Security Terms
The terms and conditions in this attachment (the “Security Terms”) shall apply when, during the course of providing Services to Customer, Incorta (a) Processes Personal Data or (b) requires access to Customer’s computer network or telecommunications systems (“Customer Network”). Nothing in these Security Terms is intended to limit or relieve Incorta of its most basic obligation to implement and maintain an effective information security program.
- Definitions
- Industry Standard Safeguards means those safeguards widely accepted by information security professionals as necessary to reasonably protect data during storage, processing and transmission consistent with the sensitivity of and widely recognized threats to such data. Examples of Industry Standard Safeguards include those practices described in ISO/IEC 27002:2013, NIST 800-44, Microsoft Security Hardening Guides, OWASP Guide to Building Secure Web Applications, and the various Center for Internet Security Standards.
- Other capitalized terms used and not defined in these Security Terms have the respective meanings given in the DPA or elsewhere in the Agreement.
- General Information Security Standards
- Incorta represents and warrants that:
- it has in place and will maintain a comprehensive, written information security program pursuant to which it has implemented administrative, technical and physical safeguards designed to: (1) ensure the confidentiality, integrity, availability and security of Personal Data; (2) protect against any foreseeable threats or hazards thereto; (3) protect against unauthorized, accidental or unlawful access to or use of Personal Data and Incorta systems; (4) protect against unauthorized, accidental or unlawful destruction, loss, alteration, encryption or misuse of Personal Data and (5) ensure that Incorta’s personnel are appropriately trained to maintain the confidentiality, integrity, availability and security of Personal Data, consistent with the terms of the DPA, these Security Terms, other provisions of this Agreement and all applicable laws and regulations;
- Such safeguards will include, without limitation, the application of Industry Standard Safeguards to protect Incorta’s systems used to Process Personal Data, and to limit access to Personal Data to only those employees, agents or service providers of Incorta who need the information to carry out the purposes for which Personal Data was disclosed to Incorta;
- Such safeguards are no less rigorous than those used by Incorta for its own information of a similar nature;
- Incorta is in and will remain in compliance with its information security program in all material respects; and
- Without limitation of the foregoing, Incorta has implemented and will maintain the following minimum controls with respect to Personal Data:
Security Control Category | Description |
---|---|
Information Security Program | |
Risk Assessment | |
Data Collection, Retention and Disposal | |
Data Inventory | |
Personnel Background Checks | |
Personnel Training and Education | Regularly and periodically train personnel, subcontractors and any third parties who have access to Personal Data or relevant information systems concerning: |
Incorta Management and Oversight | |
Segregation of Duties | Duties and areas of responsibility of the organization’s personnel should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Personal Data or the organization’s information systems |
Access Controls | |
Secure User Authentication | To manage access to Personal Data and relevant information systems: |
Incident Detection and Response | Maintain policies and procedures to detect, monitor, document and respond to actual or reasonably suspected Security Incidents, and encourage the reporting of such incidents, including through: |
Encryption | Apply encryption with industry-standard algorithms and key lengths to Personal Data: |
Network Security | Implement network security controls such as up-to-date firewalls, layered DMZs and updated intrusion detection/prevention systems, including firewalls between the organization’s information systems, the Internet (including internal networks connected to the Internet) and other public networks, and internal networks that are not necessary for processing Personal Data; the firewalls must be reasonably designed to maintain the security of Personal Data and relevant information systems |
Data Segregation | Physical or logical segregation of Personal Data to ensure it is not commingled with another party’s information except as approved by Customer |
Malicious Code Detection | |
Vulnerability and Patch Management | Maintain vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies to identify, assess, mitigate and protect against new and existing security vulnerabilities and threats, including viruses, bots and other malicious code |
Application Security | Maintain application security and software development controls designed to prevent the introduction of security vulnerabilities in software developed by Incorta that Processes Personal Data |
Change Controls | |
Off-Premise Information Security | |
Physical Security | |
Secure Destruction | Use secure destruction procedures to sanitize any unencrypted hard disk, portable storage device or backup media containing Personal Data prior to sending it offsite for maintenance or disposal purposes |
Contingency Planning | Maintain policies and procedures for responding to an emergency or other occurrence that can compromise the privacy, confidentiality, integrity or availability of Personal Data or damage the organization’s information systems; such policies and procedures should provide for: |
2. Incorta represents and warrants that prior to permitting any Subcontractor to access Personal Data, Incorta shall conduct a reasonable, documented investigation of such Subcontractor to verify that it is capable of maintaining the privacy, confidentiality and security of Personal Data in compliance with this Agreement.
3. Incorta will designate an individual who will serve as Customer’s ongoing point of contact for purposes of addressing issues with respect to the use and security of Personal Data during the term and following the termination or expiration of this Agreement. Such individual will be accessible to Customer and will cooperate with Customer to address such issues.
4. Incorta shall promptly notify Customer of any material change in the controls or other safeguards that affect Incorta’s ability to fulfill Security Terms.
5. On termination of this Agreement for any reason or upon request, Incorta will cease Processing Personal Data, return a copy of the Personal Data to Customer and then securely delete or destroy, as applicable, all Personal Data in Incorta’s possession (except as prohibited by law or other explicit data retention and/or return provisions in this Agreement).
3. Risk Assessments and Security Audits
- Incorta will perform regular (i.e. at least quarterly) vulnerability tests and assessments against all systems Processing Personal Data, and shall perform regular (i.e. at least annually) penetration tests against any Internet-facing systems used in connection with the Services. Incorta further agrees to perform regular (i.e. at least annually) risk assessments of the physical and logical security measures and safeguards it maintains applicable to its protection of Personal Data. With respect to systems Processing Personal Data, Incorta will provide Customer, upon request, a summary report of such tests and assessments, including a description of any significant (i.e. moderate or greater) risks identified and an overview of the remediation effort(s) undertaken to address such risks.
- In addition to any other audit obligations that may be contained in this Agreement, Customer or its designated third party, at its sole expense, may inspect (i) Incorta’s information security and privacy policies, practices and procedures applicable to the systems, applications, and facilities Processing Personal Data, including data centers or premises where the Personal Data is stored at or accessed from, and (ii) Incorta’s Processing practices, (“Inspection”). Incorta shall make relevant personnel available for interviews and provide all information and assistance reasonably requested by Customer in connection with any such Inspections, including, without limitation, such information as Customer requires to verify compliance with this Agreement and Data Protection Laws, provided, however that such audit activities may not unreasonably interfere with Incorta business activities. Incorta shall take such remedial actions as are reasonably required by Customer following the Inspection.
- Without prejudice to the rights granted in Section 3.2 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the
- Security Breaches and Incident Response
- Incorta agrees to notify Customer immediately (but in no case later than 24 hours) after learning of a Security Incident. Notification must include a phone call to Incorta’s primary account contact.
- Notification shall include at a minimum (a) a description of the Incident including impact and likely consequences thereof, (b) the expected resolution time (if it has not already been resolved), (c) corrective measures to be taken, evaluation of alternatives, and next steps, and (d) the name and phone number of the Incorta representative that Customer may contact to obtain further information and updates. Without limitation of the foregoing, Incorta shall promptly provide Customer with the following information as it becomes available:
- a detailed description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
- a description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects; and
- whether any regulatory authority, the Data Subjects or the media have been informed or are otherwise already aware of the Security Incident, and their response.
- Customer may require that Incorta’s access to, or processing or storing of Personal Data be suspended, connectivity with Customer be terminated, or other appropriate action be taken pending such resolution.
- Incorta agrees to keep Customer informed of progress and actions taken to address the Security Incident and prevention of future such Security Incidents, and to provide Customer with all facts about the Security Incident as appropriate for Customer to conduct its own assessment of the risk to Personal Data and of Customer’s overall exposure to such Security Incident.
- Unless such disclosure is mandated by law, Customer in its sole discretion will determine whether to provide notification to Customer’s customers or employees concerning incidents involving Personal Data. Customer agrees to coordinate with Incorta on the content of any intended public statements or required notices for affected individuals and/or notices to the relevant Regulators regarding incidents involving Personal Data.
- Without limitation of any other provisions of this Agreement, in the event of a Security Incident involving unencrypted Personal Data, Incorta agrees to provide the following at Incorta’s expense upon Customer’s request: (a) notice to individuals whose Personal Data was affected by the Security Incident in a manner and format determined by Customer, in its sole discretion, as well as to any other third parties, such as Regulators, law enforcement agencies and consumer reporting agencies, that Customer determines should be notified of the Security Incident, in its sole discretion, (b) one year of credit monitoring, (c) any other relief service(s) as required by applicable law to affected individuals; and (d) reasonable co-operation with Customer to offer any other remediation services deemed necessary by Customer or which are customarily provided to individuals impacted by a breach in confidentiality of their Personal Data in the relevant jurisdictions.