This policy defines security requirements for:

• All Sherpa employees, contractors, consultants and other third parties providing services to Sherpa (the “Personnel”);
• Management of systems, both hardware and software and regardless of locale, used to create, maintain, store, access, process or transmit information on behalf of Sherpa, including all systems owned by Sherpa, connected to any network controlled by Sherpa, or used in the service of Sherpa’s business, including systems owned by third party service providers; and
• Circumstances in which Sherpa has legal, contractual, or fiduciary duty to protect data or resources in its custody.

In the event of a conflict, the more restrictive measures apply.

Sherpa vets third parties’ information security policies and keeps the number of third parties with access to Sherpa’s data to a minimum. The following third parties have access to Sherpa’s data in the regular course of business:

• As a Google Cloud Platform and GSuite contractee, Sherpa has a GDPR-friendly back-end, and maintains minimal managed physical storage;
• As a Stripe contractee, Sherpa has a PCI-friendly payment process; and
• As a Freshworks contractee, Sherpa’s Customer Support practices are done in a secure way.

Email for formal notices regarding compliance: notices@joinsherpa.com

The Sherpa Information Security Team oversees the implementation of this Policy, including:

• Procurement, provisioning, maintenance, retirement, and reclamation of corporate computing resources;
• All aspects of service development and operation related to security, privacy, access, reliability, and survivability;
• Ongoing risk assessment, vulnerability management, incident response; and
• Security-related human resources controls and personnel training.

Information Security Team email: information.security@joinsherpa.com

Our Safeguards include the following:

• Personal information is protected against loss, theft, unauthorized access, disclosure, copying, use or modification regardless of format;
• The relative sensitivity of information is taken into account when designing systems and classifying data;
• Protection methods take into account physical measures, technological measures, and systems design;
• The whole Sherpa team is made aware of the Policy on an ongoing basis; and
• Information that is no longer useful should be destroyed in a careful manner.

The list below is not exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.

• Under no circumstances are personnel of Sherpa authorized to engage in any activity that is illegal under local, provincial, federal, or international law while using Sherpa-owned resources.
• Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations including but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Sherpa.
• Violating or attempting to violate the terms of use or license agreement of any software product used by Sherpa.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Sherpa or the end user does not have an active license.
• Exporting software, technical information, encryption software, or any other technology may result in the violation of international or regional export control laws. The appropriate management should be consulted prior to export of any material that is in question.
• Revealing an account password for a personal account to another person or allowing use of an account by other people. This includes colleagues, as well as family and other household members when work is being done at home.
• Making fraudulent offers of products, items, or services originating from any Sherpa account.
• Making statements about warranty, expressly or implied, unless it is a part of normal job duties and then only to the extent the warranties are consistent with Sherpa’s authorized warranties.
• Introduction of malicious programs into the network, development environment, or product environment (eg. viruses, worms, Trojan horses, email bombs, etc.)
• Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a network or account that the employee is not expressly authorized to access. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious or unlawful purposes.
• Using port scanning or security scanning software, or other such software designed to exploit or find computer, software, or network vulnerabilities on Sherpa products or networks, except by or under the direct supervision of the security team.
• Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal duties.
• Circumventing user authentication or security of any host, network, or account, or attempting to break into any information resource or to bypass a security feature. This includes running password-cracking programs or sniffer programs, and attempting to circumvent file or other resource permissions.
• Attempting to interfere with or deny service to any user.
• Providing information about, or lists of, Sherpa personnel to parties outside Sherpa.
• Installing software which includes any form of malware, spyware, or adware as determined by the Information Security Team.
• Crashing an information system. Deliberately crashing an information system is strictly prohibited. Users may not realize that they caused a system crash, but if it is shown that the crash occurred as a result of user action, a repetition of that action by that user may be viewed as a deliberate act.
• Attempting to subvert technologies used to effect system configuration of Sherpa-managed devices or personal devices voluntarily used for company purposes (eg. having separate user profiles).
• Social Media and Blogging by personnel should not include Sherpa Data or other proprietary information, and should reflect a high ethical standard if personnel are presenting themselves as representatives or relatives to Sherpa.

2.2 Personnel Systems Configuration, Ownership, and Privacy

Centralized System Configuration

The following activities are prohibited. Under certain conditions and within the explicit written consent of the Information Security Team, personnel may be exempted from certain of these restrictions during the course of their legitimate job responsibilities (eg. planned penetration testing, systems administration staff may need to disable the network access of a host if that host is disrupting production services).

Retention of Ownership

All software programs, data, and documentation generated or provided by personnel while providing services to Sherpa or for the benefit of Sherpa are the property of Sherpa unless otherwise covered by a contractual agreement.

Privacy of Personnel

While Sherpa’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Sherpa. Due to the need to protect Sherpa’s network, management does not intend to guarantee the privacy of personnel’s personal information stored on any network device belonging to Sherpa. Personnel are responsible for exercising good judgement regarding the reasonableness of personal use such as general web browsing or personal email. If there is any uncertainty, personnel should consult the Information Security Team.

Personnel should structure all electronic communication with recognition of the fact that the content could be monitored and that any electronic communication could be forwarded, intercepted, printed, or stored by others.

Sherpa reserves the right, at its discretion, to review personnel’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as Sherpa’s policies.

Sherpa reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. For security and network maintenance purposes, authorized individuals within Sherpa may monitor equipment, systems, and network traffic at any time.

2.3 Human Resources Practices

Background Checks

Background checks are conducted on all employees prior to their start date. The consequences of problematic background check results may range from a limitation of security privileges, to revocation of an employment offer, to termination.

Training

The Sherpa Information Security Policy training covers security awareness, policies, processes, and training to ensure that personnel are sufficiently informed to meet their obligations. Those most responsible for maintaining security at Sherpa, including the Information Security Team itself as well as key engineering/operations staff, should undergo more technical training.

Separation

In the case of personnel termination or resignation, the Information Security Team will coordinate with human resources to implement a standardized separation process to ensure that all accounts, credentials, and access of outgoing employees are reliably disabled.

3.1 User Accounts and Authentication

Each individual having access to any Sherpa-controlled system does so via a G Suite user account denoting their system identity. Such user accounts are required to have a unique username, a strong password, and two-factor authentication (“2FA”) mechanism.

Logging Into Sherpa Systems

Logins by personnel may originate only from Sherpa-managed devices. Authentication is performed by Google’s account  management system, details of which can be found at https://gsuite.google.com/security. Sherpa leverages G Suite’s facilities of detecting malicious authentication attempts. Repeated failed attempts to authenticate may result in the offending user account being locked or revoked.

Logging Into Third Party Systems

Whenever available, third-party systems must be configured to delegate authentication to Sherpa’s G Suite account authentication system (described above) thereby consolidating authentication controls into a single user account system (“Single Sign In”) that is centrally managed by the Information Security Team.

Revocation and Auditing of User Accounts

User accounts are revoked (that is, disabled but not deleted) immediately upon personnel separation. As a further precaution, all user accounts are audited at least quarterly, and any inactive user accounts are revoked.

3.2 Access Management

Sherpa adheres to the principle of “least privilege,” where personnel only have access to systems and information relevant to their job and no more, and every action attempted by a user account is subject to access control checks.

Role-Based Access Control

Sherpa employs a role-based access control (RBAC) model utilizing Google-supplied facilities such as organizational units, user accounts, user groups, and sharing controls.

Web Browsers and Extensions

Sherpa may require use of specified web browsers for normal business use and for access to corporate data such as email. For certain specified roles such as software development and web design, job activities beyond those mentioned above necessitate the use of a variety of browsers, and these roles may do so as needed for those activities.

Any browser that is allowed to access corporate data such as email is subject to a whitelist maintained by the Information Security Team that restricts which browser extensions can be installed.

Administrative Access

Access to administrative operations is strictly limited to Information Security Team members and further restricted as a function of tenure and the principles of least privilege.

Regular Review

Access control policies are reviewed regularly with the goal of reducing or refining access whenever possible. Changes in job function by personnel trigger an access review.

System configurations must address the following controls in a risk-prioritized fashion in accordance with the rest of this policy:

• Encryption-at-Rest for stored data;
• Encryption-in-Transit protection of confidentiality, authenticity, and integrity for incoming and outgoing data;
• Minimization of data in transit;
• Data and file integrity;
• Malware detection and resolution;
• Capturing redacted event logs;
• Authentication of administrative users;
• Access control enforcement;
• Removal or disabling of unnecessary software; and
• Allocation of sufficient infrastructure and resources to support loads that are expected at least twelve months into the future.

Sherpa’s use of cookies falls into two categories:

1. “Experience Cookies” - Enable information to be carried from one part of a service to another. Without cookies the site may forget a person’s basic information, like the passports they hold or the details of their trip, requiring a user to provide that information more than once, especially if there is a significant time delay between entering different information.
2. “Analytics Cookies” - Enable analysis of Sherpa’s products, showing us things like which pages and links are most popular, including information from our emails, and which ones don’t get used as often to help us make sure that our websites and emails are relevant and effective. We also use these cookies to customize a user’s visits to the site, and measure the effectiveness of different designs.

Data is prioritized by risk into the following four categories:

1. “Restricted” (Highest) - Data whose unauthorized access or loss could seriously or adversely affect Sherpa, a partner, or the public. This includes Passport Details, Personal Identification Numbers, Authentication Credentials, Service Account Information, Government Visa Verdict Communications, and other such data.
2. “Protected” - Data with a less high level of importance, but that should be protected from general access. This includes General Government Communications, User Travel Information, Sherpa’s Service Communications, Visa Application Systems Information, and other such data.
3. “Confidential” - All other non-public data not included in the Restricted or Protected classes. This includes User Event Metadata, General Partner Information, and other such data.
4. “Public” (Lowest) - All public data. This includes Marketing Information, Published Information, and other such data.

Data is categorized in the following groups:

• “Partner Account Data” - This is data pertaining to the accounts of Sherpa’s partners. This data will be encrypted-at-rest so as to protect the data in the event of unauthorized access attempts. Partner credentials shall be hashed in such a matter that plaintext keys cannot be recovered.
  
• “User Identification Data” - This is data pertaining to the documentation of users. This is the most highly protected class of data, where all useful safeguards are used to protect against leak or breach.
  
• “User Personal Data” - This is data pertaining to the physical characteristics and preferences of users.
  
• “User Travel Data” - This is data pertaining to the travel behaviour of users.
  
• “User Contact Data” - This is contact data about Sherpa users.
  
• “User Event Metadata” - This is metadata about behaviour conducted on all classes of user data. This includes standard syslog data pertaining to users, and instances of User Identification Data, User Travel Data, and User Contact Data.
  
• “User Transaction Metadata” - This is metadata about purchases of services. This data does not include Credit Card Data.
  
• “Credit Card Data” - This includes credit card numbers, expiry dates, and other unique identifiers. Sherpa should avoid collecting this information, using third parties that comply with ISO and other similar standards.

Data is categorized in the following groups:

Sherpa employees may access User Data only under the following Conditions:

• From managed devices;
  
• For the purpose of incident response, customer support, or feature testing;
  
• For no longer than is needed to fulfill the purpose of access; and
  
• In an auditable manner.

The Sherpa Information Security and Product Development teams shall use all the following methods to detect vulnerabilities that may arise from Sherpa’s information systems:

• Cross-checking vulnerabilities databases with all systems and software packages that support critical Sherpa services;
  
• Automated source code scanners;
  
• Code reviews on every security-sensitive code commit;
  
• Vulnerability scanning on Sherpa services;
  
• Maintaining a bug bounty program; and
  
• Annual penetration testing with an independent provider.

The Information Security Team will use all the following measures to detect security incidents:

• Monitor logs to detect potentially malicious or unauthorized activity;
  
• Conduct reviews on the causes of any service outages; and
  
• Respond to notices of potential incidents from employees, contractors, or external parties.