Technical and organizational measures

Description of technical and organizational measures

Last Modified April 1, 2024

Nuance maintains appropriate technical and organizational measures, through the implementation and enforcement of the following policies:

Security Organization, Risk Analysis and Risk Management
Nuance has a professional information security organization, headed by a Chief Information Security Officer, that works to provide robust information security controls for Nuance products and environments. Nuance performs annual assessments of the compliance of Nuance security controls with current certifications and industry standard controls. For further, and more explicit, details on the Security Organization, Risk Analysis, or Risk Management programs at Nuance, please refer to https://www.nuance.com/about-us/trust-center.html.

Workforce Clearance, Training and Sanctions
All Nuance personnel are subject to background checks before access to restricted data is permitted. All personnel receive regular security training. Nuance has adopted policies and procedures to apply workforce sanctions to employees who fail to comply with Nuance security policies and procedures.

Physical Controls
Nuance Data Centers - All Nuance facilities are protected by physical security controls including perimeter controls, electronic access systems, locks and cameras. Nuance stores all production data in physically secure data centers that maintain additional access restrictions, including caged, locking racks with secondary authentication required for access. Nuance’s infrastructure systems have been designed to eliminate single points of failure and to minimize the impact of anticipated environmental risks.

Cloud Data Center - Microsoft Azure runs in data centers managed and operated by Microsoft. These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. The data centers are managed, monitored, and administered by Microsoft operations staff. The operations staff has years of experience in delivering the world’s largest online services with 24 x 7 continuity. For additional information, please refer to https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility.

For Swiss Cloud: Hosting Services run in data centers managed by Voicepoint. These data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53. The data centers are managed, monitored, and administered by Microsoft operations staff. The operations staff has years of experience in delivering the world’s largest online services with 24 x 7 continuity.

Access
Nuance has located all equipment that stores Personal Data in controlled access areas. Nuance will only allow employees and contingent workers with a business purpose to have access to such controlled areas.

Access Points
Nuance’s externally-facing web servers and third-party access points are configured securely, including (but not limited to) a properly constructed dedicated firewall, a malware check before access to any third-party network is granted, and the disabling or removal of unnecessary routing processes to limit the paths by which systems can be reached.

Business Continuity, Disaster Recovery
Nuance has implemented and documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in a timely manner after a disruptive event. Nuance regularly tests and monitors the effectiveness of its business continuity and disaster recovery plans.

Network Security
Nuance has implemented appropriate supplementary measures to protect Personal Data against the specific risks presented by the Services. All data is protected by encryption in transit over open, public networks. Data at rest is protected either by encryption or by compensating security controls, which include pseudonymization, segmented networks, tiered architecture, firewalls with intrusion prevention and anti-malware protection, and restriction of open ports. Personal Data is retained only for the duration required for regulatory purposes, unless otherwise outlined by the Services.

Portable Devices
Nuance will not store Personal Data on any portable computer devices or media (including, without limitation, laptop computers, removable hard disks, USB or flash drives, personal digital assistants (PDAs) or mobile phones, DVDs, CDs or computer tapes) unless it is encrypted with at least 128-bit encryption, or with a longer key length where then-current industry best practice requires it. Nuance endpoints are provisioned with a standard configuration that is enforced at the organizational level.

Monitoring
Nuance takes appropriate steps to monitor the security of Personal Data and (if appropriate) to identify patterns of suspect activity. Nuance designs applications and services so that sensitive data is not stored by Nuance. For every identified change to hosted services, security and QA teams review the data-mapping requirements to confirm that the intended fields remain suppressed. Nuance also monitors security logging events, which include failed log-on attempts and other log-on violations. Data retained from logs includes, but is not limited to, timestamp, hostname, and username for accountability.
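The monitoring described above, in the form a practitioner would actually run, as an added example that is not part of this document and not Nuance's own tooling: the log line format, the hostnames, the usernames and the source addresses are all constructed for illustration, and the thresholds are assumptions. Each line carries the three fields the text names as retained for accountability (timestamp, hostname, username) plus an outcome, and the detector raises an alert when an account on a host accumulates a burst of failed log-ons inside a sliding window, and a second alert when a success follows such a burst, which is the pattern that most often means a guessed password.

```python
"""Detect log-on violations over authentication log lines.

Added example, not a Nuance artifact. The log format below is an assumption
made for illustration; real systems use syslog, Windows Event 4625/4624,
or a SIEM schema, and only the parser would change.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real data): timestamp, host, program, user,
# result and source address. The final line is deliberately malformed so the
# example shows how unparseable input is counted rather than silently lost.
SAMPLE_LOG = """\
2024-04-01T08:00:01Z app-01 sshd user=alice result=success src=10.0.0.5
2024-04-01T08:01:10Z app-01 sshd user=bob result=failure src=203.0.113.9
2024-04-01T08:01:12Z app-01 sshd user=bob result=failure src=203.0.113.9
2024-04-01T08:01:15Z app-01 sshd user=bob result=failure src=203.0.113.9
2024-04-01T08:01:17Z app-01 sshd user=bob result=failure src=203.0.113.9
2024-04-01T08:01:20Z app-01 sshd user=bob result=failure src=203.0.113.9
2024-04-01T08:01:25Z app-01 sshd user=bob result=success src=203.0.113.9
2024-04-01T08:30:00Z db-02 sshd user=carol result=failure src=10.0.0.7
2024-04-01T09:30:00Z db-02 sshd user=carol result=failure src=10.0.0.7
2024-04-01T09:31:00Z db-02 sshd user=carol result=success src=10.0.0.7
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+ user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def detect_logon_violations(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan log lines in order and return (alerts, skipped_line_count).

    Failures are tracked per (hostname, username) in a sliding window, so a
    slow trickle of failures spread over hours does not trigger, while a burst
    of `threshold` failures inside `window` does. A success that arrives while
    the window still holds at least `threshold` failures is reported separately.
    """
    failures = defaultdict(deque)  # (host, user) -> timestamps of recent failures
    alerts = []
    skipped = 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            skipped += 1
            continue
        key = (ev["host"], ev["user"])
        recent = failures[key]
        # Expire failures that fell out of the window before this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "failure":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # alert once per burst, not per extra failure
                alerts.append({"type": "brute_force", "host": ev["host"],
                               "user": ev["user"], "src": ev["src"],
                               "count": len(recent), "ts": ev["ts"]})
        else:
            if len(recent) >= threshold:
                alerts.append({"type": "success_after_failures", "host": ev["host"],
                               "user": ev["user"], "src": ev["src"],
                               "count": len(recent), "ts": ev["ts"]})
            recent.clear()  # a successful log-on resets the failure window
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect_logon_violations(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"{bad} malformed line(s) skipped")
```

With the defaults the constructed input yields two alerts, both for `bob` on `app-01`: five failures inside fifteen seconds, then a success from the same source. `carol` on `db-02` raises nothing, because her two failures are an hour apart and fall outside the five-minute window. The skipped-line count matters as much as the alerts: a monitoring pipeline that silently drops lines it cannot parse is one an attacker can blind by corrupting the log format, so the count should itself be alarmed on.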

Data Subject Requests
Nuance implements a documented process for assisting Company in responding to Data Subject Requests.

Governmental Requests
Nuance will not disclose or provide access to Personal Data being Processed under this DPA to law enforcement, unless required to by law, and only upon service of a legally‑binding request or order from a governmental authority.

If compelled to disclose or provide access to any Company Data to law enforcement, Nuance will promptly notify Company and provide a copy of the demand unless legally prohibited from doing so.

For Nordic Cloud only:

Data is hosted in a data center run by TietoEvry, to which the following TOMs shall apply:

Physical Controls
Risk inherent to organizational premises. Facilities hosting information systems must have appropriate security controls including but not limited to access controls, security officers and cameras. Managed facilities must implement adequate environmental safeguards to ensure availability and protect against damage. The physical and environmental safeguards will be evaluated, implemented and maintained regularly.

Access
Ability to control access to assets based on business and security requirements. A unique user identifier shall be created for each worker upon validation of the completion of the employment screening process. Password controls should follow industry standards. Privileged access must be allocated on a “need to know” basis and the access is commensurate to the user’s position and duties. Access to networks and network services, and sensitive information must use multi‑factor authentication. Access must be logged and monitored for unauthorized usage or malicious intent. Access must be reviewed for access appropriate to role and terminations.

Network Security
Manage direction and support for information security in accordance with business requirements and relevant laws and regulations. Information security policies are approved, published and communicated. A policy review process is in place, adopted and supported by management.

Ability to ensure correct and secure operations of an organization’s assets.

  • Hardware, operating system, database and applications must be actively supported by the vendor and receive regular security updates and maintenance.
  • Information systems must be protected from malicious code by anti‑virus and anti‑malware software that updates automatically.
  • Industry‑standard processes for Release, Change, Incident, and Problem management should be documented and implemented.
  • Information assets should have auditing enabled, with audit logs retained for a minimum of one year. Audit logs should be protected from unauthorized access and monitored on a regular basis.

Compliance
Organization’s ability to remain in compliance with regulatory, statutory, contractual, and security requirements.

  • Maintain policies and procedures to ensure compliance of systems with regulations and standards.
  • Compliance with any applicable regulatory or security standards requirements (SOX, PCI‑DSS, GDPR, etc.).
  • Conduct periodic reviews and audits of information processing systems for compliance with information security policies and standards.

Asset Management
The ability of the security infrastructure to protect organizational assets.

  • An inventory of assets associated with information and information processing facilities shall be identified and maintained. Each asset shall have an identified owner and rules for acceptable use.
  • Information shall be classified, with policies and controls applied according to risk.
  • Data shall be disposed of in a secure, protected way so that it cannot be recovered.

Information Systems Development and Maintenance
Ability to build security into information systems and to maintain it throughout their life cycle.

  • Project documentation for new information systems, or significant enhancements shall include security requirements and control as part of the functional requirements.
  • Developer will include secure code testing as part of the Software Development Life Cycle (SDLC) with review of code.
  • Input data shall be validated for correctness and security before it is processed.
  • Ensure the authenticity of messages or transactional data through digital signatures, and protect the integrity of data with industry-standard cryptographic integrity controls (such as authenticated encryption or message authentication codes).

Information Security Incident Management
The organization should have the ability to recover from an information security incident.

  • Employees will report incidents and follow an incident management process.
  • The incident management process shall include identification, classification, impact analysis and an escalation process.
  • The ability to perform a post-mortem, including follow‑up through to root cause with corrective action, must be in place.