1. Purpose and Overview
This Vendor Privacy and Security Policy (this “Policy”) is one part of our efforts to work with Vendors, such as yourself, to reduce the risks to Safe Software Inc. and its customers. In today’s interconnected world, the security of information placed on any set of networked systems is dependent upon the security of all of the participants in that network. This Policy establishes a minimum set of controls that must be followed by all Safe Software’s Vendors in order to protect Safe Software Information and, where applicable, Safe Software Systems (and Your Systems if they interface with ours).
2. Defined Terms and Scope
2.1 Defined terms
- Agreement: means any written document or verbal agreement that memorializes and governs the relationship between you and Safe Software.
- Safe Software Information, or SSI: means any information received from or about Safe Software, either directly or indirectly in any form, and any data, materials, processes, or information you develop for us or receive as a result of this relationship. Whether a safeguard is “appropriate” to protect SSI depends on the nature of the information.
- Safe Software Systems, or SSS: means computer systems owned, licensed or otherwise used by Safe Software which process, transmit, store, or maintain SSI.
- Safe Software, us, our, or we: means Safe Software Inc.
- You or your: means the Vendor and also the Vendor’s Third Party Providers which have access to SSI or SSS.
- Your Systems: means computer systems owned, licensed or otherwise used by you which process, transmit, store, or maintain SSI.
- Third Party Providers: means any entity other than Safe Software which provides you products or services which relate to the subject of this Policy or the Agreement.
- Third Party Provider Systems: means computer systems owned, licensed or otherwise used by your Third Party Providers which process, transmit, store, or maintain SSI.
All SSI is subject to this Policy. In the event of any conflict between this Policy and any Agreement, the conflict will be interpreted and construed in a manner which provides the broadest security and protection of SSI.
3. Policy Statement
You will implement appropriate administrative, technical, and physical safeguards to ensure the security, privacy, confidentiality, integrity, and availability of SSI. Whether SSI is stored on, processed on, or transmitted by SSS, Your Systems, or Third Party Provider Systems, you (and your Third Party Providers if applicable) will use information security controls to: (1) protect any and all SSI and SSS you have access to while performing your obligations under any Agreement; and (2) protect Your Systems and your Third Party Provider Systems on which SSI is stored, processed, or transmitted.
4. Termination of Access
Your access to any SSI and/or SSS, including but not limited to any Safe Software customer and/or employee information, is subject to your continuing compliance with this Policy. We may immediately, automatically, and unconditionally revoke your access, and all links and interfaces, to SSI and/or SSS without liability for any reason or no reason.
5. Information Retention & Disposal
You will, at no additional charge to Safe Software, retain SSI as required by the Agreement or, if there is no agreed-upon retention requirement outside of this Policy, as directed by Safe Software in writing. At the end of our specified retention period, or upon our written request at any time, you will return or destroy, and certify in writing that you have destroyed or returned, all SSI, as we direct. If we require information destruction, you will destroy SSI in a confidential manner. This means you will shred paper copies of SSI and you will destroy electronic copies in a confidential manner so that they are no longer usable, readable, or decipherable, and the information on them is not retrievable. Nothing in this Policy will prevent you from maintaining information, still subject to confidentiality obligations, as required by law or any regulatory authority to which you are subject.
6. Minimum Information Security Controls
You must implement and maintain the minimum information security controls set forth below. You may implement additional controls as appropriate for your business.
6.1 Application of Security Controls
These security controls shall apply to personnel, processes and/or technology involved in the work you or your Third Party Providers do with or on behalf of Safe Software.
6.2 Audit of Security Controls
- If we request, you will provide a written description of compliance with this Policy, which includes, at a minimum, how you implement each security control set forth below. This written description will be completed at your expense and certified in writing by your authorized representative.
- In addition, if we request, you will allow us, or our independent third party, to audit your compliance with this Policy (including without limitation performing penetration testing and vulnerability scans). You will work with us, at your own expense, to remedy any deficiencies identified in the audit.
- Nothing in this section limits our audit or other rights we may have in any other Agreement with you or your Third Party Providers.
6.3 Security Controls Catalog
1. Security Management: Must have a comprehensive written information security program, based on best-practice standards for your industry, which is designed to protect the confidentiality, integrity, and availability (“CIA”) of assets under your management.

| ID | Control | Requirement |
|---|---|---|
| 1.1 | Policy framework | Security program must develop and maintain operational information security policies aligned to relevant standards, such as ISO 27001/27002 or NIST |
| 1.2 | Policy review | Information privacy and security policies reviewed and revised on a regular basis |
| 1.3 | Program manager | Person(s) designated to coordinate and be responsible for the program and for privacy and security-related activities and incidents |
| 1.4 | Training and awareness | Security training and awareness activities performed regularly and designed to enable employees to identify risks to CIA |
| 1.5 | Communication | Information privacy and security policies regularly communicated to appropriate personnel and to your Third Party Providers |
2. Risk Management: Must perform risk assessments to evaluate the risk profile of the collection, storage, and use of information. Information classification and ownership must be defined for all information assets, allowing for inventorying and management, application of controls, and compliance with relevant data retention policies.

| ID | Control | Requirement |
|---|---|---|
| 2.1 | Risk mitigation | Continually identify and mitigate internal and external risks that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of confidential information, including SSI |
| 2.2 | Risk assessment | Regular (but not less than annual) information privacy and security risk assessments in each area of relevant operation |
| 2.3 | Testing and monitoring | Regular testing and monitoring of the effectiveness of your safeguards’ key controls, systems, and procedures |
| 2.4 | Information classification | Appropriate classification, labeling, and handling of information |
3. Personnel Security: Controls must be implemented to enable employees, contractors/contingent workers, and service providers to adhere to policies and standards according to their roles and access, and to reduce the risk of theft, fraud, loss, and misuse of facilities or information.

| ID | Control | Requirement |
|---|---|---|
| 3.1 | Personnel screening | To reduce the risk of theft, fraud, and/or misuse of facilities, ensure that employees, contractors, and third party users understand their responsibilities and are suitable for the roles for which they are considered, including through any appropriate personnel screening |
| 3.2 | User acknowledgment of security awareness | All employees, contractors, and third party users are aware of information security threats and concerns and of their responsibilities and liabilities, are regularly required to acknowledge that awareness, and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error |
4. Physical and Environmental Security: Appropriate physical controls, commensurate with risk, must be implemented, managed, and reviewed to prevent unauthorized physical access to, damage to, and interference with information assets and IT infrastructure and equipment. In addition, physical protection against external and environmental threats such as natural disasters, malicious attacks, or accidents must be implemented, managed, and reviewed.

| ID | Control | Requirement |
|---|---|---|
| 4.1 | Implementation of controls | Implement physical and environmental security controls that address purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance (a freely available reference is NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, Appendix F (security control catalog), family PE (Physical and Environmental Protection)) |
5. Operations Management: Organization must securely operate the IT infrastructure and applications supporting information assets through the application of key operational management controls, including but not limited to the maintenance of system and network documentation, the use of consistent and secure change and incident management processes, and the maintenance of vendor-supported and patched infrastructure and software.

| ID | Control | Requirement |
|---|---|---|
| 5.1 | Responsibility for assets | Appropriate protection of assets based on classification, information sensitivity, and other factors |
| 5.2 | Ownership of assets | Assignment of responsibility to a designated part (or parts) of the organization for all information and assets associated with information processing facilities |
6. Security Monitoring and Response: Vendor must leverage appropriate network- and endpoint-based controls to facilitate security logging and monitoring of user activities, exceptions, faults, and events in accordance with business, legal, and regulatory requirements. Collected logs and associated analysis must be appropriately archived, protected from unauthorized access, and regularly reviewed.

| ID | Control | Requirement |
|---|---|---|
| 6.1 | Incident response | Comply with the specified incident response process for SSI and SSS |
| 6.1.1 | Reporting information security events and weaknesses | Communicate information security events and weaknesses associated with information systems in a manner that allows timely corrective action to be taken |
| 6.1.2 | Reporting information security events | Report information security events through appropriate management channels as quickly as possible |
| 6.1.3 | Management of information security incidents and improvements | Provide a consistent and effective approach to managing information security incidents |
| 6.2 | Responsibilities and procedures | Follow documented responsibilities and procedures to respond to information security incidents quickly, effectively, and in an orderly way |
| 6.3 | Cooperation with Safe Software and external parties | Cooperate with Safe Software in investigations of any incidents involving SSI or SSS; in addition, fully cooperate with any reviews, audits, or assessments Safe Software requests, and with any financial institution, law enforcement agency, or credit card brand organization involved in the investigation of the incident and its underlying causes |
7. Cryptographic Controls: Cryptographic controls to protect the confidentiality, integrity, and availability of information assets in transit and at rest, including controls for the management and use of cryptographic keys, must be developed, implemented, and reviewed on a periodic basis.

| ID | Control | Requirement |
|---|---|---|
| 7.1 | Use of information | Only use SSI for the purposes for which it was provided and for no other purpose; comply with any cryptographic controls specified by Safe Software, which will be reasonable for the circumstances |
| 7.2 | Encryption of PII and portable devices | Encrypt (i) laptops and all other portable devices storing SSI which is personally identifiable information; as well as (ii) files containing personally identifiable information on all laptops or other portable devices |
| 7.3 | Encryption of PII in transit | Encrypt (i) all messages containing SSI which is personally identifiable information (or files containing personally identifiable information) during transit over public networks; as well as (ii) all files containing personally identifiable information included in a message sent over public networks |
8. Access Control: Access to resources must be regulated through the use of information security access controls and robust authorization mechanisms commensurate with risk.

| ID | Control | Requirement |
|---|---|---|
| 8.1 | Minimum access necessary | Access must be limited to the minimum necessary to perform the required function |
| 8.2 | Password policy | Maintain and enforce a password policy which addresses password length, composition, complexity, lockout, history, and expiration |
| 8.3 | Remote access policy | Maintain and enforce a remote access policy which addresses connectivity, software and hardware requirements, encryption and secure computing, and device management |
| 8.4 | Termination of access | Revoke access for any Vendor employee, contractor, or third party user to SSI and to facilities which process SSI or provide access to SSS upon termination of their employment, contract, or agreement, and adjust access upon any change in responsibility |
9. Network Security: Network-specific information security controls must be leveraged to protect information assets that traverse the Vendor’s network.

| ID | Control | Requirement |
|---|---|---|
| 9.1 | Firewalls | Vendor must appropriately leverage firewall infrastructure to segregate sensitive environments and restrict the use of insecure protocols |
10. Vendor Management: Vendor must manage its third parties to protect Safe Software resources and ensure the confidentiality, integrity, and availability of SSI and assets.

| ID | Control | Requirement |
|---|---|---|
| 10.1 | Written agreements with Third Party Providers | Assess, select, and retain Third Party Providers capable of appropriately safeguarding SSI, and establish agreements with Third Party Providers which require compliance with these security controls and a comprehensive information privacy and security program |
| 10.2 | Notification of material changes | Promptly notify Safe Software in writing of any changes which may have a material adverse impact on obligations under this Policy or on the effectiveness of your or your Third Party Providers’ information privacy and security program |
12. Business Continuity and Disaster Recovery: Vendor must have appropriate business continuity (BC) and disaster recovery (DR) capabilities to prevent or mitigate business interruption and its associated impact. Vendor must test its BC and DR capabilities regularly.

| ID | Control | Requirement |
|---|---|---|
| 12.1 | Information security aspects of business continuity management | Counteract interruptions to business activities, protect critical business processes from the effects of major failures of information systems or disasters, and ensure their timely resumption |
13. Compliance: Information security and data protection controls and processes must comply with applicable law, statutory, regulatory, or contractual obligations, and any Industry Standard Information Security requirements, to avoid breach and/or compromise of SSI and SSS.

13.3 PCI Data Security Standards [only applicable to Vendors with access to payment card information]

If you have access to, or will create, receive, store, process, or transmit, Safe Software’s or our customers’ cardholder information (e.g. credit, debit, stored value, or prepaid card information), you, at your own expense, warrant (for as long as you maintain custody, care, or control of such cardholder data) that:

(i) you are, and will remain, responsible for securing cardholder information in your care, custody, possession, or control; and

(ii) you will comply with the applicable then-current Payment Card Industry Data Security Standard (“PCI Standards”).

If Third Party Providers will have access to, or will create, receive, store, process, or transmit, Safe Software’s or our customers’ cardholder information, you warrant that you will impose these same requirements on your Third Party Providers.
13.5 Compliance with International Laws

If you have access to, or will create, receive, store, process, or transmit, SSI of our customers, you agree and warrant that all processing, storage, retention, and destruction of personal data by you and your Third Party Providers will be in compliance with all then-current applicable international, federal, provincial, state, and local laws, rules, regulations, and ordinances, including without limitation data breach notification laws. For purposes of clarification, and without limiting the foregoing, if you collect, receive, process, store, retain, or destroy personal information of any citizen of Canada, California, or the European Union in connection with performing services for Safe Software, then:

1. all processing, storage, retention, and disposal of personal data of citizens of Canada will comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and any provincial laws which may apply based on location;

2. all processing, storage, retention, and disposal of personal data of citizens of California will comply with the California Consumer Privacy Act (CCPA); and

3. all processing, storage, retention, and disposal of personal data of citizens of the European Union will comply with the EU’s General Data Protection Regulation (Regulation (EU) 2016/679), including all implementing legislation and successor statutes, laws, rules, regulations, and directives.