Legal

 

Business Continuity and Disaster Recovery Procedures

This document is part of and incorporated by this reference into the agreement in which a link to this document appears (the “Agreement”).

Any capitalized terms used but not defined herein shall have the meanings given to them in the Agreement.

Definitions:

1.1 “Business Continuity Planning” means the process of developing a Business Continuity Plan (as defined below) that is designed to enable EA to respond to an event in such a manner that critical business functions related to the Services can continue within planned levels of disruption.

1.2 “Business Continuity Management Program” means the ongoing management and governance process to coordinate the efforts of Business Continuity Planning (as defined above) and Disaster Recovery Planning (as defined below), and to identify the expected material impact and potential losses, maintain reasonably viable recovery strategies and plans, and attempt to ensure continuity of Services.

1.3 “Business Continuity Plan” means EA’s or its Material Subcontractor’s policies and procedures designed to maintain or resume business in the event of a disruption or disaster.

1.4 “Disaster Recovery Planning” means the process of developing a Business Continuity Plan that is designed to enable EA to minimize loss and attempt to ensure continuity of its critical business functions in the event of a disaster, including the continued availability and restoration of information technology infrastructure and telecommunications required to provide the Services.

1.5 EA has established and will maintain during the Term, a Business Continuity Management Program that includes all aspects of Business Continuity Planning and Disaster Recovery Planning.

1.6 EA’s Business Continuity Plan shall (i) provide for off-site backup of critical data files, Confidential Information, software, Documentation and EA Content required for provision of Services; and (ii) contain testing and validation of the Business Continuity Plan, and response and recovery procedures.

1.7 No more than annually, upon Bank’s request, EA will provide Bank with the opportunity to review and evaluate the Business Continuity Management Program and shall remediate any critical findings. Bank acknowledges and agrees that the information EA provides to Bank under this subsection is and shall be Confidential Information, as defined in the Agreement, and is the valuable proprietary information of EA.

1.8 EA shall regularly assess its Business Continuity Management Program and risks to the loss of service of systems acquired or maintained by EA and its Material Subcontractors in connection with the Services, including (a) identification and monitoring of events that could cause disruption to the Services, (b) assessment of likelihood of such events and potential damage, and (c) assessment of the sufficiency of policies, procedures and systems of EA and Material Subcontractors in place to control such risks.

1.9 EA shall promptly notify Bank of any significant changes to EA’s Business Continuity Management Program and/or Business Continuity Plan(s) as affecting the Services, and upon request, provide Bank with an opportunity to review and evaluate the changes to such Business Continuity Management Program and Business Continuity Plan(s).

1.10 In the event of a disaster or any other disruption event that prevents or impairs EA from providing the Services, EA will notify Bank and implement its Business Continuity Plan to restore and continue providing the Services.

1.11 No failure, delay or default in performance of any obligation of a Party to this Agreement or any Order shall constitute an event of default or breach of this Agreement or such Order to the extent that such failure, delay or default in performance (i) arises out of a Force Majeure Event (hereinafter defined), (ii) is beyond the control and without negligence of such Party, (iii) is promptly and thereafter addressed by the affected Party to minimize the consequences, and (iv), in the case of EA, is not caused by its non-compliance with the business continuity requirements as provided in this Agreement or in any Order. “Force Majeure Event” shall mean fire; flood, earthquake, wind or other natural disaster; war, riot or civil disorder; pandemic, strike, lockout or other labor dispute; and embargo, quarantine or similar governmental action. A Party desiring to rely upon the foregoing as an excuse from performance shall give to the other Party prompt notice in writing of the facts which excuse performance including when such facts first arose. When such facts cease to exist, the Party claiming excuse from performance shall give prompt notice thereof to the other Party.

1.12 EA’s recovery objectives for the Platform are as follows, and EA agrees to use commercially reasonable efforts to achieve same:

(a) Recovery Time Objective (RTO) (the time period within which the Services must be restored after a disaster or disruption event): 72 hours.

(b) Recovery Point Objective (RPO) (maximum amount of acceptable data loss, measured in hours or minutes preceding a disaster or disruption event): 24 hours.

 

Security Controls

EA CARES Compliance LLC maintains the following security controls:

  • Designate a Chief Security Officer who will administer an Information Security Program
  • Regularly assess risks to the CARESCompliance platform and adopt reasonable controls to mitigate risk of unauthorized access to or loss of customer data (before major updates and at least annually)
  • Monitor the system for threats and vulnerabilities and respond to incidents detected within a reasonable timeframe
  • Fulfill all regulatory reporting obligations, including those within 23 NYCRR 500
  • Restrict access to customer data to only those individuals who:
    • have a job based requirement for access
    • have passed a background check
    • continue to complete ongoing security awareness training
  • Industry-standard encryption protocols will be used to protect sensitive data in transit and at rest as prescribed by risk assessment practices, including:
    • End-to-end AES-256 encryption of user data from the moment it is captured by the user’s web browser using ECDH-derived ephemeral data intake keying
    • Decryption keys available only to isolated system components that require them, and never on public-facing systems or networks
    • Data decrypted solely for the duration of the period in which it must be used
    • Storage of user data is always encrypted and never persisted on systems containing decryption keys
    • Cryptographic keys protected with private PKI and hardware security modules
    • Key management and general cryptographic practices aligned with NIST 800-53, 800-57, and 800-133
    • Mandatory multi-factor authentication for all users with SAML-based single-sign-on option
    • Extended borrower identity verification using hashed PPP loan metadata and heuristic checks
    • Extreme system functional and data segregation – any data not explicitly necessary to be accessed after intake, such as user-uploaded payroll data supporting loan forgiveness, is unidirectional (no public facility exists to retrieve the data once ingested)
    • Client-specific keying to further isolate data between lenders
    • Minimal role-based access control for all users, including system administrators
    • Two-man rule enforced for access to critical system components
    • IP-based restrictions for all non-public interfaces and high-risk geographic restrictions for borrower interface
  • Maintain controls to protect against accidental data loss or corruption and for the restoration of service after a disaster, which shall be tested at least annually
  • Perform penetration testing of the CARESCompliance product before major releases and at least annually by a qualified 3rd party
  • Use multiple factors for authentication wherever practical and always for remote administrative access to servers
  • Notify clients of any data breaches and abide by all relevant data breach notification regulations
  • Process and store customer data in the United States
  • Review vendors’ and contractors’ security practices to ensure they do not erode the standard described above, both before engaging with them and at least annually thereafter