SECURITY ADDENDUM

(Version 1.5: 10-Aug-2023)

The terms of this Security Addendum (this “Addendum”) provide details of the information security program and policies and are incorporated into the Subscription Agreement and/or Evaluation Agreement between Customer and Precisely governing the Data Integrity Suite (the “Agreement”) for the Term of the applicable Order.

Modifications to this Agreement:

  • Orders for Licensed Products and/or Services pursuant to an Agreement are governed by the version of this Addendum applicable on the Effective Date of the Order as indicated by the version date above.
  • The terms of this Addendum may not be modified with respect to the Order to which they apply except by mutual agreement of Customer and Precisely.
  • New versions of this Addendum will only apply to subsequent Orders.

This Addendum applies only to the extent Precisely obtains Customer Data as part of Customer’s license to Hosted Software pursuant to the Agreement.

1.  DEFINITIONS

1.1  For the purposes of this Addendum, the following terms will have the corresponding definitions:

“Customer Data” has the meaning set forth in the Agreement.

“Data Subject” means an identified or identifiable natural person.  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Precisely Systems” means the datacenter infrastructure owned or controlled by Precisely, including through agreements with the Hosting Services Provider(s) and other Precisely subcontractors.

“Security Incident” means, with respect to any Customer Data obtained by Precisely under the Agreement or this Addendum as part of Customer’s valid use of Hosted Software: any verified, actual: (a)  loss or misuse (by any means) of such Customer Data; (b)  accidental, inadvertent, unauthorized or unlawful destruction, alteration, disclosure of, access to, or corruption of such Customer Data; (c) compromise of the security, confidentiality or integrity of Customer Data, including but not limited to, a compromise of any physical, technical, administrative or organizational safeguards that relate to the protection of such Customer Data or (d) any unauthorized access to Precisely Systems containing Customer Data. Security Incidents do not include events which are either (a) caused by Customer, Customer Affiliates, Users or third parties operating under their direction, including failure to (i) control user access; (ii) secure or encrypt Customer Data which the Customer transmits to and from Precisely Systems during use of Hosted Software; and/or (iii) implement security configurations to protect Customer Data; or (b) unsuccessful attempts or activities that do not or are not reasonably likely to compromise the security of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Term” with respect to this Addendum and an associated Order, means the period beginning on the Commencement Date of such Order and continuing for the Term of such Order.

“User” has the meaning set forth in the Agreement.

1.2  In the event of any conflict or ambiguity between the provisions of this Addendum, the Agreement and any Order, the conflict or ambiguity shall be resolved in the following descending order of precedence: this Addendum; the Orders (with the most recent taking precedence); and the main body of the Agreement.

1.3  Other terms that have been capitalized but not defined in this Addendum shall have the same meaning as in the Agreement.

DATA SECURITY

2.  OVERVIEW

2.1  Customer Data Access. Precisely acknowledges that, in the course of providing Hosted Software to Customer pursuant to the terms of the Agreement, it may have or be granted access to Customer Data. Precisely agrees to collect, process, transfer, disclose, store, and otherwise use Customer Data in the possession of Precisely consistent with the terms of this Addendum, unless otherwise required by law.

2.2  Data Security Programs. Precisely agrees to implement physical, technical, administrative or organizational safeguards that relate to the protection of such Customer Data against accidental or unlawful destruction, loss, access to or alteration of Customer Data in Precisely’s possession or control.

2.3  Data Security Policies. Precisely shall maintain policies and standards for the protection of Customer Data that originate from industry standard frameworks and establish uniform security and privacy standards for Precisely’s operations.  Such policies shall be consistent with AICPA SOC 2 or another generally accepted industry standard that is applicable to Precisely as a service provider.

2.4 Third Party Subcontractors. Precisely shall be responsible for ensuring that its subcontractors who have Customer Data (including any Hosting Service Provider) maintain data security programs which are at least as stringent as Precisely’s own programs with respect to the applicable service to which such subcontractor has been engaged, and in accordance with generally accepted industry standards and practices. Precisely shall maintain a risk management program focused on the identification, evaluation, and validation of a vendor’s security controls.

2.5  Onboarding Process. The following measures are undertaken at the commencement of an individual’s employment or engagement with Precisely:

(a)  Background Checks. Each individual assigned to perform Professional Services under the Agreement will have been subjected to a background check in accordance with Precisely’s background checking policies, which at a minimum includes a criminal history search in accordance with local law. Each candidate’s background check report is reviewed in determining whether employment of a candidate is consistent with the safe and efficient performance of Professional Services, taking into consideration any appropriate factors and applicable law.

(b)  Training. Precisely has implemented and maintains a Data Privacy and Information Security awareness program.  Upon joining Precisely, employees with access to Customer Data will be given training on data security and privacy issues as part of their orientation, including on Precisely’s current Information Security and Data Privacy Policies. Employees further agree in writing to perform their work according to Precisely’s policies, standards, and procedures regarding information security and privacy requirements.  Subsequent annual training is required and is supplemented by numerous educational initiatives.  Depending upon job function, certain employees receive specialized training and/or receive training on a more frequent basis.

2.6  Ongoing Assessment. Precisely will regularly test and monitor the effectiveness of its safeguards, controls, systems, and procedures by appropriate internal or external assessors. Precisely will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Customer Data toward ensuring that these risks are addressed.

3.  SECURITY MEASURES

Precisely maintains appropriate data protection and security measures for Customer Data. Such measures shall include the following:

3.1  Physical Security. Precisely takes precautions to ensure that all Precisely Systems hosting Customer Data are maintained in a physically secure environment to prevent unauthorized physical access, and that access restrictions at physical locations containing Customer Data, such as buildings, computer facilities, and records storage facilities, are designed and implemented to permit access only to authorized individuals, and to detect any unauthorized access that may occur, including without limitation 24 x 7 security personnel at all relevant locations. Set forth below are examples of such physical security controls:

(a)  With respect to datacenter locations, all access is controlled and restricted by use of a defined security perimeter, appropriate security barriers, security cameras, entry and authentication controls, and access logs.

(b)  Precisely implements and maintains appropriate security measures and procedures to protect and prevent the unauthorized viewing, copying, alteration or removal of any media containing Customer Data.

(c)  Visitors to Precisely premises are required to be escorted at all times.

3.2  Network Security Controls. Precisely maintains the following network security controls and safeguards designed to prevent unauthorized access to Precisely Systems and network:

(a)  Defense-in-depth design with perimeter routers, network switches and firewall devices and default deny-all policy to protect its Internet presence;

(b)  Internet access controlled by proxies and logged;

(c)  Intrusion detection system is deployed to monitor and respond to potential intrusions;

(d)  Real-time network events are logged and investigated using a security information event management tool;

(e)  Content filtering and website blocking using approved lists;

(f)  All wireless network devices follow the same policies and standards as wired devices; and

(g)  Rogue wireless access points are detected and disassociated from the corporate wireless network.

3.3  Platform Security Controls. Precisely maintains the following security controls and safeguards designed to protect and prevent unauthorized access to Customer Data on various computing platforms and operating systems:

(a)  Configuration/Hardening standards are established, documented, reviewed and updated regularly;

(b)  Changes are approved and follow Precisely’s internal change control process;

(c)  Unauthorized hardware and software are prohibited from being installed in Precisely Systems;

(d)  Where technically feasible, a session is timed out after appropriate periods of inactivity;

(e)  Any vendor-supplied defaults (accounts, passwords and roles) are removed during installation;

(f)  Services and devices that are not required by valid business needs are removed; and

(g)  An anti-virus program with timely updates actively runs on servers and machines.

3.4  Application Security Controls. The following security controls and safeguards are designed to ensure the integrity and security of applications developed by Precisely and are implemented and maintained by Precisely:

(a)  Defense-in-depth with the use of n-tier architecture provides separation and protection of data;

(b)  Application development follows a secure software development life cycle (SSDLC) that includes training, development, testing and ongoing assessments;

(c)  All changes to such applications are documented, reviewed, tested and approved before being implemented into production;

(d)  Application vulnerabilities and patches are identified, tested and remediated/installed in a timely manner; and

(e)  Development and testing environments must not contain any production data.

3.5  Access Control and Management. Precisely maintains appropriate security measures and procedures to ensure that access to all Precisely Systems hosting Customer Data shall be protected through the use of access control systems that uniquely identify each individual requiring access, grant access only to authorized individuals and based on the principle of least privilege, prevent unauthorized persons from gaining access to Customer Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events.

3.6  Annual Penetration Testing. Precisely performs penetration tests on applicable Precisely environments, including perimeter vulnerability testing, internal infrastructure vulnerability testing, and application testing.  Upon Customer’s request, Precisely shall provide a redacted executive summary of process documentation and external assessment results to the extent applicable to the Hosted Software used by Customer.

4.  SECURITY QUESTIONNAIRES

Upon Customer’s written request to confirm compliance with the above Data Security requirements of this Addendum, Precisely shall promptly and accurately complete a written information security questionnaire provided by Customer or a third party on Customer’s behalf regarding Precisely’s business practices and information technology environment in relation to all Customer Data being handled and/or the Hosted Software being made available by Precisely to Customer pursuant to the Agreement. Precisely shall fully cooperate with such inquiries. Such requests shall be (a) not more often than once annually, (b) upon not less than thirty days prior written notice, and (c) conducted during normal business hours in a manner designed to minimize disruption of Precisely’s business and operations.

5.  SECURITY INCIDENTS

5.1  Notice. Precisely’s security incident response team is staffed by the office of the Chief Information Security Officer and is responsible for investigating and responding to information-security related events escalated to their attention and determining if a Security Incident has taken place. Upon confirmation of a Security Incident, Precisely shall promptly, but in no event later than 48 hours thereafter, notify Customer of such Security Incident and provide Customer with information about the Security Incident including, where possible, (i) the categories and approximate number of affected Customer Data records and, if applicable, the categories and approximate number of affected Data Subjects, (ii) the impact and likely consequences of the Security Incident to Customer and, if applicable, the affected Data Subjects, and (iii) the corrective action or remediation efforts taken or to be taken by Precisely.

5.2  Remediation. Following any Security Incident, Precisely shall consult in good faith with Customer regarding remediation efforts that may be necessary and reasonable.  Precisely shall (i) at Customer’s direction undertake reasonable remediation efforts at Precisely’s sole expense and reimburse Customer for Customer’s reasonable expenses in connection with any remediation efforts undertaken by Customer directly arising from the Security Incident, (ii) ensure that such remediation efforts provide for, without limitation, prevention of the recurrence of the same type of Security Incident and (iii) reasonably cooperate with any remediation efforts undertaken by Customer directly arising from the Security Incident.

5.3  Incident Notification. Any notifications to customers or employees of Customer regarding Security Incidents will be handled exclusively by Customer, unless otherwise directed by Customer. Precisely shall reasonably cooperate in connection with notices to customers and employees of Customer regarding a Security Incident. Unless Precisely is legally prohibited, Precisely shall notify Customer promptly in the event that Precisely is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Customer Data to any person other than Customer or persons expressly approved by Customer to receive such information.

GENERAL TERMS

6.  ENTIRE AGREEMENT

This Addendum and the Agreement, where referenced, contain the entire agreement regarding the data security of the Hosted Software and supersede any other data security agreements and communications between the parties concerning the access to or use by Precisely of Customer Data in connection with the Hosted Software.

7.  LIMITATION OF LIABILITY AND INDEMNITY

The total combined liability of either party towards the other party, whether in contract, tort or under any other theory of liability, shall be limited as set forth in the Agreement and references to the liability of a party shall apply to liability arising under or in connection with this Addendum in the aggregate with the Agreement.

8.  CHOICE OF LAW

This Addendum and the rights and obligations contained in it or otherwise arising between the Parties will be governed by and construed in accordance with the laws of the State of New York, without regard to any choice of law or conflicts of law principles.

9.  TERMINATION

Customer shall have the right to terminate this Addendum upon written notice to Precisely.