Security Terms

The terms and conditions in this attachment (the “Security Terms”) shall apply when, during the course of providing Services to Customer, Incorta (a) Processes Personal Data or (b) requires access to Customer’s computer network or telecommunications systems (“Customer Network”). Nothing in these Security Terms is intended to limit or relieve Incorta of its most basic obligation to implement and maintain an effective information security program.

1. 1. Definitions
    1. Industry Standard Safeguards means those safeguards widely accepted by information security professionals as necessary to reasonably protect data during storage, processing and transmission consistent with the sensitivity of and widely recognized threats to such data. Examples of Industry Standard Safeguards include those practices described in ISO/IEC 27002:2013, NIST 800-44, Microsoft Security Hardening Guides, OWASP Guide to Building Secure Web Applications, and the various Center for Internet Security Standards.
    2. Other capitalized terms used and not defined in these Security Terms have the respective meanings given in the DPA or elsewhere in the Agreement.
  2. General Information Security Standards
    1. Incorta represents and warrants that:
      1. it has in place and will maintain a comprehensive, written information security program pursuant to which it has implemented administrative, technical and physical safeguards designed to: (1) ensure the confidentiality, integrity, availability and security of Personal Data; (2) protect against any foreseeable threats or hazards thereto; (3) protect against unauthorized, accidental or unlawful access to or use of Personal Data and Incorta systems; (4) protect against unauthorized, accidental or unlawful destruction, loss, alteration, encryption or misuse of Personal Data and (5) ensure that Incorta’s personnel are appropriately trained to maintain the confidentiality, integrity, availability and security of Personal Data, consistent with the terms of the DPA, these Security Terms, other provisions of this Agreement and all applicable laws and regulations;
      2. Such safeguards will include, without limitation, the application of Industry Standard Safeguards to protect Incorta’s systems used to Process Personal Data, and to limit access to Personal Data to only those employees, agents or service providers of Incorta who need the information to carry out the purposes for which Personal Data was disclosed to Incorta;
      3. Such safeguards are no less rigorous than those used by Incorta for its own information of a similar nature;
      4. Incorta is in and will remain in compliance with its information security program in all material respects; and
      5. Without limitation of the foregoing, Incorta has implemented and will maintain the following minimum controls with respect to Personal Data:

Security Control Category	Description
Information Security Program	Assign to an individual or a group of individuals the responsibility for developing, implementing, and managing a comprehensive written information security program for the organization The relevant personnel must be sufficiently trained, qualified and experienced to be able to fulfil these functions and any other functions that might reasonably be expected to be carried out by the personnel responsible for safeguarding Personal Data Develop, maintain and document reasonable technological, physical, administrative and procedural safeguards, including without limitation, policies, procedures, guidelines, practices, standards, and controls that: Ensure the privacy, confidentiality, security, integrity and availability of Personal Data Protect against any anticipated threats or hazards to the security and integrity of Personal Data Protect against any Security Incident Regularly test, and monitor and evaluate the sufficiency and effectiveness of the information security program, including Security Incident response procedures
Risk Assessment	Conduct information security risk assessments at least annually and whenever there is a material change in the organization’s business or technology practices that may impact the privacy, confidentiality, security, integrity or availability of Personal Data The risk assessment should include Identifying and assessing reasonably foreseeable internal and external threats and risks to the privacy, confidentiality, security, integrity and availability of Personal Data ; Assessing the likelihood of, and potential damage that can be caused by, identified threats and risks ; Assessing the adequacy of personnel training concerning, and compliance with, the organization’s information security program ; Assessing the adequacy of service provider arrangements ; Adjusting and updating the organization’s information systems and information security program to limit and mitigate identified threats and risks, and to address material changes in relevant technology, business practices, Personal Data practices and sensitivity of Personal Data the organization processes ; Assessing whether the organization’s information security program is operating in a manner reasonably calculated to prevent and mitigate Security Incidents Documenting the risk assessment Risk assessments should be conducted by independent third parties or internal personnel independent of those who develop or maintain the organization’s information systems or information security program
Data Collection, Retention and Disposal	Collect only as much Personal Data as needed to accomplish the purpose for which the information is collected Refrain from storing Personal Data on media connected to external networks unless necessary for business purposes Prohibit actions that can open security vulnerabilities to areas or systems that hold Personal Data Securely dispose of records containing Personal Data so that the information cannot be read or reconstructed after it is no longer needed to comply with business purposes or legal obligations Securely erase media containing Personal Data before reuse
Data Inventory	Track and periodically inventory Personal Data the organization collects, uses, maintains, discloses, disposes of or otherwise processes Periodically inventory the organization’s information systems and assets that contain Personal Data
Personnel Background Checks	Conduct reasonable background checks (including criminal background checks) of any personnel or third parties who will have access to Personal Data or relevant information systems, and repeat the checks at appropriate and adequate intervals. Maintain policy prohibiting individuals convicted of a crime of dishonesty, breach of trust or money laundering from having access to Personal Data
Personnel Training and Education	Regularly and periodically train personnel, subcontractors and any third parties who have access to Personal Data or relevant information systems concerning: The organization’s information security program The importance of the security, confidentiality and privacy of Personal Data The risks to the organization and its customers associated with Security Incidents
Incorta Management and Oversight	Take reasonable steps and conduct due diligence to select and retain subcontractors that are capable of maintaining the privacy, confidentiality, security, integrity or availability of Personal Data consistent with the organization’s contractual and other legal obligations Contractually require subcontractors to maintain adequate safeguards for Personal Data that are at least equivalent to the safeguards that the organization must implement pursuant to contractual or legal requirements Regularly assess and monitor subcontractors to confirm their compliance with the applicable privacy and information security requirements
Segregation of Duties	Duties and areas of responsibility of the organization’s personnel should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Personal Data or the organization’s information systems
Access Controls	Identify personnel, classes of personnel and third parties whose documented business functions and responsibilities require access to Personal Data, relevant information systems and the organization’s premises Permit access to Personal Data, relevant information systems and the organization’s premises only to such authorized personnel and third parties Maintain a current record of personnel and third parties who are authorized to access Personal Data, relevant information systems and the organization’s premises, and the purposes of such access Maintain logical and physical access controls, secure user authentication protocols, secure access control methods, and firewall protection Prevent terminated personnel, subcontractors or other third parties from accessing Personal Data and information systems by immediately terminating their physical and electronic access to Personal Data and relevant information systems
Secure User Authentication	Secure User Authentication To manage access to Personal Data and relevant information systems: Maintain secure control over user IDs, passwords and other authentication identifiers Require passwords controlling access to Personal Data to have minimum complexity requirements and be at least 8 characters in length Maintain a secure method for selecting and assigning passwords and use multi-factor authentication and other reasonable authentication technologies when possible. Assign unique user identifications and passwords that are not Incorta supplied default passwords Require personnel, subcontractors and other third parties to change passwords at regular intervals or based on the number of access attempts, and whenever there is any indication of possible system or password compromise Frequently (and at least every 90 days) change passwords for accounts that have access to Personal Data Avoid reusing or recycling old passwords Restrict access to Personal Data and relevant information systems to only active users and accounts Block user access after multiple unsuccessful attempts to login or otherwise gain access to Personal Data or relevant information systems Terminate user access after a predetermined period of inactivity Promptly revoke or change access in response to personnel termination or changes in job functions
Incident Detection and Response	Maintain policies and procedures to detect, monitor, document and respond to actual or reasonably suspected Security Incidents, and encourage the reporting of such incidents, including through: Training personnel with access to Personal Data to recognize actual or potential Security Incidents and to escalate and notify senior management of such incidents Mandatory post-Security Incident review of events and actions taken concerning the security of Personal Data Maintain a secure method for selecting and assigning passwords and use multi-factor authentication and other reasonable authentication technologies when possible. Policies governing the reporting of Security Incidents to regulators and law enforcement agencies
Encryption	Apply encryption with industry-standard algorithms and key lengths to Personal Data: Stored on laptops, mobile devices, portable storage devices or removable archival media Stored on file servers or in application databases Stored outside of the organization’s physical controls Transmitted across any public network (such as the Internet) or wirelessly Transmitted in email attachments In transit outside of the organization’s information systems Maintain policies prohibiting such storage or transmission unless required encryption has been applied
Network Security	Implement network security controls such as up-to-date firewalls, layered DMZs and updated intrusion detection/prevention systems, including firewalls between the organization’s information systems, the Internet (including internal networks connected to the Internet) and other public networks, and internal networks that are not necessary for processing Personal Data; the firewalls must be reasonably designed to maintain the security of Personal Data and relevant information systems
Data Segregation	Physical or logical segregation of Personal Data to ensure it is not comingled with another party’s information except as approved by Customer
Malicious Code Detection	Implement and maintain software that detects, prevents, removes and remedies malicious code designed to perform an unauthorized function on, or permit unauthorized access to, any information system, including without limitation, computer viruses, Trojan horses, worms, and time or logic bombs Run malicious code detection software at least daily Update malicious code detection software at least daily, including by obtaining and implementing the most current available virus signatures
Vulnerability and Patch Management	Maintain vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies to identify, assess, mitigate and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.
Application Security	Maintain application security and software development controls designed to prevent the introduction of security vulnerabilities in software developed by Incorta that Processes Personal Data
Change Controls	Prior to implementing changes to the organization’s information systems, follow a documented change management process to assess the potential impact of such changes on privacy, confidentiality, security, integrity and availability of Personal Data, and determine whether such changes are consistent with the organization’s information security program No changes should be made to the organization’s information systems or information security program that increase the risk of a Security Incident or fail to comply with the organization’s contractual or other legal obligations
Off-Premise Information Security	Maintain policies governing the security of the storage, access, transportation and destruction of records or media containing Personal Data outside of the organization’s business premises Monitor and document movement of records or media containing Personal Data Create copies of Personal Data before movement of records or media containing the information
Physical Security	Maintain reasonable restrictions on physical access to Personal Data and relevant information systems (e.g., clean desk policy) Maintain physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster Lock workstations with access to Personal Data when unattended Document repairs and modifications to information security-related physical components of the organization’s information systems
Secure Destruction	Use secure destruction procedures to sanitize any unencrypted hard disk, portable storage device or backup media containing Personal Data prior to sending it offsite for maintenance or disposal purposes
Contingency Planning	Maintain policies and procedures for responding to an emergency or other occurrence that can compromise the privacy, confidentiality, integrity or availability of Personal Data or damage the organization’s information systems; such policies and procedures should provide for: Creating and maintaining retrievable copies of Personal Data Restoring any loss of Personal Data Enabling continuation of critical business processes involving Personal Data in emergency mode Assessing relative criticality of specific applications and Personal Data in support of other contingency plan components Periodic testing and updates of contingency plans

2. Incorta represents and warrants that prior to permitting any Subcontractor to access Personal Data, Incorta shall conduct a reasonable, documented investigation of such Subcontractor to verify that it is capable of maintaining the privacy, confidentiality and security of Personal Data in compliance with this Agreement.

3. Incorta will designate an individual who will serve as Customer’s ongoing point of contact for purposes of addressing issues with respect to the use and security of Personal Data during the term and following the termination or expiration of this Agreement. Such individual will be accessible to Customer and will cooperate with Customer to address such issues.

4. Incorta shall promptly notify Customer of any material change in the controls or other safeguards that affect Incorta’s ability to fulfill Security Terms.

5. On termination of this Agreement for any reason or upon request, Incorta will cease Processing Personal Data, return a copy of the Personal Data to Customer and then securely delete or destroy, as applicable, all Personal Data in Incorta’s possession (except as prohibited by law or other explicit data retention and/or return provisions in this Agreement).

3. Risk Assessments and Security Audits

1. Incorta will perform regular (i.e. at least quarterly) vulnerability tests and assessments against all systems Processing Personal Data, and shall perform regular (i.e. at least annually) penetration tests against any Internet-facing systems used in connection with the Services. Incorta further agrees to perform regular (i.e. at least annually) risk assessments of the physical and logical security measures and safeguards it maintains applicable to its protection of Personal Data. With respect to systems Processing Personal Data, Incorta will provide Customer, upon request, a summary report of such tests and assessments, including a description of any significant (i.e. moderate or greater) risks identified and an overview of the remediation effort(s) undertaken to address such risks.
2. In addition to any other audit obligations that may be contained in this Agreement, Customer or its designated third party, at its sole expense, may inspect (i) Incorta’s information security and privacy policies, practices and procedures applicable to the systems, applications, and facilities Processing Personal Data, including data centers or premises where the Personal Data is stored at or accessed from, and (ii) Incorta’s Processing practices, (“Inspection”). Incorta shall make relevant personnel available for interviews and provide all information and assistance reasonably requested by Customer in connection with any such Inspections, including, without limitation, such information as Customer requires to verify compliance with this Agreement and Data Protection Laws, provided, however that such audit activities may not unreasonably interfere with Incorta business activities. Incorta shall take such remedial actions as are reasonably required by Customer following the Inspection.
3. Without prejudice to the rights granted in Section 3.2 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the
4. Security Breaches and Incident Response
  1. Incorta agrees to notify Customer immediately (but in no case later than 24 hours) after learning of a Security Incident. Notification must include a phone call to Incorta’s primary account contact.
  2. Notification shall include at a minimum (a) a description of the Incident including impact and likely consequences thereof, (b) the expected resolution time (if it has not already been resolved), (c) corrective measures to be taken, evaluation of alternatives, and next steps, and (d) the name and phone number of the Incorta representative that Customer may contact to obtain further information and updates. Without limitation of the foregoing, Incorta shall promptly provide Customer with the following information as it becomes available:
    1. a detailed description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
    2. a description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects; and
    3. whether any regulatory authority, the Data Subjects or the media have been informed or are otherwise already aware of the Security Incident, and their response.
  3. Customer may require that Incorta’s access to, or processing or storing of Personal Data be suspended, connectivity with Customer be terminated, or other appropriate action be taken pending such resolution.
  4. Incorta agrees to keep Customer informed of progress and actions taken to address the Security Incident and prevention of future such Security Incidents, and to provide Customer with all facts about the Security Incident as appropriate for Customer to conduct its own assessment of the risk to Personal Data and of Customer’s overall exposure to such Security Incident.
  5. Unless such disclosure is mandated by law, Customer in its sole discretion will determine whether to provide notification to Customer’s customers or employees concerning incidents involving Personal Data. Customer agrees to coordinate with Incorta on the content of any intended public statements or required notices for affected individuals and/or notices to the relevant Regulators regarding incidents involving Personal Data.
  6. Without limitation of any other provisions of this Agreement, in the event of a Security Incident involving unencrypted Personal Data, Incorta agrees to provide the following at Incorta’s expense upon Customer’s request: (a) notice to individuals whose Personal Data was affected by the Security Incident in a manner and format determined by Customer, in its sole discretion, as well as to any other third parties, such as Regulators, law enforcement agencies and consumer reporting agencies, that Customer determines should be notified of the Security Incident, in its sole discretion, (b) one year of credit monitoring, (c) any other relief service(s) as required by applicable law to affected individuals; and (d) reasonable co-operation with Customer to offer any other remediation services deemed necessary by Customer or which are customarily provided to individuals impacted by a breach in confidentiality of their Personal Data in the relevant jurisdictions.