Data Protection Requirements Summary

Protection of Salesforce credentials

All credentials for accessing Salesforce are maintained by the customer, including the credentials that Industries Order Management Plus uses to access Salesforce. Vlocity provides a mechanism to enable the customer to configure these credentials on AWS and protect the configured credentials from the rest of the application in a way that is not accessible by any Vlocity user.

Protection of fulfillment system credentials

All credentials for accessing the customer's fulfillment systems are maintained by the customer. Vlocity provides a mechanism to enable the customer to configure these credentials on AWS and protect the configured credentials from the rest of the application in a way that is not accessible by any Vlocity user.

Implement access control for object parameters

Every access, such as create, update, delete and read, of any object in the system is logged to ELK using a distinct log pattern so that the customer can determine who accessed the data and what was accessed. The following operations are logged on the object level:

• Create

• Update

• Read

• Delete

For update operations, changes in attributes, such as old and new, and characteristics are also logged.

Track up-time and down-time of Vlocity Order Management Plus

The system tracks the up-time and down-time of Order Management Plus. The logs are available to the customer upon request.

Log all user accesses to production environments

The system logs all accesses to production environments. The logs are available to the customer upon request.

Control of PII encryption key generation

Order Management Plus provide a UI-based mechanism that enables only customer resources to control the PII encryption key generation and encryption process.

Disaster recovery plan

A documented disaster recovery plan can be made available to the customer.