Security Exhibit for Services
Version: March 9, 2023
This Security Exhibit for ScaleWith’s Services (“Security Exhibit”) sets forth ScaleWith’s commitments for the protection of User Data and is made part of the Agreement as set forth here. Unless otherwise defined in this Security Exhibit, capitalized terms will have the meaning given to them in the Agreement.
1. DEFINITIONS
“Personnel” means all employees and agents of ScaleWith engaged in the performance of ScaleWith Services to User.
“Process” or “Processing” means, with respect to this Security Exhibit, any operation or set of operations that is performed upon User Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Production Environment” means the System setting where software, hardware, data, processes, and programs are executed for their final and intended operations by end users of ScaleWith Services.
“Subcontractor” means a third party that ScaleWith has engaged to perform all or a portion of ScaleWith Services on behalf of ScaleWith.
2. INFORMATION SECURITY PROGRAM
2.1 Information Security Program. ScaleWith maintains and will continue to maintain a written information security program that includes policies, procedures, and controls governing the Processing of User Data through ScaleWith Services (“Information Security Program”). The Information Security Program is designed to protect the confidentiality, integrity, and availability of User Data by using a multi-tiered technical, procedural, and people-related control approach in accordance with industry best practices and applicable laws and regulations.
2.2 Permitted Use of User Data. ScaleWith will not Process User Data in any manner other than as permitted or required by the Agreement.
2.3 Acknowledgement of Shared Responsibilities. The security of data and information that is accessed, stored, shared, or otherwise Processed via the ScaleWith Services is a shared responsibility between ScaleWith and User. ScaleWith is responsible for the implementation and operation of the Information Security Program and the protection measures described in the Agreement and this Security Exhibit. User is responsible for properly implementing access and use controls and for configuring those features and functionalities of ScaleWith Services that User elects to use, in the manner that User deems adequate to maintain appropriate security, protection, deletion, and backup of User Data.
2.4 Applicability to User Data. This Security Exhibit and the Information Security Program apply specifically to the User Data Processed via ScaleWith Services and do not extend to data held on User’s systems or environments. To the extent User exchanges data and information with ScaleWith that does not meet the definition of “User Data,” ScaleWith will treat such data and information in accordance with the confidentiality terms set forth in the Agreement.
3. SECURITY MANAGEMENT
3.1 Maintenance of Information Security Program. ScaleWith will take and implement appropriate technical and organizational measures to protect User Data located in ScaleWith Services and will maintain the Information Security Program. ScaleWith may update or modify the Information Security Program from time to time provided that such updates and modifications do not result in the degradation of the overall security of ScaleWith Services.
3.2 Background Checks and Training. ScaleWith will ensure that reasonable and appropriate background investigations are conducted on all Personnel in accordance with applicable laws and regulations. Personnel must pass ScaleWith’s background check requirements prior to being assigned to positions in which they will, or ScaleWith reasonably expects them to, have access to User Data. ScaleWith will conduct annual mandatory security awareness training to inform its Personnel on procedures and policies relevant to the Information Security Program and of the consequences of violating such procedures and policies. ScaleWith will conduct an off-boarding or exit process with respect to any Personnel upon termination of employment, which will include the removal of the terminated Personnel’s access to User Data and ScaleWith’s sensitive systems and assets.
3.3 Subcontractors. ScaleWith will evaluate all Subcontractors to ensure that Subcontractors maintain adequate physical, technical, organizational, and administrative controls, based on the risk tier appropriate to their subcontracted services, that support ScaleWith’s compliance with the requirements of the Agreement and this Security Exhibit. ScaleWith will remain responsible for the acts and omissions of its Subcontractors as they relate to the services performed under the Agreement as if it had performed the acts or omissions itself and any subcontracting will not reduce ScaleWith’s obligations to User under the Agreement.
3.4 Risk and Security Assurance Framework Contact. User’s account management team at ScaleWith will be User’s first point of contact for information and support related to the Information Security Program. The ScaleWith account management team will work directly with User to escalate User’s questions, issues, and requests to ScaleWith’s internal teams as necessary.
4. PHYSICAL SECURITY MEASURES
4.1 General. ScaleWith will maintain appropriate physical security measures designed to protect the tangible items, such as physical computer systems, networks, servers, and devices, that Process User Data. ScaleWith will ensure that commercial grade security software and hardware are utilized to protect ScaleWith Services and the Production Environment.
4.2 Facility Access. ScaleWith will ensure that: (a) access to ScaleWith’s corporate facilities is controlled; and (b) all visitors to its corporate facilities sign in, agree to confidentiality obligations, and are escorted by Personnel at all times while on premises. ScaleWith will revoke Personnel’s physical access to ScaleWith’s corporate facilities upon termination of employment.
4.3 Data Centers. ScaleWith will use commercial-grade data center service providers in providing the ScaleWith Services and will ensure that all data centers conform to ISO 27001 or equivalent certification. At minimum, all data centers must meet the following requirements:
(a) Multi-factor physical security measures must be maintained, including auditable entry/exit mechanisms that record the identity of any individual who enters and leaves the facility.
(b) Access must be limited to authorized personnel. Third-party vendors and guests must be escorted at all times by authorized personnel while in the data center.
(c) Environmental security controls must be in place, including: (i) uninterruptible power supplies and secondary power supplies on all key systems; (ii) temperature and humidity controls for the heating, ventilation, and air conditioning equipment; (iii) heat and smoke detection devices and fire suppression systems; and (iv) periodic inspections by a fire marshal or similar safety official.
5. LOGICAL SECURITY
5.1 Access Controls. ScaleWith will maintain a formal access control policy and employ a centralized access management system to control Personnel access to the Production Environment.
(a) ScaleWith will ensure that all access to the Production Environment is subject to successful two-factor authentication globally from both corporate and remote locations and is restricted to authorized Personnel who demonstrate a legitimate business need for such access. ScaleWith will maintain an associated access control process for reviewing and implementing Personnel access requests. ScaleWith will regularly review the access rights of authorized Personnel and, upon change in scope of employment necessitating removal or employment termination, remove or modify such access rights as appropriate.
(b) ScaleWith will monitor and assess the efficacy of the access restrictions that govern ScaleWith’s system administrators in the Production Environment, which will entail generating activity records attributable to each individual administrator and retaining such records for a period of at least twelve (12) months.
(c) ScaleWith will not use User Data from the Production Environment in non-production environments without User’s express permission.
5.2 Auditing and Logging. With respect to system auditing and logging in the Production Environment:
(a) ScaleWith will use and maintain an auditing and logging mechanism that, at a minimum, captures and records successful and failed user logons and logoffs (with a date and time stamp, user ID, application name, and pass/fail indicator). User access activities will be logged and audited periodically by ScaleWith to identify unauthorized access and to determine possible flaws in ScaleWith’s access control system.
(b) All application components that have logging capabilities (such as operating systems, databases, web servers, and applications) will be configured to produce a security audit log.
(c) Audit logs will be configured for sufficient log storage capacity.
(d) Each log will be configured so that it cannot be disabled without proper authorization and will send alerts for the success or failure of each auditable event.
(e) Access to security log files will be limited to authorized Personnel.
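The following is an added illustration of the kind of review Section 5.2(a) calls for, written for this page; it is not ScaleWith’s tooling and the exhibit does not prescribe any log format. The only thing taken from the text is the mandated field set (date and time stamp, user ID, application name, logon/logoff event, pass/fail indicator). The pipe-separated layout, the threshold and window values, and the sample log lines are all constructed assumptions. It does two things a periodic audit of such logs should do: surface lines that lack a mandated field (incomplete logging is itself a control failure), and flag a burst of failed logons followed by a success for the same user, which is the pattern most worth escalating as possible unauthorized access.

```python
"""Audit-log review example for the fields named in Section 5.2(a).

Illustrative code added for this page, not ScaleWith's own tooling.
Assumed log layout (an assumption, not from the exhibit):
    timestamp|user_id|application|event|result
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The five fields Section 5.2(a) requires for each logon/logoff record.
REQUIRED_FIELDS = ("timestamp", "user_id", "application", "event", "result")

# Constructed sample lines. Line 9 deliberately omits the pass/fail field;
# "mallory" shows five failures then a success; "carol" fails twice, far apart.
SAMPLE_LOG = """\
2023-03-09T10:00:01Z|alice|portal|logon|pass
2023-03-09T10:00:05Z|mallory|portal|logon|fail
2023-03-09T10:00:09Z|mallory|portal|logon|fail
2023-03-09T10:00:14Z|mallory|portal|logon|fail
2023-03-09T10:00:20Z|mallory|portal|logon|fail
2023-03-09T10:00:25Z|mallory|portal|logon|fail
2023-03-09T10:00:31Z|mallory|portal|logon|pass
2023-03-09T10:05:00Z|alice|portal|logoff|pass
2023-03-09T10:07:00Z|bob|admin-console|logon
2023-03-09T11:30:00Z|carol|portal|logon|fail
2023-03-09T12:45:00Z|carol|portal|logon|fail
"""


def parse_log(text):
    """Split lines into records; keep lines missing a mandated field in a
    separate list so incomplete logging is reported, not silently dropped."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(REQUIRED_FIELDS):
            malformed.append((lineno, line))
            continue
        rec = dict(zip(REQUIRED_FIELDS, parts))
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records, malformed


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Sliding window over each user's failed logons. Returns
    {user: (count, first_ts, last_ts)} for the densest window that reaches
    the threshold; threshold and window are assumed tuning values."""
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "logon" and r["result"] == "fail":
            fails[r["user_id"]].append(r["timestamp"])
    bursts = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(user, (0,))[0]:
                bursts[user] = (count, times[start], t)
    return bursts


def success_after_burst(records, bursts, grace=timedelta(minutes=5)):
    """A successful logon shortly after a burst of failures by the same user
    is the case to escalate: it may indicate a guessed or stolen credential."""
    hits = []
    for r in records:
        if r["event"] != "logon" or r["result"] != "pass":
            continue
        burst = bursts.get(r["user_id"])
        if burst and burst[2] <= r["timestamp"] <= burst[2] + grace:
            hits.append((r["user_id"], r["timestamp"]))
    return hits


def review(text):
    """Run the full periodic review and return its findings as one dict."""
    records, malformed = parse_log(text)
    bursts = failed_logon_bursts(records)
    return {
        "records": len(records),
        "malformed_lines": malformed,
        "failed_logon_bursts": bursts,
        "success_after_burst": success_after_burst(records, bursts),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the review reports one malformed line (the record with no pass/fail indicator), one burst (five failures by mallory inside twenty seconds) and one escalation (mallory’s success six seconds after the burst); carol’s two failures an hour apart do not reach the threshold and are not flagged. In practice the parser would read the real log export format, the threshold and window would be tuned to the service, and the findings would feed the access-control review described in 5.1(a).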
5.3 Network Security. ScaleWith will maintain a defense-in-depth approach to hardening the Production Environment against exposure and attack. ScaleWith will maintain an isolated Production Environment that includes commercial grade network management controls such as load balancers, firewalls, intrusion detection systems distributed across production networks, and malware protections. ScaleWith will complement its Production Environment architecture with prevention and detection technologies that monitor all activity generated and send risk-based alerts to the relevant security groups.
5.4 Malicious Code Protection. ScaleWith will ensure that: (a) its information systems and file transfer operations have effective and operational anti-virus software; (b) all anti-virus software is configured for deployment and automatic update; and (c) applicable anti-virus software is integrated with ScaleWith’s operational processes and will automatically generate alerts to ScaleWith’s Cyber Incident Response Team, for its investigation and analysis, if potentially harmful code is detected.
5.5 Code Reviews. ScaleWith will maintain a formal software development lifecycle that includes secure coding practices aligned with OWASP and related standards and will perform both manual and automated code reviews. ScaleWith’s engineering, product development, and product operations management teams will review changes included in production releases to verify that developers have performed automated and manual code reviews designed to minimize associated risks. In the event that a significant issue is identified in a code review, such issue will be brought to ScaleWith senior management’s attention and will be closely monitored until resolution prior to release into the Production Environment.
5.6 Vulnerability Scans and Penetration Tests. ScaleWith will perform both internal and external vulnerability scanning and application scanning. External scans and penetration tests against ScaleWith Services and the Production Environment will be conducted by external qualified, credentialed, and industry-recognized organizations at a frequency based on risk but, at a minimum, on an annual basis. ScaleWith will remedy vulnerabilities identified during scans and penetration tests in a commercially reasonable manner and timeframe based upon their classified and prioritized severity level. ScaleWith will make available the third-party attestations resulting from such vulnerability scans and penetration tests, as set out in the independent external audit reports. For clarification, under no circumstance will User be permitted to conduct any vulnerability scans or penetration testing against the Production Environment.
6. STORAGE, ENCRYPTION, AND DISPOSAL
6.1 Storage & Separation. User Data will be stored within the physical and logical infrastructure for the ScaleWith Services at ScaleWith’s colocation or data center facilities. Exceptions with respect to storage may only be made with User’s written authorization for specific purposes, such as, for example, extraction of User Data for storage on encrypted portable media. ScaleWith will logically separate User Data located in the Production Environment from other ScaleWith customer data.
6.2 Encryption Technologies. ScaleWith will encrypt User Data in accordance with the Documentation, using industry accepted standards, strong encryption techniques, and current security protocols. Electronic transmission or exchange of User Data with ScaleWith Services will be conducted via secure means.
6.3 Disposal. ScaleWith will implement industry-recognized processes and procedures for equipment management and secure media disposal under the guidelines identified in National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization.
7. BUSINESS CONTINUITY AND DISASTER RECOVERY
7.1 Continuity Plan. ScaleWith will maintain written business continuity and disaster recovery plans that address the availability of ScaleWith Services (“Continuity Plans”). The Continuity Plans will include elements such as: (a) crisis management, plan and team activation, event and communication process documentation; (b) business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, system(s) details, recovery activities, and identification of the Personnel and teams required for such recovery. ScaleWith will, at a minimum, conduct a test of the Continuity Plan on an annual basis. ScaleWith’s Continuity Plans shall provide for remediation of any deficiencies discovered during any such Continuity Plan testing within timeframes reasonably commensurate with the level of risk posed by the deficiency. The internal and independent audit reports described in Section 9.1 (Independent Assurances) will evidence or report on the execution of ScaleWith’s Continuity Plan’s tests and any resulting remedial actions.
7.2 ScaleWith Service Continuity. ScaleWith’s production architecture for ScaleWith Services is designed to perform secure replication in near real-time to multiple active systems in geographically distributed and physically secure data centers. ScaleWith will ensure that: (a) infrastructure systems for ScaleWith Services have been designed to eliminate single points of failure and to minimize the impact of anticipated environmental risks; (b) each data center supporting ScaleWith Services includes full redundancy and fault-tolerant infrastructure for electrical, cooling, and network systems; and (c) Production Environment servers are enterprise-scale servers with redundant power to ensure maximum uptime and service availability.
7.3 Disaster Recovery. In the event of a failure of critical services or material business disruption, ScaleWith will promptly invoke its Continuity Plans and will restore critical service capability and the production capability of critical information technology infrastructure of the ScaleWith Services (including, but not limited to, data centers, hardware, software and power systems, and critical voice, data, and e-commerce communications links), and, except as otherwise provided in the applicable Continuity Plan, ScaleWith will use commercially reasonable efforts to promptly notify User’s Account Administrators of the issue. It is ScaleWith’s responsibility to cause any of its Subcontractors or outsourcers performing activities that could impact critical processes of ScaleWith Services to have plans in place that meet the same standards as required of ScaleWith hereunder. Notwithstanding anything to the contrary in the Agreement (including this Security Exhibit) and without limiting any of ScaleWith’s responsibilities thereunder, ScaleWith will not be required to provide business continuity or disaster recovery plans for its colocation or data center facilities to User. However, publicly available information and references to the capabilities of any such colocation or data center facility will be provided by ScaleWith upon request.
8. DATA INCIDENT RESPONSE AND NOTIFICATION
8.1 General. ScaleWith will maintain a tested incident response program, which will be managed and run by ScaleWith’s Global Incident Response Team. ScaleWith’s Global Incident Response Team will operate to a mature framework that includes incident management and breach notification policies and associated processes. ScaleWith’s incident response program will include, at a minimum, initial detection; initial tactical response; initial briefing; incident briefing; refined response; communication and message; formal containment; formal incident report; and postmortem/trend analysis.
8.2 Data Incident Notification. ScaleWith will comply with all applicable security breach notification laws and regulations in its provision of the ScaleWith Services and, in any event, will notify User without undue delay upon becoming aware of any breach of ScaleWith’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Data on systems managed by ScaleWith (a “Data Incident”). Without limiting the generality of the foregoing, the Parties acknowledge and agree that Data Incidents do not include unsuccessful attempts, everyday security alerts, or other events that do not materially compromise the security or availability of User Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. ScaleWith’s notification of a Data Incident under this section is not an acknowledgement by ScaleWith of any fault or liability with respect to the Data Incident.
8.3 Data Incident Response. ScaleWith shall take reasonable measures to mitigate the cause of any Data Incident and shall take reasonable corrective measures to prevent the same Data Incident from occurring in the future. As information is collected or otherwise becomes available to ScaleWith, and unless prohibited by law, ScaleWith shall provide such information regarding the nature and consequences of the Data Incident as is reasonably requested to allow User to notify affected individuals, government agencies, and/or credit bureaus. Due to the encryption configuration and security controls associated with ScaleWith Services, ScaleWith may not have access to or know the nature of the information contained within User Data and, as such, the Parties acknowledge that it may not be possible for ScaleWith to provide User with a description of the type of information or the identity of individuals who may be affected by a Data Incident. User is solely responsible for determining whether to notify impacted individuals and for providing such notice, and for determining if regulatory bodies or enforcement commissions applicable to User or User’s use of ScaleWith Services need to be notified of a Data Incident.
9. INDEPENDENT ASSURANCES AND AUDITS
9.1 Independent Assurances. ScaleWith uses independent external auditors to verify the adequacy of its Information Security Program. ScaleWith will provide or make available to User third-party attestations, certifications, and reports relevant to the establishment, implementation, and control of the Information Security Program.
9.2 Additional Requirements. To the extent User requires additional audit information or assistance from ScaleWith beyond those set forth in Section 9.1 (Independent Assurances) as required under applicable laws and regulations, User may submit its request for such additional information and assistance, which shall include information regarding the applicable laws or regulations forming the basis of the request, to its account management representative. ScaleWith will work with User to reach mutually agreed upon terms regarding the scope, timing, duration, and other details regarding such additionally requested information and assistance.
9.3 Audit for Data Incident. Following a Data Incident, ScaleWith will within a reasonable timeframe, engage a third-party independent auditor, selected by ScaleWith and at ScaleWith’s expense, to conduct an on-site audit of ScaleWith’s Information Security Program. Upon request, ScaleWith will provide or make available a report of such audit to User.
9.4 Conditions of Audit.
(a) Any audits conducted pursuant to this Security Exhibit must: (i) be conducted during reasonable times and be of reasonable duration; (ii) not unreasonably interfere with ScaleWith’s day-to-day operations; and (iii) be conducted under mutually agreed upon terms and in accordance with ScaleWith’s security policies and procedures. ScaleWith reserves the right to limit an audit of configuration settings, sensors, monitors, network devices and equipment, files, or other items if ScaleWith, in its reasonable discretion, determines that such an audit may compromise the security of ScaleWith Services or the data of other ScaleWith customers. User’s audit rights do not include penetration testing or active vulnerability assessments of the Production Environment or ScaleWith Systems within their scope.
(b) In the event User conducts an audit through a third-party independent contractor, such independent contractor must enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect ScaleWith’s confidential information.
(c) User must promptly provide ScaleWith with any audit, security assessment, compliance assessment reports, and associated findings prepared by it or its third-party contractors for comment and input prior to formalization and/or sharing such information with a third party.
9.5 Remediation and Response Timeline. If any audit performed pursuant to this Security Exhibit reveals or identifies any non-compliance by ScaleWith of its obligations under the Agreement and this Security Exhibit, then (a) ScaleWith will use commercially reasonable efforts to correct such issues; and (b) for no more than sixty (60) days after the date upon which such audit was conducted, User may request feedback and information regarding corrective and remedial actions taken in relation to such audit.