Technical and Organizational Security Measures
Information Security Organization
Mitel has an information security organization responsible for planning, implementing, and overseeing all information security measures. The Chief Information Security Officer (CISO) leads this organization, directing and coordinating information security efforts. A team of IT security experts supports the CISO in operational implementation and continuous improvement of security measures.
Security Policies
Mitel is committed to maintaining the highest security standards through policies that safeguard customer data and business operations. These policies align with industry best practices, regulatory requirements, and risk management frameworks, ensuring confidentiality, integrity, and availability. Mitel policies apply to all individuals with access to Mitel information systems and data. Policies are periodically reviewed and amended to protect employee and customer information.
Network and System Security
Network Security is crucial for Mitel's overall security posture, protecting the integrity, confidentiality, and availability of data and resources within Mitel's network.
- Secure Configuration: Mitel ensures network devices and systems are securely configured, including applying security patches and updates.
- Network Segmentation: The Mitel network is segmented to limit the impact of security breaches. Customer data is segmented physically and logically for all cloud platforms and separated from the corporate network. Production, test, and development environments are also kept separate.
- Monitoring and Logging: Mitel implements monitoring and logging to track network activity and identify unusual or suspicious behavior.
- Firewalls: Mitel uses firewalls to monitor and control incoming and outgoing network traffic based on security rules, allowing only authorized and secure communications.
- IDS/IPS: Mitel implements Intrusion Detection/Prevention Systems (IDS/IPS) at perimeter firewalls. High-severity real-time threats against known vulnerabilities are blocked by IPS, and alerts are forwarded to the Security Information and Event Management (SIEM) system for triage and analysis.
- Secure Remote Access: Mitel employs Secure Remote Access technology to encrypt all network traffic between remote devices and the corporate network.
- Media Handling: Mitel implements protections for portable storage media against damage, destruction, theft, or unauthorized copying. Personal data on portable media is secured through encryption and secure removal when no longer needed. Similar measures are applied to mobile computing devices to protect personal data.
Workstation Security
Mitel implements endpoint protections on end-user devices and monitors them to ensure adherence to best practice security standards. These include strong authentication, screen saver/lock for idle time, up-to-date antivirus with regular scans, real-time software protection, firewall software, supported operating systems with automated patching, critical software patching, and hard disk encryption. Controls are in place to detect and remediate workstation compliance deviations.
Data Center Cloud Infrastructure Partners
Mitel's data center cloud infrastructure partners adhere to Tier III data center requirements. These facilities feature 24/7 on-site security with access control for authorized personnel. Data centers have redundant power, cooling, and network connectivity. Cloud partners maintain a comprehensive disaster recovery (DR) plan, including backup strategies and procedures for recovering data and applications.
Data Encryption
- Encryption at Rest: All sensitive data stored on company servers or storage devices is encrypted using strong encryption algorithms.
- Encryption in Transit: Data transmitted over the network is encrypted according to Mitel corporate standards.
Access
Physical Access Control and Security
Mitel's access controls ensure that only authorized individuals can access systems processing personal data and the facilities where this processing occurs.
- Mitel Data Center sites are secured against unauthorized access through automated access control systems and monitoring.
- Office ingress points and secured areas are protected by an electronic access control system with real-time monitoring where appropriate.
- Employee and visitor access rights are reviewed and controlled by Mitel policy, including employee-assisted visitor logging and escorts.
- A clean desk, secure disposal, and physical security policy is in place.
Logical Access Control
The objective of logical access control is to ensure that only authorized individuals can access systems processing personal data, based on a legitimate and authorized need. Access to data terminals (workstations, servers, network components, devices) is managed through authorization and authentication in all systems. Mitel's access control regulations include:
- Strong authentication mechanisms, including passwords and multi-factor authentication (MFA), verify user identity.
- A strong and complex password policy with regular password changes is enforced.
- Role-based access control (RBAC) restricts access to data and systems based on the principle of least privilege.
- Access to sensitive data is logged and monitored to detect and respond to unauthorized access attempts.
- Tracking and regular review of all privileged accounts are conducted.
- Rights management for onboarding and offboarding is controlled by Mitel policy.
Incident Response
Mitel maintains an incident response plan and follows documented policies, including data breach notification to the Data Controller without undue delay when a breach is known or reasonably suspected to affect Client Personal Data.
Risk Management
Mitel assesses risks related to Personal Data processing, Security, and Business Operations, developing action plans to mitigate identified risks.
Vulnerability Management
The Vulnerability Management process systematically identifies, reviews, addresses, and remediates vulnerabilities within Mitel-managed computing environments. This includes:
- Vulnerability Assessment: Mitel conducts regular vulnerability assessments using automated scanning tools and manual techniques to identify vulnerabilities in systems, applications, and network infrastructure.
- Patch Management: Mitel has a patch management policy and process to promptly apply security patches and updates.
- Security Advisories: Mitel actively monitors and assesses security threats, notifications, and advisories applicable to the Mitel environment.
Business Continuity
- Data Backup: Regular backups of critical data are performed. Immutable backups are stored off-network and encrypted.
- Regular Testing: Backup and restore procedures are regularly tested to validate effectiveness and identify improvement areas.
- Monitoring and Alerts: Monitoring and alerting are in place for backup processes and storage usage to identify issues and ensure timely resolution.
- Hybrid Workforce: In case of facility closures or disruptions, Mitel's workforce is equipped to work remotely to ensure business continuity.
- Industry Standard Technologies: To protect against service loss from system component failures, Mitel uses technologies like redundant power, cooling, and networking with failover capabilities, and data backups stored separately from the primary site. Access to these backups is restricted to authorized personnel.
Organizational Measures
Data Protection Officer
Mitel has appointed a Group Data Protection Officer, based in Germany (EU), responsible for monitoring Mitel's personal data processing activities and providing advice on compliance with data protection laws. The Group Data Protection Officer leads a global team of data protection specialists with expertise in data protection law, AI, and digital ethics across various jurisdictions.
Employee Confidentiality Obligation
Mitel employees are obligated to maintain Mitel's business and professional secrets through confidentiality clauses in their employment agreements or specific confidentiality agreements when necessary.
Training and Awareness
All Mitel employees receive mandatory global data protection and security awareness training during onboarding and annually thereafter. Training completion is tracked, and non-compliance may result in disciplinary action. Mitel Data Protection training is reviewed and updated annually to reflect new legislative and jurisprudential developments. Training covers handling, transferring, and storing Personal Data, and responding to security events. The security and awareness training program aims to educate and empower employees to recognize, report, and respond to potential security risks and incidents, fostering a culture of security consciousness.
Contractor and Vendor Management
Mitel takes commercially reasonable steps to select and retain third-party providers that offer guarantees to implement appropriate technical and organizational measures, ensuring processing meets privacy regulations and protects data subjects' rights.
Data Processing Agreements
Where applicable, Mitel enters into Data Protection Agreements with customers, partners, and sub-processors, clearly defining roles, rights, and obligations for personal data processing.
International Transfers of Personal Data
For transfers of personal data outside the EU, without an adequacy decision from the EU Commission, Mitel may transfer data to a third country or international organization by concluding Standard Contractual Clauses (SCCs). For transfers within the Mitel Group, an Intra-Group Personal Data Transfer Agreement is executed, incorporating the EU Commission 2021 SCCs and UK SCCs.
Related Documents
- Mitel Unify Phone Data Processing Agreement Annexes
  This document outlines the annexes to the Data Processing Agreement (DPA) for Mitel Unify Phone, detailing service descriptions, personal data processing activities, security measures, standard contractual clauses, and authorized subprocessors.
- Mitel Workflow Studios DPA Annexes: Service Description, Data Processing, Security, and Subprocessors
  This document outlines the service description, details of personal data processing activities, technical and organizational security measures, standard contractual clauses (including UK, EU, and Swiss), and authorized subprocessors for Mitel Workflow Studios.
- Mitel Secure Cloud DPA Annexes: Service Description and Data Processing
  This document outlines the service description, data processing activities, technical and organizational security measures, and standard contractual clauses for Mitel Secure Cloud services, ensuring compliance with data protection laws.
- Mitel Cloud Services Acceptable Use Policy
  This document outlines the Acceptable Use Policy (AUP) for Mitel Cloud Services, detailing rules and guidelines for customers and users to ensure the integrity and performance of the network and services. It covers prohibited uses such as encumbering resources, unauthorized access, illegal activities, and misuse of data.
- Mitel Secure Cloud Data Retention Schedule
  This document outlines Mitel's data retention policy for its secure cloud services, detailing the periods for which different types of customer data are stored and how they are deleted.
- Mitel MiCollab Security Guidelines Release 10.1: Secure Deployment and Operation
  Comprehensive security guidelines for Mitel MiCollab Release 10.1, covering system architecture, OS security, administration, identity, network access, and development practices to ensure secure enterprise collaboration.
- Mitel Workflow Studios Customer Data Retention Schedule
  This document outlines the data retention policy for Mitel Workflow Studios, detailing how long customer data, configuration data, and logs are stored and where they are located.
- Mitel Cloud Services Global Terms of Service
  This document outlines the global terms of service for Mitel Cloud Services, covering user responsibilities, data handling, service limitations, and legal provisions for customers and users.