Security Policy

NTC maintains SOC 2 Type 2 certification for cloud services, pursuant to the Cloud Addendum.

NTC utilizes cloud-based infrastructure to:

• leverage advanced encryption techniques and advanced access controls;
• allow for scalability and flexibility with geographic diversity within the United States while still allowing global accessibility.
• reduced physical security risks and enhances our business continuity planning; and
• provide robust disaster recovery capability and prevent data loss with low overhead for personnel.

NTC:

• limits elevated access within NTC systems to necessary individuals;
• reviews elevated access reviews quarterly;
• implements changes in access permissions due to termination or change in job duties within a target of three Business Days, using automation where feasible.

NTC implements the Principle of Least Privilege to protect Customer Personal Data.

NTC implements Role-Based Access Control to restrict access to Customer Personal Data to personnel who require it to perform their duties.

NTC requires passwords for access to systems with Customer Personal Data to be no less than twelve characters long, randomly generated, or secure passphrases.

NTC requires relevant personnel to store passwords in company-issued password managers.

NTC strictly prohibits the sharing of usernames and passwords outside of approved service accounts.

NTC requires multi-factor authentication wherever possible for access to systems Processing Customer Personal Data.

NTC prohibits text messaging for multi-factor authentication, unless it is the only protocol  supported.

NTC encrypts all data at rest and in transit, according to modern industry standards.

NTC requires disk-level encryption on all employee workstations.

NTC requires endpoint detection and response and mobile endpoint management software on all employee workstations.

NTC logically separates cloud infrastructure accounts for different customers, such as Amazon Web Services subaccounts, to prevent unauthorized access across customer systems.

NTC requires virtual private network access to internal systems using modern industry standards, including multi-factor authentication requirements.

NTC reviews and updates security policies no less than annually.

NTC requires security training for all employees and requires it be renewed no less than annually.

NTC enables logging on all systems to support internal audits and incident investigations.

NTC maintains and updates a Risk Registry to assess risks across company operations.

NTC implements a systematic vendor-management policy, reviewing and updating it no less than annually.