How iMerit Ensures Data Security

Client partners trust iMerit with one of their most valuable assets – their data. iMerit has developed best practices across the organization to keep huge data volumes safe throughout the labeling process. A dedicated Information Security Manager is responsible for maintaining security, and he or she works in tandem with key internal and external stakeholders. The company is ISO27001:2013 certified, SOC 2 compliant and has been audited based on AICPA guidelines. During the rigorous process, internal controls for security, availability, confidentiality, privacy, and processing integrity were closely studied through documentation reviews and onsite visits.

Access control: Physical access restricted through biometric readers and access cards and virtual access through Active Directory Services (ADS) and limited project access.

Network security: Next-generation firewalls, demilitarized zone for servers, IPS for protection from attacks, MAC-based Wi-Fi.

Periodic reviews: User rights, vulnerability assessment testing, penetration tests.

Risk management: Central patch management system, encrypted data backup and restore checks, two-factor authentication, hardening of end-user nodes.

Delivery Centers 

Access to the company’s nine delivery centers, where data labeling is administered, is restricted with biometric readers and access cards. All centers are monitored by security cameras, and employee arrivals and departures are logged using a biometric system. Guest access is restricted and requires authorization from an employee. Inside the facilities, environmental controls like temperature, humidity, and airflow are carefully monitored to ensure the integrity of the computer equipment. For some clients, physical client delivery devices are secured in restricted areas, and can only be used or moved with the approval of team leaders.

People 

All iMerit employees, vendors, and contractors go through a screening process and sign NDAs at the beginning of their association with the company. The NDA covers trade secrets, information pertaining to software usage, data non-disclosure, and other notables. New employees undergo an onboarding program specifically focused on security policies and procedures. The sharing of passwords is strictly prohibited inside iMerit. During the annotation process, project-specific data is available only to the teams allocated to that engagement. Access rights are managed using Active Directory Services (ADS). 

Infrastructure 

In addition to oversight by the Information Security Manager, each center has a dedicated Information Security Monitor. The iMerit network boasts next-generation stateful firewalls and deep packet inspection techniques. These are deployed to examine and manage all web and site traffic. Only authorized traffic can pass through the firewall. Servers are placed in a “demilitarized” zone to add an extra layer of security. An Intrusion Prevention System (IPS) guards against malicious attacks. Preventive measures like vulnerability assessments, user access reviews, and penetration tests are carried out on a regular basis.

Client-specific requirements

iMerit often works with customers who have detailed security and regulatory requirements, and it has devised its onboarding process with these clients in mind. For every new client system, a Security Manager is nominated to coordinate with the customer. The Security Manager reviews the security requirements and identifies any specific controls or procedures that need to be implemented. Once deployed, the manager tracks and documents the processes and trains iMerit staffers in their use. The single point of contact streamlines communication with customers, as well as internal stakeholders.