Security

C3 Trust Center

Data Security

C3 is certified ISO/IEC 27001:2022.
C3 has not sought any other international standard certification, but is working towards compliance with the AICPA Service Organization Control (SOC 2) framework.
Please note that the Payment Card Industry Data Security Standard (PCI DSS) does not apply to the
use of the C3 Hub.

In offering the C3 Hub (C3 Yard and/or C3 Reservations), C3 processes data that belongs to its
customers. Customer Data is specifically defined in the C3 Hub Terms of Use governing the use of
the C3 Hub but can generally mean the data, information or material that a customer submits or
receives via the C3 Hub and services in the course of their use.

The Customer Data can include some Personal Information, also referred to as Personal Data,
such as the name and business contact information, including business email address of C3 Hub
Users.

We encrypt data in transit using TLS 1.3. The server certificate uses a 2048-bit RSA key; in TLS 1.3 that key only authenticates the server by signing the handshake, while the session keys come from an ephemeral Diffie-Hellman exchange, so recorded traffic cannot be decrypted later even if the certificate key is compromised.
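As an added example (not C3's own code, and not a description of how C3 verifies its deployment), the following Go program shows the check a practitioner would run to confirm that transit posture. It stands up a loopback TLS server with a self-signed 2048-bit RSA certificate (constructed test material; the hostname hub.example.test is hypothetical), connects with a client policy that refuses anything below TLS 1.3, and records the negotiated version, cipher suite and certificate key size. It then shows the same client refusing a server that is capped at TLS 1.2, which is the misconfiguration such a policy exists to catch. Only the Go standard library is used.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Posture is what a transit-encryption check should record for one connection.
type Posture struct {
	Version     uint16 // negotiated protocol; 0x0304 is TLS 1.3
	CipherSuite string // TLS 1.3 suites are AEAD only (AES-GCM or ChaCha20-Poly1305)
	RSABits     int    // modulus size of the server certificate's RSA key
}

// selfSigned builds a throwaway 2048-bit RSA certificate valid for 127.0.0.1.
// Constructed test material only; it stands in for a real server certificate.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "hub.example.test"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// ProbeServer starts a loopback TLS server, connects with a client that refuses
// anything below TLS 1.3, and reports what was negotiated. With allowTLS13 set
// to false the server is capped at TLS 1.2, and the client policy must reject it.
func ProbeServer(allowTLS13 bool) (Posture, error) {
	cert, pool, err := selfSigned()
	if err != nil {
		return Posture{}, err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	srvCfg.MaxVersion = tls.VersionTLS12
	if allowTLS13 {
		srvCfg.MaxVersion = tls.VersionTLS13
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return Posture{}, err
	}
	defer ln.Close()
	go func() { // serve exactly one handshake, then exit
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()

	cliCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return Posture{}, fmt.Errorf("client policy rejected connection: %w", err)
	}
	defer conn.Close()
	st := conn.ConnectionState()
	rsaKey, ok := st.PeerCertificates[0].PublicKey.(*rsa.PublicKey)
	if !ok {
		return Posture{}, fmt.Errorf("server certificate key is not RSA")
	}
	return Posture{Version: st.Version, CipherSuite: tls.CipherSuiteName(st.CipherSuite), RSABits: rsaKey.N.BitLen()}, nil
}

func main() {
	p, err := ProbeServer(true)
	fmt.Printf("TLS 1.3 server:      %+v err=%v\n", p, err)
	_, err = ProbeServer(false)
	fmt.Printf("TLS 1.2-only server: err=%v\n", err)
}
```

Against a real endpoint the loopback server goes away: keep the same client configuration (MinVersion TLS 1.3, system roots instead of the test pool) and dial the production host; a non-nil error from the dial is the finding, and the reported Version and RSABits are the evidence to file.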

Encryption of Customer Data at rest is provided only to Pro and Enterprise customers who have
specifically selected that option in the C3 Hub Order Form and the Terms of Use governing their C3 Hub.

When the Customer has selected the encryption option, its Customer Data at rest is encrypted with
AES using 256-bit keys (AES-256).

Customer Data is stored in single-tenant databases that run on multi-tenant physical servers: each
customer's data is logically segregated in its own database, but may reside on the same hardware
as other customers' data.
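The two paragraphs above (AES-256 at rest, and one database per tenant on shared hardware) suggest a design worth seeing in code. The following Go example is added here and is not C3's implementation; it assumes a per-tenant 256-bit data key and uses AES-256-GCM with the tenant and record identifiers as associated data, so an encrypted record cannot be decrypted under another tenant's key and cannot be silently re-labelled as a different record even by someone holding the right key. The sample record, identifiers and key handling are constructed for the example; a production system would hold the keys in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the stored form of one encrypted Customer Data record. The nonce
// is kept beside the ciphertext; the tenant and record identifiers are not
// secret but are bound into the GCM tag as associated data.
type Envelope struct {
	Tenant   string
	RecordID string
	Nonce    []byte
	Cipher   []byte // ciphertext followed by the 16-byte GCM tag
}

// NewTenantKey returns a fresh 256-bit data key. A 32-byte key is what makes
// crypto/aes select AES-256. Assumption for this example: in production the
// key is issued and held by a KMS or HSM rather than generated in process.
func NewTenantKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("tenant key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad is the associated data: authenticated by the tag, never encrypted.
func aad(tenant, record string) []byte { return []byte(tenant + "/" + record) }

// Seal encrypts one record under the tenant's key with a fresh random nonce.
func Seal(key []byte, tenant, record string, plaintext []byte) (Envelope, error) {
	g, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, aad(tenant, record))
	return Envelope{Tenant: tenant, RecordID: record, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts an envelope; any mismatch in key, nonce, ciphertext or
// associated data fails authentication and yields no plaintext at all.
func Open(key []byte, env Envelope) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Cipher, aad(env.Tenant, env.RecordID))
}

// Demo runs three checks on constructed sample data: a round trip under the
// owning tenant's key, a decryption attempt with another tenant's key, and a
// relabelled envelope. Each flag reports whether the design held.
func Demo() (roundTrip, crossTenantRejected, relabelRejected bool, err error) {
	keyA, err := NewTenantKey()
	if err != nil {
		return
	}
	keyB, err := NewTenantKey()
	if err != nil {
		return
	}
	// Constructed sample record; carrier and contact are hypothetical.
	record := []byte(`{"carrier":"Acme Freight","contact":"j.doe@acme.example"}`)
	env, err := Seal(keyA, "tenant-a", "reservation-1001", record)
	if err != nil {
		return
	}
	got, errA := Open(keyA, env)
	roundTrip = errA == nil && string(got) == string(record)

	_, errB := Open(keyB, env) // another tenant's key: tag check fails
	crossTenantRejected = errB != nil

	moved := env // same bytes, claimed for a different record of the same tenant
	moved.RecordID = "reservation-2002"
	_, errC := Open(keyA, moved)
	relabelRejected = errC != nil
	return
}

func main() {
	rt, ct, rl, err := Demo()
	fmt.Printf("round trip=%v cross-tenant rejected=%v relabel rejected=%v err=%v\n", rt, ct, rl, err)
}
```

The associated data is the part that turns "logically segregated" into something the cryptography enforces rather than something the application must remember to check: a row copied between tenant databases, or re-pointed at another reservation, fails to open.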

C3 maintains backup facilities that allow all Customer Data to be recovered following a disaster or
media failure. Except for Customer Data contained in a test environment, if any, C3 ensures that
Customer Data is saved and that backups are performed regularly, as follows:

– All Customer Data databases are maintained in a highly available SQL Server cluster with:
  – synchronous replication to a secondary instance in the primary data center
  – asynchronous replication to a tertiary instance in the secondary data center
– C3 keeps multiple copies of Customer Data backups on different media, including a
copy at an offsite Disaster Recovery (DR) location.

C3 abides by the following retention policy:

  • Live data is retained for a period of 6 months
  • Historical data is retained for a period of 2 years (10 years with our Enterprise Service Level)

Backup procedures are described more fully in the C3 Hub Customer Data Policy. Note that all Customer Data older than 24 months is safely purged from the Customer's C3 Hub production environment and is then no longer available for reporting.

C3 does not outsource the handling of Customer Data to any third party.
In accordance with our standard Terms of Use, C3 shall not subcontract any of its
material obligations, namely any processing of Customer Data or Personal Information of its Users,
without prior notice to the Customer.

C3’s Workforce may access Customer Data only when required for specific tasks such as validations, troubleshooting, or maintenance. All access—logical or physical—is granted based on the principle of least privilege, strictly limited to those whose roles require it.

Customer Data is hosted in our data center facilities which are owned by a certified hosting
facility provider. We have a colocation agreement in their Canadian facilities where we are in
charge of our infrastructure within the data center.

Incident Response and Breaches

C3 has an established Incident Management Policy and Process, followed by our Cybersecurity Incident Response Team (CIRT) to handle incidents from detection to recovery. We continuously monitor our systems, prioritize incidents based on severity, and involve external experts when needed to ensure a swift and effective response.

In the event of a security breach, C3 will assess the risk, take corrective measures, and notify all legally required parties within 48 hours. If Customer Data is involved, we will first inform the customer and collaborate on any required notifications before contacting affected individuals.

Security in our Environment and Infrastructure

  • We maintain active endpoint protection (antivirus and anti-malware software) together with firewalls.
  • Our network is segmented, with firewall rules restricting access and only necessary ports open.
  • We monitor trusted vulnerability sources at least monthly and apply relevant updates or mitigations.
  • Security patches are assessed, tested, and applied as needed, but at minimum on a monthly basis.

To keep track of all changes performed in our environment and ensure that each change is properly
assessed and its risk evaluated, we follow a strict change management process:

  • Change procedures are enforced through a standardized C3 Management Console with
    role-based access control and a complete audit trail.
  • Production change requests require approval by the VP in charge of the affected area.
  • The asset owner must approve changes affecting their asset.
  • Major changes that affect production, the security perimeter (firewalls, etc.) and/or
    personal data require three-tiered approval (IT, operations and security).
  • Minor changes require IT approval only.
  • Changes covered by an approved standard operating procedure (SOP) need no further
    approval.

C3 uses a range of security tools, including firewalls, IDS/IPS, vulnerability scans, OS logs and a SIEM, to detect potential threats and data loss. We track web activity, login events and attack attempts, using established monitoring tools supplemented by an internally developed console.

We use a Security Information and Event Management (SIEM) tool to log, monitor, and analyze access to our IT assets. It collects and correlates logs from our servers, network, firewall, and cloud platforms to support our incident monitoring strategy.
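The two paragraphs above describe correlating login events and attack attempts in the SIEM. As an added example (not C3's detection content or log format), here is a correlation rule in Go run over constructed authentication log lines: a per-source sliding window that raises one alert when a source reaches five failed logins in ten minutes, and a separate, higher-severity alert when a login from that source succeeds while the window is still full, since that is the case where a guessed or stuffed credential worked. The line format, user names and addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed authentication record.
type Event struct {
	At     time.Time
	User   string
	Src    string
	Failed bool
}

// Alert is what the rule hands to the incident queue.
type Alert struct {
	Src  string
	Kind string // "burst" or "success-after-burst"
	At   time.Time
}

// SampleLog is constructed sample data in a hypothetical key=value format;
// the addresses are RFC 5737 documentation ranges, not real sources.
var SampleLog = []string{
	"2024-05-01T10:00:01Z user=alice src=203.0.113.5 result=OK",
	"2024-05-01T10:00:10Z user=bob src=198.51.100.7 result=FAIL",
	"2024-05-01T10:00:12Z user=bob src=198.51.100.7 result=FAIL",
	"2024-05-01T10:00:14Z user=carol src=198.51.100.7 result=FAIL",
	"2024-05-01T10:00:16Z user=dave src=198.51.100.7 result=FAIL",
	"2024-05-01T10:00:18Z user=erin src=198.51.100.7 result=FAIL", // 5th failure inside the window
	"2024-05-01T10:00:25Z user=frank src=198.51.100.7 result=OK",  // success while the window is full
	"2024-05-01T10:30:00Z user=alice src=203.0.113.5 result=FAIL", // single failure, no alert
}

// ParseLine reads "<RFC3339 time> user=<u> src=<ip> result=<OK|FAIL>".
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return Event{}, fmt.Errorf("short line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{At: at}
	for _, kv := range f[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "user":
			ev.User = parts[1]
		case "src":
			ev.Src = parts[1]
		case "result":
			ev.Failed = parts[1] != "OK"
		}
	}
	if ev.Src == "" {
		return Event{}, fmt.Errorf("no src field in %q", line)
	}
	return ev, nil
}

// Detect keeps a sliding window of failure times per source address. Reaching
// `threshold` failures inside `window` raises one burst alert per episode; a
// success from a source whose window is still full is escalated separately.
// Input lines are assumed to be in time order, as a SIEM feed normally is.
func Detect(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	fails := map[string][]time.Time{}
	bursting := map[string]bool{}
	var alerts []Alert
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		w := fails[ev.Src][:0] // drop failures that aged out of the window
		for _, t := range fails[ev.Src] {
			if ev.At.Sub(t) <= window {
				w = append(w, t)
			}
		}
		if ev.Failed {
			w = append(w, ev.At)
			if len(w) >= threshold && !bursting[ev.Src] {
				bursting[ev.Src] = true
				alerts = append(alerts, Alert{Src: ev.Src, Kind: "burst", At: ev.At})
			}
		} else if len(w) >= threshold {
			alerts = append(alerts, Alert{Src: ev.Src, Kind: "success-after-burst", At: ev.At})
		}
		if len(w) < threshold {
			bursting[ev.Src] = false // episode over; a later burst may alert again
		}
		fails[ev.Src] = w
	}
	return alerts, nil
}

// DemoAlerts runs the rule over SampleLog with a 5-failures-in-10-minutes policy.
func DemoAlerts() ([]Alert, error) { return Detect(SampleLog, 5, 10*time.Minute) }

func main() {
	alerts, err := DemoAlerts()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s %-20s %s\n", a.At.Format(time.RFC3339), a.Kind, a.Src)
	}
}
```

On the sample data the rule produces exactly two alerts for 198.51.100.7 (a burst at 10:00:18 and a success-after-burst at 10:00:25) and nothing for the single failure from 203.0.113.5. Keying the window on source address rather than user name is what makes the rule catch password spraying, where every attempt targets a different account.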

Vendor Security

All vendors undergo a formal approval process that includes a rigorous security assessment, taking into account the sensitivity of the information we will share and the services they provide.

We review approved vendors annually to ensure continued compliance with our security standards. We also have a documented vendor termination process to manage offboarding securely and minimize risk.

Data Centers

The hosting facility provider's sites are operated under an Information Security Management
System attested against the following standards:

  • AICPA SOC (SSAE No. 18 SOC 2 Type II and ISAE 3402 combined examination)
  • ISO 27001 certified
  • PCI DSS
  • HITRUST

Access to the data center is strictly limited to authorized C3 employees on a controlled access list, reviewed regularly by the IT Manager. Entry is by appointment only, requires internal approval, and is secured with unique access cards and biometric verification.

The following physical security controls are in place at the data center:

  • 24×7 on-site security guards
  • Fire protection
  • CCTV with 90-day video retention
  • Temperature and humidity monitoring
  • Perimeter security
  • Visitor management procedures

Business Continuity and Disaster Recovery (BCDR)

We have a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP) in place to ensure operational resilience. Both plans are reviewed and tested on an annual basis to maintain their effectiveness.

C3’s Disaster Recovery Plan includes the following key elements:
– Geographically separated data centers, each capable of running full production.
– Fully redundant infrastructure with no single point of failure.
– Real-time database replication with a zero RPO (synchronous replication to the secondary instance in the primary data center; the cross-site replica is asynchronous, as described under Data Security) and an RTO under 4 hours.
– Offline standby production servers available on demand.
– A documented, regularly reviewed, and tested disaster recovery procedure.

We have a public status page available for real-time system updates at https://status.c3solutions.com.

Vulnerability Management

C3 performs vulnerability scans ad hoc and at least weekly using its Security Information and
Event Management (SIEM) tool.

Formal penetration and vulnerability tests are also performed by an independent third-party
company on an annual basis.

Compliance and Risk Management

C3 complies with best industry standards, practices, and applicable Privacy and Data Protection laws in all countries where it operates, including:

  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Quebec Act respecting the protection of personal information in the private sector
  • Quebec Act to modernize legislative provisions as regards the protection of personal information (Act 25)
  • General Data Protection Regulation (GDPR – Regulation (EU) 2016/679)
  • California Consumer Privacy Act (CCPA)

These measures are in place to ensure the adequate protection of Personal Information (also referred to as Personal Data) and Customer Data.

The C3 Hub (C3 Yard and/or C3 Reservations) is software developed, operated and maintained by C3
(the Processor) and accessible via the Internet. It enables the Customer (the Controller) to submit
and receive the information needed to manage its dock scheduling and/or yard management operations.

C3 shall process Customer Data, including Personal Data or PII (the name and business contact
information, including business email address, of the C3 Hub/Reservations Users of the Customer),
only as reasonably required to perform its obligations under the Agreement or where there is a
legal requirement to do so. Personal Data will be used (collected, structured and stored) by C3, on
behalf of the Customer, only as necessary for those purposes, namely to:

  • Authenticate a User;
  • Keep track of User actions within the C3 Hub;
  • Send the User email notifications relating to their C3 Hub usage on behalf of the Customer; and
  • Provide adequate C3 Hub support.

Personal Data will also be used by the Customer as part of its general use of the C3 Hub
functionality, namely for reporting purposes. C3 will inform the Customer if, in its opinion, a
Customer request relating to C3's processing of Personal Information infringes the Privacy and
Data Protection Laws.

Risk management (including risk assessments) is an integral part of C3's operations. C3 monitors
and assesses the security of its solution and network through a range of activities and tracks the
associated risks. We have a documented risk management policy and framework (including detailed
procedures, traceable risk assessments, awareness and training, etc.) which ensures that specific
controls and procedures are put in place to identify, assess and manage risks associated with our
business, and that they are monitored and reviewed regularly.

Personnel Security

Our goal is to hire people who will go on to positively shape the security culture we have built.
In accordance with the C3 Personnel Security Policy, and subject to applicable laws and ethics,
C3's Human Resources department conducts reasonable verification checks on all new workforce
candidates before the start of any relationship (employment, subcontracting, etc.). The extent of
these verifications varies with the business requirements and the risk assessment associated with
the functions and responsibilities the person will carry out. They cover:

  • Qualifications
  • Reasonable criminal background checks
  • Appropriate verifications upon promotion to a higher or more sensitive position, if not
    performed at the start of the work relationship.

All employees undergo security awareness training during onboarding and on an ongoing basis so that security stays fresh in their minds. We send monthly phishing tests and security awareness training videos to all employees. In addition, a yearly training and awareness program covers secure working practices (based on our policies) and social engineering techniques, and confirms that the material has been understood.

Moreover, in accordance with the C3 Personnel Security Policy, every C3 employee must read and understand all C3 policies, including those related to Information Security, and review them at least yearly.