WINDA Security, Privacy and Architecture Published: December 16, 2019

GWO’s Trust Commitment GWO is committed to achieving and maintaining the trust of our Stakeholders. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by Stakeholders to our services (“Customer Data”).

Services Covered This documentation describes the architecture of, privacy-related certifications received for, and the administrative, technical, and physical controls applicable to, the services known as WINDA.

Architecture and Data Segregation WINDA is operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on their needs. The architecture provides an effective logical data separation via a customer-specific unique identifier ( WINDA-ID) and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production. The specific infrastructure used to host Customer Data is described in the “Infrastructure and Sub-processors” documentation available.

Control of Processing GWO has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by GWO. The “Infrastructure and Sub-processors” documentation describes the sub- processors material to GWO’s provision of the WINDA Services.

Functionality WINDA includes email and reporting features. Analytics, templates and other data associated with these features will not be accessed or stored by any third-party.

Audits and Certifications WINDA undergoes security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on a regular basis.

Security Controls WINDA includes a variety of configurable security controls. These controls include: • Role-based Access Controls (RBAC): Customers are configured with their permissions and privileges based on their roles within the organization and their use of the WINDA Services, e.g., Training Provider, Delegate or Organisation. • Email Login Verification on registration. • The WINDA IDs will be semi-randomly generated to ensure that they are not guessable and unique. They will be composed of upper case letters and numbers and a randomly generated value. • Training providers can upload and purchase uploads via a HTTPS JSON API. All requests to the API are authenticated using HTTP Basic Authentication. The username and password will be checked against the system, using the same logic as if the user was logging into the website. • Lost Passwords can only be send to the Email Address in the Database connected to the Profile.

Security Policies and Procedures WINDA is operated in accordance with the following policies and procedures to enhance security: • User passwords are stored using a salted hash format and are not transmitted unhashed. • User access log entries will be maintained, containing date, time and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP. • If there is suspicion of inappropriate access to the WINDA Services, GWO can provide customers log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis. • Audit and security logs will be kept as long as the profile is active. • Logs will be kept in a secure area to prevent tampering. • Passwords are not logged. • GWO personnel will not set a defined password for a user nor can GWO personnel see or change current passwords. Users are provided unique links via email. Upon clicking such links, a user must create a password in accordance with password length and complexity requirements. Intrusion Detection GWO, or an authorized independent third party, will monitor WINDA for unusual behaviour using network-based intrusion detection mechanisms. GWO may analyse data collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that WINDA function properly.

Security Logs All GWO systems used in the provision of the WINDA Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized log server (for network systems) in order to enable security reviews and analysis. Incident Management GWO maintains security incident management policies and procedures for the WINDA Services. GWO notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data of which GWO becomes aware to the extent permitted by law. User Authentication Access to WINDA requires identity verification, which are encrypted via TLS while in transmission.

Physical Security Production data centres used to provide the WINDA Services are hosted by Microsoft Azure. The IT infrastructure that Azure provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which Azure complies: • SOC 1/ISAE 3402, SOC 2, SOC 3 • FISMA, DIACAP, and FedRAMP • PCI DSS Level 1 • ISO 9001, ISO 27001, ISO 27018

Reliability and Backup All networking components, SSL accelerators, load balancers, Web servers and application servers are configured in a redundant configuration. All Customer Data submitted to WINDA is stored on a primary database server within Azure datacentres in Northern Europe. All Customer Data submitted to WINDA is stored on enterprise-class disk storage using an Azure SQL Database to ensure DTU-based purchase model provide flexibility of changing compute sizes with minimal downtime. All Customer Data submitted to WINDA is backed up in an encrypted form on a regular basis. Any backups are verified for integrity.

Disaster Recovery GWO has disaster recovery plans in place through Azure where the data is stored. The WINDA Services utilize disaster recovery facilities that are geographically remote from their primary data centres and currently have the following target recovery objectives: (a) restoration of the WINDA Service within two DK business days after GWO’s declaration of a disaster; and (b) maximum Customer Data loss of one business day; excluding, however, a disaster or multiple disasters causing the compromise of all data centres at the same time, and excluding development and test bed environments.

Viruses WINDA does not scan for viruses that could be included in attachments or other Customer Data uploaded into WINDA by a customer. Uploaded attachments, however, are not executed in WINDA and therefore will not damage or compromise WINDA by virtue of containing a virus.

Data Encryption WINDA uses industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer's network and the WINDA Services, including 128-bit SSL certificates signed by a Root Certificate Authority and / or 2048-bit RSA public keys at a minimum.

Deletion of Customer Data Data submitted to WINDA is retained in inactive status for 48 months for Delegates and 12 months for Organisations, after which it is securely overwritten or deleted. In accordance with the Reliability and Backup section above, Customer Data submitted to WINDA (including Customer Data retained in inactive status) will be encrypted and stored on an off-site backup location for an additional 90 days, after which it is securely overwritten or deleted. This process is subject to applicable legal requirements. GWO will update the WINDA Security, Privacy, and Architecture Documentation in the event of a change.

Sensitive Data Important: The following types of sensitive personal data may not be submitted to WINDA: birthdates; financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and information related to the provision or payment of health care. For clarity, the foregoing restrictions do not apply to financial information provided to GWO for the purposes of checking the financial qualifications of, and collecting payments from, its customers, the processing of which is governed by the GWO Website Privacy Statement. GWO may request government issued documentation to be uploaded to WINDA if a Delegate wants to change name for example after marriage. This Documentation will be deleted once the delegate has taken a Training Course and being verified in person by a Training Provider or the Account is deleted due to inactivity (see Deletion of Customer Data above)

Analytics GWO may track and analyse the usage of WINDA for the purposes of security and helping GWO improve both the WINDA Services and the user experience in using WINDA. For example, we may use this information to understand and analyse trends or track which of our features are used most often to improve product functionality. GWO may share anonymous usage data with GWO’s service providers for the purpose of helping GWO in such tracking, analysis and improvements. Additionally, GWO may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.

Interoperation with Other Services WINDA may interoperate or integrate with other services provided by GWO or third parties. Security, Privacy and Architecture documentation for services provided by GWO is available on their respective Websites. Details about those Services can be obtained from the Document “WINDAInfraSubprocessors”. Additionally, GWO may contact users to provide transactional information about the WINDA; for instance, through system-generated messages, such as Chat notifications or emails