Information Security Addendum
Vendor has established and agrees to maintain a written information security program (the “Information Security Program”) designed to comply with this Information Security Addendum and applicable Data Protection Law. Terms not defined herein have the meaning set forth in the rest of the DPA.
As part of its program, Vendor has implemented and agrees to maintain administrative, technical, and physical security safeguards designed to protect the confidentiality, integrity, and availability of Customer Data, including but not limited to:
Administrative and Organizational Safeguards
- Vendor maintains policies and procedures for the security of Customer Data, including the following:
◦ Written information security policies that set forth Vendor’s procedures with regard to maintaining the safeguards set forth in this Information Security Addendum.
◦ Incident Response Plan, which sets forth Vendor’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
- Vendor conducts regular assessments of the risks and vulnerabilities to the confidentiality and security of Customer Data.
- Vendor regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
- Vendor has appointed an individual to oversee and manage its Information Security Program and lead the response to any Personal Data Breach.
- Vendor maintains role-based access restrictions for its systems, including restricting access to only those Vendor employees who require access to perform the Vendor Services or to facilitate the performance of such Vendor Services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
- Vendor periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for Vendor employees that no longer need such access.
- Vendor assigns unique usernames to authorized Vendor employees and requires that Vendor employees’ passwords satisfy minimum length and complexity requirements.
- Vendor regularly provides training to employees, as relevant for their roles, on confidentiality and security.
- Vendor requires relevant Vendor employees to acknowledge Vendor’s Information Security Program annually.
- Vendor has a policy in place to address violations of its Information Security Program.
Technical Security
- Vendor logs certain system activity—including authentication events, changes in authorization and access controls—and regularly reviews and audits such logs.
- Vendor maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Vendor to suspicious network activity, and anti-virus and malware protection software.
- Vendor has implemented workstation protection policies for its systems, including automatic logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
- Vendor requires multi-factor authentication on its systems for administrative users.
- Vendor conducts periodic vulnerability scans and assessments on systems storing, processing, or transmitting Personal Data to identify potential vulnerabilities and risks to Personal Data.
- Vendor remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all manufacturer- and developer-recommended security updates and patches that mitigate high-risk vulnerabilities in systems and software storing, transmitting, or otherwise Processing Personal Data.
Physical Security
- Vendor restricts access to its facilities, equipment, and devices to Vendor employees with authorized access on a need-to-know basis.
- Vendor tracks the location of its equipment, devices, and electronic media and maintains a record of such locations.