Technical and organizational measures

Technical and organizational details

Last modified: June 12, 2018

Nuance maintains adequate technical and organizational measures, through the implementation and enforcement of the following policies:

Security Organization, Risk Analysis and Risk Management
Nuance has a professional information security organization, headed by a Chief Security Officer and Chief Information Security Officer, that works to provide robust information security controls for Nuance products and environments. Nuance performs annual assessments of the compliance of Nuance security controls with industry standard controls.

Workforce Clearing, Training and Sanctions
All Nuance personnel are subject to background checks before access to restricted data is permitted. All personnel receive regular security training. Nuance has adopted policies and procedures to apply workforce sanctions to employees who fail to comply with Nuance security policies and procedures.

Physical Controls
All Nuance facilities are protected by physical security controls including perimeter controls, electronic access systems, locks and cameras. Nuance stores all production data in physically secure data centers that also maintain additional access restrictions including: caged, locking racks along with secondary authentication and access. Nuance’s infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks.

Access
Nuance has located all equipment that stores Personal Data in controlled access areas. Nuance will only allow employees and contingent workers with a business purpose to have access to such controlled areas.

Access Points
Nuance’s externally-facing web servers and third-party access points are configured securely, including (but not limited to) implementing a properly constructed dedicated firewall, requiring a virus check before granting access to any third-party network, and disabling or removing routing processes to minimize access.

Business Continuity, Disaster Recovery
Nuance has implemented and documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in a timely manner after a disruptive event. Nuance regularly tests and monitors the effectiveness of its business continuity and disaster recovery plans.

Network Security
Nuance has implemented appropriate supplementary measures to protect Personal Data against the specific risks presented by the Services. All data is protected by encryption in transit over open, public networks. Data at rest is protected either by encryption or compensating security controls, which include segmented networks, tiered architecture, firewalls with intrusion protection and anti-malware protections, and limiting of port access.

Portable Devices
Nuance will not store Personal Data on any portable computer devices or media (including, without limitation, laptop computers, removable hard disks, USB or flash drives, personal digital assistants (PDAs) or mobile phones, DVDs, CDs or computer tapes) unless it is encrypted with a minimum of 128-bit encryption, or such higher-bit encryption as is in accordance with then-current industry best practice.

Monitoring
Nuance takes appropriate steps to monitor the security of Personal Data and (if appropriate) to identify patterns of suspect activity. Nuance designs applications and services to suppress the storage of sensitive data by Nuance. For every identified hosted change, security and QA teams review the data mapping requirements to validate that the intended fields continue to be suppressed. Nuance also monitors security logging events, which include log-on violations or attempts.