Purpose
These Security Sections are a formal statement of the security information of which anyone given access to Coro must be aware.
Scope
The scope of this Security Section is to describe the security precautions in place for the Coro product. It applies to all employees, partners, and third parties with access to Coro information assets.
Organizational Security
Coro was designed with security at the forefront of its priorities, leveraging the application development services of Follow Analytics, recommended by our partners at Salesforce.
The Coro application is hosted on Heroku, a platform also owned by Salesforce and itself hosted within AWS.
Hosting Provider Certifications
The Coro application is hosted on Heroku's SOC 2 compliant platform, owned by Salesforce. The platform resides within AWS infrastructure. For further information regarding the security practices in place, please see the following links:
Encryption
Data at rest within the Coro application is encrypted using industry standards and best practices that meet the security requirements of the Client.
TLS encryption is used to protect the confidentiality and integrity of all data in transit within the Coro application.
Network Security
In the interest of protecting data, Coro logically and physically separates its networks. The corporate network is used for all corporate functions and is separate from the production network, which is used for customer instances. To prevent inadvertent information flow between the networks, access controls are implemented and reviewed periodically.
Access Control
Authentication
Authentication to the Coro application is achieved through Single Sign-On via the customer's Salesforce instance.
Mobile application: The Coro app establishes a new session every time the application is opened. If privileges are revoked within the CRM, the Coro mobile application does not log in. Face ID can be used for faster log-ins, but on its own it does not grant access to the application.
Provisioning
Access is provisioned within the client's Salesforce instance. Salesforce has strong logical access controls for its production network, which include:
- Manager-approved production access, based on the principle of least privilege, including the necessary segregation of duties
- Timely access removal for terminated employees
- Multi-factor authentication to internal systems
- Bastion host in place as a secure perimeter between authentication and core servers
- Centralized log correlation in place to capture system activity
Clients are responsible for granting the appropriate access permissions to data within the Coro application.
Data Retention and Disposal
Clients define the data being stored within the Coro application and can set unique data retention and disposal requirements, as well as purge data at their discretion.
Data stored within the application is housed within an AWS data center; further information regarding AWS disposal practices can be found at https://aws.amazon.com/security
Disaster Recovery/Business Continuity Planning
The platform Coro is hosted on maintains redundancy to prevent single points of failure and to ensure the availability of data stored within the application. To withstand an outage, the platform is deployed across multiple data centers designed for resiliency. Additionally, data within the application can be restored from backups that have been configured to meet the requirements of the client.
Incident Management
The platform hosting the Coro application has a defined and implemented incident management policy. The response procedure identifies when events should be escalated and who should be notified, allowing for timely response and correct alignment of personnel to resolve potential incidents.
All incidents are logged in an automated workflow and online ticketing system that tracks each incident from initiation to resolution. Personnel handling security incidents do not have access to data stored within the application unless the client grants explicit permission.
Application Data Flow
See Coro Application Data Flow.
Data Storage
Coro Security processes
Coro has access to confidential and sensitive client information of numerous Fortune 100 companies as part of one of the top management consultancies in the world; the business model of Coro and Bain & Company is predicated on being rigorous, transparent and responsible in how it handles and secures confidential information. Data protection is one of the most important priorities for Coro. Among the precautions and processes Coro has put in place are:
- Regular security education sessions
- A periodic schedule of security testing (external and internal)
- Automated enforcement of security analysis
- Explicit security checklists applied to all code changes