Technical and organizational details
Last modified: June 12, 2018
Nuance maintains adequate technical and organizational measures, through the implementation and enforcement of the following policies:
Security Organization, Risk Analysis and Risk Management
Nuance has a professional information security organization, headed by a
Chief Security Officer and Chief Information Security Officer, that works
to provide robust information security controls for Nuance products and
environments. Nuance performs annual assessments of the compliance of
Nuance security controls with industry standard controls.
Workforce Clearing, Training and Sanctions
All Nuance personnel are subject to background checks before access to
restricted data is permitted. All personnel receive regular security
training. Nuance has adopted policies and procedures to apply workforce
sanctions to employees who fail to comply with Nuance security policies and
procedures.
Physical Controls
All Nuance facilities are protected by physical security controls including
perimeter controls, electronic access systems, locks and cameras. Nuance
stores all production data in physically secure data centers that also
maintain additional access restrictions, including caged, locking racks
and a secondary layer of authentication and access control. Nuance's
infrastructure systems have been designed to eliminate single points of
failure and minimize the impact of anticipated environmental risks.
Access
Nuance has located all equipment that stores Personal Data in controlled
access areas. Nuance will only allow employees and contingent workers with
a business purpose to have access to such controlled areas.
Access Points
Nuance's externally-facing web servers and third-party access points are
configured securely, including (but not limited to) implementing a properly
constructed dedicated firewall, requiring a virus check before granting
access to any third-party network, and disabling or removing routing
processes that are not required, so as to minimize access.
Business Continuity, Disaster Recovery
Nuance has implemented and documented appropriate business continuity and
disaster recovery plans to enable it to continue or resume providing
Services in a timely manner after a disruptive event. Nuance regularly
tests and monitors the effectiveness of its business continuity and
disaster recovery plans.
Network Security
Nuance has implemented appropriate supplementary measures to protect
Personal Data against the specific risks presented by the Services. All
data is protected by encryption in transit over open, public networks. Data
at rest is protected either by encryption or by compensating security
controls, which include segmented networks, tiered architecture, firewalls
with intrusion prevention and anti-malware protections, and restriction of
port access.
Portable Devices
Nuance will not store Personal Data on any portable computer devices or
media (including, without limitation, laptop computers, removable hard
disks, USB or flash drives, personal digital assistants (PDAs) or mobile
phones, DVDs, CDs or computer tapes) unless it is encrypted with a key of
at least 128 bits, or a longer key where then-current industry best
practice requires it.
Monitoring
Nuance takes appropriate steps to monitor the security of Personal Data and
(if appropriate) to identify patterns of suspect activity. Nuance designs
applications and services to prevent sensitive data from being stored by
Nuance. For every identified change to a hosted service, security and QA
teams review the data mapping requirements to validate that the intended
fields continue to be suppressed. Nuance also monitors security logging
events, which include log-on violations and log-on attempts.