Data Processing Addendum
This Data Processing Agreement (“DPA”) supplements the Agreement between Fullcast, Inc., a Delaware corporation (“Provider”) and the Customer identified on the Order Form (“Customer”), each on behalf of themselves and their Affiliates (together, the “Parties”). This DPA governs the processing of any Personal Data that Customer may make accessible to Provider and is effective as of the Agreement’s effective date (“Effective Date”).
1. PRECEDENCE; SURVIVAL
Terms not defined in this DPA or in applicable Data Protection Laws have the meaning assigned to them in the Agreement. In the event of any conflict or inconsistency, this DPA supersedes and prevails over any conflicting terms in the Agreement. The provisions of this DPA survive any termination of the Agreement to the extent necessary.
2. DEFINITIONS
- 2.1. “Affiliate” means an entity that now or hereafter controls, is controlled by or is under common control with a specified entity, where “control” means beneficial ownership, directly or indirectly, of more than fifty percent (50%) of the outstanding shares or other ownership interest (representing the right to vote for the election of directors or other managing authority or the right to make the decisions for such entity, as applicable) of an entity. Such entity is deemed to be an Affiliate only so long as such control exists.
- 2.2. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term “Controller” also includes the definition for a “business” under the CCPA and any similar designation under the U.S. Privacy Laws.
- 2.3. “Anonymized Data” means a compilation of data which does not relate to an identified or identifiable individual or to Personal Data or data rendered anonymous in such a manner that the individual is not or no longer identifiable.
- 2.4. “Customer Data” means Personal Data that is directly or indirectly supplied by Customer to Provider under the applicable Agreement or which Provider is required to Process pursuant to the Agreement.
- 2.5. “Data Protection Laws” means all applicable legislation relating to data protection and privacy including, without limitation, the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR and the UK GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, and the U.S. Privacy Laws, as amended, repealed, consolidated or replaced from time to time.
- 2.6. “Data Subject” means the individual to whom Personal Data relates.
- 2.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- 2.8. “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.
- 2.9. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data or Personal Data, transmitted, stored, or otherwise Processed.
- 2.10. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data.
- 2.11. “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller. The term “Processor” also includes the definition for a “service provider” under the CCPA and any similar designation under the U.S. Privacy Laws.
- 2.12. “Sensitive Data” means a class of Personal Data including but not limited to (a) social security number, passport number, driver’s license number, or similar identifier, (b) credit or debit card number (other than truncated digits), financial information, banking account numbers or passwords, (c) employment, financial, genetic, biometric or health information, (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation, (e) account passwords, (f) criminal history, or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable Data Protection Laws. Provider will not Process or transfer any Sensitive Data unless specifically instructed by Customer; provided, however, that any transfer or request by Customer for Provider to Process Sensitive Data constitutes Customer’s assent for Provider to Process Sensitive Data.
- 2.13. “Services” means the services provided by Provider to Customer pursuant to the Agreement.
- 2.14. “Standard Contractual Clauses” means Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- 2.15. “Subprocessor” means a natural or legal person, public authority, agency, or other body engaged by a Processor who has or may potentially have access to Personal Data, or processes Personal Data.
- 2.16. “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- 2.17. “UK Transfer Addendum” means the addendum pursuant to the International Commissioner’s Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.
- 2.18. “U.S. Privacy Laws” means collectively the California Consumer Privacy Act, or its successor the California Privacy Rights Act (collectively the “CCPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); the Utah Consumer Privacy Act (“UCPA”); and the Virginia Consumer Data Protection Act (“VCDPA”).
3. DETAILS OF PROCESSING
- 3.1. Classification of the Parties. To the extent that Provider Processes Customer Data, Provider is deemed a Processor. For the purposes of this DPA and the Agreement, Customer is deemed a Controller.
- 3.2. Categories of Data Subjects. Customer may submit, transfer, or grant access to, Personal Data to Provider, or direct Provider to Process Personal Data as part of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Data Subjects including Customer’s employees, contractors, collaborators, customers, prospects, suppliers, agents, and subcontractors.
- 3.3. Categories of Personal Data. Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, including but not limited to name, address, phone number, email address and associated email data, navigational data (including website usage information), system usage data, and other electronic data submitted, stored, sent, or received by Customer, or the Customer’s end users, including where applicable Sensitive Data.
- 3.4. Sensitive Data. The Parties do not anticipate the transfer of Sensitive Data.
- 3.5. Frequency of Transfer. Provider will Process Personal Data on a continuous basis for the duration of the Agreement, subject to limiting provisions in this DPA.
- 3.6. Purpose of the Processing. Provider will Process Personal Data for purposes of providing the Services, as further instructed by Customer in its use of the Services, and otherwise agreed to in the Agreement.
- 3.7. Retention. Provider will Process Personal Data for the duration of the Agreement, subject to other limited provisions of this DPA.
4. CUSTOMER RESPONSIBILITY
Within the scope of the Agreement and in its use of Provider’s Services, Customer shall be solely responsible for complying with the statutory requirements relating to the Data Protection Laws, in particular regarding the disclosure and transfer of Personal Data to Provider and the Processing of Personal Data. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data must comply with Data Protection Laws. This DPA is Customer’s complete and final instruction to Processor in relation to Personal Data, and any additional instructions outside the scope of this DPA require prior written agreement between the Parties. Instructions must initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified, or replaced by Customer in separate written instructions (as individual instructions).
Customer shall inform Provider without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data, including if Customer’s instructions or transfer of Personal Data to Provider violate Data Protection Laws.
5. PROVIDER OBLIGATIONS
- 5.1. Compliance with Instructions. The Parties acknowledge that Customer is the Controller of Personal Data and Provider is the Processor of Personal Data. Provider shall Process Personal Data only within the scope of Customer’s instructions. If Provider believes that an instruction of Customer violates Data Protection Laws, it will inform Customer without delay. If Provider cannot process Personal Data in accordance with the instructions due to a legal requirement under any applicable Data Protection Laws, Provider will (i) promptly notify Customer of that legal requirement before the relevant Processing to the extent permitted by Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new instructions with which Provider is able to comply. If this provision is invoked, Provider will not be liable to Customer under the Agreement for any failure to perform the applicable services until such time as Customer issues new instructions regarding the Processing.
- 5.2. Security. Provider shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Appendix C.
- 5.3. Confidentiality. Provider shall ensure that any personnel whom Provider authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality continues after the termination of the above-entitled activities.
- 5.4. Personal Data Breaches. Provider will notify Customer without undue delay, and at least within the time required by Data Protection Laws, after it becomes aware of any Personal Data Breach affecting any Personal Data. At Customer’s reasonable request, Provider will promptly provide Customer with all reasonable assistance necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities or affected Data Subjects, if Customer is required to do so under the Data Protection Laws.
- 5.5. Deletion or Retrieval of Personal Data. Other than to the extent required to comply with Data Protection Laws, following termination or expiration of the Agreement, Provider will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA. If Provider is unable to delete Personal Data for technical or other reasons, Provider will apply reasonable measures to ensure that Personal Data is blocked from any further Processing.
Customer shall, upon termination or expiration of the Agreement and by way of issuing an instruction, stipulate, within a period of time set by Provider, the reasonable measures to return Personal Data or to delete stored Personal Data. Customer shall pay any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement.
- 5.6. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is available to Provider and Customer does not otherwise have access to the required information, Provider will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any Data Protection Laws, in each case solely in relation to the processing of Personal Data.
- 5.7. U.S. Specific Terms. Provider will Process Personal Data pursuant to all applicable U.S. Privacy Laws. Specifically, Provider will not “sell” or “share” any Personal Data as defined in the CCPA, unless permitted through CCPA or the Agreement.
6. DATA SUBJECT REQUESTS
Provider will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws. If such request is made directly to Provider, Provider will promptly inform Customer and will advise Data Subjects to submit their request to Customer. Customer is solely responsible for responding to any Data Subjects’ requests.
7. AUDITS
Provider shall, in accordance with Data Protection Laws and in response to a reasonable written request by Customer, make available to Customer such information in Provider’s possession or control related to Provider’s compliance with the obligations of data processors under Data Protection Laws in relation to its Processing of Personal Data.
Customer may, upon written request and at least thirty (30) days’ written notice to Provider, during regular business hours and without interrupting Provider’s business operations, allow for a mutually agreed upon third-party auditor to conduct an inspection of Provider’s business operations solely to determine Provider’s compliance with this DPA. Provider shall, upon Customer’s written request and on at least thirty (30) days’ written notice to Provider, provide Customer with all information necessary for such audit, to the extent that such information is within Provider’s control and Provider is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
8. SUBPROCESSORS
- 8.1. Appointment of Subprocessors. Customer acknowledges (a) the engagement as Subprocessors of Provider’s Affiliates and the third parties listed, if any, on Appendix D, and (b) that Provider and its Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Provider may add to or delete from the list of Subprocessors at any time, and Customer’s consent extends to any third parties added thereto. For the avoidance of doubt, the above authorization constitutes Customer’s general authorization to the subprocessing by Provider for purposes of Clause 9(a), option 2 of the Standard Contractual Clauses.
Where Provider engages Subprocessors, Provider will enter into a contract with the Subprocessor that imposes on the Subprocessor the same or substantially similar obligations that apply to Provider under this DPA. Where the Subprocessor fails to fulfil its data processing obligations, Provider remains liable to Customer for the performance of such Subprocessor’s obligations.
Where a Subprocessor is engaged, Customer must be granted the right to monitor and inspect the Subprocessor’s activities in accordance with this DPA and Data Protection Laws, including to obtain information from Provider, upon written request, on the substance of the contract and the implementation of the data protection obligations under the subprocessing contract, where necessary by inspecting the relevant contract documents.
The provisions of this Section mutually apply if Provider engages a Subprocessor in a country outside the European Economic Area (“EEA”) or the United Kingdom (“UK”), not recognized by the European Commission or UK government, respectively, as providing an adequate level of protection for Personal Data. If, in the performance of this DPA, Provider transfers any Personal Data to a Subprocessor located outside of the EEA or UK, Provider shall, in advance of any such transfer, ensure that a legal mechanism in respect of that Processing is in place.
- 8.2. Current Processor List and Notification or Objection to New Subprocessors. If Provider intends to engage Subprocessors other than the companies listed on the Subprocessors list on Appendix D, Provider will notify Customer in writing. Upon receiving such notification, Customer may object to any Subprocessors within thirty (30) days after any addition. The objection must be based on reasonable grounds. If Provider and Customer are unable to resolve such objection, either Party may terminate the Agreement by providing written notice to the other Party.
9. DATA TRANSFERS
Customer acknowledges that, in connection with the performance of the Services under the Agreement, Personal Data will be transferred to Provider in the United States and to its Subprocessors. Provider may access and perform Processing of Personal Data on a global basis as necessary to provide the Services.
The Standard Contractual Clauses apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws). Details of the Standard Contractual Clauses are attached as Appendix A.
The UK Transfer Addendum applies with respect to Personal Data that is transferred outside the UK, either directly or via onward transfer, to any country not recognized by the International Commissioner’s Office as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws). Details of the UK Transfer Addendum are attached as Appendix B.
To the extent that Customer or Provider are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently revoked or held in a court of competent jurisdiction to be invalid, Customer and Provider shall cooperate in good faith to pursue a suitable alternate mechanism that can lawfully support the transfer.
10. DISPOSITION OF PERSONAL DATA
At Customer’s request or at termination of the Agreement, whichever is sooner, Provider shall delete or return to Customer all Customer Data, including any Personal Data subcontracted to a third party for Processing, except as required by applicable law. At that time, with respect to Customer Data that Provider is required by applicable law to retain, Provider will isolate and protect Customer Data from further Processing, except as required by applicable law. Provider will use commercially reasonable efforts to ensure that any Subprocessors who are in possession of Customer Data will also comply with this provision. Provider’s obligation under this Section does not apply to Anonymized Data that Provider can continue to use for any legal purpose.
11. CONFIDENTIALITY
Provider will keep Customer Data strictly confidential and ensure that any employees, Subprocessors, or other agents who have access to Customer Data (1) are informed of and subject to this strict duty of confidentiality; (2) access and Process only such Customer Data as is strictly necessary to perform Provider’s obligations under the Agreement; and (3) not permit any person to Process Customer Data who is not subject to the foregoing duties.
12. SECURITY
Provider will at all times take reasonable measures to ensure that Customer Data is adequately protected in accordance with the requirements of the Data Protection Laws. To this end, Provider will implement appropriate technical and organizational measures to protect Customer Data from security incidents. These measures are described in Appendix C attached to this DPA.
When Provider becomes aware of any security incident, which consists of the unpermitted, accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any of Customer Data, Provider will inform Customer without any undue delay, and in no event longer than forty-eight (48) business hours after discovery of the security incident. Provider will cooperate reasonably with Customer and provide information to fulfil Customer’s data breach obligations under the Data Protection Laws. Provider will also take additional measures and actions, in its sole discretion or as required by Data Protection Laws, that are necessary to remedy or mitigate the effects of the security incident, and keep Customer informed of every material development connected with the security incident. Except as required by law, Provider will not take action to notify Data Subjects of any security incident.
13. PARTIES TO THIS DPA
Agreed to as of the Effective Date of the Agreement.
Address:
16710 NE 79th Street, Suite 202
Redmond, WA 98052
Signature: See signature on signature block of the Order Form.
Name: Bala Balabaskaran
Title: CTO
Email: bala@fullcast.io
Role: Data Importer / Processor
Address:
See contact information on Order Form
Signature: See signature and contact information on signature block of Order Form.
Role: Data Exporter / Controller
APPENDIX A
Details of the Standard Contractual Clauses
When applicable, the Parties fully incorporate the Standard Contractual Clauses, including the following options and provisions:
A. APPLICABLE MODULE
Based on the nature of the Services, the module indicated below applies:
- [ ] Module One (Controller to Controller)
- [X] Module Two (Controller to Processor)
- [ ] Module Three (Processor to Processor)
- [ ] Module Four (Processor to Controller)
B. OPTIONS
For each module, where applicable, the Parties agree on the following options:
- 1. Clause 7: the optional docking clause does not apply.
- 2. Clause 9(a): Option 2 applies. “ten (10) business days” replaces [Specify time period].
- 3. Clause 11: the optional language does not apply.
- 4. Clause 13(a): The data exporter is considered established in an EU Member State.
- 5. Clause 17: Option 1 applies; Ireland law governs.
- 6. Clause 18(b): The courts of Ireland have jurisdiction.
C. DATA EXPORTER & IMPORTER
Pursuant to Annex I, Part A, the Parties have identified the data exporter and data importer in Section 13 of the DPA.
D. DESCRIPTION OF TRANSFER
Pursuant to Annex I, Part B, the Parties agree that the data transfers are consistent with the descriptions noted in Section 3 of the DPA.
E. COMPETENT SUPERVISORY AUTHORITY
For the purposes of Annex I, Part C of the Standard Contractual Clauses, the country in which the Data Exporter is established, if applicable, shall determine the competent supervisory authority.
F. SECURITY OF PROCESSING
For the purposes of Annex II of the Standard Contractual Clauses, Appendix C describes the required Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data.
APPENDIX B
Details of the UK Transfer Addendum
This Appendix forms part of the DPA and supplements the Standard Contractual Clauses, pursuant to the International Commissioner's Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.
Part 1 is as follows:
- (a) The information required on Table 1 is found in Section 13 of the DPA.
- (b) The information required on Table 2 is found on Appendix A.
- (c) The information required on Table 3 is found on Appendix A.
- (d) Table 4 is Data importer.
Part 2 is as follows:
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
APPENDIX C
Security Measures
Provider has implemented the following minimum security standards. These standards may not apply to Customer depending on the engagement between Provider and Customer.
1. POLICIES AND PROCEDURES
Information Security Policies. Provider shall establish, document, implement, and maintain policies and procedures related to information security, including but not limited to those listed herein, which align with a common security framework (e.g., ISO/IEC 27001, NIST CSF). Provider shall update the policies and procedures, as necessary, whenever material changes to the company, its systems, or applications are made. The policies and procedures will be reviewed and approved, at least annually, by an executive-level representative of Provider’s company, such as the Chief Information Security Officer or equivalent. All Provider Personnel (as defined herein) will have access to policies and procedures that impact their role and employment.
2. PERSONNEL
- 2.1 Personnel Management. Provider shall maintain an organizational chart with clear lines of responsibility and management. Provider shall take appropriate measures to ensure that all Provider Personnel conduct themselves in accordance with Provider’s established company guidelines and policies. Provider shall maintain a code of conduct and acceptable use policy, or equivalent, governing permitted and prohibited activities of personnel and establishing discipline for non-compliance.
- 2.2 Confidentiality. Provider shall require that Provider Personnel commit to non-disclosure and confidentiality provisions as it relates to customer data, including Customer’s data, that the Provider Personnel may access through the course of their employment.
- 2.3 Background Checks. Provider shall perform due diligence and background checks on prospective employees and contractors as appropriate to their role. Where permitted by law, these background checks must include identity verification, criminal history check, and verification of past experience and credentials. Provider shall provide training to personnel at least annually on security and privacy best practices.
- 2.4 Qualifications. Provider shall employ (or contract) duly skilled, qualified, and experienced personnel whose primary responsibility is maintaining and enforcing Provider’s information security standards to ensure the confidentiality, integrity, and availability of customer data.
3. DISASTER RECOVERY AND BUSINESS CONTINUITY MANAGEMENT
Disaster Recovery and Business Continuity Plan. Provider shall establish, document, implement, and maintain a disaster recovery and business continuity plan (“DR/BCP”) that follows industry standards and best practices. The DR/BCP and its associated policies and procedures must be reviewed and approved, at least annually, by an executive-level representative of Provider’s company. The DR/BCP must establish strategies to reduce the impact of, withstand, and recover from potential business disruptions, natural disasters, and man-made disasters. The DR/BCP must consider redundancy in equipment and technology to ensure the continuity of services to Customer in the event of a disruption or disaster. Additionally, the DR/BCP must incorporate capacity and resource planning to ensure the availability, quality, and adequate capacity of resources to deliver required performance as defined in this DPA. Provider shall exercise and test the DR/BCP at least once annually.
4. INCIDENT RESPONSE
Incident Response Procedures. Provider shall establish, document, implement, and maintain procedures or plans for the consistent identification, classification, response, notification, and timely remediation of security and privacy incidents. Provider’s incident response procedures or plans must follow industry standards and best practices. Provider’s incident response procedures or plans must include, at a minimum: (1) incident definitions; (2) an outlet for internal (Provider Personnel) and external (customers, security researchers, and other external parties) to report confirmed and suspected incidents to Provider; (3) roles and responsibilities for responding to incidents; (4) notification procedures, both internal and external; (5) documentation procedures; (6) response steps; and (7) standardized reporting procedures for Provider’s personnel to follow and learn from to prevent future incidents.
5. PHYSICAL SECURITY
Physical Security. Provider shall ensure that all facilities used for accessing, processing, or storing Customer’s data are physically safe and secure, following industry standards and best practices. At a minimum, Provider shall: (1) control access to facilities through locks, electronic key cards, biometrics, or similar means; (2) ensure that only Provider Personnel and approved third-parties have access to facilities; (3) implement and maintain closed circuit television (CCTV) cameras minimally at entrances and exits, where permitted by law, and store recordings for a reasonable period of time; (4) log, monitor, and retain access logs to facilities for a reasonable period of time; (5) maintain environmental control systems to protect against fire, flood, and other environmental concerns; and (7) ensure the secure disposal of equipment, including data storage, following industry best practices.
6. VULNERABILITY MANAGEMENT
- 6.1 Vulnerability Management Policies and Procedures. Provider shall establish, document, implement, and maintain policies or procedures governing its threat and vulnerability management program, following industry standards and best practices. For the purpose of this section, and the corresponding threat and vulnerability management program, the term “threat” refers to any activity whose goal is to negatively impact the confidentiality, integrity, or availability of systems or data. The threat and vulnerability management program shall include a timeline for addressing threats and vulnerabilities based on criticality in accordance with industry standards. The threat and vulnerability management program must take into consideration all potential threats, including internal and external risks, across Provider’s entire technical infrastructure.
- 6.2 Testing. Provider shall perform regular testing for vulnerabilities. Additionally, Provider shall at least annually engage one or more qualified third-party individuals or organizations to perform penetration testing. All vulnerabilities and issues identified in testing must be logged and addressed timely, following Provider’s threat and vulnerability management program.
- 6.3 Infrastructure. Provider shall ensure the protection of all components of its infrastructure including, but not limited to servers, networking equipment, and endpoints. All components of the infrastructure must be inventoried and centrally managed. All components of the infrastructure that process customer data, including but not limited to servers and endpoints, shall have their data stores encrypted at-rest. Provider shall ensure that all operating systems and firmware are updated to a version that still receives security updates and support from the original equipment/software manufacturer, and that no end-of-life versions of software or firmware are in use. Provider shall implement antivirus/anti-malware protection, as applicable, on all components of the infrastructure to protect against viruses and malware. Provider shall additionally implement and maintain software or hardware firewalls, or equivalent services, to protect against unauthorized ingress/egress, with appropriate rules and configurations based on industry standards and best practices.
7. IDENTITY AND ACCESS MANAGEMENT
- 7.1 Identity Management Policies and Procedures. Provider shall establish, document, implement, and maintain policies or procedures governing its identity and access management system. Appropriate separation of duties must be implemented for access to systems by Provider’s personnel, and access must follow the principle of least privilege. Provider shall define and implement a process for timely provisioning, modifying, and deprovisioning user accounts and identities for Provider’s personnel. Provider shall perform access reviews on a regular basis to verify that the principle of least privilege continues to be followed and that former users are appropriately offboarded/deprovisioned from systems. Privileged and administrative access roles must be granted for the least amount of time possible, and such access must be logged and regularly audited.
- 7.2 Passwords. Provider shall ensure that all applications and systems processing, storing, or accessing customer data are configured with password standards that are aligned with industry standards and best practices. Specifically, all passwords must be a minimum of 8 characters with multi-factor authentication (MFA) enabled, or a minimum of 16 characters if MFA is not available or not enabled. Provider shall enable mechanisms that prevent automated “brute force” attacks including, but not limited to, a prohibition on repetitive or sequential characters, a prohibition on context-specific words (such as the name of the Provider’s company, or the individual’s username), and account timeout locks in the event of repeated invalid login attempts. When possible, Provider shall configure and enforce multi-factor authentication and single sign-on on all applications and systems for Provider Personnel where this is an option offered by said application or system.
- 7.3 Single Sign-On. When Provider is supplying a software product or service to Customer, said software product must support single sign-on capabilities that align with the Security Assertion Markup Language (SAML) 2.0 protocol. All passwords, tokens, and other forms of authentication shall be encrypted and hashed at rest and require annual rotation.
8. APPLICATION SECURITY
- 8.1 Lifecycle Management. Provider shall establish and maintain baseline requirements for application security within their organization. Provider shall have a process in place for identifying and addressing deviations from the established baselines. A software development life cycle (SDLC) process must be defined and implemented for the design, development, deployment, and operation of applications in accordance with industry standards and internal organizational policies. The SDLC process must ensure that security is implemented into application development by design.
- 8.2 Change Management. Provider shall establish, document, implement, and maintain policies or procedures governing application change management, following industry standards and best practices for quality change control, approval, and testing. Provider shall perform testing, as appropriate to the nature and size of the change, to identify and address any potential security vulnerabilities or flaws prior to releasing changes to the production environment.
- 8.3 Encryption. Provider shall establish, document, implement, and maintain policies or procedures governing cryptography and encryption, following industry standards and best practices. Provider shall ensure that all customer data, including backups, are encrypted at rest using industry standard cryptographic libraries and algorithms. Additionally, Provider shall ensure that all customer data transmitted over public networks are encrypted in transit using industry standard cryptographic libraries and algorithms. Provider shall securely store cryptographic and encryption keys and ensure that access is limited only to personnel where required by their job duties. Provider shall document the lifecycle of keys, limit the amount of information protected by a single key, perform regular audits of the keys and access thereto, and rotate the cryptography and encryption keys on a regular basis and no less than once annually.
- 8.4 Data Use and Retention. Provider shall establish, document, implement, and maintain policies or procedures governing the acquisition, use, retention, and deletion of customer data, following industry standards and best practices. Provider shall logically or physically separate customer data from the data of Provider’s other customers. Access to customer data by Provider Personnel must be on a need-to-know basis and treated with no less care and diligence than Provider treats its own internal data. Provider shall limit the use of production data in non-production environments. In the event that production data must be used in non-production environments, it must be used for a limited period of time and immediately destroyed when no longer required. All data destruction shall comply with the most recent revision of NIST Special Publication (SP) 800-88 or equivalent.
9. RISK MANAGEMENT
- 9.1 Risk Management Program. Provider shall establish, document, implement, and maintain policies or procedures relating to the identification, assessment, ownership, control, acceptance, and mitigation of potential risks to their organization (“Risk Management Program”), in accordance with industry standards and best practices. The Risk Management Program must include both internal and external risks, across risk categories as applicable for Provider’s organization. Provider shall assess risks on a regular cadence and update its Risk Management Program as necessary. The Risk Management Program must be reviewed and approved, at least annually, by an executive-level representative of the company, such as the Chief Information Security Officer or equivalent.
- 9.2 Supply Chain Management. Provider shall maintain an inventory of their supply chain relationships and third-party products or services that are in use. Additionally, at least annually, Provider shall assess the other vendors, products, and services within their supply chain to ensure that said vendors, products, and services are compliant with the contractual DPAs in place. Provider shall require that each organization within their supply chain comply with a set list of information security standards.
10. AUDIT AND ASSURANCE
- 10.1 Controls and Certification. For the duration of the DPA, Provider shall maintain a SOC 2 report or an ISO 27001 certification along with associated controls, regularly audited by a qualified and authorized firm.
- 10.2 Audit. No less than once annually, Provider shall make available to Customer, upon written request, all customer-facing documentation necessary to support Provider’s compliance with these Minimum Security Standards.
APPENDIX D
Subprocessors
Please see the following link for a description of Provider’s Subprocessors: