Information Security
At HR Acuity, we take the security of our clients’ data seriously.
Last Updated: August 8, 2025
We believe in making our practices clear and accessible. The policy below outlines how we manage information security across our platform. This Information Security Policy is part of our contractual terms when incorporated by reference into our Master Services Agreement. It reflects our current security practices and controls.
HR Acuity Client Data Information Security Policy (ISP)
This Information Security Policy (“ISP”) describes the technical and organizational measures HR Acuity implements to protect the confidentiality, integrity, and availability of Client Data. This ISP is incorporated by reference into the Master Services Agreement (“Agreement”) between HR Acuity and Client. In the event of any conflict between this ISP and the Agreement, the Agreement will control with respect to matters within its scope. Capitalized terms not defined in this ISP have the meanings assigned in the Agreement.
1. Security Program and Standards Alignment
HR Acuity maintains a comprehensive information security and privacy program aligned with industry-recognized frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (e.g., NIST SP 800-53) and ISO/IEC 27001:2022, or any successor versions of these standards. To validate the effectiveness of its controls, HR Acuity undergoes an annual independent SOC 2 Type II audit (or equivalent), covering the Trust Services Criteria for security. A summary of the most recent report will be made available to Client upon request, subject to appropriate confidentiality obligations.
HR Acuity’s security program is designed to be risk-based, continuously evaluated, and responsive to emerging threats and evolving regulatory expectations. Security controls are integrated into the development, deployment, and operation of the Platform.
2. Data Handling and Submission
HR Acuity supports secure, authorized methods for the submission and exchange of Client Data. Acceptable submission methods include:
- Secure transmission through the Platform over encrypted HTTPS
- Data import via pre-configured integrations with supported HR systems
- Import of historical case data and attachments via structured upload or ingestion tools
- Email forwarding to secure, authorized, designated addresses for case association or queue intake
- Other methods expressly authorized in an Order Form or Statement of Work
Client Data submitted via unsupported or unapproved channels may be rejected or deleted in accordance with HR Acuity’s data handling policies.
In the course of providing the Services, HR Acuity may also receive limited Personal Data that is separate from Client Data (e.g., business contact information, email signatures). This Personal Data is treated as the Client’s Confidential Information pursuant to the terms of the Agreement and is used solely to provide the Services. HR Acuity applies appropriate safeguards to protect such information and handles it in accordance with its Privacy Policy.
3. Identity and Access Management
3.1 Role-Based Access and Least Privilege
Access to Client Data is restricted to authorized personnel with a defined business need. Access is governed by role-based models, aligned with the principle of least privilege, and follows a documented provisioning process that includes supervisory approval.
All user accounts are uniquely assigned; shared credentials are prohibited. Privileged accounts are provisioned separately from standard user accounts and limited to personnel with elevated responsibilities. Privileged access is monitored, logged, and reviewed periodically.
Access rights are reviewed regularly and revoked promptly upon changes in role, termination, or end of business need.
3.2 Authentication and Session Controls
HR Acuity enforces strong authentication policies for personnel accessing production systems, including:
- Password complexity requirements
- Rotation and reuse restrictions
- Multi-Factor Authentication (MFA)
- Single Sign-On (SSO) via SAML for internal systems
Passwords may not be shared, transmitted in plaintext, or stored in unprotected formats.
Session timeouts are configured across administrative and client-facing interfaces to automatically lock inactive sessions after a period of inactivity.
3.3 Client Access and Authentication
Each Client organization manages access to its Platform environment. HR Acuity supports flexible, role-based permission structures that allow Clients to configure access based on their internal policies.
Client access features include:
- MFA enabled by default for all user accounts
- Support for SAML-based SSO integration
- Support for password complexity controls configurable by Client
- Logical data segregation between tenants to prevent cross-client access
Clients are responsible for managing user provisioning, permissions, and deactivation within their environment.
4. Organizational Security & Personnel Controls
HR Acuity maintains policies, processes, and training programs to ensure that personnel are appropriately screened, trained, and monitored when handling Client Data.
4.1 Background Checks and Access Eligibility
Background checks are conducted on all new hires at HR Acuity. Depending on the role, these checks may include verification of employment history, education, and criminal history, as well as other screenings relevant to the position. All background checks are conducted in accordance with applicable local laws.
Access to systems containing Client Data is not provisioned until required screenings are complete and access eligibility is confirmed.
4.2 Security Awareness and Training
All HR Acuity personnel complete security and privacy awareness training during onboarding and on an annual basis thereafter. This training ensures that employees understand how to recognize and respond to common threats, follow secure practices, and protect Client Data in accordance with company policy.
For personnel with access to Client Data or sensitive systems, training topics include secure data handling, protection of Client Data, password hygiene, phishing and social engineering risks, and incident reporting. Content is regularly reviewed and updated to reflect evolving security threats, internal policies, and regulatory requirements. Role-specific training is provided where appropriate.
4.3 Policy Compliance and Accountability
Personnel are required to acknowledge HR Acuity’s internal security policies, including acceptable use, confidentiality obligations, and incident response procedures.
Access privileges are reviewed on a periodic basis to ensure continued alignment with job responsibilities. Access logs and activities are monitored and may be audited to ensure policy compliance and identify anomalous behavior.
5. Infrastructure and Technical Safeguards
HR Acuity employs a layered set of technical controls to protect Client Data and prevent unauthorized access, tampering, or disruption.
5.1 Hosting and Data Segregation
The HR Acuity Platform is hosted in Microsoft Azure U.S. Data Centers. Microsoft is responsible for the physical and environmental security of its infrastructure and maintains a range of independently audited compliance certifications. Details regarding Microsoft’s compliance posture are available in Microsoft’s Trust Center.
HR Acuity leverages logical tenant separation to ensure that each Client’s data is isolated within the Platform and inaccessible to other Clients.
5.2 Network and Endpoint Protection
HR Acuity implements multiple layers of network security, including:
- Network segmentation to separate production and non-production environments
- Firewalls and boundary protection mechanisms to restrict inbound and outbound traffic
- Intrusion detection and prevention systems (IDS/IPS) to monitor for malicious activity
- Endpoint protection to detect and respond to malware and other threats
External traffic is tightly controlled to prevent unauthorized access to internal systems.
5.3 Encryption and Data Protection
Client Data is protected using encryption in transit and at rest:
- In transit: All data transmitted over public or untrusted networks is encrypted using Transport Layer Security (TLS 1.2 or higher), with support for Perfect Forward Secrecy (PFS)
- At rest: Data is encrypted using Transparent Data Encryption (TDE) or equivalent technologies aligned with AES 256-bit standards
- Endpoint devices: Portable devices used by personnel for access to the production environment are encrypted and subject to device-level protection controls
Encryption key management follows best practices, including limited access to key custodians, periodic reviews, and backup/recovery mechanisms to ensure availability.
5.4 System Maintenance and Change Control
Changes to systems and application environments follow a formal change control process that includes:
- Documentation of changes and approvals
- Testing in staging environments
- Rollback planning where applicable
- Monitoring of post-deployment impact
System development follows a secure software development lifecycle (S-SDLC), including version control, secure coding practices, code reviews, vulnerability management, and logging. Development and production environments are logically separated.
Security patches are applied in a timely manner based on severity and vendor guidance, consistent with HR Acuity’s change control policies.
6. Logging, Monitoring & Threat Management
HR Acuity maintains continuous monitoring and detection capabilities across its systems and infrastructure to identify unauthorized activity and emerging threats.
6.1 Logging and Audit Trails
Security-relevant events are logged across infrastructure, application, and administrative systems. Logging includes (but is not limited to):
- User authentication and access events
- Administrative actions and configuration changes
- System errors, exceptions, and suspicious activity
Logs are protected from unauthorized modification or deletion and retained for a period consistent with HR Acuity’s internal policies and compliance obligations. Access to logs is restricted to authorized personnel and monitored to detect anomalies or indicators of compromise.
6.2 Threat and Vulnerability Management
HR Acuity maintains a formal threat and vulnerability management process that includes:
- Regular vulnerability scanning and internal assessments
- Annual penetration testing by an independent third-party provider
- Ongoing monitoring of security advisories and threat intelligence feeds
- Risk-based remediation of identified vulnerabilities based on severity and likelihood
HR Acuity will provide a summary of penetration test results and related remediation efforts to Client upon request.
7. Security Incident Response
HR Acuity maintains a documented Incident Response Plan (IRP) designed to coordinate detection, investigation, containment, remediation, and notification in the event of any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by HR Acuity.
7.1 Detection and Response
A dedicated Incident Response Team (IRT), supported by a 24/7 Security Operations Center (SOC), monitors HR Acuity systems for potential indicators of compromise. Upon detection of a Security Incident, the IRT follows a defined escalation process that includes:
- Identification of affected systems and data
- Containment and mitigation of impact
- Recovery of services and re-securing of environments
- Documentation and forensic investigation
7.2 Client Notification
If HR Acuity confirms a Security Incident, it will notify affected Clients in writing, without undue delay, and no later than 48 hours after confirmation (or sooner if required by applicable law). Notification will include:
- A summary of the incident and scope of impact
- Types of data involved (if known)
- Remediation steps taken
- Guidance for any recommended Client actions
For any Client whose Personal Data is impacted by the Security Incident, HR Acuity will cooperate with Client in evaluating and meeting applicable notification obligations to individuals or regulators.
7.3 Post-Incident Review
Following any significant incident, HR Acuity conducts a formal post-incident review to assess root cause, evaluate response effectiveness, and update applicable controls or procedures as necessary.
8. Vendor and Subprocessor Security
HR Acuity engages third-party vendors and subprocessors to support the delivery and operation of the Platform and to provide the Services. These relationships are subject to a formal Vendor Risk Management program.
8.1 Due Diligence and Onboarding
Vendors with access to Client Data undergo security and privacy assessments based on:
- Nature and scope of services provided
- Access to or handling of Client Data
- Independent security certifications (e.g., SOC 2, ISO 27001)
- Completion of HR Acuity’s security questionnaire (where applicable)
- Use of subcontractors or downstream providers
Vendors without current certifications may be required to submit detailed documentation of their security and privacy controls prior to approval.
8.2 Contractual Controls
Vendor agreements involving Client Data include provisions covering:
- Data use and confidentiality
- Access restrictions and scope limitations
- Security and privacy obligations
- Breach notification timelines
- Return or destruction of data upon termination
8.3 Ongoing Oversight
HR Acuity conducts periodic reassessments of vendor risk posture, certifications, and performance. Vendor access is removed promptly upon contract termination. Subprocessor disclosures and updates are available to Client in accordance with applicable terms. Client may also be given the option to opt in to receive notifications of changes to HR Acuity’s subprocessor list by submitting a business email address through a subscription form provided by HR Acuity.
9. Business Continuity & Disaster Recovery
HR Acuity maintains formal Business Continuity and Disaster Recovery (BC/DR) plans designed to ensure the ongoing availability of the Platform in the event of a disruption. These plans are reviewed at least annually and updated as needed to reflect changes in systems, risk posture, and business operations.
9.1 Redundancy and Recovery
HR Acuity leverages cloud-based infrastructure with built-in redundancy across compute, network, and storage layers. Data replication technologies and geographically distributed resources help support service continuity and minimize data loss.
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are defined based on system criticality and may be shared with Client upon request, subject to confidentiality obligations.
9.2 BC/DR Testing and Readiness
HR Acuity conducts periodic testing of disaster recovery procedures to validate recovery capabilities and operational readiness. Post-test reviews are used to update procedures and remediate any identified gaps.
Information security considerations are integrated into the BC/DR planning framework. Designated staff receive training on their responsibilities during a continuity or disaster scenario to ensure rapid and secure response.
10. Data Retention and Deletion
10.1 Client Data Retention
HR Acuity retains Client Data in accordance with the terms of the Agreement. Backup copies of Client Data are maintained for operational continuity and disaster recovery purposes and are stored securely using encryption in transit and at rest.
Backup data is retained for a period of up to ninety (90) days unless otherwise required by law, contractual obligation, or documented legal hold.
10.2 Client Data Deletion
Upon expiration or termination of the Agreement—or upon written request by an authorized representative of the Client—HR Acuity will delete or destroy Client Data from its systems and third-party environments under its control within a commercially reasonable timeframe, consistent with its internal data handling procedures. All such deletions will be performed using industry-standard secure methods. Written certification of data deletion is available upon request.
Portions of Client Data may be retained beyond that period solely as required to comply with legal, regulatory, audit, or litigation hold obligations. Any retained data remains subject to the confidentiality and security terms of the Agreement and this ISP.
11. Client Penetration Testing
Client may conduct authorized penetration testing of its own environment within the HR Acuity Platform, subject to prior written approval and testing guidelines. All testing must be:
- Limited to Client’s own environment
- Conducted during agreed-upon windows
- Non-disruptive (e.g., no denial-of-service or brute-force attacks)
- Confidential, with findings disclosed to HR Acuity promptly
HR Acuity reserves the right to restrict the frequency, scope, or duration of testing, and to prohibit certain forms of testing. Client must request authorization, with a minimum of ten (10) days’ written notice, using this form.
Additional terms and testing procedures will be provided as part of the authorization process.
12. AI Usage and Safeguards
HR Acuity offers optional AI-powered functionality within the Platform to support users in analyzing trends, drafting content, and enhancing decision support. All AI features are developed and governed in accordance with HR Acuity’s AI Governance Policy and are enabled or disabled at the Client level by HR Acuity Support.
AI functionality operates within Microsoft Azure’s enterprise-grade infrastructure, and all associated processing is subject to the same data protection, privacy, and security controls described in this ISP and in the Agreement. In particular:
- Client Data is not used to train or fine-tune third-party AI models.
- Data remains isolated and secured within each Client’s environment.
- All AI processing complies with applicable privacy and data residency requirements.
- Outputs and associated data are protected with AES-256 encryption and role-based access controls.
HR Acuity performs ongoing quality monitoring, including automated testing and regression analysis, to validate AI accuracy and performance.
13. Policy Updates
HR Acuity may update this ISP by posting a new version. Updates that materially affect HR Acuity’s obligations to Client will not take effect until the start of the next Order Form term, unless otherwise agreed in writing. Routine updates that do not reduce protections for Client Data — such as changes to technical measures or improvements in encryption protocols — may take effect immediately. No update will materially reduce the level of protection for Client Data under this ISP.
Updated versions will be posted on HR Acuity’s website or made available through the Platform. Clients are encouraged to review the current version periodically. Client may also be given the option to opt in to receive update notifications by submitting a valid business email address through a designated form (where available).
Need More Detailed Documentation?
This information is intended for those considering adopting HR Acuity as their organization’s employee relations and investigation technology platform, or for current clients completing their annual compliance review. Either way, we want you to feel 100% certain that your data is secure with us.
By completing this form, you will gain access to a set of documentation that highlights our information security practices and policies around:
- SOC 2 Type II audit report
- Proof of insurance
- Architectural diagrams
- Information security policies
- Third-party subprocessor list
- and more