Security

More than 2 million users across the globe trust us with the data our products process. We back that trust with robust data security and privacy practices that form an integral part of our product engineering and service delivery principles.

Data Security

We abide by security-and-privacy-by-design principles. These principles form a framework for building and maintaining secure systems, applications, and services that address security and cybersecurity considerations by default and by design. Top-down governance, with security in our DNA, lets us continually reassess our threat vectors and recalibrate to strengthen our security posture as the business and technology landscape changes.


99minds has implemented and maintains appropriate technical and organizational measures designed to protect customers’ personal information as required by applicable Data Protection Law(s).


For further details please refer to our information security policy.

Information Security Policy

1. Executive Summary

99minds Inc (referred to as ‘99minds’ in this document) is committed to ensuring the Confidentiality, Integrity, Availability, and Privacy of its information assets, and to protecting them comprehensively against the consequences of confidentiality breaches, failures of integrity, and interruptions to their availability.

99minds is a SaaS-based continuous quality testing cloud platform used by more than 2 million developers and testers globally. With over 3000 combinations of real browsers, mobile devices, and operating systems, it lets developers and testers perform cross-browser and cross-platform compatibility testing at scale and at speed. It also lets them run tests on containers at scale and supports on-prem and private cloud deployment models. We believe in providing products that are ready to go to market, easy to set up and use, and require minimal customization. All of our products live up to this promise and are backed by our support team.

Our Customers include Fortune 500 & G2000 companies from across the globe and they trust us with their data security. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering, technology landscaping, and service delivery principles.

In support of Security & Privacy by Design, security is at the heart of how we build our products, secure your data, and provide high resilience. We have created and implemented security and privacy principles that form a framework for building and maintaining secure systems, applications, and services. This framework lets us integrate a set of standards, guidelines, and best practices for managing information security, cybersecurity, data security, and privacy risk by default and by design, while meeting multiple requirements globally.

We have top-down governance and security in our DNA, which helps us continually reassess our threat vectors and recalibrate and strengthen our security posture to align with the changing business and technology landscape.

2. Scope

This policy applies to all 99minds employees, assignees, partners and contractors that provide services to 99minds and is an integral part of the Business Code of Conduct.

This also covers the security of information systems and data networks owned or used by 99minds as well as the information that is stored, transmitted, or processed by those systems.

3. Applicability

99minds is committed to complying with all applicable legislation and law of the land in all locations and countries related to its operations and information processing.

Key legislation complied with includes laws relating to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.

4. Leadership & Commitment

Executive leadership (Top Management) members are a part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all 99minds commitments to Customers and stakeholders are upheld.

99minds is committed to information security, protection of personal information, and privacy in accordance with applicable laws, regulations, and standards. Information Security & Compliance Steering Committee (ISCSC) members are responsible for defining and improving the Integrated Management System (IMS). Top management has demonstrated leadership and commitment to the IMS by:

i. Ensuring the information security and personal data protection policy and its objectives are established and are compatible with the strategic direction of 99minds.

ii. Ensuring the integration of ISMS, PIMS, SOC 2, CSA, and other standards requirements into 99minds’s processes.

iii. Ensuring that the resources needed are available.

iv. Communicating the importance of an effective integrated management system and of conforming to integrated management system requirements.

v. Ensuring that the IMS achieves its intended outcome(s).

vi. Directing and supporting persons to contribute to the effectiveness of the IMS.

vii. Promoting continual improvement.

viii. Supporting other relevant management roles in demonstrating their leadership as it applies to their areas of responsibility.

5. Policy

99minds is committed to:

i. Ensure Confidentiality, Integrity, Privacy, and Availability by adequately protecting information and information systems against unauthorized access or modification.

ii. Establish and implement security policies and processes while considering the protection of information and information systems from internal and external threats.

iii. Comply with legal, regulatory, and contractual security & privacy obligations as may be applicable.

iv. Ensure security and privacy awareness and competency amongst associates to enable them to meet their security & privacy obligations.

v. Provide a framework to manage and handle security incidents, privacy breaches, violations, and business disruptions.

vi. Ensure continuous improvement of the security & privacy posture to consistently meet its objectives.

99minds shall adopt leading industry security & privacy standards and practices to design and develop robust information security & privacy management framework to support this policy statement. To this effect, the policy shall be supported by domain-level security & privacy policies, procedures, guidelines, and standards, which shall be communicated and made available to relevant stakeholders.

5.1. Security and Privacy Governance Structure

At 99minds, the executive leadership (Top Management) members are part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all 99minds commitments to Customers and stakeholders are upheld. The ISCSC holds that ensuring the security and privacy of Customer information, and applying the right processing methods to any personal information in line with privacy regulations, should be the normal way of working at 99minds.

While information security and privacy are an organization-wide responsibility, the ISCSC has established dedicated information security and privacy teams as independent custodians of the vision. Both teams report directly to the ISCSC and independently manage the governance aspects of information security and privacy. The Information Security team is headed by the Information Security Officer (ISO) and the Privacy team by the Data Protection Officer (DPO), both of whom report directly to the ISCSC. The committee is headed by the Chief Executive Officer (CEO).

The ISCSC is committed to continually aligning the information security and privacy posture so as to: ensure data security and non-repudiation for Customers' data; ensure secure and stable products that provide consistent output; ensure delivery of products and services that are highly resilient to internal and external threats and interruptions; ensure that its people are oriented to the principles of security and privacy by design as they apply to their respective job roles; and ensure that business processes are designed and implemented on the basis of risk and control considerations.

On a half-yearly basis, the ISCSC reviews Information Security and Privacy in a structured manner. Following are the broad objectives of such reviews:

i. Road map: Ensure that the information security and privacy road map is well thought through after factoring in all Customer, regulatory and contractual requirements and is in sync with the internal and external threat vectors.

ii. Initiatives: Take stock of the various information security and privacy initiatives or programs and provide recommendations.

iii. Expertise: Ensure that adequate expertise is available for all information security and privacy initiatives. The ISCSC provides necessary technical inputs and ensures that 99minds leverages adequate expert opinions from various industry sources.

iv. Resources: Ensure that adequate people and financial resources are made available to various initiatives for effective execution.

v. Performance Evaluation: Evaluate information security performance and the effectiveness of the information security management system and the integrated management system.

In order to ensure proper internal controls and mitigate the risk of fraud and errors, 99minds is committed to maintaining a segregation of duties. The duties and responsibilities are divided among different individuals or teams to prevent any single person from having complete control over critical processes or systems.

99minds has a dedicated Information Security Officer and Data Protection Officer, and an independent team that runs the information security and privacy functions. The 99minds Information Security Office has the following teams:

  • Security Product & Engineering (AppSec): Responsible for ensuring that information security requirements are adhered to in the platform application architecture and technology landscape. This team ensures that all technology components are hardened, access controlled, and monitored, and that all internal and external threat vectors are structurally mitigated and managed.
  • Security Operations Center (SOC): Responsible for proactive monitoring of information security events and alerts, and for providing situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. The team ensures that tactical detection rules and data sensors are configured to provide suitable early warnings and alerts. The team works on a 24/7 basis to identify, analyze, communicate, investigate, and report on critical information security events.

The 99minds Data Protection & Risk Office has the following team:

  • Governance, Risk and Compliance (GRC): Responsible for risk management, ensuring the appropriate design of controls, their effective implementation, and their consistent operation; performing and coordinating internal and external audits; and managing information security incidents. The team ensures compliance with various information security and privacy frameworks and works towards continuous control maturity. GRC is also responsible for ensuring that the company operates within the established legal and regulatory frameworks: it creates and implements the policies, procedures, and controls related to information security and privacy that are essential for compliance with laws and regulations and for mitigating risks associated with business operations. Policies and standards are reviewed by relevant stakeholders and approved by document owners at least annually, and are made available to all 99minds employees on a centralized document repository. GRC additionally provides a single-window channel for communicating with Customers about the information security and privacy posture at 99minds, and feeds back the trends it sees in market expectations and requirements from an information security and privacy compliance perspective.

5.2. Human Resources Security and Privacy

At 99minds, we pride ourselves on building a powerful Cloud Testing Platform application that’s secure, reliable, easy to use and high-performance. We believe that customers and employees are the foundation of a successful business.

Recruitment

We are constantly on the lookout for smart people who are passionate about building great products, designing great experiences, building scalable platforms, and making customers happy.

All recruitment requests are raised to the HR department along with a job description and the role's responsibilities. Requests are approved by the respective department or pod heads based on their function's recruitment plan. HR and the respective pod managers are responsible for conducting interviews; depending on the seniority of the role, the HR team sets up interviews with the appropriate stakeholders. Candidates are selected on the basis of both culture and skill-set fit.

Background Verification

All employees joining 99minds undergo a mandatory background verification check, initiated once their employment offer is made. 99minds engages empaneled third-party service providers to perform background verifications covering identity, address, education history, employment history, and criminal history. Any risks identified by these checks are analyzed and accepted or rejected by the function's HR partner together with the respective business manager.

On-boarding

All new joiners are batched and start on Mondays. They undergo a two- to three-day onboarding schedule. During onboarding, employees are given an overview of the values lived at 99minds, the vision and key objectives, the organization structure and key stakeholders, and the processes that all employees are required to follow. As part of onboarding, all new joiners receive awareness training on information security, data privacy requirements, adherence to the Code of Conduct and applicable compliance obligations, and the practices followed at 99minds. This includes apprising and training the employee on their responsibilities with regard to information security, privacy, and compliance requirements.

Confidentiality Undertaking

All new joiners sign a confidentiality agreement as part of their employment agreement when they are onboarded as employees. The agreement specifies their obligations and responsibilities when handling confidential information they have access to during the course of their employment.

Code of Conduct

The Code of Business Conduct and Ethics (this Code) flows directly from the commitment of 99minds Inc., a Delaware corporation (together with its subsidiaries, “99minds”, “we”, “our”), to our mission and core values. We consistently aim for excellence and to provide value for our customers, partners, and stockholders, and it is critical that we do so with integrity and high ethical standards. It is unacceptable to cut legal or ethical corners for the benefit of 99minds or for personal benefit. The purpose of this Code is to promote ethical conduct, to serve as a guide, and to deter both wrongdoing and the appearance of wrongdoing. Doing the right thing is more important than winning at the risk of our reputation or the trust of our customers, partners, and stakeholders.

The Code is designed to ensure:

  • We operate our business ethically and with integrity
  • The avoidance of actual or apparent conflicts of interest
  • Compliance with the letter and spirit of all laws and of the policies of 99minds, including accurate and clear language in our reports, advertising, and public communications
  • The prompt internal reporting of suspected violations of this Code

The Code of Conduct (“Code”) applies to all employees, officers, directors and independent contractors of 99minds Inc., and all its subsidiaries. Every employee will be required to confirm their acceptance and understanding of this Code in our annual review cycle. All employees are required to abide by this Code, which comprises the following policies:

  • Promoting Diversity and Respect
  • Conflict of Interest
  • Anti-Bribery, Antitrust, and Anti-Corruption
  • Gifts and Entertainment
  • Acceptable use of Company Assets
  • No Retaliation
  • Privacy and Confidentiality
  • Health and Safety
  • Equal Employment Opportunity
  • Prevention of Harassment at Workplace
  • Policy on Media (including Social Media)
  • Policy on Intellectual Property Rights

Disciplinary Process

As part of the onboarding process, employees are apprised of the internal policies and processes that apply to them. Employees are also informed about the complaint reporting mechanism and the disciplinary process that may ensue. Any violation of the policies is reported as an incident and investigated by the HR team. A proven violation results in a warning, payment of compensation, withdrawal of promotion, suspension, or termination of employment, depending on the nature of the violation.

Transfers and Movements

When associates are transferred internally, the HR Manager finalizes the last day in the current role together with the current reporting manager, and this is communicated to the new manager as well. A request is then raised to align the associate's access rights with the new job role.

Employee Exits

All resignation notices are submitted to the reporting manager and HR. The reporting manager, with the consent of HR, recommends and confirms the relieving date. The exit process is then initiated: the exit form must be signed off by the associate's reporting manager, the Cloud Infrastructure team, Administration, IT, and HR, who together ensure that all assets issued to the employee are returned and all access to information granted to the employee is revoked.

Remote Working

Employees while working remotely must adhere to 99minds’s policies and procedures to protect confidential information. This includes using secure networks, ensuring passwords are strong and regularly updated, and following best practices for data protection.

5.3. Security Awareness and Training

99minds’s employees are security and privacy-minded through its continuous educational activities and practical exercises about evolving threats, compliance obligations, and secure workplace practices.

  • Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance.
  • All employees shall complete their annual information security, privacy, and compliance awareness and training program.
  • As part of this program, personnel with specific job functions shall receive additional training tailored to their roles and responsibilities, emphasizing the specific security & privacy risks and controls relevant to their positions.
  • Information security and privacy compliance training guide is provided as a quick reference to all employees.
  • Training logs identifying the training class, attendee, and date are kept by the HR department.

5.4. Asset Management

99minds has established a formal Asset Management Policy. The accompanying process enables effective management, control, and maintenance of the assets and information in its operating environment by classifying assets according to their function and criticality.

We are committed to sustainable asset management practices that promote environmental responsibility and efficiency. The objective of our asset management program is to monitor, track, and optimize the utilization of all company assets to ensure maximum efficiency, cost-effectiveness, and return on investment. Through strategic planning, proactive maintenance, and accurate data analysis, 99minds minimizes downtime, extends asset lifespan, and reduces operational expenses. By implementing best practices and leveraging technology, we aim to maximize productivity, improve asset performance, and ultimately enhance overall business performance and profitability. 99minds has defined the following asset management phases: planning, acquisition, operation, maintenance, disposal, and performance monitoring.

This policy is to identify, classify, label, and handle Information Assets of 99minds, and to apply protection mechanisms commensurate with the level of confidentiality and sensitivity.

  • The confidentiality and sensitivity of the information will be maintained through an Information Asset classification scheme. The level of security to be accorded to the information of 99minds depends directly on the classification level of the asset, which is associated with that information.
  • All new assets will be acquired in accordance with 99minds's procurement policies and procedures. A risk assessment will be conducted prior to acquiring any new asset to ensure that it aligns with the organization's strategic objectives. Asset acquisition decisions will be based on cost-effectiveness and strategic alignment with organizational goals. Asset performance metrics will be tracked and analyzed to evaluate asset ROI and inform strategic decision-making.
  • The Information Asset Inventory must contain the following information as a minimum:
    • Information Asset Identification
    • Information Asset Description
    • Information Asset Location
    • Information Asset Owner/Custodian
    • Information Asset Classification
    • Information Asset Value

Acceptable Usage of Assets

Employees are educated on being responsible and exercising good judgment regarding the reasonableness of personal use. For security and network maintenance purposes, authorized individuals within 99minds monitor equipment, systems, and network traffic. We reserve the right to suspend or disable employee network accounts on an actual or suspected security breach or policy violation. No IT resource assigned to an employee is transferred to another employee or group without first notifying IT so that the transfer is recorded; the transfer is made only after IT sign-off. If an asset is lost after an unrecorded transfer for any purpose, the employee is held liable and appropriate fines are levied.

Information at 99minds

99minds information may include, but is not limited to:

  • All computer equipment, software, operating systems, storage media, network accounts, electronic mail, etc… (“IT resources”), are the property of 99minds. These systems are to be used for business purposes in serving the interests of the company, and of our customers in the course of normal operations
  • All proprietary information that belongs to 99minds, such as user manuals, training materials, operating and support procedures, business continuity plans, and audit trails.
  • Personnel information relating to employees of 99minds.
  • All customer information & product research-related data held by 99minds.
  • All software assets such as application software, system software, development tools, and utilities.
  • All physical assets, such as computer equipment, communications equipment, removable media, and equipment relating to facilities.
  • All services, such as power, lighting, and HVAC associated with 99minds information systems.
  • People assets.
  • Intangibles assets such as the reputation and image of 99minds.

99minds maintains an inventory of all virtual devices (including servers and networking components), and physical devices. All the devices are labeled and tracked in an asset register with information about the asset owner, asset custodian, and asset location. The asset register is kept current and is updated whenever the assets are moved or retired or serviced.

5.5. Information Classification & Handling

99minds has developed and implemented a formal information classification and handling standard, consisting of distinct levels, which all 99minds employees must follow. The protection level and the requirements for data processing are defined for each classification category. The 99minds classification model has four levels:

  • Restricted
  • Confidential
  • Internal
  • Public

The classification level of all information or data is recorded both on the data itself and in the asset inventory. Classification enables 99minds to focus protection mechanisms on the assets most susceptible to specific risks, since information assets are assigned security controls according to their susceptibility to risk. The levels, from most to least sensitive, are described below.

Restricted (Restricted Information)

Restricted information is the most sensitive form of information. It is so sensitive that its disclosure or misuse would have a definite impact on 99minds’s business.

Extremely restrictive controls must be applied (for example, a very limited audience consisting only of those explicitly authorized to hold such information).

Confidential (Confidential Information)

Confidential information is distributed on a “need to know” basis only. It is so sensitive that its disclosure or misuse would have a definite impact on 99minds’s business.

Examples include System Security Parameters and Risk Assessment or Audit records, Intellectual Property, Customer Data, business plans, unpublished financial statements, Firewall and Router Configurations, Service Contracts, etc.

Internal (Internal Information, available to all employees within 99minds)

This class of information is generated or owned by 99minds. It must be used within 99minds and not shared externally or with third parties. There can be exceptions in certain cases, where access rights to particular information are restricted to specific people.

Examples include staff memos, company newsletters, staff awareness program documentation or bulletins, email, Backup media, SOP, etc.

Public (Public Information)

Disclosure of this class of information has no confidentiality impact on the information asset. It covers information that has either come from a public source or is provided by the company, or the company’s client, to the general public.

Examples include periodicals, advertisements, public bulletins, published company financial statements, published press releases, etc.

5.6. Identification and Authentication

99minds has adopted a Zero Trust model for Identity and Access Management (IAM), following the principle of “never trust, always verify”; access rights are provisioned on the basis of least privilege, need-to-know, and need-to-have (or need-to-do). As part of user lifecycle management, defined processes for adding, changing, and removing users and their access rights are applied across all information systems, applications, and services, and those access rights are reviewed periodically.

IAM is paramount to protecting 99minds information resources and requires the implementation of controls and continuous oversight to restrict access.

Product Access

By default, 99minds applies least-privilege and role-based access provisioning across all of its information systems. A small number of 99minds employees from Customer Success and Solution Engineering have access to Customer accounts because they need it for configuration or troubleshooting. These privileged accesses are reviewed on a regular basis.

99minds provides a role-based administration for all user accounts. There are 3 roles: admin, user, and guest, each with different permissions. The administrators of the account can control the user’s permission and activity.

Sub-Processor Access

99minds partners with organizations that, like 99minds, adhere to global standards and regulations. These organizations include the sub-processors and other third parties that 99minds uses to assist in providing its products and services.

This means that, by default, no sub-processor has access to any Customer test execution data. Incidents and support tickets are handled by 99minds.

Further, on a case-by-case basis, if an incident or support requirement arises that only a sub-processor can handle, access is granted by the Customer’s admin through the product as a temporary user and is revoked immediately once the issue has been resolved.

Internal Systems Access

Access to 99minds internal systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. When defining job roles and designing access roles, privilege combinations that would create conflicts of interest are avoided. Strong identification, authentication, and logging systems are deployed and provide centralized control to administer, monitor, and review all critical access events.

Access Control Environments

At 99minds, separate environments are established from a product standpoint: the product has distinct environments for development, testing, and production. Each environment is shielded from, and controlled in its interactions with, the other environments. Developers do not have access to the production environment (including no access to migrate changes). Access to migrate changes is limited to designated, authorized individuals.

Authorization Process

All access requests are logged, tracked, and managed through Jira (Atlassian suite). Every access request is approved by the reporting manager and the product owner, and additionally by the respective department head or their delegated approvers. Once approved, the request is routed to the respective system administrators for provisioning. Logs of all access requests raised, approvals obtained, and provisioning performed in the systems are maintained to establish an end-to-end audit trail.

Access to all environments (development, test, and production) and the resources within them is centrally managed through the IAM system. User IDs follow our internal naming convention and are managed so that each is attributable to a single user. Strong password parameters apply to all systems. Access is permitted only from registered user devices and only from the allowlisted IP addresses of 99minds. All access is routed through a bastion host, where the IAM solution enforces role-based access and two-factor authentication. System access logs for access to Customer data are maintained and reviewed by the NOC and SOC teams, which operate on a 24x7 basis.
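The two paragraphs above (Access Control Environments and the bastion-host controls) describe a chain of gates: allowlisted source address, registered device, second factor, and a role that is permitted to reach the requested environment. The following is an added example, not 99minds's IAM code, of how such a gate is evaluated deny-by-default. The CIDR ranges, device IDs and role-to-environment map are constructed for the example; the only rule taken from the page is that developers get no production access.

```python
"""Bastion-style access gate: deny by default, first failing check is the reason.

Added example; not 99minds's code. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed allowlist standing in for "the whitelisted IP addresses of 99minds".
ALLOWED_SOURCE_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed device registry standing in for "registered user systems".
REGISTERED_DEVICES = {"laptop-0042", "laptop-0077"}

# Constructed role map. The page only states that developers have no
# production access and that migrations are limited to designated people.
ROLE_ENVIRONMENTS = {
    "developer": {"development", "test"},
    "release-manager": {"development", "test", "production"},
    "sre": {"production"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    source_ip: str
    environment: str
    mfa_verified: bool


def _normalize_address(ip: str):
    """Parse the source address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Without this, a client reaching a dual-stack bastion over a mapped
    address would not match an IPv4 allowlist entry and be wrongly denied,
    or an operator might be tempted to allowlist ::ffff:0:0/96 wholesale.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every gate must pass; nothing is allowed implicitly."""
    try:
        addr = _normalize_address(req.source_ip)
    except ValueError:
        return False, "unparseable source address"

    # ip_network.__contains__ returns False for a mismatched address family,
    # so an IPv4 client is never accidentally matched against an IPv6 range.
    if not any(addr in net for net in ALLOWED_SOURCE_CIDRS):
        return False, "source address not allowlisted"
    if req.device_id not in REGISTERED_DEVICES:
        return False, "device not registered"
    if not req.mfa_verified:
        return False, "second factor missing"
    permitted = ROLE_ENVIRONMENTS.get(req.role, set())  # unknown role -> nothing
    if req.environment not in permitted:
        return False, f"role {req.role} may not access {req.environment}"
    return True, "allowed"


if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", "sre", "laptop-0042",
                                 "203.0.113.10", "production", True)))
    print(evaluate(AccessRequest("bob", "developer", "laptop-0077",
                                 "203.0.113.10", "production", True)))
```

The order of checks matters for what an attacker learns: the source-address and device checks run before anything user-specific, so a request from outside the allowlist receives the same answer regardless of whether the role or environment exists.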

Remote Access

Access to the 99minds production environment is limited to explicitly authorized users; as noted under Access Control Environments, developers and testers do not hold standing production access. All access to the production environment is allowed only from within the 99minds corporate network, which sits behind a VPN. To handle business continuity, disaster recovery, and pandemic scenarios, administrative and management users (Cloud Infrastructure, database administrators, on-call support, and 24x7 monitoring teams) have been provided with VPN access to connect to the office network. All such access is protected by Single Sign-On (SSO) or two-factor authentication, and every access is logged.

Access Reviews

On a quarterly basis, the ownership of all user accounts in the production environment is reviewed by the product owner. For sensitive and critical accounts, the review is performed monthly. The information security team tracks the user access review process and reports its findings to the ISCSC.

Password Management

The complexity and length of passwords are set according to best practices and adjusted when necessary. Our processes enforce the following minimum password requirements and security standards for user passwords on the 99minds Service:

  • Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
  • Five consecutive logins with the wrong username or password result in a locked account. The lock lasts long enough to hinder brute-force logins, but not so long that legitimate users are prevented from using the application.
  • Passwords must be changed after 60 days.
  • Employees must raise a request to reset a password; the IAM administrator then sends a temporary, email-based reset link to the employee's pre-registered email address and mobile number.
  • 99minds rate-limits repeated login attempts from the same email address.
  • 99minds prevents reuse of recently used passwords.
  • Passwords must be stored securely in password vaults using encryption methods approved by 99minds.
  • Password hashing: user account passwords stored on the 99minds Service are hashed with bcrypt using a random salt, following industry-standard techniques.
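The controls listed above (complexity check, lockout after five failures, 60-day expiry, salted hashing, and reuse prevention) as a small account model. This is an added illustration, not 99minds code: the policy specifies bcrypt, and PBKDF2-HMAC-SHA256 from the standard library stands in for it here so the example runs without third-party packages; the lockout duration and history depth are assumed, since the policy gives no figures.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy values from the text; times are Unix seconds so the logic is easy to test.
MIN_LENGTH = 8                 # minimum password length
MAX_FAILED_ATTEMPTS = 5        # lock after five bad logins
MAX_AGE = 60 * 24 * 3600       # change after 60 days
LOCKOUT_PERIOD = 15 * 60       # assumed: the policy gives no lockout duration
HISTORY_SIZE = 5               # assumed depth of the "recently used" check
PBKDF2_ROUNDS = 200_000        # stand-in work factor (policy specifies bcrypt)


def complexity_errors(password):
    """Return the policy rules the password violates (empty list if it passes)."""
    checks = [
        (len(password) >= MIN_LENGTH, "at least %d characters" % MIN_LENGTH),
        (any(c.isupper() for c in password), "an uppercase letter"),
        (any(c.islower() for c in password), "a lowercase letter"),
        (any(c.isdigit() for c in password), "a digit"),
        (any(not c.isalnum() for c in password), "a symbol"),
    ]
    return [rule for ok, rule in checks if not ok]


def hash_password(password):
    """Random 16-byte salt prepended to the derived key, so equal passwords hash differently."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, stored):
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, key)  # constant-time comparison


@dataclass
class Account:
    changed_at: int                              # time of the last password change
    history: list = field(default_factory=list)  # recent hashes, newest last
    failed_attempts: int = 0
    locked_until: int = 0

    def set_password(self, password, now):
        errors = complexity_errors(password)
        if errors:
            raise ValueError("password needs " + ", ".join(errors))
        if any(verify_password(password, h) for h in self.history):
            raise ValueError("password was used recently")  # reuse prevention
        self.history = (self.history + [hash_password(password)])[-HISTORY_SIZE:]
        self.changed_at = now

    def login(self, password, now):
        """Return 'ok', 'expired', 'locked' or 'bad'; never reveals which part failed."""
        if now < self.locked_until:
            return "locked"
        if not self.history or not verify_password(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_PERIOD  # temporary lock, then reset
                self.failed_attempts = 0
            return "bad"
        self.failed_attempts = 0
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```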

Single sign-on

99minds lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to the 99minds platform using their existing corporate credentials. SSO is available on select packages only, so please consult your order form for eligibility.

5.7. Cryptographic Protections

99minds has developed and implemented a formal cryptographic protection standard that ensures the confidentiality, authenticity, and integrity of information transferred over third-party networks and protects it against unauthorized access and malicious activity.

i. Cryptographic controls can be used to achieve different security objectives, e.g:

a. Confidentiality: Using encryption to protect restricted or critical information, whether stored or transmitted.

b. Integrity/Authenticity: Using cryptographic techniques to verify that restricted or critical information, whether stored or transmitted, has not been altered and originates from the claimed source.

c. Non-Repudiation: Using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action.

ii. Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

We use cryptographic methods and industry standards to protect customer data in transit and at rest. For example, all communications with 99minds platforms and APIs over public networks are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher), so that all traffic between you and 99minds is protected in transit. By default, encryption is also enabled on all our services that hold data at rest, using AES-256, with keys managed by key management services.

Key Management

At 99minds, we prioritize the security and integrity of our cryptographic keys through stringent key management practices. Our approach follows industry standards and best practices, encompassing key generation, distribution, storage, updates, and disposal. We maintain strict controls over key access and usage, promptly addressing any compromises or incidents. Additionally, we ensure compliance with legal requirements and safeguard key authenticity alongside integrity. Our commitment extends to protecting keys against unauthorized access and physical threats.

5.8. Physical & Environmental Security

The following section provides an overview of the physical and environmental security safeguards at the 99minds Product Development center in India and at the data centers where 99minds products and data are hosted.

Perimeter Security at 99minds office

99minds operates out of a multi-tenant building where perimeter security is centrally provided by the Building Management System team. The building is continuously patrolled by security guards on a 24x7 basis. The guards only allow employees with a valid ID card inside the building.

Access to the 99minds office is restricted to 99minds employees and authorized support staff. CCTVs are installed at all vantage points within the office, including all entry and exit points. The administration and facilities team is responsible for monitoring the CCTV footage, which is retained for a minimum of 90 days.

24x7 dedicated security guards are deployed at entry and exit points. All the entry points are further secured using a proximity-based access card system. Access reviews are carried out by the 99minds Administration team on a regular basis to ensure only authorized 99minds employees or support staff have access.

Visitor Management at 99minds office

All visitors are registered at the entrance at 99minds with details of host and purpose of visit. The visitors are provided an ID tag and are always escorted by a host while inside the premises.

Material Movement at 99minds office

99minds has established procedures for equipment siting and identification. At the entrance, security personnel track the movement of equipment and consumables and verify the relevant authorizations for bringing in or removing any classified materials. The IT team ensures that all equipment movements are approved and sent to authorized recipients. Dedicated loading and unloading areas have been identified for the movement and disposal of electronic media and equipment. Such movements are authorized by the IT Manager and tracked by the Facilities Administration team.

Environmental Safeguards at 99minds office

The office workspace has multiple controlled entry and exit points with visible markings and floor maps displayed that assist in speedy evacuation from anywhere in the office. Smoke detectors are installed throughout the facility and are supported by sprinkler-based fire suppression systems that run throughout the facility. Further, appropriate types of fire extinguishers are placed at various locations in the facility with clear markings. The facility is covered with a public address system that helps to provide any flash announcements in case of any emergency.

A centrally managed Heating, Ventilation, and Air-Conditioning system (HVAC) has been installed and managed by the facilities administration team. The power supply received for the facility is integrated with an Uninterrupted Power Supply (UPS) and Diesel-based power generator. In case of any power interruptions, automatic and uninterrupted switch-over will happen to ensure that there is no impact on the facility and its systems or equipment. All power cables and network cables are secured and shielded from interferences and are identified for supporting maintenance and troubleshooting work.

All equipment and systems providing environmental safeguards are covered under warranties and annual maintenance contracts and, accordingly, undergo regular preventive maintenance checks to ensure their proper functioning.

Physical and Perimeter Security at Data Center

99minds hosts its products and associated data in AWS and Microsoft Azure data centers that provide cutting-edge security and resilience and are compliant with a plethora of information security standards and frameworks. The data centers are hosted in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, motion detectors, intrusion alarm systems, and other electronic means. Authorized staff must pass through two-factor authentication a minimum of two times to access data center floors.

Physical access to the hub room located at 99minds' corporate office is restricted by professional security staff and video surveillance. Access is granted only through the combination of an access card and biometrics. In addition, a physical logbook is maintained in which details such as the name of the person, purpose, and in and out times are recorded.

99minds prioritizes the resilience and reliability of its utility infrastructure to support uninterrupted business operations. Our approach includes strict adherence to manufacturer specifications, regular appraisal, proactive inspection, and testing. We employ alarm systems for early detection, redundancy measures for continuity, and network segregation for security. Emergency provisions, including lighting, communications, and contact details, ensure swift response during outages or emergencies. This commitment underscores our dedication to safeguarding operations and personnel safety.

Cabling security is ensured by implementing measures such as underground installation where possible, segregation of power and communication cables, use of armoured conduit and locked rooms, electromagnetic shielding, regular inspections, controlled access to cable and hub rooms, and proper labeling of cables for physical identification.

Environmental Safeguards at Data Center

All critical IT equipment is hosted in AWS and Microsoft Azure data centers. Automatic fire detection and suppression equipment have been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments including the mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems as suitable based on the types of combustible materials in the respective zones.

Submersible pumps are installed and maintained as a safeguard against flooding. The data centers receive power from two different feeder channels and are additionally supported by power generators and UPS, all with automated switch-over in the rare event of a power outage. The data centers' electrical power systems are designed to be fully redundant and maintainable without impact on operations, 24 hours a day, seven days a week. UPS units provide backup power for critical and essential loads in the facility in the event of an electrical failure. Data centers use generators to provide backup power for the entire facility.

Climate controls are required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Equipment Maintenance

99minds prioritizes equipment maintenance to safeguard our information assets. We adhere to supplier recommendations, implement a robust maintenance program, and restrict access to authorized personnel. Records are kept for all maintenance activities, and security measures are enforced for on-site maintenance. We comply with insurance requirements and conduct thorough inspections before reactivating equipment. Our goal is to ensure equipment reliability, security, and confidentiality.

Secure Disposal or Reuse of Equipment

99minds prioritizes the secure disposal and re-use of equipment and storage media containing confidential information. All employees must adhere to thorough verification processes, physical destruction of storage media, removal of identifying labels, and consideration of security control removal when moving premises. These measures are essential for maintaining information security and compliance.

5.9. Security Operations

99minds maintains a formal information security management program with dedicated security personnel reporting to 99minds's Head of Security. 99minds has established a formal policy and process covering the requirements and key information security considerations for information technology operations, including the definition of standard operating procedures, change management, configuration management, release management, information backup and restoration, and cloud computing.

A number of security controls are in place to protect data, information, and information systems, and to monitor 99minds for suspicious activity.

  • Documented operating procedures: Documented procedures have been formally laid down for the operational activities associated with information processing and communication facilities, and are maintained to ensure the correct and secure management of those facilities.
  • Malware and spam protection: Anti-malware systems and services are in use to detect, prevent, and report malicious software and activity. All in-scope systems are configured with malicious code protection and detection software; systems are kept up to date and definitions are updated regularly.
  • Logging: 99minds defines the criteria for creating and managing logs, specifying the data to be collected and logged and the procedures for protecting and handling log data. All systems, devices, and applications generating logs must adhere to these guidelines. Key logging criteria include capturing user IDs, system activities, event details, and network information. Events such as access attempts, system configuration changes, and file access must be logged. Time synchronization across systems is essential for effective log correlation and analysis.
  • Monitoring: 99minds is dedicated to upholding a robust monitoring framework to safeguard the security and integrity of our systems, networks, and data, in alignment with our business objectives and legal obligations. Our guidelines define the scope and protocols for monitoring activities, covering the determination of scope, inclusion criteria, establishment of baselines, anomaly detection, and specific measures for web monitoring. Monitoring records are maintained in accordance with organizational policy and in compliance with relevant laws and regulations.
    Additionally, the 99minds Security Information and Event Management (SIEM) system gathers extensive logs from important network devices and host systems to detect potential threats. If any criteria threshold or suspicious-event logic is triggered, an alert is generated that notifies the security team, based on the correlated events, for investigation and response.
    Once a potential risk has been determined, the security team begins incident handling and response, which includes gathering data (e.g., logs and forensic images) to help determine the root cause of the incident as well as the best course of action for mitigation.
    After an incident has been resolved, the security team enters the final phase of the incident response lifecycle, which includes processes and feedback loops such as a post-mortem analysis. The incident post-mortem is designed to highlight what was done well and what could be improved, how to better defend 99minds from similar incidents, and where 99minds should focus resources going forward. Through this process, the security team provides proactive guidance to, and drives improvements across, the entire 99minds organization and, when required, its supporting processes.
  • Threat Intelligence: 99minds is dedicated to maintaining robust threat intelligence practices to protect our assets and stakeholders. We have established clear objectives; we vet and select relevant information sources, collect and process data, analyze the findings, and communicate them effectively. Continuous improvement is prioritized to adapt to evolving threats and organizational needs. Our tooling is combined with threat intelligence to detect anomalies in our product and our infrastructure.
  • Backup: All data hosted on the cloud is synced in real time (subject to cross-regional network latency) across Availability Zones (AZs) or to a separate AWS or Azure region other than the one hosting the Customer-serving infrastructure. Each AWS or Azure AZ or region is designed to be completely isolated from the other AWS/Azure regions, which helps achieve the greatest possible fault tolerance and stability. Data sync happens in an active-active model, and each side is equipped to independently handle the load in case of a failure.
  • Technical Vulnerability Management: 99minds has a vulnerability management standard based on CVSS severity (critical, high, medium, and low) as reported by our scanning vendor(s). Vulnerability scans are conducted on all production systems and endpoints on a regular basis. Remediation timeframes are determined through a combination of CVSS level, impact analysis of the remediation options on our customers and business, and contractual SLAs.
  • Control of operational software: Applications and operating system software are implemented only after successful testing. The tests cover usability, security, effects on other systems, and user-friendliness, and are carried out on separate systems. Operational systems hold only approved executable code, not development code or compilers.
  • Information system audit: The required guidelines are defined internally and must be followed by all 99minds employees.
  • Web Filtering: 99minds is dedicated to protecting the organization’s personnel and digital assets from the threats associated with accessing malicious or illegal websites. Our measures to mitigate these risks include blocking access to websites known for illegal content, viruses, or phishing material. We employ techniques such as IP and domain blocking, categorize websites based on risk, and restrict access to specific categories of sites. Furthermore, we use browser and anti-malware technologies to automatically block prohibited sites, safeguarding our network and data integrity.
  • Installation of software on operational systems: 99minds prioritizes the security of our operational systems. To ensure secure management of software changes and installations, we adhere to strict guidelines:
    • Only approved, rigorously tested executable code is installed; no development code or compilers.
    • Old software versions are archived for contingency, and upgrades consider business needs and security implications.
    • Vendor-supplied software is kept up to date, and open-source software is maintained at the latest release.
    • Access to external software is monitored to prevent unauthorized changes, and strict rules govern user-installed software.

By adhering to these guidelines, we ensure the integrity and security of our operational systems.