined in our Service Level Agreement. Lastly, we utilize Rollbar for all error reporting in production environments. Rollbar provides our Engineering team detailed stack traces and localization of errors.

Agreements uploaded through email to LinkSquares are received using AWS Simple Email Service (SES). SES uses a number of spam and virus protection measures. It uses block lists to prevent mail from known spammers from entering the system in the first place. It also performs virus scans on every incoming email that contains an attachment. Amazon SES makes its spam detection verdicts available to you, enabling you to decide if you trust each message. In addition to the spam and virus verdicts, Amazon SES provides the DKIM and SPF check results.

Additionally, a transparent customer relationship is fostered at LinkSquares. All issues relating to data integrity, service disruptions, and data security are promptly communicated by the LinkSquares team to each impacted customer. An open dialog is created and expectations are set clearly with a defined timeline for expected resolution and return to normal service.

Data Protection and Encryption

Customer Data Lifecycle
Before introducing the protections, it is useful to understand the lifecycle of customer data within the system.

Raw data is uploaded and input into the application from users. The raw data takes form as two main pieces – assets (document files) and database entries. All the raw data is preserved onto the data storage server.

Raw data is then transformed into output data with our proprietary analysis. The output of this removes much of the form and contents of the original raw data in favor of a more concise and useful format. This output data is ultimately what powers the application in the front end.

Secure Sockets Layer
All communication to and from the production server happens over SSL (Secure Sockets Layer) connections using a server side certificate. LinkSquares uses AWS SSL which is a 2048-bit industry standard certificate with AES (Advanced Encryption Standard) 256-bit encryption. HTTPS is required for all access to the product.

Data Encryption
LinkSquares encrypts all data at rest on our production environment using two industry-standard AES 256-bit encryption keys managed through AWS’ Key Management Service. Our encryption infrastructure is set up with each customer’s account having a unique master key. Each document stored inside of LinkSquares also has a unique data key. Both keys are required to decrypt a file on LinkSquares or perform a restoration from a production backup. This ensures the highest level of protection of encrypted customer data. LinkSquares offers the ability for our customers to manage one of these two keys. In addition, LinkSquares encrypts all password based information using the industry standard bcrypt hashing algorithm.

Business Continuity Management
To continue to provide ongoing and interrupt-free service, there are many facets that must be considered, but most importantly how to protect customer specific data and configuration.

Customer Data

Production customer data (defined as data that is uploaded and inputted by the customer) is fully backed up by LinkSquares, and stored on a data storage server located on AWS. As a part of our ISO 27001 Business Continuity and Disaster Recovery policies, we test a full production restore from backups quarterly. In the event of a catastrophic failure the procedure is to re-fetch the data from the backup data storage server.

Customer Configuration
To provide the necessary customer experience, additional metadata is stored to facilitate application configuration. In the event of a catastrophic failure this data is recoverable and the customer experience can be re-established quickly.

 

Exhibit 2 – Company Policy Packet


Last Revised: December 7, 2020

Overview
The management of LinkSquares has implemented the information security policies outlined in this document. LinkSquares’s management team deems these policies essential to ensure confidential information is protected.

These policies set the direction, provide guidance, and demonstrate senior management support for the information security-related procedures across the organization.

Violation of policies within this manual may lead to disciplinary action, including suspension or employment termination. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may, at their discretion, report such activities to the applicable authorities.

Document Approvals

 

Policy Document | Approver | Approval Date | Next Renewal Date
LinkSquares Company Policy Packet | Eric Alexander | December 7, 2020 | December 7, 2021
Acceptable Use Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Asset Management Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Backup Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Business Continuity Plan | Eric Alexander | December 7, 2020 | December 7, 2021
Change Management Plan | Eric Alexander | December 7, 2020 | December 7, 2021
Code of Conduct | Eric Alexander | December 7, 2020 | December 7, 2021
Cryptography Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Data Classification Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Data Deletion Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Data Protection Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Disaster Recovery Plan | Eric Alexander | December 7, 2020 | December 7, 2021
Incident Response Plan | Eric Alexander | December 7, 2020 | December 7, 2021
Information Security Plan | Eric Alexander | December 7, 2020 | December 7, 2021
Password Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Physical Security Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Responsible Disclosure Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Risk Assessment Policy | Eric Alexander | December 7, 2020 | December 7, 2021
System Access Control Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Vendor Management Policy | Eric Alexander | December 7, 2020 | December 7, 2021
Vulnerability Management Policy | Eric Alexander | December 7, 2020 | December 7, 2021

 

LinkSquares Acceptable Use Policy
Our customers trust us, and they expect us to protect the data and resources they’ve shared with us. Part of how we’ll uphold that trust is through pre-established policies so we don’t need to make key decisions in critical moments.

Below, we explain the sections of our acceptable use policy: what each protects against, why a customer may care, and why we think each is important. We don’t mean for the Acceptable Use Policy to intimidate, but we do aim for it to be clear.

General Use and Ownership
This section explains policy around separating work activities from personal activities as much as possible. Understand that the systems you use for work, including a company-provided laptop, have a much lower expectation of privacy than systems you own. You may use your company devices for reasonable personal use, but those devices are not yours because:

– If the company is sued, all its devices are subject to discovery, which means opposing counsel will have access to your data.
– When we troubleshoot our systems, company administrators may have access to your data.
– We may terminate an employee, which may include giving another employee access to the terminated employees’ devices and accounts.
– If we are breached, outside investigators will likely inspect all use of an account and/or device, no matter its purpose.

Please limit personal use of company-provided devices as much as possible and remember that corporate devices are not your personal property. Our policies are strict so that we do not have to make judgment calls on a case-by-case basis in high-stress situations.

Security and Proprietary Information
This section describes behaviors the company expects of you, including password hygiene and the use of multi-factor authentication.

Acceptable Use
The first part of this section details the consequences for malicious, negligent, and/or delinquent behavior. Neither intentionally harm others nor break laws.


The section’s second part emphasizes that your employment by the company does not make you one of the company’s public representatives. Instead, public communication and brand are controlled centrally at the company. While email and social media are mentioned specifically, please be conservative overall in how you represent yourself as an employee.

Policy Compliance
This section details the information security team’s role in measuring, enforcing, and making exceptions to the policy and the potential consequences, including termination, for policy violations.

Acceptable Use Policy

1. Overview

LinkSquares’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to LinkSquares’s established culture of openness, trust and integrity. Instead, the team is committed to protecting LinkSquares’s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of LinkSquares. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations.

Effective security is an organizational effort involving the participation and support of every employee and affiliate who deals with LinkSquares information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at LinkSquares. These rules are in place to protect the employee and LinkSquares. Inappropriate use exposes LinkSquares to risks including virus attacks, compromise of network systems and services, and legal issues.

3. Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct business or interact with internal networks and business systems, whether owned or leased by LinkSquares, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with policies and standards, and local laws and regulation. Exceptions to this policy are documented in section 5.2.

This policy applies to employees, contractors, consultants, temporaries, and other workers at LinkSquares, including LinkSquares-affiliated personnel employed with third parties. This policy applies to all equipment that is owned or leased by LinkSquares.

4. Policy

4.1 General Use and Ownership

4.1.1 Proprietary information stored on electronic and computing devices whether owned or leased by LinkSquares, the employee or a third party, remains the sole property of LinkSquares. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Policy.


4.1.2 You have a responsibility to promptly report the theft, loss or unauthorized disclosure of proprietary information.


4.1.3 You may access, use or share proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.


4.1.4 Employees are responsible for exercising good judgment regarding the reasonableness of personal use. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.


4.1.5 For security and network maintenance purposes, authorized individuals within LinkSquares may monitor equipment, systems and network traffic at any time, per the company’s auditing practices, details of which are documented in relevant technology and security-related policies.


4.1.6 LinkSquares reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security and Proprietary Information

4.2.1 All mobile and computing devices that connect to the internal network must comply with the Asset Management Policies.

4.2.2 Providing access to another individual, either deliberately or through failure to secure access, is prohibited.

4.2.3 Postings by employees from an email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of LinkSquares, unless posting is in the course of business duties.

4.2.4 Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.

4.2.5 Employees must use multi-factor authentication to authenticate to corporate accounts whenever available.

4.2.6 Employees must use a password manager to avoid insecure or shared passwords with accounts.

4.2.7 Employees must encrypt their devices if asked, and must not interfere or otherwise reduce the level of encryption on their devices.

4.2.8 Employees must install OS updates onto their devices if asked or prompted. Employees should also be proactive about applying OS updates to their devices.

4.2.9 Employees must use antivirus software to protect the integrity and confidentiality of their laptops if asked, and must not interfere or otherwise prohibit antivirus activities on their devices.

4.3 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing LinkSquares-owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

4.3.1 System and Network Activities: the following activities are strictly prohibited, with no exceptions:

1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by the company.

2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the end user does not have an active license is strictly prohibited.

3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).

5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

6. Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.

7. Making fraudulent offers of products, items, or services originating from any account.

8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.


9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes. LinkSquares Security team members providing pre-planned penetration testing and vulnerability scans on corporate networks, infrastructure and end user devices are exempt from this due to the nature of their job duties.

10. Port scanning or security scanning is expressly prohibited unless the Security team is notified in advance. LinkSquares Security team members providing pre-planned penetration testing and vulnerability scans on corporate networks, infrastructure and end user devices are exempt from this due to the nature of their job duties.

11. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty. LinkSquares Security team members providing pre-planned penetration testing and vulnerability scans on corporate networks, infrastructure and end user devices are exempt from this due to the nature of their job duties.

12. Circumventing user authentication or security of any host, network or account. LinkSquares Security team members providing pre-planned penetration testing and vulnerability scans on corporate networks, infrastructure and end user devices are exempt from this due to the nature of their job duties.

13. Introducing honeypots, honeynets, or similar technology on the network.

14. Interfering with or denying service to any user other than the employee’s host (for example, distributed denial of service (DDoS) attack).

15. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.

16. Providing information about, or lists of, employees to parties outside LinkSquares.


4.3.2 Email and Communication Activities: When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of the company.” Questions may be addressed to LinkSquares management.
