Data Security Addendum
This Data Security Addendum (“DSA”) is attached as Exhibit D to that certain Master Services Agreement by and between Claravine and Customer. Capitalized terms used herein without definition will have the meaning ascribed to them in the Agreement. If there is a conflict between terms in this DSA and the Agreement, the terms of this DSA shall prevail.
1. Scope. To the extent Claravine may operate or be given access to Customer Systems, or Customer Facilities, or Process Customer Data, Personal Information, or Confidential Information due to the Services provided by Claravine, Claravine must comply with this DSA and any applicable security policies and/or procedures as provided and/or communicated by Customer to Claravine. The requirements of this DSA shall also apply to Claravine Systems and Claravine Facilities where such Claravine Systems and Claravine Facilities are used to collect, store, handle, Process, backup, dispose, and/or access Customer Data. Claravine shall not use any Customer Data for any reason other than providing the Services or as otherwise provided in the Agreement.
2. Data Security Program, Policy and Controls. Claravine and Claravine Personnel shall not access or Process and shall not permit unauthorized persons or entities within its control to access or Process, Customer Assets. Any actual or attempted access by Claravine Personnel must be consistent with their role and a legitimate need for such access. Claravine shall establish and, at all times during the Term of the Agreement, maintain physical, electronic and organizational security measures that are risk-based and consistent with industry best practices and standards (such as: ISO 27001/27002, CIS Critical Security Controls, NIST Standards, Cloud Security Alliance) to protect Customer Assets against any unauthorized access, use, destruction, loss, disclosure, Processing, or improper alteration. Claravine represents, warrants and covenants that its security practices and policies provide for, without limitation, the following:
2.1. Information Security Program.
a. Claravine has implemented a written information security policy available to all current Claravine Personnel; and
b. Claravine has assigned roles and responsibilities for information security, including the appointment of a Chief Information Security Officer.
2.2 Human Resources Security.
Claravine must conduct background checks on Claravine Personnel to the extent permitted by law.
2.3 Access and Data Management.
Claravine must protect Customer Data in accordance with any information security policies, procedures and protocols that have been adopted by Claravine and have formed the basis of any information security certifications or audits.
2.4 Access Control.
a. Claravine must restrict access to Customer Assets to only authorized Claravine Personnel and access to Customer Data to devices authorized explicitly by Claravine through proper separation of duties, role-based access, on a need-to-know and least privilege basis. Claravine must review and update such access on at least a quarterly basis; and
b. Claravine must assign individual user IDs and must not allow internal shared accounts;
c. Claravine must enforce industry best practices and standard requirements for strong passwords and lifecycle management for all users.
Claravine must implement and maintain industry best practices for data and content protection, including, at a minimum, encryption at rest and in transit of all Customer Data and any backup media containing Customer Data.
2.6 Physical Security.
When Customer Data is to be stored in Claravine’s data center, Claravine must implement and provide physical controls to protect Customer Data and the Claravine network.
2.7 Public Cloud Services.
If Claravine uses a public cloud service, Claravine must apply industry best practices for cloud management including:
a. Enforce “MFA” for all administrative users of Claravine cloud services; and
b. Use industry standard encryption to protect all Customer Data when:
i. Transmitted over all networks to, from, and within a public cloud service; and
ii. Stored within a public cloud service.
2.8 Operations Security.
Claravine must establish and maintain a vulnerability management program which include, at a minimum, practices of identification and remediations of critical and high vulnerabilities, including zero-day vulnerabilities.
2.9 Network Security.
Claravine must monitor, detect, and restrict the flow of information on a multilayered basis, including, at a minimum, network segmentation, Web Application Firewalls, Demilitarized Zone, and Intrusion Detection/Prevention systems.
2.10 Remote Work Management.
A. If Claravine or Claravine Personnel perform services from remote locations, Claravine shall ensure following requirements are met:
i. Remote work must be performed only within a secluded area (e.g., private residence), and with “clean desk” standards in place. The location should ensure minimal exposure to other (non-Claravine Personnel) individuals.
ii. Comprehensive logging must be in place for authorized Claravine Systems (that meet the standards specified herein).
iii. Claravine Personnel participating in the remote work management program shall use only devices authorized pursuant to Claravine’s security program (“Authorized Devices”) that meet the following standards:
1. Each Authorized Device must receive security updates on the same schedule as in-facility devices;
2. Authorized Devices must be encrypted herein;
3. Authorized Devices must be hardened to the same or more aggressive standards as Claravine Systems in Claravine Facilities;
4. Authorized Devices must have a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes;
5. Authorized Devices must be configured for VPN
- best efforts will be made to ensure that all access to company resources (software and Customer Data) are forced to flow through the VPN; and
- MFA required to access VPN.
2.11 System Acquisition, Development, and Maintenance.
If Claravine develops software for use by Customer and/or Customer Affiliates or for use in Processing Customer Data, such development must adhere to industry best practices and standards for Secure Software Development Lifecycle (SSDLC).
2.12 Claravine Management.
Claravine Personnel who access or use Claravine Systems, Claravine Facilities and/or Customer Assets must comply with the requirement of this DSA.
2.13 Incident Notification and Response.
a. Claravine must follow industry best practices in the event of a suspected or confirmed Security Incident. Claravine must, at a minimum:
i. Report such Security Incident in detail to Customer within twenty-four (24) hours after the detection, identification and initial impact analysis of the Security Incident and must take immediate and appropriate remedial and preventative actions at no additional cost to Customer;
ii. Not serve any notice of or otherwise publicize any Security Incident that affects or relates to Customer Assets without the prior written consent of Customer, unless required by law;
iii. Cooperate with any investigation concerning the Security Incident requested by Customer;
iv. Cooperate with Customer to comply with Applicable Laws concerning such Security Incident, including any notification that may be required to individuals whose Personal Information was implicated due to the Security Incident.
2.14 Compliance and Security Audit.
a. Claravine shall comply with Applicable Laws, including ensuring that the security program implements all measures required by Applicable Laws.
b. Claravine shall audit the security of Claravine Systems and Claravine Facilities used in connection with the Services provided, Processing Customer Data, or accessing Customer Systems under the Agreement and this DSA. Such audit will be performed at least annually.
3. Contract Expiry or Termination
3.1 Upon expiration or termination of the Agreement, Claravine shall return or destroy Customer Data and comply with the specifications that follow:
a. Claravine must use industry best practices and standards for destruction or returning (at Customer’s option) all Customer Data within ninety (90) days from written notice of termination or expiry of the Agreement, any applicable SOW, unless an earlier time is specified in the Agreement and/or applicable SOW (provided that Claravine may retain such data on any anonymized and aggregated basis as permitted pursuant to Section 2.4 of the Agreement).
b. The requirements in this Section include Customer Data stored on premise, in data centers, in cloud environments and on backup systems.
c. Upon request, Claravine must provide Customer with evidence and certification of destruction or return in compliance with this DSA.
d. If Customer elects to have Customer Data returned, Claravine must provide Customer Data in an industry standard portable format using a secure method approved by Customer in accordance with the terms set forth in Exhibit C of the Agreement.
3.2 Upon expiration or termination of the Agreement, Claravine must confirm that its access, and that of all Claravine Personnel, to all Customer Assets is revoked or terminated. Upon request, Claravine must provide Customer with evidence and certification of access deprovisioning/revocation.
4. Survival. Section 3 of this DSA shall survive termination of the Agreement. All other sections shall expire when Claravine has returned or destroyed all Customer Data and terminated access to Customer Assets, in compliance with Section 3.
5. Additional Data Privacy Provisions.
a. Customer Data Treatment. Claravine will not, directly or indirectly, (i) reverse engineer any Customer Data that is masked, hashed, aggregated, pseudonymized, de-identified, anonymized, or otherwise protected; (ii) use the Services to collect or otherwise attempt to discern Personal Information and/or any combination of the following data elements, in each case, with respect to any end user: (a) precise geographic location information (i.e., latitudinal/longitudinal information), (b) device IDs or other persistent or unique identifiers, and/or (c) IP addresses (collectively, the data elements described in (a) through (c) are referred to herein as “Identifiers”); (iii) combine Customer Data obtained through the Services pursuant to this Agreement with Personal Information; (iv) combine page or user-level data, including any URL or a video title (collectively, “Page-Level Data”), with Personal Information and/or any Identifiers; (v) attempt to reverse engineer, disassemble, decompile, modify or otherwise use efforts to re-identify any individual, device or household about whom data received through this Agreement (including but not limited to the combination of Personal Information or Identifiers with other non-Personal Information data); or (vi) transmit to a third party any data in connection with this Agreement if (a) it contains any Personal Information, Identifiers, URLs or otherwise sensitive information, or (b) such transmission violates the Agreement and/or any Applicable Laws.
Appendix 1 to Data Security Addendum – Definitions
- “Applicable Laws” means all applicable laws, rules, regulations and standards in all jurisdictions in which the Services are provided or where Customer Data or Confidential Information may be stored or Processed, including without limitation those relating to privacy and data security.
- “Claravine Facility(ies) ” means a facility of Claravine used in the provision of the Services to Customer or used to collect, access, store, route, transmit, display, host or process Customer Data, regardless of whether such facility is owned and operated by Claravine or by a third party on Claravine’s behalf.
- “Claravine Systems” means the systems, equipment, hardware, software, mobile and other applications, and networks of Claravine or Claravine personnel used in the provision of the Services or used to collect, access, store, route, transmit, display, host or process Customer Data, regardless of whether each of the foregoing is owned and operated by Claravine or by a third party on Claravine’s behalf, including without limitation any Services.
- “Customer Assets” means and includes all Customer Data, Customer Systems, and Customer Facilities.
- “Customer Facility(ies)” means any facility, building, structure or portion or section thereof of Customer, regardless of whether each of the foregoing is owned and operated by Customer or by a third party on Customer’s behalf.
- “Customer Systems” means the systems, equipment, hardware, software, mobile and other applications, and networks of Customer (i.e., any technology resources that comprise a technical environment or a part thereof), regardless of whether any of the foregoing are owned and operated by Customer or by a third party on Customer’s behalf.
- “Process” or “Processing” means any operation or set of operations performed upon Customer Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Incident” means any actual or suspected: (1) unauthorized, acquisition, loss, access, or use of any Customer Assets, Claravine Systems or Claravine Facility; and (2) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unavailability, unauthorized disclosure of or access to the same.