Terms and Conditions of Security
"The Lynn Cloud Security Terms" are incorporated by reference into the Terms and Conditions agreement for the Lynn products and describe the contractual requirements for the security of the information provided by Lynn to the Customer in connection with the provision of the Lynn Cloud Services that the Customer has obtained under license from Lynn, in accordance with an agreement executed by both parties governing such provision and use of the Lynn Cloud Services (the "Agreement"). These terms apply to the extent that Lynn has access to and control over the Customer Data.
1.1. Security Standards. Lynn has implemented and will maintain an information security program that follows generally accepted system security principles incorporated in the ISO 27001 standard designed to protect Customer Data, as appropriate to the nature and scope of the Lynn Cloud Services provided.
1.2. Security Awareness and Training. Lynn has developed and will maintain an information security awareness and training program delivered to all relevant employees and contractors at the time of hire or contract initiation and annually thereafter.
1.3. Policies and Procedures. Lynn will maintain appropriate policies and procedures to support the information security program. Policies and procedures will be reviewed annually and updated as necessary.
1.4. Change Management. Lynn will use an industry-standard change management process to ensure that all changes to the Lynn Cloud environment are properly reviewed, tested, and approved.
1.5. Data Storage and Backup. Lynn will create backups of critical customer data. Customer data will be stored and maintained solely on Microsoft Azure. Backup data will not be stored on portable media. Backups of customer data will be protected against unauthorized access.
1.6. Antivirus and Antimalware. Standard antivirus and antimalware protection solutions are used on systems that may be affected by malware to protect their infrastructure, as well as on systems that support Lynn Cloud to prevent malware such as Trojans, viruses, worms, and denial of service attacks.
1.7. Vulnerability and Patch Management. Lynn will maintain a vulnerability management program that ensures compliance with industry standards. Lynn will assess all critical vulnerabilities in the Lynn Cloud MS Azure production environment for access/vector complexity, authentication, impact, integrity, and availability. If Lynn deems the resulting risk to be "critical" to customer data, Lynn will strive to patch or mitigate affected systems within 3 business days. Certain stateful systems cannot be patched as quickly due to interdependencies and impact to the customer, but will be remediated as soon as possible.
1.8. Data elimination and destruction. Log elimination processes are supported by indexes associated with logical instances of applications that expire 2 years after their creation. If extended persistence is required, it can be enabled at the client's request. Similarly, the complete removal can be requested within a different timeframe if necessary. It should be understood that this policy strictly applies to data originated in production environments. Other data sources such as development environments will have their own persistence ranges, always respecting a minimum storage period of one month.
2. Product Architecture Security
2.1. Logical Separation Controls. Lynn will employ effective logical separation controls based on industry standards to ensure that customer data is logically separated from other customer data within the Lynn Cloud.
2.2. Firewall Services. Lynn maintains granular inbound and outbound rules, and changes must be approved through Lynn's change management system. Rule sets are reviewed semi-annually.
2.3. No Wireless Networks. Lynn will not use wireless networks within the MS Azure cloud service environments.
2.4. Data Connections between the Client and the Lynn Cloud service environment. All connections to browsers, mobile applications, and other components are protected using Hypertext Transfer Protocol Secure (HTTPS), Secure Real-time Transport Protocol (SRTP), and Transport Layer Security (TLS v1.2) over the public Internet (Please note that some Lynn Voice Gateways may not adhere to this transport layer protection due to limitations imposed by the telecommunications operator).
2.5. Data Connections between the Lynn Cloud service environment and third parties. Transmission or exchange of Customer Data with the Client and any Lynn providers will be performed using secure methods (e.g., TLS 1.2, HTTPS, SFTP).
2.6. Logging and Monitoring. Lynn will log security events from an operational perspective for all infrastructure that provides Services in the Lynn Cloud to the Client. Lynn will monitor and investigate events that may indicate a security incident or problem. Event logs will be retained according to the event persistence statement, and these persistence ranges may be adjusted or modified in whole or in part subject to prior notification. Clients can access limited audit data through the Graphical User Interface (GUI) and the Application Programming Interface (API).
3. User Access Control
3.1. Access Control. Lynn will implement appropriate access controls to ensure that only authorized users have access to customer data within the Lynn Cloud environment.
3.2. Client User Access. The Client is responsible for managing user access controls within the application. Lynn has requirements for valid passwords and a lockout system for retry attempts. Most users experience a lockout period in case of failed retries, and if necessary, they should request the unlocking of their account through the support channel. Lockout settings are not configurable. The client defines usernames and roles in a granular access permission model. The Client is fully responsible for any failure by themselves, their agents, contractors, or employees (including, among others, all their users) to maintain the security of all usernames, passwords, and other account information under their control. Except in the case of a security failure caused by Lynn's gross negligence or deliberate action or inaction, the Client is entirely responsible for all use of Lynn's cloud services through the Client's usernames and passwords, whether or not authorized by the Client, and all charges resulting from such use. The Client will immediately notify Lynn if they become aware of any unauthorized use of Lynn's cloud services.
3.3. Lynn User Access. Lynn will create individual user accounts for each of its employees or contractors who have a business need to access Customer Data or Customer systems within the Lynn Cloud environment. The following guidelines will be followed regarding the management of Lynn user accounts:
3.3.1. User accounts are requested and authorized by Lynn management.
3.3.2. Strict password controls are consistently applied.
3.3.3. Session timeouts are consistently applied.
3.3.4. User accounts are immediately disabled upon employee termination or transfer of roles or if there is no valid business or operational need for such access.
4. Business Continuity and Disaster Recovery.
4.1. Protection against outages. Lynn Cloud services will be implemented and configured in a high availability design and will be deployed across different Availability Zones and Microsoft Azure (MS AZ) regions to provide optimal availability of Lynn Cloud services. The Lynn Cloud environment is physically separated from the Lynn corporate network environment so that any outage event involving the corporate environment does not affect Lynn Cloud availability.
4.2. Business continuity. Lynn will maintain a corporate business continuity plan designed to ensure ongoing support and monitoring services in the event of an outage event involving the corporate environment.
4.3. Disaster recovery. Lynn Cloud's MS AZ platform leverages the distributed nature of MS AZ infrastructure to enable full disaster recovery across multiple sites by operating across multiple AZs; distinct locations that are designed to be isolated from each other. Independent application stacks run across multiple AZs. In the event of loss of a single AZ or datacenter, the remaining Lynn Cloud services remain operational and are designed to automatically scale to replace the lost system capacity, effectively ensuring a zero Recovery Time Objective (RTO).
5. Security Incident Response
5.1. Security Incident Response Program. Lynn will maintain an industry-standards-based security incident response program designed to identify and respond to suspected and actual security incidents involving customer data. The program will be reviewed, tested and, if necessary, updated at least once per year. “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, alteration, disclosure or access to Customer Data.
5.2. Notification. In the event of a Security Incident or other security event requiring notification under applicable law, Lynn will notify the Customer within twenty-four (24) hours and will cooperate reasonably for the Customer to make any required related notifications, unless Lynn is specifically requested by law or a court order not to do so.
5.3. Notification Details. Lynn will provide the following details with respect to any Security Incident to the Customer: (i) the date the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions Lynn has already taken; (iv) corrective measures to be taken; and (v) assessment of alternatives and next steps.
5.4. Ongoing Communications. Lynn will continue to provide appropriate status reports to the Customer regarding the resolution of the Security Incident and will work continuously in good faith to correct the Security Incident and prevent future Security Incidents. Lynn will cooperate, as reasonably requested by the Customer, to further investigate and resolve the Security Incident.
6. Data Center Protections
Lynn has a contract with MS AZ for Platform as a Service (PaaS) subject to service subscription. Security and Compliance certifications and/or Assurance Reports for MS AZ must be obtained directly from MS AZ. MS AZ may request the Client to execute additional confidentiality agreements.
7. Use of Lynn Cloud Services
7.1. Use Restrictions. The Customer shall not use the Lynn Cloud Services for any of the following reasons: (i) violate applicable law; (ii) transmit malicious code; (iii) transmit on emergency numbers or channels or spoof any emergency services (or reconfigure to support or provide for such use); (iv) interfere, overburden, or disrupt the integrity or performance of the Lynn Cloud Services or third party data contained therein; (v) attempt to gain unauthorized access to systems or networks; or (vi) provide the Lynn Cloud Services to third parties that are not Users, including without limitation unauthorized resale by Lynn of licenses, loans, or leases.
7.2. Test Client Restrictions. The Client shall not perform any type of penetration test, vulnerability assessment or denial of service attack on Lynn Cloud's production, testing, or development environments. Authorized penetration tests in a test environment are available at a fee and must be coordinated with the Lynn Sales Team and the Lynn Cloud Security Team.
7.3. Prohibited Use. The Client shall make all commercially reasonable efforts to prevent and/or block any prohibited use by Users.
7.4. Client Warranties. The Client shall maintain a commercially reasonable and appropriate administrative, physical, and technical security level with respect to their application or account, passwords, antivirus and firewall protections, and connectivity to Lynn Cloud Services.
7.5. Voice Service Lines. The Customer must maintain strict security on all voice service lines. The Customer acknowledges that Lynn does not provide the Customer with the ability to communicate with emergency numbers or other emergency services, and the Customer agrees to inform any person present where Lynn cloud services are used, or using Lynn cloud services, of the lack of availability of emergency numbers or other emergency dialing.
7.6. Security Features. If Lynn Cloud Services will be used to transmit or process Personal Data, the Client will ensure that all Personal Data is captured and used only by use of security features made available to the Client by Lynn.
7.7. Recordings. The Client acknowledges that the use of recordings is solely under the Client’s control and discretion. Without limiting the foregoing: (i) the Client accepts the sole responsibility for determining the method and manner of recording so as to comply with all applicable laws and configuring and using the Services accordingly; and (ii) the Client will ensure that recordings are made only for the required purposes and/or in compliance with all applicable laws. The Client will ensure that: (a) recordings shall not knowingly include any bank account number, credit card number, authentication code, Social Security number or Personal Data, except as allowed by all applicable laws; or (b) recordings are encrypted at all times. The Client shall not modify, disable or circumvent the recording encryption function within Lynn’s Cloud Services.
8. Industry Specific Certifications
Lynn's operational and security controls are based on industry standard practices. However, the Client is solely responsible for achieving and maintaining any industry specific certifications required for the Client's business.
Lynn has developed and will maintain a privacy program designed to respect and protect Customer Data under Lynn's control.
10. Customer Data
10.1. Ownership and License. Between Lynn and the Customer, Customer retains ownership and all intellectual property rights in the Customer Data and grants to Lynn a non-exclusive, non-sublicensable (except to parties working on Lynn’s behalf), non-transferable, and royalty-free license to access, process, store, transmit, and use the Customer Data as necessary to provide the Lynn Cloud Services and to fulfill Lynn’s obligations under the Agreement.
10.2. Processing Locations. The Customer agrees that Customer Data may be transferred or stored outside the country where Customer and its customers are located to provide support services and troubleshooting pursuant to the Agreement.
10.3. Consents. The Customer warrants that it has obtained all necessary consents for Lynn to collect, access, process, store, transmit, and use the Customer Data in accordance with the Agreement.
10.4. Quality. The Client acknowledges that Lynn has no control over the content or quality of the Client Data sent to the Cloud Services by Lynn. The Client shall comply with all applicable requirements of integrity, quality, legality and all other similar aspects with respect to the Client Data. Lynn expressly disclaims any obligation to review or determine the legality, accuracy or integrity of the Client Data.
10.5. Service Improvements. Lynn may aggregate and use data and information related to the performance, operation and use of the Cloud Services by the Client to create statistical analysis, perform comparative evaluations, conduct research and development and perform other similar activities ("Service Improvements"). Lynn shall not incorporate the Client Data into the Service Improvements in a manner that can identify the Client or its customers. Lynn shall use industry standard techniques to anonymize the Client Data if required prior to making Service Improvements. The anonymized data and resulting Service Improvements shall not be considered Client Data. The Client Data and resulting anonymized data shall, at all times, be subject to the security controls established in these Lynn Cloud Security Terms. Lynn retains all intellectual property rights in the Service Improvements and may make them available to the public.
For the purposes of these Lynn Cloud Security Terms, the following defined terms shall have the meanings set forth below.
11.1. Customer Data: Customer-owned information and information about Customer's customers (including Personal Data) uploaded through the Lynn Cloud Services by the Customer or its Users.
11.2. Data Center: a data center where Lynn hosts the Lynn Cloud environment.
11.3. Industry Standard(s): generally accepted cloud information security practices as described in Section 8 (Specific Industry Certifications) as such standards may be updated from time to time due to changes in applicable law and accepted industry practices.
11.4. Personal Data: any information related to Customer's customers that is protected by applicable privacy law.
11.5. Lynn Cloud Services: Lynn's patented multi-user cloud services made available to the Customer on the MS AZ environment.
11.6. User: an individual who (i) is authorized by the Customer and to whom the Customer has provided a user ID and passwords to access the Lynn Cloud Services on behalf of the Customer.