Common use of User Passwords Clause in Contracts

User Passwords. Passwords are case sensitive and support any visible extended characters. The Customer can configure: • The minimum password length • The required mixture of character types that Authorised Users and Learners must adhere to • The password expiry interval All passwords are encrypted in storage; hashed and salted with SHA2_512. Authorised Users and Learners may choose to authenticate via third parties (Facebook, Azure AD) by setting up a "OneFile Keychain". In these cases, a token provided by that third-party is stored to authenticate the Authorised User or Learner. A single superuser account is initially created for the Customer to create the different accounts it requires for its Authorised Users and Learners. Some Authorised Users will have different roles to fulfil in the Software so these are designated when the user accounts are created. For more details on what the different roles are, what their functions, permissions and restrictions are, please consult the relevant Documentation for the Software that you have subscribed to. Our Software keeps an audit trail of Authorised Users and Learners logging in and how they interact with certain functions. These audit trails can be accessed online and through reports. Our Software is hosted at two physically different data centres. The primary centre hosts the live, production Software that is used by everyone under normal circumstances. The secondary centre is used as a disaster recovery centre that constantly receives backups from the first centre, enabling us to elevate the second centre should the first centre become inoperable. Each centre uses a different Active Directory domain to keep them isolated from other networks. There is no Virtual Private Network (VPN) to the secondary centre, and multi-factor authentication is used by our administrators for management. A business continuity plan is maintained that provides guidance on when and how to elevate our secondary centre. We currently work to a recovery point objective (RPO) of 30 minutes and a recovery time objective (RTO) of 30 minutes.

User Passwords. Passwords are case sensitive and support any visible extended characters. The Customer can configure: • The minimum password length • The required mixture of character types that Authorised Users and Learners must adhere to • The password expiry interval All passwords are encrypted in storage; hashed and salted with SHA2_512. Authorised Users and Learners may choose to authenticate via third parties (Facebook, Azure AD) by setting up a "OneFile Keychain". In these cases, a token provided by that third-party is stored to authenticate the Authorised User or LearnerUser. A single superuser account is initially created for the Customer to create the different accounts it requires for its Authorised Users and LearnersUsers. Some Authorised Users will have different roles to fulfil in the Software so these are designated when the user accounts are created. For more details on what the different roles are, what their functions, permissions and restrictions are, please consult the relevant Documentation for the Software that you have subscribed to. Our Software keeps an audit trail of Authorised Users and Learners logging in and how they interact with certain functions. These audit trails can be accessed online and through reports. Our Software is hosted at two physically different data centres. The primary centre hosts the live, production Software that is used by everyone under normal circumstances. The secondary centre is used as a disaster recovery centre that constantly receives backups from the first centre, enabling us to elevate the second centre should the first centre become inoperable. Each centre uses a different Active Directory domain to keep them isolated from other networks. There is no Virtual Private Network (VPN) to the secondary centre, and multi-factor authentication is used by our administrators for management. A business continuity plan is maintained that provides guidance on when and how to elevate our secondary centre. We currently work to a recovery point objective (RPO) of 30 minutes and a recovery time objective (RTO) of 30 minutes.