Terms of Service

1.1 Cloud Services

Cloud Services means CXPoint-operated cloud offerings that are based on CXPoint proprietary software deployed in a CXPoint-managed Cloud Services Environment, and the support for such offerings.

1.2 Cloud Services Environment

Cloud Services Environment means the CXPoint-controlled infrastructure, including equipment, servers and software, within Data Centers used to provide Cloud Services.

1.3 Customer Data

Customer's data that is inputted, or generated from Customer-inputted data, and stored in the Cloud Services. Customer Data does not include any anonymized data incorporated into Service Improvements pursuant to the Master Agreement.

1.4 Data Center

Data Center means a data center where CXPoint houses the Cloud Services Environment.

1.5 Industry Standard

Industry Standard means generally accepted cloud information security practices as reflected in CXPoint' policies and procedures.

1.6 Malicious Code

Malicious Code means viruses, worms, time bombs, corrupted files, Trojan horses and other harmful or malicious code, files, scripts, agents, programs, or any other similar code that may interrupt, limit, damage the operation of CXPoint' or another's computer or property.

1.7 Organisation/Org

Organisation/Org means a dedicated Cloud Services instance. Each Client Org is assigned to a single AWS Cloud Services region and has a unique Org Name and Org ID.

1.8 Security Incident

Security Incident means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.

1.9 User

User means an individual who: (i) is authorized by Customer and has been supplied a user identification and password(s) by Customer to access the Cloud Services on Customer's behalf, or (ii) a person licensed to use the Cloud Services for one or more roles (e.g. agent, supervisor, administrator).

2.1 Shared Responsibility

Security of Customer Data is a shared responsibility between CXPoint and Customer, as set out in these Cloud Security Terms.

2.2 Security of the AWS Cloud Services

Amazon Web Services is responsible for protecting the infrastructure that runs AWS services, including the Cloud Services, in the AWS Cloud. Oversight of AWS’ security posture is managed in accordance with the agreement between AWS and CXPoint. AWS-specific certifications are available at https://aws.amazon.com/compliance/programs. Security and compliance certifications and/or attestation reports for Data Centres must be obtained directly from AWS. AWS may require Customers to execute additional non-disclosure agreements. Third-party auditors also regularly test and verify the effectiveness of AWS security as part of AWS’ internal compliance programs. Details on AWS data center specific security controls can be found here: https://aws.amazon.com/compliance/data-center/controls/.

2.3 Security of the Cloud Services Platform

CXPoint is responsible for the security of the CXPoint Cloud Services that run on the AWS cloud infrastructure. This includes the cloud-hosted application and related Cloud Services applications, including but not limited to CXPoint Cloud Auth clients, CXPoint Nexa, CXPoint voyage, CXPoint APIX and CXPoint Genops and so on

2.4 Security of Customer's Cloud Services Org

The Customer is responsible for the security of its Cloud Services Org. This security is dependent on Org-specific configurations, and user access restrictions, both of which fall under the Customer's control.

3.1 Security Standards

CXPoint has implemented and will maintain an information security program designed to protect Customer Data processed in the Cloud Services that follows generally accepted system security principles embodied in the ISO 27001 standard, as appropriate to the nature and scope of the Cloud Services provided. For CXPoint Cloud Commercial AWS regions, the Cloud Services may maintain any, as a minimum, industry standard certifications such as SOC2 Type 2, ISO 27001, C5 and PCI DSS or all.

3.2 Security Awareness and Training

CXPoint has developed and will maintain an information security and awareness program that is delivered to all CXPoint employees and appropriate contractors at the time of hire or contract commencement, and annually thereafter. The awareness program is delivered electronically and includes a testing aspect with minimum requirements to pass. Specifically, this includes annual compliance training on information security, privacy, HIPAA security & privacy, and PCI. Access to CXPoint' code repository requires additional annual training in secure development.

4.1 Policy Review

CXPoint will maintain appropriate policies and procedures to support the information security program. Policies and procedures will be reviewed at least annually and updated as necessary with the aim of increasing the level of security protection for the Cloud Services. Customers in future may have options to subscribe to updates to the Cloud Services Security Policy at this page - https://www.cxpoint.co.uk

The Cloud Services utilize a change management process based on ISO 27001 standards to ensure that all changes to the Cloud Services Environment are appropriately reviewed, tested, and approved. CXPoint targets to achieve ISO organisational certification in the year 2024-25

CXPoint will create backups of Customer Data. Customer Data will be stored in the same AWS Region as the Customer's Cloud Services Org and maintained using Server-Side Encryption (SSE). Backup data will not be stored on portable media. Customer Data backups are protected from unauthorized access and are encrypted.

Industry Standard anti-malware protection solutions are used to protect the infrastructure that supports the Cloud Services against threats such as Malicious Code. CXPoint deploys management and monitoring solutions on all production systems, as well as robust monitoring of system access and command use.

CXPoint will maintain a vulnerability management program as per CXPoint risk management process, that ensures compliance with Industry Standards. CXPoint will assess all critical vulnerabilities to the Cloud Services Environment using industry standard CVSS and CVE scores or other similar approach for access/vector complexity, authentication, impact, integrity, and availability. If CXPoint deems the resulting risk to be critical to Customer Data, CXPoint will endeavour to patch or mitigate affected systems within thirty (30) working days. Certain stateful systems cannot be patched as quickly due to interdependencies and customer impact, but will be remediated as expeditiously as practicable. In normal operation OS patch management operations will be performed in 30 (thirty) days or less.

CXPoint will follow, and will ensure that its sub-processors will follow, Industry Standard processes to delete obsolete data and sanitize or destroy retired equipment that formerly held Customer Data. Customer Org related activity records and app activity and detailed record retention policies are customer configurable. All other retention policies are managed by CXPoint at platform level. Termination of the Cloud Services (embedded or non-embedded ) for Customer will be subject to the Exit Plan in Exhibit A.

10.1 Independent Testing

On at least an annual basis, CXPoint will conduct a vulnerability assessment and penetration testing engagement with an independent qualified vendor. Issues identified during the engagement will be appropriately addressed within a reasonable time-frame commensurate with the identified risk level of the issue. Test results will be made available to Customer upon written request and will be subject to non-disclosure and confidentiality agreements.

10.2 Customer Testing

Customers have the option to run a penetration test in conjunction with CXPoint Security teams within agreed parameters. This service is chargeable at CXPoint' then-current rates. Customer will be required to enter into a Services Order for two Test Orgs and a Statement of Work for related cxpoint professional services support. This service is available once per year. Customer will not perform any type of penetration testing, vulnerability assessment, or denial of service attack on cxpoint cloud Services in production, test, or development environments as set out above.

11.1 Logical Separation Controls

At CXPoint we take security very seriously. Hence all our CXP Cloud Services are single tenant Software as a Service (SaaS) platform. As such, it means customers using cxpoint cloud platform do not share resources such as server instances, services, data storage locations and databases. All these resources are being natively in dedicated cloud instance configured just for the customer in the region of use. CXPoint will employ effective physical and logical separation controls based on Industry Standards to ensure that Customer Data is not only logically separated from other customer data but also physically within the AWS Cloud Services Environment. More detail can be found here: https://www.cxpoint.co.uk

11.2 Firewall Services

CXPoint uses Security Groups and appropriate firewall services to protect the Cloud Services Environment. CXPoint maintains granular ingress and egress rules, and changes must be approved through CXPoint' change management system which are managed centrally for each region separately (UK, Europe, APAC, North and South America regions).

11.3 Intrusion Detection System

CXPoint has implemented intrusion detection across the Cloud Services using AWS CloudWatch and AWS inspector that meets PCI DSS requirements.

11.4 No Wireless Networks

CXPoint will not use wireless networks within the AWS Cloud production Services. Wireless Networks are only used within the CXPoint corporate office locations worldwide.

11.5 Data Connections between Customer and the Cloud Services Environment

All connections to browsers, mobile apps, and other components are secured via Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security (TLS v1.2 or higher) over public Internet.

11.6 Data Connections between the Cloud Services Environment and Third Parties

Transmission or exchange of Customer Data with Customer and any CXPoint vendors will be conducted using secure methods (e.g. TLS 1.2 or higher) and secure FTP site with strictly controlled access.

11.7 Encryption Protection

11.7.1 Encryption Methods. The Cloud Services use Industry Standard encryption methods to uphold confidentiality, integrity and availability of data being stored, processed and transmitted. The Cloud Services provide a. at rest and in transit encryption of all processed Customer Data; b. at rest encryption, which is AES 256-based meeting FIPS 197 standard, using encryption keys to which neither of AWS and its subcontractors have access. In certain cases CXPoint' subcontractors would be given or have access for the platform maintenance; and access in such cases would be controlled via encrypted keys, Multifactor authentication and secure cisco firewall rules/access from cxpoint owned and managed devices in controlled facilities. c. in transit encryption, which is TLS 1.2 or higher using encryption keys to which neither AWS and its subcontractors nor CXPoint' subcontractors have access.

11.8 Logging and Monitoring

CXPoint will log security events for the Cloud Services. CXPoint will continuously monitor and investigate events that may indicate a Security Incident for the Cloud Services. Platform-related event records will be retained for at least one year. Audit log data related to Customer's Org is available to customers via the Cloud Services UI of the cxpoint client application or the Cloud Services REST based API's. Cxpoint currently does not offer real-time stream of events using AWS event bridge currently. CXPoint Platform security logs are not available to customers.

12.1 Access Control

CXPoint will implement appropriate tools for access controls to ensure that only authorized Users with right security clearance have access to Customer Data within the Cloud Services Environment.

12.2 Customer's User Access

12.2.1 Usernames and Passwords. Customer is solely responsible for managing User access controls within Customer's Org. The application password requirements are configurable by Customer. Native Multi-Factor Authentication (MFA) is available as part of the Cloud Services and is configurable by Customer. Password Parameters that can be set include minimum length, minimum letters, minimum numerals, minimum special characters, password expiration, and minimum age. Customer defines usernames and roles in a granular access permissions model. Customer is entirely responsible for any failure by itself, its agents, business users, developers, contractors or employees (including without limitation all its Users) to maintain the security of all usernames, passwords and other account information under its control.

12.3 CXPoint' User Access

CXPoint will follow strict protocol, and authorisation flows to create individual user accounts for each of CXPoint' employees that have a business need to access Customer Data or Customer's systems within the Cloud Services Environment.

13.1 Business Continuity

13.1.1 Availability Zones. The Cloud Services are deployed and configured in a load balanced active/active/active design and are deployed across at least three AWS Availability Zones ('AZs') within a single region to provide high availability and performance of the Cloud Services. The Cloud Services are physically separated from CXPoint' corporate network environment so that a disruption event involving the corporate environment does not impact the availability of the Cloud Services.

13.2 Disaster Recovery

For the Cloud Services, disaster recovery (DR) tests are performed at least annually. Backup data is not stored off-site or on portable media. CXPoint creates backups of Customer Data according to documented backup procedures. Customer Data is stored and maintained solely in Amazon AWS S3 with SSE in the same AWS region where Customer Data resides.

13.3 Business Continuity and Disaster Recovery Plans

13.3.1 Corporate Business Continuity Plan. CXPoint will maintain a corporate business continuity plan designed to ensure that ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.

13.4 Customer's Responsibility

Customer is responsible for building and maintaining business continuity and disaster recovery plans for its operations, connectivity to the Cloud Services and other third-party services.

14.1 Security Incident Response Program

CXPoint will maintain a Security Incident response program based on Industry Standards designed to identify and respond to Security Incidents involving Customer Data. The program will be reviewed, tested and, if necessary, updated on at least an annual basis.

14.2 Notification

In the event of a Security Incident or other security event requiring notification under applicable law, CXPoint will notify Customer within twenty-four (24) hours and will reasonably cooperate so that Customer can make any required notifications relating to such event, unless CXPoint specifically requested by law enforcement or a court order not to do so.

14.3 Notification Details

CXPoint will provide the following details regarding any Security Incidents to Customer: (i) date on which the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions CXPoint has already taken; (iv) corrective measures planned to be taken; and (v) evaluation of alternative measures and next steps.

14.4 Ongoing Communication

CXPoint will continue providing status updates to Customer regarding the resolution of the Security Incident and continually work in good faith to correct the Security Incident and prevent future such Security Incidents. CXPoint will cooperate, as reasonably requested by Customer, to further investigate and resolve the Security Incident.

15.1 VoIP Services Lines

Customer shall maintain security over all VoIP Services of their respective contact centres platform. CXPoint application does not replace any core telephony features as offered within customer contact centre platform used by the customer.

15.2 Records and logs

Customer acknowledges that use of user activity logs and levels are within Customer's sole discretion and control. Without limiting the foregoing: (i) Customer accepts sole responsibility for determining the method and manner of performing user activity records such that it is compliant with all applicable laws and for configuring and using the Cxpoint Cloud Services accordingly; and (ii) Customer shall ensure that activity stores on client instances shall be stored and activated only for purposes required by and/or in compliance with, all applicable laws. Customer will ensure that any information uploaded, updated or logged into the Cxpoint application will not knowingly include any bank account number, credit card number, authentication code, social security number or personal data in the form of CSV, excel, media prompts, application flows or application logs but not limited to, except as permitted by all applicable laws.

16.1 Customer Audit

Provided that Customer has demonstrated that it has a reasonable belief that CXPoint is not in compliance with the security standards in Section 3.1 above and subject to CXPoint' reasonable confidentiality and information security policies, Customer or a qualified third party chosen by Customer shall have the right, upon at least thirty (30) days' written notice, to perform a remote audit of CXPoint' compliance with the terms of these Cloud Security Terms, limited to review of CXPoint policies, interviews of key personnel, and the completion of a security assessment questionnaire provided by Customer.

16.2 Audit Requirements

Customer may undertake an audit without reasonable belief described in 16.1, provided that: a. The audit is performed during normal business hours, b. CXPoint will invoice Customer a fee for CXPoint' costs incurred (including internal time spent) in connection with any Customer audit, whether the audit was performed remotely or on-site, c. The scope and price of the audit will be agreed upon by the parties in a Statement of Work, d. Customer agrees that such audit will not include the right to on-site inspections or audits of any of CXPoint' subcontractors, including CXPoint' third-party hosting facilities and equipment, e. The audit will not violate CXPoint' obligations of confidentiality to other customers or partners, or reveal CXPoint' intellectual property, and f. Any assessment performed pursuant to this section shall not interfere with the normal conduct of CXPoint's business.

16.3 Cooperation

CXPoint shall cooperate with Customer on any reasonable requests made by Customer during such assessments.

1. Initiation

The Exit Plan process will be initiated upon expiration or receipt of formal notice of termination of contract by either party, as detailed in the Master Agreement.

2. Exit Plan and Data Transfer Approach for the Cloud Services

Customer will be able to offline request or use the Cloud Services APIs to retrieve the following customer data as stated in the customer Master Agreement: a. Customer Data (Reporting Metrics) Handover: Customer data can be exported during or at contract termination by using CXPoint' APIs provided upon request. b. Customer Data Handover: Customer data can be exported during the contract term or at the contract termination by using CXPoint' Customer Record Export APIs with access provided upon request of customer offboarding.

3. Extensions

In the event that Customer requires additional time to export customer data beyond the date of contract termination or expiry, Customer shall request an extension of the Subscription Term before the termination or expiry date, as set out in the Master Agreement.

4. Professional Services

Customers can use the CXPoint and it's cloud Services API to build their own applications or engage with CXPoint professional services for further assistance.

5. Troubleshooting

Troubleshooting and other platform logs are not provided or returned. CXPoint is required to keep such logs for a minimum of one (1) year as part of its compliance program.

6. Third Party Applications

Any Third-party applications (for example, other AppFoundry Apps or tools, accelerators used or integrated by service integrators) are outside the scope of the Cloud Services exit/offboarding plan.