Parlor has a documented third-party risk management program in place for the selection, oversight and risk assessment of Subcontractors (e.g. service providers, dependent service providers, sub-processors). Parlor also has a third-party risk management program which explicitly requires all business units to notify management if there are new or changed subcontractors.
Parlor’s third-party risk management program requires Confidentiality and/or Non Disclosure Agreements from Subcontractors, in addition to requiring Subcontractors to notify Parlor if there are changes affecting services rendered.
For all Parlor subcontractors requiring assessment, there exists a fully executed contract. All Parlor subcontractor contracts include:
ownership of information, trade secrets and intellectual property
Indemnification/liability
permitted use of confidential information
Non-Disclosure/Confidentiality Agreements
breach of agreement terms
data breach notification
termination/exit clause
Parlor’s third party risk management program includes an assigned individual or group responsible for capturing, maintaining and tracking subcontractor Information Security or other issues. In order to support remediation reporting, Parlor also has a process to identify and log subcontractor information security, privacy and/or data breach issues.
Parlor maintains a set of information security policies and standards that are approved by our Chief Technology Officer, Jason Zopf. We review these security policies and standards annually. These security policies are published on our website and are communicated to customers at the onset of their subscription.
Parlor conducts a comprehensive information security assessment for all projects involving Scoped Systems and Data.
Parlor’s asset management program is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. We maintain an asset Inventory list and configuration management Database (CMDB). Details of this program are reviewed annually.
Parlor’s acceptable use policy is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. This policy is reviewed annually.
Upon termination of a Parlor employee, Parlor follows a documented process to verify the return of employee assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.). This process is overseen by our Chief Technology Officer, Jason Zopf, and Chief Financial Officer, Matt Finn.
Parlor classifies information according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification.
Parlor assigns a named owner to all Information Assets. Owners are responsible for periodically approving and reviewing access to these Information Assets.
Parlor’s information handling policy addresses the storing, processing, and communication of information consistent with its classification. This policy is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. The information handling policy covers the following areas:
Requirement for encryption of all sensitive information.
Data retention and destruction of information including live media, backup/archived media, and information managed by Subcontractors.
Electronic transmission security requirements including email, web, and file transfer services.
Storage requirements including authorized use of Public Cloud storage.
Parlor’s Human Resource policy requires background screening of all employees, including Criminal screening as part of employee background checks.
Parlor conducts regular, mandatory Security Awareness Training for all employees. All new hires are required to complete Security Awareness Training. All employees are required to complete the program annually. Training includes an explanation of employees’ security roles and responsibilities.
Parlor’s Human Resource policy includes processes for Termination and change of status. Electronic access to systems containing scoped data is removed within 24 hours for terminated employees.
Parlor’s access control program is approved, maintained, and periodically reviewed by our Chief Technology Officer, Jason Zopf. Parlor's customers have the ability to directly manage which third party tools Parlor integrates and communicates with, in addition to being able to manage their own personal data (in the form of user and admin PII) in Parlor.
Parlor requires Unique IDs for authentication to applications, operating systems, databases and network devices. We maintain a set of rules governing the way IDs are created and assigned.
Parlor segregates duties for granting access and approving access to Scoped Systems and Data, as well as duties for approving and implementing access requests for Scoped Systems and Data.
Parlor provisions access to applications, operating systems, databases, and network devices according to the principle of least privilege.
Parlor follows a documented process to request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data.
Parlor restricts access to systems that store or process scoped data.
Parlor’s password policy is approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. This policy covers systems that transmit, process or store Scoped Systems and Data and is enforced on all platforms and network devices. The password policy:
Applies to both employee and customer passwords
Requires a minimum password length of at least eight characters
Defines specific length and complexity requirements
Defines requirements for provisioning and resetting passwords
Requires passwords to be encrypted in transit
Prohibits keeping an unencrypted record of passwords (paper, software file or handheld device)
Require changing passwords when there is an indication of possible system or password compromise
Requires multi-factor Authentication for all passwords
Parlor’s Password Policy requires the following access reviews:
Periodic reviews of all user access rights
Periodic review of privileged user access rights
Review of access rights when an employee changes roles, including upon hiring and termination, or upon transition to a separate department.
Disablement or deletion of inactive employee user IDs disabled and deleted after defined periods of inactivity
Parlor configures web applications to follow best practices or security guidelines (e.g., OWASP). Parlor validates data input into all applications.
Scoped Systems and Data are not used in Parlor’s test, development, or QA environments. We have multiple pre-production environments which are entirely separate for use in development, testing, and staging.
Parlor maintains governance policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements.
Parlor maintains a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services.
Parlor’s network security requirements are approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. The policy includes an approval process prior to installing a network device.
Parlor’s policies address payments compliance in the delivery of the product or services where required by regulation. This is periodically reviewed by our Chief Financial Officer, Matt Finn.
Parlor’s incident management and response program is approved, maintained and periodically reviewed by our Chief Technology Officer, Jason Zopf. The program includes:
Guidance for escalation procedure. The line of escalation is: VP of Engineering > CTO > CEO.
Documented actions to be taken in the event of an information security event
In the event of an incident, Parlor uses a specific methodology to review events on Scoped Systems or systems containing Scoped Data relevant to supporting incident investigation.
Parlor employees undergo annual training regarding company expectations related to non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities.
Parlor maintains documented policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices.
Parlor conducts training for employees who have direct customer contact regarding consumer protection compliance responsibilities.
Parlor maintains a documented escalation and resolution process to address specific complaints to management and the customer.
Parlor maintains documented policies and procedures to enforce applicable legal, regulatory or contractual cybersecurity obligations.
Parlor maintains documented policies and operating procedures regarding limiting the personal data collected and its use to the minimum necessary.
Parlor informs individuals about their rights to access, review, update, and correct their personal information which is maintained by the organization.
Parlor maintains a documented data protection program with administrative, technical, and physical and environmental safeguards for the protection of customer-scoped Data.
Parlor maintains documented server security configuration standards based on external industry and vendor guidance.
All Parlor servers are configured according to security standards as part of the build process.
Parlor uninstalls or disables all unnecessary/unused services on all servers.
Parlor removes, changes or disables all vendor default passwords prior to placing any device or system into production.
Parlor maintains sufficient detail in Operating System and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files).
Parlor subcontracts Cloud Hosting services through Google Cloud Platform and Amazon Web ServicesThe Cloud Hosting Providers provide independent audit reports (e.g., Service Operational Control - SOC) for their cloud hosting services.The Cloud Service Provider is certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology - NIST, the International Organization for Standardization - ISO)
