Security Addendum

Narrative Security Addendum

Last Modified: September 22, 2023

This Security Addendum is incorporated into and made a part of the written agreement between Narrative I/O, Inc. (“Narrative”) and the Client that references this Security Addendum (“Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.

Narrative is committed to maintaining industry-standard security controls and best practices designed to protect our systems and the data we handle as described in this Addendum.

1. Security Program and Policies

  • 1.1. Narrative maintains a comprehensive security program based on industry standard security frameworks that includes physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Narrative Services and Provided Data (the “Security Program”).
  • 1.2. The Security Program includes documented policies and procedures that are approved by management, published internally, and reviewed and updated annually or as needed.
  • 1.3. Narrative regularly tests and evaluates its Security Program, and may review and update this Security Addendum at any time by updating the Last Modified date of this Addendum, provided that such updates maintain or enhance security and do not materially diminish the level of protection.

2. SOC Reports

  • 2.1. Narrative maintains compliance with the Service Organization Controls (“SOC”) auditing standards for service organizations issued by the AICPA. SOC reports will be provided upon request.
  • 2.2. To the extent Narrative decides to discontinue a standard or certification, Narrative will adopt or maintain an equivalent, industry-recognized framework.

3. Audits and Continuous Monitoring

  • 3.1. Independent third-party audits and assessments are performed at least annually to validate the effectiveness of Narrative’s security controls and procedures.
  • 3.2. In addition to periodic and targeted internal and third-party audits, Narrative continuously monitors its security controls and devices to detect and respond to potential security incidents and to ensure that its controls and procedures are properly enforced at all times.

4. Risk and Asset Management

  • 4.1. Narrative performs risk assessments, and maintains controls for risk identification, analysis, monitoring, reporting, and remediation.
  • 4.2. Narrative maintains an asset management program that appropriately classifies and controls hardware and software assets throughout their life cycle.

5. Vulnerability Detection and Management

  • 5.1. Narrative performs regular vulnerability scanning and penetration testing of our applications and systems to identify and address any potential security weaknesses.
  • 5.2. Vulnerabilities are reported, evaluated, tracked, and resolved according to standardized procedures and time requirements. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Service.

6. Data Encryption

  • 6.1. Encryption standards are regularly reviewed and will be updated in accordance with assessed risk and market acceptance of new standards.
  • 6.2. Encryption at rest. All Provided Data is encrypted "At-Rest" using industry-accepted algorithms (e.g., AES-256, RSA-2048).
  • 6.3. Encryption in transit. All Provided Data is encrypted "In-Transit" using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols, with a minimum of TLS v1.2.

7. Secure Development Lifecycle

  • 7.1. Our Software Development Lifecycle policy covers all stages of development and requires — among other things — separation of duties, code review, approval processes, and change control standards.

8. Personnel Training & Controls

  • 8.1. All Narrative employees and independent contractors who have access to Provided Data complete ongoing security training and awareness programs and are required to regularly review and accept our security policies. Engineers are also required to complete additional training, which includes content provided by OWASP.
  • 8.2. All Narrative employees are pre-screened, required to sign confidentiality agreements upon hiring, and subject to disciplinary processes for violations of security policies and procedures.
  • 8.3. Upon employee termination or applicable role change, Narrative removes or updates employee access rights.

9. Access Controls and Authentication

  • 9.1. Narrative implements role-based access controls based on the “least-privilege” principle to ensure employees only have access to systems and applications necessary for their role.
  • 9.2. Narrative management regularly reviews access and can revoke it as needed.
  • 9.3. Multi-factor authentication is required for systems that provide the option.

10. Incident Management and Notification

  • 10.1. Narrative implements a security incident management program that addresses how Narrative manages Security Incidents.
  • 10.2. Narrative will notify impacted Narrative clients and Governmental Authorities (where applicable) of Security Incidents in a timely manner as required by law.

11. Data Retention and Deletion

  • 11.1. Narrative implements and maintains data retention policies and procedures related to Provided Data and reviews these policies and procedures as appropriate.
  • 11.2. Narrative provides Client with functionality that permits Client to configure retention for each Provided Data dataset and/or delete any Provided Data dataset under Client’s control.

12. Physical Access Controls

  • 12.1. Narrative’s cloud infrastructure is provided and hosted by Amazon Web Services, Inc. ("AWS"). Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on SOC reports, is available from the AWS Compliance website.

13. Shared Security Responsibilities

  • 13.1. Security of Provided Data is a shared responsibility. Client agrees that:
    • a) Narrative has no obligation to assess the content, accuracy, or legality of Provided Data, including to identify information subject to any specific legal, regulatory, or other requirement, and Client is responsible for making appropriate use of Narrative Services to ensure a level of confidentiality, integrity, availability, and security appropriate to the particular content of Provided Data;
    • b) Client is responsible for managing and protecting the user credentials used to authenticate to and access Client's account, including but not limited to (i) ensuring that all users keep credentials confidential and do not share them with unauthorized parties, (ii) promptly reporting to Narrative any breach or suspicious activity related to Client’s account or authenticating accounts, and (iii) maintaining appropriate password uniqueness, length, complexity, and expiration.