BigID Security Standards
BIGID DATA USE, HANDLING AND SECURITY STANDARDS
In addition to any confidentiality and data processing obligations it has under the Agreement, BigID shall comply with the following data use, handling and security requirements.
1. Definitions
a. “Agreement(s)” shall mean the commercial agreement between Customer and BigID that outlines the commercial terms applicable to the services pursuant to which the Protected Information shall be processed. This could be, amongst others, a Master Services Agreement, Professional Services Agreement or a Software-as-a-Service Agreement and/or a Data Processing Agreement.
b. “Data Protection Law(s)” shall mean all applicable privacy and security laws, including but not limited to (i) domestic and international data privacy and data protection legislation; (ii) security and breach notification laws; (iii) regulation and industry standard practices related to marketing by telephone, text messages, direct mail, e-mail, wireless text messaging, fax, and any other mode of communication; (iv) generally accepted privacy and security industry standards; (v) the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq.; and (vi) the European Union’s General Data Protection Regulation (“GDPR”).
c. “Encryption” means encryption that is based on industry-tested, accepted and uncompromised algorithms that meet at least the NIST recommended standards for encryption algorithms, as updated.
d. “Personal Information” or “PI” means personal information that identifies, describes, relates to, is capable of being associated with or could reasonably be linked to or used to identify (directly or indirectly) any natural person or household. Personal Information may include, without limitation: (i) first and last name, home or other physical address, telephone number, fax number, email address, social security number or other government issued identifier, credit card number, financial account information, signature, driver’s license information, government issued identification card information, photographic images, biometric information, date of birth, mother’s maiden name; political or religious affiliations; sexual orientation; professional or educational information; physiological, biological or behavioral characteristics; sleep, health or exercise data; audio, electronic, visual, thermal, olfactory or other similar information; (ii) any indicator of an individual’s health or mental condition, such as a medical record or history, medical treatment plan, or diagnosis by a healthcare professional; (iii) information or data collected directly from a person’s interaction with an application’s user interface, geolocation data, or other electronic information; (iv) information or data that is gathered indirectly, such as IMEI, UDID, MAC address, IP address, cookie ID etc.; (v) information or data gathered about a person’s purchasing behavior, such as purchase and transactional history or tendencies, location data, web and/or mobile browsing data, web search history or the applications used that are linked to a unique profile; (vi) inferences that would enable a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and (vii) any other data elements regulated by applicable law.
Personal Information expressly includes Personally Identifiable Information or PII (commonly understood as data elements sufficient to locate, contact, or otherwise identify a single person). “Customer PI” shall mean all Personal Information, including Protected Information, provided to BigID by, or on behalf of, Customer in connection with this Agreement or to facilitate the provision of Services. Except as expressly defined herein, capitalized terms used but not defined shall have the meaning ascribed to them in the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”).
e. “Protected Information” shall mean information that Customer provides to BigID during the course of the Agreement, including but not limited to, Personal Information, Confidential Information as defined in the Agreement, and other material, data, systems and other information concerning the operation, business, projections, market goals, financial affairs, products, customers and intellectual property.
f. “Security Incident” shall mean: (i) the loss, misuse or breach, by any means, of Protected Information; (ii) the inadvertent, unauthorized, and/or unlawful Processing of any Protected Information that compromises its security, confidentiality, or integrity.
2. General Controls
a. BigID agrees that all PI collected by, accessed or retained by BigID in the course of performing the Services remains the property of the Customer. Customer may provide PI to BigID under this Agreement and BigID agrees to use any Customer PI solely for the purpose of performing services for, or otherwise fulfilling its obligations to, Customer under this Agreement. The parties acknowledge and agree that the Personal Information Customer discloses to BigID is provided to BigID for business purposes only.
b. BigID shall implement and maintain a documented information security program that incorporates administrative, technical, and physical safeguards designed to reasonably ensure the security, confidentiality and integrity of PI and other data, including information it receives in connection with the Services, in compliance with Data Protection Laws. BigID’s Information Security program shall, at a minimum, use reasonable measures to: (a) ensure the security and confidentiality of any PI; (b) protect against any anticipated threats or hazards to the security or integrity of PI; (c) protect against unauthorized access to or modification, destruction, disclosure or use of PI that could result in substantial harm to any individual or Customer; and (d) address how any Security Incident (as defined herein) involving PI will be handled. The program shall (e) be managed by a senior employee responsible for overseeing and implementing the program; (f) be reviewed, and its goals evaluated for efficacy, at least annually; and (g) be appropriate to the nature, size, and complexity of BigID’s business operations. Said program shall meet current industry standards and comply with any and all specific information security standards contained in applicable Data Protection Laws.
c. BigID shall only process Protected Information in accordance with the Agreement for the purpose of meeting its obligations under the Agreement, and any related SOW or amendment to the Agreement.
d. BigID shall, at all times, have in place appropriate technical and organizational security measures so that Protected Information is protected against unauthorized or unlawful processing.
e. BigID shall conduct a risk assessment no less than annually, and will promptly implement, at its sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the assessment or of any scanning, vulnerability or penetration testing. BigID shall perform at least (i) quarterly vulnerability scans and (ii) annual penetration tests.
f. Personal Information may be Deidentified or Aggregated as part of the Services, but only to the extent such Deidentification or Aggregation, as the case may be, meets the standards for such activity that are required under the applicable Data Protection Law.
3. Human Resources
a. BigID shall ensure that all of its employees are informed of the confidential nature of Protected Information and are aware both of BigID’s obligations and their personal duties and obligations under the Agreement and under applicable laws.
4. Subcontractors, Third Parties & Hosting Service
a. BigID shall (i) ensure all agents or subcontractors provide sufficient guarantees in respect of technical and organizational measures governing the processing of Protected Information and take reasonable steps to ensure agents or subcontractors comply with those measures; (ii) ensure that any written contract it has with an agent or subcontractor requires them to act on its instructions only and imposes obligations upon them to observe the confidentiality and security of Protected Information they may be required to process; (iii) ensure that all agents or subcontractors meet, as a minimum, all requirements detailed in this document; and (iv) remain responsible for obligations which are performed by agents or subcontractors and for the acts or omissions of agents and subcontractors as if they were acts or omissions of BigID.
b. In the event that BigID shares or discloses any Customer PI to a third party (whether with or without Customer’s consent), BigID shall: (a) be responsible for ensuring that the individuals to whom it grants access to Customer PI comply with all of the applicable required use, security and privacy safeguards provided for in this Agreement and all Data Protection Laws; and (b) be fully liable for any acts or omissions of the third party related to Customer PI unless otherwise specified in the associated Agreement or Order Form.
c. BigID shall make available to Customer the current list of Sub-processors on its webpage https://bigid.com/sub-processors/, which shall include the identities and details of those Sub-processors and their country of location, if known (“Sub-processor List”). Customer can subscribe to notifications of new Sub-processors or changes to the Sub-processor List. The Sub-processor List as of the date of execution of this addendum shall be considered authorized by Customer.
5. Controlling Access to Data
BigID shall utilize commercially reasonable security measures and controls to ensure that access to Customer PI is limited to BigID’s personnel and authorized agents who need to know such information solely for the purposes contemplated under this Agreement. Without limiting the foregoing, BigID agrees that:
a. BigID shall ensure that only its employees and authorized agents who may be required to assist BigID in meeting its obligations under the Agreement will have access to Protected Information.
b. BigID shall enforce the principle of least privilege (i.e. each individual is only given the minimum access capabilities necessary to meet business requirements) when providing employees and authorized agents with access to systems containing Protected Information.
c. BigID shall ensure only its system administrators have privileges to create access accounts to systems containing Protected Information.
d. Access to systems containing Protected Information shall be controlled by a secure log-on procedure. Users shall not share names, accounts or passwords, and shall be uniquely identifiable.
e. BigID shall ensure that employees accessing Protected Information remotely are authenticated using two-factor authentication mechanisms via a secure connection.
f. Access to Protected Information, including user accounts and passwords, shall be revoked immediately when no longer required.
g. BigID shall inform all such personnel with exposure or access to Customer PI of BigID’s use, confidentiality and information security requirements and shall ensure each is bound by legal obligations no less restrictive than the terms of this Agreement.
h. BigID shall perform regular reviews of user access to Protected Information.
i. BigID shall keep security event logs on systems storing, processing or transmitting Protected Information to permit tracking of system activity (e.g. date, who, where). Security event logs shall be retained in accordance with our retention policies & procedures and reviewed regularly for unauthorized or unlawful activity.
j. BigID shall not use or disclose Customer PI to contact or market to customers or employees of Customer.
6. Storing Protected Information
a. BigID acknowledges and agrees that any Protected Information collected by BigID on behalf of Customer under or pursuant to this Agreement shall be at least logically segregated from information related to any other customer of BigID. BigID represents and warrants that its database infrastructure is protected via Internet firewalls meeting current industry standards on an ongoing basis and that Customer data will be logically segregated.
b. Protected Information stored by BigID shall be secured using industry standard non-deprecated encryption.
c. BigID shall ensure appropriate anti-virus/anti-malware detection software is implemented across all information systems processing Protected Information in its organization. BigID shall also ensure the anti-virus/anti-malware software is kept up-to-date using the most recent virus and malware signatures and definitions.
7. Transferring Protected Information
a. BigID shall not disclose Protected Information to a third party in any circumstances other than as specified in the Agreement or at the specific written request of the Customer contact or as required by law.
b. In relation to transfers of Protected Information to and from BigID and any authorized agent or sub-contractor:
i. All electronic transfers of Protected Information shall be secured using Encryption. Protected Information shall not be sent in the clear over unencrypted connections.
8. Deletion or Return of Protected Information
a. Upon termination or expiration of the Agreement or at any time per Customer’s written request, BigID shall destroy, delete and render unreadable from BigID’s systems (and where applicable, its subcontractors’) all Protected Information. BigID shall provide a written attestation of such deletion or destruction, upon request.
9. Incident Management
a. BigID shall ensure incident management procedures are in place throughout its organization and they are communicated to all staff, and incidents are logged.
b. In the event of any loss or corruption of Customer PI, BigID shall use commercially reasonable efforts to restore the lost or corrupted PI from the latest backup of such PI maintained by BigID in accordance with its archival procedures. Such incidents will be recorded and investigated in accordance with BigID’s security incident management procedures. BigID shall, where not prohibited by applicable law or any confidentiality requirements, notify Customer in writing within seventy-two (72) hours, or no later than the statutory reporting period prescribed in any applicable state or federal data breach law, when it becomes aware of an actual or reasonably suspected security breach, hacking, unauthorized disclosure, access to, acquisition of, or other loss or use of any Customer PI (“Security Incident”).
In the event of any actual Security Incident of any Customer PI, BigID shall cooperate with Customer, at BigID’s cost if such Data Breach is due to BigID’s (or any third party for which BigID is responsible under Section 4) control failure(s), error(s), or omission(s), to (a) further assess the nature and scope of any such Security Incident and review all pertinent records to the extent such records pertain to Customer and do not compromise BigID’s confidentiality obligations to any third parties; (b) take other remedial measures as may be reasonably necessary or appropriate to mitigate the risk arising out of unauthorized use or disclosure of Customer PI; and (c) provide breach notifications, as reasonably requested, provided, and approved by Customer, to affected individuals notifying them that their PI was accessed or otherwise compromised. BigID shall cooperate fully with all government regulatory agencies and law enforcement agencies having jurisdiction and authority for investigating a Data Breach.
c. BigID shall, where permitted by law, immediately notify the Customer Contact of:
i. Any request for disclosure of Protected Information by a law enforcement authority or any notice or communication from any supervisory or government body which relates directly or indirectly to the processing of Protected Information received by BigID;
ii. Any complaint, notice or communication which relates directly or indirectly to the processing of Protected Information or to either party’s compliance with any Data Protection Laws; and/or
iii. Any subject access request by an individual concerning their Personal Information in relation to the Customer and shall provide Customer with full cooperation and assistance in relation to any such request, complaint, notice or communication and shall not respond unless Customer has instructed BigID to do so or as provided in the Agreement.
d. BigID further agrees that Customer has the right to unilaterally amend, with reasonable notice provided to BigID, the requirements of this Addendum to the extent required to remain in compliance with state or federal legislation containing additional or different standards related to the handling of PI, and such amendments shall automatically take effect sixty (60) days after such notice is provided (or sooner where required to comply with law).
10. Backup and Disaster Recovery
a. BigID shall maintain a disaster recovery and business continuity plan defining how Protected Information will be recovered from backup tapes and offsite information systems, and how BigID’s business will continue operating during the recovery period.
b. BigID shall perform regular encrypted backups of Protected Information processed on its information systems.
11. System Development
a. BigID shall maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Protected Information. BigID shall employ documented secure programming guidelines, standards, and protocols in the development of applications that process or store any Protected Information.
b. BigID shall have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all applications that store or process Protected Information.
c. BigID will ensure that all workstations and servers run non-deprecated operating systems. Operating system, database and application security patches are deployed in BigID’s computing environment according to a schedule predicated on the criticality of the patch.
d. BigID will employ an effective, documented change management program with respect to the Services as an integral part of its security profile. This includes logically or physically separate environments from production for all development and testing. BigID shall not use Protected Information in development or testing environments, unless the Protected Information has been sufficiently sanitized such that it does not pose a risk of a Security Incident.
12. Training and Awareness
a. BigID shall ensure that all of its employees who process Protected Information are trained in Data Protection Laws and in the manner of dealing with Protected Information.
b. BigID will conduct information security awareness training for all employees involved in the delivery of service. Employees and contractors using BigID’s information systems and services shall be required to note and report any observed or suspected information security weaknesses.
13. Audits and Assessments
a. BigID will maintain current applicable third-party assessment credentials representative of AICPA SOC 2 Type 2 attestation, for the Trust Services Criteria for Security, Availability, Confidentiality, and Privacy.
b. Each audit will be performed according to the current standards and rules of the regulatory or accreditation body for each applicable control standard of the privacy and security frameworks. Audit reports generated by such audits will be BigID’s confidential information and will contain material findings by the auditor. At Customer’s request and under a non-disclosure agreement, BigID will provide the audit report to Customer.
c. Upon request from Customer, but not more than once during each 12-month period unless preceded by a Security Incident, BigID shall complete a Customer information security program questionnaire (“Security Assessment”). BigID agrees to reasonably cooperate with such Security Assessment so as to help ensure BigID’s compliance with Customer’s Security Review.
14. Termination and Survival
a. These Terms shall be effective as of their Effective Date and continue until terminated by Customer.
b. BigID shall cease to process Protected Information upon the termination or expiration of the Agreement.
c. The provisions in these Terms relating to the protection of Protected Information shall survive termination of the Agreement or these Terms and remain in effect for as long as BigID holds Protected Information in accordance with our retention policies & procedures.