Convercent Ethics Cloud: Security and Business Continuity Overview

The Convercent Ethics Cloud Platform, including Insights, Helpline, Campaigns, Disclosures and Third Party, is the only suite of ethics and compliance applications built from the ground up on the same platform. Our platform, data centers, and call centers have security and high availability built into their foundations.

ISO 27001:2013 Certified
The International Organization for Standardization (ISO) specifies strict requirements for establishing a security framework for information risk management. Convercent is ISO 27001:2013 certified. In alignment with the standard, Convercent safeguards the confidential data of our customers through rigorous legal, physical and technical controls in the Convercent platform and information security management system, and with our hosting partners. Convercent is audited annually by an independent accredited third party to validate our continued implementation of the ISO 27001 standard.

"To guide a successful information security management system implementation, ISO 27001 is your best bet; it is the most frequently used and most complete model."
– Forrester

Convercent SaaS Platform Security
The Convercent Ethics Cloud Platform is a proprietary software-as-a-service (SaaS) platform that gives customers secure access to the most up-to-date version of our applications. Authorized users reach the platform from anywhere over the Internet; the platform is hosted by our partners Microsoft Azure and Amazon Web Services. Customers benefit from the added security of keeping all of their data in one place on a single platform, unlike piecemeal ethics and compliance solutions. The Convercent cloud platform also reduces the security and data privacy issues inherent in spreadsheets and email.

HITRUST CSF Certified
The Health Information Trust Alliance Common Security Framework, also known as HITRUST CSF, is an overarching security framework for organizations that create, access, store or exchange electronic health and other sensitive information. Convercent is HITRUST CSF certified, which means we have implemented a prescriptive set of controls drawn from multiple standards, regulations (such as HIPAA and PCI DSS) and business requirements, elevating our security risk management practices. A SOC 2 audit of the platform is scheduled for early 2018.


[Architecture diagram: You, over the Internet, reach a managed firewall with IDS/IPS in front of redundant application servers and redundant database servers, backed by secure backup and a geographically diverse cloud disaster recovery site; the Call Center is shown alongside the platform.]

Convercent Business Continuity and Disaster Recovery
Convercent maintains the security and availability of the Convercent Ethics Cloud platform with customers top of mind. We employ rigorous facility, network, and data protection controls, along with stringent business continuity and disaster recovery practices. This ensures that your data remains secure, and that the Convercent platform and Call Center are available to you and your team 24/7.

Convercent Data Centers
Private Convercent customer data is stored in Microsoft- and Amazon-hosted data center facilities, and protected by Convercent's strict backup, recovery and disaster recovery processes, with multiple safeguards incorporated.

FACILITIES
The Microsoft and Amazon data centers that host Convercent are SSAE 16 Type I, II, and III certified; PCI Level 1 and SOC 2 compliant; UK G-Cloud Impact Level 2 accredited; and HITRUST and ISO 27001:2013 certified. All audits and certifications are renewed annually. Microsoft and Amazon facilities are secured and monitored 24/7, while internal environments are carefully controlled to protect servers and storage devices.

BACKUP AND RECOVERY
Real-time data replication, daily and weekly backups, and offsite storage are central to Convercent's backup and recovery policy. Backups are encrypted before transmission, stored encrypted in Microsoft Azure, and protected by Microsoft Azure storage and data center physical security. Convercent retains encrypted backup data for 365 days.

"90% of Fortune 500 companies trust the Microsoft cloud. Azure helps protect your assets through a rigorous methodology and focus on security, privacy, compliance, and transparency."
– Microsoft

Data Protection and GDPR
Convercent's data protection program strictly follows the "privacy and security by design" approach to development that the General Data Protection Regulation (GDPR) mandates. Convercent is well positioned for GDPR compliance ahead of a third-party audit in early 2018. Data is stored in a secured RDBMS, encrypted at rest with AES-256, and protected by digital certificates. All communications use HTTPS with the TLS 1.2 protocol to encrypt and protect the privacy of data in transit.

Threat Management
Our dedicated security team keeps our security controls, processes and policies compliant with all relevant industry regulations. The team operates up-to-date intrusion prevention and detection systems, with 24-hour monitoring of alerts. The Convercent platform and customer data are further protected by consistent verification and remediation of vulnerabilities using static code analysis, dynamic scans, and system tools. In addition, independent penetration tests are performed annually by a third party.

DISASTER RECOVERY
Convercent, Microsoft and Amazon employ and enforce a robust Business Continuity and Disaster Recovery Plan to protect customer data in the event of a disaster and ensure Convercent platform availability for our customers. Convercent maintains a mirror of our production environment in a dedicated, geographically remote disaster recovery site. The Convercent SLA provides customers the recovery point objective (RPO) and recovery time objective (RTO) listed under Data Center Disaster Recovery below.

Convercent Call Centers
Convercent's Call Center, which handles anonymous incident reporting for customers using the Convercent Helpline and Case Manager solution, provides the security and redundancy needed to ensure the continued availability of voice and Internet communications.

FACILITIES
The Call Center uses the proven Mitel 3300 ICP converged communications platform, which includes resilient telephony and network applications. A redundant, protected network connects to multiple Tier 1 backbone providers, while backup Internet services ensure continuous online intake.

COMPLIANCE
To protect customer data, the Call Center complies with the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Privacy Shield framework.

BUSINESS CONTINUITY
The Business Continuity Plan for the Call Center ensures that critical Convercent Helpline intake functions continue to operate during an unforeseen interruption in services. The Call Center has multiple ISPs and multiple phone providers. It also uses an uninterruptible power supply so that phones and servers stay powered during a power outage.

DISASTER RECOVERY
The Call Center operates with a remote disaster recovery site. In the event of a disaster, the Call Center will restore operations as follows:

Call Center Disaster Recovery
• Internet: 2-hour RTO
• Phone: 2-hour RTO
• Email: 6-hour RTO

Convercent Data Centers and Call Centers
Convercent HQ: Denver, CO
1. Convercent Primary Data Center: Dublin, Ireland
2. Convercent Disaster Recovery Site: Frankfurt, Germany
3. Convercent Primary Call Center: Sioux Falls, South Dakota
4. Convercent Secondary Call Center: North Sioux City, South Dakota

Data Center Disaster Recovery (Convercent Ethics Cloud platform)
• 1-hour RPO
• 4-hour RTO
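The RPO and retention figures above are SLA claims a customer can check against the provider's own backup catalog rather than take on trust. The following Python script is an added example, not Convercent's code or tooling, showing one way to audit such a catalog: it computes the worst-case data-loss window over the last 24 hours against the stated 1-hour RPO, lists failed jobs, flags successful backups that were not encrypted before transmission or have no offsite copy, and reports anything still held past the stated 365-day retention. The catalog records, their field names and the fixed clock value are constructed for the example.

```python
"""Audit a backup catalog against a stated RPO and retention period.

Added example, not Convercent's code. The catalog below is constructed;
the RPO and retention values are the ones the brochure states.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=1)           # stated recovery point objective
RETENTION = timedelta(days=365)    # stated encrypted-backup retention
RPO_WINDOW = timedelta(hours=24)   # how far back to check recovery points


@dataclass(frozen=True)
class BackupRecord:
    taken_at: datetime   # UTC time of the backup or replication snapshot
    encrypted: bool      # encrypted before leaving the source system
    offsite: bool        # a copy is held at a remote site
    succeeded: bool      # job completed and was verified


def _iso(record):
    return record.taken_at.isoformat()


def audit_backups(records, now, rpo=RPO, retention=RETENTION, window=RPO_WINDOW):
    """Check a catalog as seen at `now`; timestamps in the result are ISO 8601."""
    recent = sorted(
        (r for r in records if r.succeeded and now - r.taken_at <= window),
        key=lambda r: r.taken_at,
    )
    findings = {
        "failed": [_iso(r) for r in records if not r.succeeded],
        # A successful backup that left the source unencrypted, or has no
        # offsite copy, cannot support an "encrypted before transmission,
        # stored offsite" claim.
        "unprotected": [
            _iso(r) for r in records if r.succeeded and not (r.encrypted and r.offsite)
        ],
        # Data kept beyond the stated retention is a liability (GDPR storage
        # limitation), so anything older than `retention` should be purged.
        "overdue_purge": [_iso(r) for r in records if now - r.taken_at > retention],
        "worst_gap_hours": None,
        "rpo_met": False,
    }
    if not recent:
        return findings  # no usable recovery point in the window at all
    # Worst-case data loss inside the window: the longest gap between
    # consecutive good recovery points, or the time since the last one.
    gaps = [b.taken_at - a.taken_at for a, b in zip(recent, recent[1:])]
    gaps.append(now - recent[-1].taken_at)
    worst = max(gaps)
    findings["worst_gap_hours"] = worst.total_seconds() / 3600
    findings["rpo_met"] = worst <= rpo
    return findings


def sample_catalog(now):
    """Constructed catalog: hourly snapshots, one failed run, one copy that
    was not encrypted, and one snapshot kept past the 365-day window."""
    h = timedelta(hours=1)
    rows = [BackupRecord(now - n * h, True, True, True) for n in (1, 2, 4, 5, 6)]
    rows.append(BackupRecord(now - 3 * h, True, True, False))                # failed job
    rows.append(BackupRecord(now - 7 * h, False, True, True))                # not encrypted
    rows.append(BackupRecord(now - timedelta(days=400), True, True, True))  # past retention
    return rows


NOW = datetime(2018, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def demo():
    return audit_backups(sample_catalog(NOW), NOW)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed catalog the failed 09:00 job opens a two-hour gap between the 08:00 and 10:00 snapshots, so the 1-hour RPO is reported as missed even though most snapshots are hourly; a real audit should run over the full replication log, not just the last day, and treat the gap before the oldest retained point and the time since the last point as data at risk.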

The Convercent Ethics Cloud Platform
The Convercent Ethics Cloud Platform is the only suite of ethics and compliance applications built from the ground up on the same platform. The centralized platform ensures that your teams have easy-to-use applications and the functional coverage you need:

• Convercent Insights
• Convercent Campaigns
• Convercent Third Party
• Convercent Helpline
• Convercent Disclosures

Share, Listen and Learn, with a comprehensive and unified approach. Share policies, training and disclosure questionnaires through automated campaign workflows that replace manual processes. Listen to your employees through helpline and ad-hoc disclosures. Learn and understand company organizational behavior to protect your culture.

Correlate and View Your Data in One Place, with consolidated, accurate, real-time data from the Convercent suite, your enterprise applications such as human resources and procurement systems, and relevant external data sources.

[Diagram: Share, Listen and Learn around Convercent Data (Insights, Campaigns, Third Party, Helpline, Disclosures), alongside Enterprise Data (Employees, Third Parties) and External Data (GDP, Corruption Perception Index, Sanction List).]

CALL OUR TEAM FOR MORE INFORMATION
US: 1-866-403-2713
EMEA: +44 77 916 20332
www.convercent.com

Convercent © December 2017. All Rights Reserved.