Data Security Exhibit
This Data Security Exhibit (“DSE”) describes the measures Fideo takes to protect Submitted Information when it resides in, or is transferred through, the Fideo Data Services. Capitalized terms that are not otherwise defined herein have the meaning given to them in the Services Agreement or the applicable Order Form. If and to the extent language in this DSE conflicts with the Services Agreement or an Order Form, this DSE will control for purposes of this DSE.
1. Security Policy. Fideo will maintain a written and comprehensive information security program, which includes appropriate physical, technical, and administrative controls to protect the security, integrity, confidentiality, and availability of Submitted Information, including without limitation, protecting Submitted Information against any unauthorized or unlawful acquisition, access, use, disclosure, or destruction (“Security Policy”). Fideo may periodically review and update the Security Policy to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the commitments, protections or overall level of service provided to Customer as described herein.
2. Security Attestations. Fideo has established and will maintain sufficient controls to meet the objectives stated in SSAE-18 SOC 2 Type 2 attestation or other similar attestation (collectively, the “Standards”) for the information security management system supporting the Fideo Data Services. Fideo contracts with an independent and reputable third party to perform an assessment against such Standards (“Assessment”) at least once per year. Fideo will provide an executive summary of the Assessment(s) to Customer upon Customer’s written request, which may not be made more than once per year. The Assessments and any summaries thereof are Confidential Information of Fideo.
3. Compliance with Applicable Laws. Fideo’s Security Policy will comply in all material respects with all applicable laws, regulations, and government orders relating to the provision of the Fideo Data Services. Without limiting the foregoing, applicable law includes data protection, privacy or similar laws and regulations applicable to persons in possession of “Personal Information” (as defined in the applicable law, regulations, or government orders) or to the processing of “Personal Information.”
4. Data Return and Destruction. Upon Customer’s request, Fideo will: (i) promptly provide to Customer, in the then-existing format, all or any part of Submitted Information in Fideo’s possession or control; and (ii) delete or destroy all or any part of Submitted Information and certify in writing that it has done so, provided that such obligations will not extend to any Submitted Information that is stored on encrypted media as part of a backup, so long as such Submitted Information is deleted in the ordinary course of business of Fideo.
5. Physical Security Controls. Fideo will maintain the following physical security controls while providing the Fideo Data Services:
(a) Physical Access. Restricted physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) only to authorized personnel.
6. Technical Security Controls. Fideo will maintain the following technical security controls while providing the Fideo Data Services:
(a) Access Administration. Access to the Fideo Data Services by Fideo employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationship. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections and a multi-factor authenticated connection) and is accessible for administration.
(b) Logging and Monitoring. Production infrastructure activity logs are centrally collected, secured in an effort to prevent tampering, and monitored for anomalies by a trained security team.
(c) Vulnerability Management. Fideo conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are disclosed and addressed by a patch, Fideo will build or obtain the patch and apply it within an appropriate timeframe in accordance with the Security Policy.
(d) Antivirus. Fideo updates anti-virus, anti-malware, and anti-spyware software on regular intervals and logs events for evaluating effectiveness of such software.
(e) Change Control. Fideo evaluates changes to its platform, applications, and production infrastructure in a manner that minimizes risk and such changes are implemented only in accordance with the Security Policy.
(f) Encryption. Fideo utilizes industry standard encryption methods to encrypt Submitted Information at rest and in transit.
7. Administrative Security Controls. Fideo will maintain the following administrative security controls while providing the Fideo Data Services:
(a) Data Center Reviews. Fideo routinely reviews the attestations maintained by the applicable provider of its data center to maintain the security controls necessary to comply with the Security Policy.
(b) Background Checks. Fideo performs background screening on all employees and all contractors who have access to Submitted Information in accordance with Fideo’s then current applicable standard operating procedure and subject to applicable law.
(c) Security Awareness Training. Fideo maintains a security awareness program, which includes appropriate training of Fideo personnel on the Security Policy. Training is conducted at time of hire and periodically throughout employment with Fideo.
(d) Personnel. Subcontractors who have access to Submitted Information (“Personnel”) have executed written agreements or policies with Fideo that protect the confidentiality and use of Submitted Information in a manner no less stringent than this DSE. Fideo is responsible and liable for the acts and omissions of Personnel.
8. Fideo Data Services Capabilities. The Fideo Data Services have the capability to: (i) authenticate Users through multi-factor authentication before granting access; (ii) allow Users to manage passwords; and (iii) allow Customer to manage each User’s level of access.
9. Data Centers. Fideo will host the Fideo Data Services in SSAE-18 SOC 2 Type 2 or ISO 27001 certified (or equivalent) data centers. Each data center includes full redundancy (N+1) and fault tolerant infrastructure for electrical, cooling and network systems. The deployed servers are enterprise scale servers with redundant power to ensure maximum uptime and Fideo Data Services availability. Each Fideo Data Services instance is supported by a network configuration with multiple connections to the Internet.
10. Business Continuity; Disaster Recovery; Data Backup. Fideo will maintain an adequate and appropriate business continuity and disaster recovery plan, which allows for the Fideo Data Services to be restored quickly in the event of an outage. Such plans will be in accordance with industry standard practices and applicable laws. Fideo will not be liable for failing to maintain a backup of Submitted Information. Customer may, at its sole expense, keep backup copies of any Submitted Information in Fideo’s possession.
11. Incident Monitoring and Management. Fideo will monitor, analyze and respond to security incidents in a timely manner in accordance with the Security Policy. Depending on the nature of the incident, Fideo’s security team will escalate and engage response teams necessary to address an incident. Customer agrees to cooperate with Fideo in maintaining accurate contact information and by providing any information reasonably requested to resolve any security incident, identify its root cause(s), and/or prevent a recurrence.
12. Security Breach Notification. Unless notification is delayed by the actions or demands of a law enforcement agency, Fideo will report to Customer the unauthorized acquisition, access, use, disclosure or destruction of Submitted Information (a “Security Breach”) promptly, but in no case later than seventy-two (72) hours, following a determination by Fideo that a Security Breach occurred. The initial report will be made to Customer’s designated technical contact(s). Fideo will take reasonable measures to promptly mitigate the cause of the Security Breach and will take reasonable corrective measures to prevent future Security Breaches. As information is collected or otherwise becomes available to Fideo, and unless prohibited by law, Fideo will provide information regarding the nature and consequences of the Security Breach as reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus. Customer is solely responsible for determining whether to notify impacted individuals, for providing such notice, and for determining if regulatory bodies or enforcement agencies applicable to Customer or Submitted Information need to be notified of a Security Breach.
13. Penetration Tests. Fideo contracts with reputable third party vendors to perform an annual penetration test on the Fideo Data Services to identify risks and remediation. Fideo will, consistent with industry standard practices, use all commercially reasonable efforts to promptly make any changes necessary to improve the security of the Fideo Data Services.
14. Audit. At Customer’s sole expense and upon ninety (90) days advance written notice, Customer may conduct an audit of Fideo’s systems, infrastructure, and procedures to confirm Fideo is meeting its obligations under this DSE (a “DSE Audit”) provided that: (i) such DSE Audit will occur at a mutually agreeable time, during normal business hours, not more than once during any twelve (12) month period (unless more frequent audits are required by law or by any governmental regulators with authority to request same), and of a duration lasting no more than two (2) days; (ii) such DSE Audit will not unreasonably interfere with Fideo’s operations; and (iii) any third party performing such DSE Audit on behalf of Customer will execute a nondisclosure agreement with Fideo in a form reasonably acceptable to Fideo with respect to the confidential treatment and restricted use of Fideo’s confidential information. Access to Fideo’s offices will be subject to Fideo’s reasonable access requirements and security policies. Customer will provide Fideo with a list of information or controls Customer would like to inspect (“DSE Records Request”) at least sixty (60) days prior to a scheduled DSE Audit. If during a DSE Audit, Customer discovers an issue with security or other operational matters that are inconsistent with this DSE, Customer and Fideo will work in good faith to agree on a plan to remediate such problems (“DSE Remediation Plan”). Once the parties agree on a DSE Remediation Plan, Fideo will timely execute and complete the DSE Remediation Plan and notify Customer when such actions are completed.
15. Limitations. Fideo’s obligations extend only to those systems, networks, network devices, facilities and components over which Fideo exercises control. This DSE does not apply to: (i) information shared with Fideo that is not data stored in its systems using the Fideo Data Services; (ii) data in Customer’s virtual private network (VPN) or a third party network; or (iii) any data processed by Customer in violation of the Services Agreement.