Cloud Security Policy
This Cloud Security Policy (“Security Policy”) is incorporated into and made a part of the Agreement between Actimize and Customer for the purchase of Cloud Services. Except as otherwise set forth herein, defined terms used in this Security Policy shall have the meanings provided in the Agreement.
I. Purpose
This Security Policy describes the information security standards Actimize implements and follows in its business and in the provision of Cloud Services including the applicable technical and organizational measures. This Security Policy does not apply to trial, beta, evaluation, or free Cloud Services, nor to third-party products or services sold but not developed by Actimize. Actimize may update this Security Policy from time to time to reflect changes in Actimize’s security program provided such changes do not materially diminish the level of security provided herein.
II. Company Security
1. Overview. This Section II (Company Security) describes the information security controls Actimize implements and follows for the protection of its IT systems, networks, facilities and assets (“Company Systems”), and any Confidential Information accessed or processed therein, from anticipated threats or hazards, unauthorized or unlawful access, use, disclosure, alteration, or destruction, and accidental loss, destruction or damage (“Company Security Program”). The Company Security Program has technical and organizational measures that are appropriate to the nature, size, and complexity of Actimize’s business operations, the resources available to Actimize, the type of information that Actimize stores, and the need for security and confidentiality of such information.
2. Company Security Policies. Actimize has and maintains company information security policies (“Company Security Policies”) designed to educate its employees, contractors, and vendors on the appropriate use, access, and storage of Confidential Information. The Company Security Policies include access restrictions for personnel who have a ‘need to know’ such information, policies preventing terminated employees from accessing Actimize’s information and information systems post-termination and imposing disciplinary measures for failure to abide by the Company Security Policies.
3. Risk Assessment and Change Management. Actimize uses a risk-based methodology to help it reasonably identify internal and external risks to the Company Systems and information resources and decide whether the Company Security Program is sufficient or needs to be updated to address any identified risks. Actimize uses a change management process to ensure any changes to the Company Security Program or Company Security Policies are reviewed, tested, and approved.
4. System Access Controls. Actimize uses monitoring and logging tools to help detect and prevent unauthorized access to Company Systems. Actimize’s monitoring includes a review of Company Systems use through authentication and privileged access controls based upon the principle of least privilege through secure authentication, authorization mechanisms, and access control rules that take into account the risk associated with the particular information system, and the type of information stored therein. Access logs are maintained on a centralized repository to allow for security review and analysis by the security team. Such logs include log-on attempts, failover attempts, and log-off attempts. Users must authenticate with two-factor authentication prior to accessing Company Systems. Personal devices used to access Company Systems must be enrolled in the Actimize portal for security and access controls.
5. Threat and Vulnerability Management. Actimize monitors the Company Systems and the technology implemented therein for vulnerabilities that are acknowledged by third-party vendors, reported by researchers, or discovered internally. Any such vulnerabilities are identified for mitigation or fixes based on severity level. Actimize or third parties acting at its direction periodically perform network vulnerability and penetration tests on the Company Systems. Actimize uses real-time anti-virus and malware solutions to protect the Company Systems and its personnel’s computers against viruses, worms, and other forms of malicious code that may cause damage. Definition updates are performed and monitored on an automated basis.
6. Training. All Actimize employees and contractors are required to receive training on Company Security Policies upon hiring/onboarding and on an annual basis thereafter to maintain compliance with the Company Security Policies. Additional, more in-depth training may be required based on the roles and responsibilities performed by such personnel. Actimize also implements periodic security awareness campaigns to educate its personnel and to maintain a secure work environment.
7. Secure Product Development. When developing its software and technologies, Actimize employs a methodology for the acquisition, development, configuration, maintenance, modification, and management of such technology with the intent of maximizing its inherent security. Source code access is restricted to authorized personnel only. Actimize uses a risk-based approach when applying such methodology to production software, which may include activities such as performing security architecture reviews, open-source security scans, dynamic application security testing, network vulnerability scans, and code review. Actimize scans packaged software to ensure it’s free from trojans, viruses, malware and other malicious threats.
8. Storage and Secure Disposal. Actimize’s Company Security Policies contain procedures and controls regarding the secure disposal of tangible and intangible materials containing Confidential Information, which are designed to ensure such Confidential Information cannot be viewed or reconstructed when possible.
9. Third-Party Vendors. Actimize puts each third-party vendor and its partners through a rigorous due diligence process, including privacy and security reviews for those with access to Confidential Information, including Content and personal data (as defined under the General Data Protection Regulation (EU) 2016/679 (“GDPR”)) (“Personal Data”), prior to contracting with any such third party. Third-party vendors are subject to contractual obligations of confidentiality and risk assessments to determine the sensitivity of information being shared. Vendors are expected to comply with any pertinent contract terms relating to the confidentiality and security of data, as well as any applicable Actimize policies or procedures such as the Actimize Supplier Code of Conduct. Periodically, Actimize may re-evaluate a vendor and its security posture to help ensure compliance.
10. Personnel Security. Actimize requires each employee and contractor to enter into confidentiality agreements upon hire or engagement, as applicable, and to agree to its Code of Ethics and Business Conduct. Actimize performs background checks on its potential employees prior to hiring, as permitted by applicable law. In addition to the Company Security Policies, Actimize also requires its employees and contractors to agree and adhere to teleworking, internet acceptable use, social media, electronic messaging, clear desk/clear screen, and other work policies.
11. Facilities. Actimize grants physical access to its facilities based on role and logs visitor access. Actimize removes physical access when access is no longer required, including upon termination. Employees and visitors must visibly display and wear identity badges when in an Actimize facility. Visitors must always be accompanied while at an Actimize facility. Actimize reviews data center physical access, including remote access, on a regular basis to confirm that access is restricted to authorized personnel. Actimize employs additional measures to protect its employees and assets, including video surveillance systems and onsite security personnel.
12. Company Business Continuity and Disaster Recovery. Actimize endeavors to maintain continuity of its operations through business continuity, redundancy, appropriate staffing of incident response personnel, and timely recovery of critical Actimize processes and systems. Actimize has a business continuity and disaster recovery plan for its business operations (“BCP/DRP”), which is reviewed and approved by management at least annually. The BCP/DRP includes actions and procedures for Actimize facilities, business functions/operations, HR, IT, and communications, which are designed to ensure the survivability of Actimize’s internal services, mission-critical applications, infrastructure and data, and to enable the recovery thereof to effective service levels as soon as possible, to minimize the impact on the business should a reasonably foreseeable event occur that causes significant operational disruption and crisis to Actimize’s business and Company Systems. Training exercises and tests of the BCP/DRP are performed to ensure it is reliable and effective, and updates are made to the plan based on the findings of these tests.
13. Certifications. Actimize aligns its Company Security Policies to ISO 27001 standards for information security where practical. Actimize reviews its Company Security Policies at least once annually.
III. Cloud Services Security
1. Overview. This Section III (Cloud Services Security) describes the information security standards and administrative, technical and organizational safeguards Actimize implements and follows to protect the confidentiality, integrity, and availability of the Content (“Cloud Services Security Program”). The Cloud Services Security Program is designed to protect the Content from and against anticipated or actual threats or hazards, unauthorized or unlawful access, use, disclosure, alteration, or destruction, and accidental loss, destruction or damage, in accordance with laws applicable to Actimize’s provision of the Cloud Service to Customer under the Agreement.
2. Cloud Services Security Program. Actimize’s Cloud Services Security Program: (a) is consistent with industry recognized information security standards; (b) includes technical, administrative, physical and organizational measures designed to protect the confidentiality, integrity and availability of Confidential Information, including Content, as well as the processing of such data by Actimize’s employees, subcontractors, and sub-processors; and (c) is appropriate given the nature, scope, and complexity of the Cloud Services and Actimize’s business operations.
3. Cloud Services Security Policies. Actimize will maintain appropriate policies, standards, and procedures designed to support the Cloud Services Security Program (“Cloud Services Security Policies”) and will review and update them from time to time to ensure their relevance and accuracy and to maintain industry-standard security.
4. Risk Assessment and Management. Actimize uses a risk-based methodology to help it reasonably identify cybersecurity risks to its information assets. Actimize security teams review identified risks to understand potential impact to the business, determine appropriate risk levels, and treatment options. Risk mitigation plans are implemented by Actimize to address material risks to business operations, including data protection.
5. Change Management. Actimize follows documented change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes to the Cloud Services. These changes undergo appropriate levels of review and testing, including security and code reviews and regression testing, prior to approval for implementation. Software development and testing environments are maintained and logically separated from the Production environment.
6. Personal Data. The following terms apply with respect to Personal Data provided by Customer to Actimize:
a. Customer shall not share with Actimize any Personal Data beyond what is strictly necessary for Actimize to provide the Services.
b. As part of the Services provided under the Agreement, Actimize may provide Customer with a test environment (“Non-Production Environment(s)”). Unless otherwise specified in an Ordering Document, Customer agrees that it will not share with Actimize, for use in a Non-Production Environment, live production data or any Content that includes Personal Data, and shall only use test data within a Non-Production Environment.
c. To the extent that the Cloud Services involve the processing of any Personal Data outside the United States, Actimize, as a service provider, will process such Personal Data in accordance with this Section 6 (Personal Data) and the Data Processing Agreement available at https://www.nice.com/company/legal/data-processing-agreement (the “DPA”), which is incorporated herein by reference. The parties agree that Customer shall be the data controller and Actimize shall be the data processor. Customer warrants to Actimize that at all times during a Subscription Term, Customer has the requisite consents and is entitled to transfer the relevant Personal Data to the Cloud Services so that Actimize may process such data in accordance with this Security Policy and Applicable Data Protection Laws. Additionally, each party shall take appropriate technical and organizational measures against unauthorized or unlawful processing of Personal Data or its accidental loss, destruction, or damage.
d. Regulatory investigations. Upon prior written notice to Actimize of no less than sixty (60) days, Actimize will provide reasonable assistance to Customer, at Customer’s expense, in the event of an investigation by any law enforcement body or regulator, including a data protection or similar authority, to the extent that such investigation specifically relates to the processing of Personal Data in accordance with this Agreement.
7. Data Storage and Backup. Unless specified otherwise in an Order for Cloud Services, Content and Alerts are retained until the expiration or termination of Customer’s Order for the relevant Cloud Service, after which they are disposed of in accordance with the destruction measures in Section 8 (Data Management, Deletion and Destruction). The Cloud Services may include self-service tools that assist customers in limiting data retention during the Subscription Term of the Cloud Services. Additional services to assist in managing data retention may be available as Professional Services.
8. Data Management, Deletion and Destruction. Actimize has data disposal policies in place to guide personnel on the procedure for disposal of Confidential Information, including Content, in accordance with the terms of the Agreement. If deletion is required, Content will be securely deleted. Actimize uses Cloud Services hosting providers that comply with a decommissioning process designed to prevent Content from being exposed to unauthorized individuals, using either the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
9. Vulnerability Management. Actimize continuously monitors for vulnerabilities discovered through scans, offensive exercises, employees or externally reported by vendors or researchers. Actimize follows industry best practices to discover and address vulnerabilities in accordance with their severity level.
10. Incident Response and Breach Notification. Actimize has an Information Security Incident Response Plan (the “ISIRP”) and a Cyber Incident Response Team (“CIRT”) in place to prepare for, detect, analyze, contain, eradicate, recover from, and gain lessons learned from (as appropriate) identified information security incidents affecting Actimize. Actimize reviews and updates the ISIRP at least annually to reflect emerging risks and changes to Actimize’s operations and systems. Should a breach of security occur which leads to the unauthorized or unlawful destruction, loss, modification, disclosure of or access to Content, including Personal Data, while being transmitted, stored, or otherwise processed (as defined under GDPR) by Actimize (a “Data Incident”), Actimize will notify Customers without undue delay after its confirmation of such Data Incident. As appropriate, Actimize will provide affected customer(s) with known details regarding the Data Incident, including the date it was identified and confirmed, the nature and impact of the Data Incident on their Content, actions Actimize intends to take or has already taken to contain, eradicate, and/or recover from the effects of the Data Incident, and any impending next steps. In the event of a Data Incident involving Personal Data for which Customer is the data owner or controller, if Customer reasonably determines that notification is required by applicable data breach notification laws, Actimize will provide reasonable assistance to the extent required for Customer to comply with such laws, including assistance in notifying the relevant supervisory authority and providing a description of the Data Incident. Nothing in this Security Policy shall prohibit or limit Actimize from complying with any obligations it may have under the data breach notification laws.
11. Cloud Services Security Program Audit and Assessments. Actimize conducts internal control assessments on an ongoing basis to validate that security and access controls are designed and operating effectively. Third party audits are performed as part of Actimize’s certification process to validate the ongoing governance of control operations and their effectiveness. Issues identified from assessments and audits are documented, tracked, and remediated as appropriate given the materiality.
12. Security Audits. At least once a year, Cloud Services are subject to a security audit by an independent third party auditor that attests to the effectiveness of the controls Actimize has put in place to safeguard the systems and operations where Content is processed, stored, or transmitted (e.g., System and Organizational Control (SOC 2), Type 2). For those Cloud Services subject to SOC 2, the audit will be in accordance with the Attestation Standards under Section 101 of the codification standards (AT 101) and at a minimum will cover the security, confidentiality, and availability control criteria developed by the American Institute of Certified Public Accountants (AICPA). Upon request, Actimize will supply Customer with a summary copy of Actimize’s most recent annual audit reports available for the applicable Cloud Service, which will be deemed Actimize’s Confidential Information under the Agreement.
13. Penetration Testing. At least once a year Actimize performs, or employs a third party to perform, penetration testing on its applications and infrastructure of the Cloud Services. Issues identified during the engagement will be appropriately addressed within a reasonable timeframe given their materiality. Upon request, Actimize will provide Customer with a copy of the executive summary associated with such penetration testing results, which will be deemed Actimize’s Confidential Information under the Agreement.
14. Password, Access, User Management and Authentication. Application access logs are maintained on a centralized repository to allow for security review and analysis by the security team. Actimize maintains technical safeguards to prevent unauthorized access to Content through fraud or error. Actimize implements user access management functionality in the Cloud Services, including requirements for user registration, access provisioning, management of privileged access rights to information and information systems, and the removal or adjustment of access rights. Actimize maintains policies and processes to control and secure access to the back-end production environment of the Cloud Service based upon the principle of least privilege through secure authentication, authorization mechanisms, and access control rules that take into account the risk associated with the particular information system and the type of information stored therein. These processes include multiple layers of access controls such as firewalls, tokens, security keys, and authentication.
15. Encryption. Actimize employs encryption to mitigate the risk of unauthorized disclosure or alteration of Content in the Cloud Service. Cryptographic keys are protected against unauthorized access, disclosure, modification, and data loss.
16. Cloud Service Business Continuity. The Cloud Services environment is separate and within a reasonable distance from Company Systems. Actimize has a written business continuity plan designed to manage significant disruptions to its Cloud Services operations and infrastructure (“BCP”). Actimize reviews (and, as necessary, updates) and approves the BCP at least annually. The BCP provides steps required and expected to recover Actimize’s operations should a reasonably foreseeable disaster or force majeure event occur. Actimize personnel perform annual tests of the BCP to assess effectiveness. Test results are documented, and corrective actions are noted. Data backup, replication, and recovery systems/technologies are deployed to support resilience and protection of Content. Backup systems are configured to encrypt backup media. Disaster recovery capabilities for recovery to separate hosting service provider regions may require an additional fee for certain Cloud Services.
17. Data Center Physical Access. Data centers operated by Actimize, and those operated by its hosting service providers for the Cloud Services, have physical access control systems to permit only authorized personnel to have access to the secure areas. These physical controls include, but are not limited to, identification and signatures for all access requests, escorted access of authorized personnel, intrusion detection systems, access control devices, and closed-circuit television cameras.