All employees must take security, privacy, and compliance training when they start their employment with Medius and they must acknowledge that they have reviewed the Information Security Policy which dictates the rules and guidelines to avoid or minimize security risks on an ongoing basis via trainings and awareness programs.

Medius adheres to the principle of least privilege and has internal processes and controls to reduce the number of employees that have access to customer data, including controls, access reviews, and strict on and off boarding routines.

Our customers serve as the data controller while Medius is the data processor for any customer data processed in our cloud services. This means that you have full control of the data entered into services, as well as all setup and configurations. Because you control your data—and we only process it—you won’t have to rely on us to perform day-to-day tasks such as:

• Assigning security authorization and manipulating roles
• Configuring business process flows, alerts, rules, and more
• Monitoring business transactions
• Looking at historical data and configuration changes

Medius is built upon the Microsoft Azure platform from Microsoft. Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. The Security Token Service is responsible for authenticating the end user.

Medius AP uses a role-based framework to control what an authenticated user can do within the application. All users are connected to one or more roles. A role defines what data objects and services users connected to the role can access and in what way. Roles are also used to define the user rights.

Medius applications are hosted in state-of-the-art Microsoft Azure data centers designed to protect mission-critical computer systems. Customer data is separated in unique SQL databases for each customer. All customer data in Microsoft Azure is stored in Europe, US or Australia depending on the customer's primary location and data is not transferred between locations.

We periodically perform vulnerability scanning on our web application service to verify our security standards and resiliency.

Security testing is part of our Secure Software Development Lifecycle (SSDLC), and external penetration testing, conducted by an independent third party, is performed at least annually.

We conduct annual independent audits for compliance and industry standards certifications.