
DPA – Vendor

Vendor Data Processing Addendum
(May 2023)

This Vendor Data Processing Addendum (“Vendor DPA”) is incorporated by reference to and made a part of the agreement or Order for which BigID has obtained the right or subscription license to use the Services and is made by and between BigID and Vendor (collectively the “Agreement”).

This DPA supplements the Agreement and sets forth the terms that apply when Personal Data (defined below) is Processed (defined below) by Vendor under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable law, and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.

Vendor understands, acknowledges, and agrees that this DPA applies to itself and, to the extent required under applicable Data Protection and Privacy Laws or Regulations, to the extent Vendor processes Personal Data.

In the course of providing the Services to BigID pursuant to the Agreement, Vendor may Process Personal Data on behalf of BigID and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

Data Processing Terms

1.    Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity for so long as control exists. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement(s)” shall mean the commercial agreement between BigID and the Vendor that outlines the commercial terms applicable to the services pursuant to which the Protected Information shall be processed. This could be, amongst others, a Master Services Agreement, Professional Services Agreement, a Software-as-a-Service Agreement and/or a Data Processing Agreement.

“BigID” means the BigID entity that is a party to both the Agreement and to this DPA, which may be BigID, Inc., a company incorporated in the State of Delaware.

“BigID Personal Data” shall mean all Personal Data, including Protected Information, provided to Vendor by, or on behalf of, BigID in connection with this Agreement or to facilitate the provision of Services.

“Business Purposes” means the use of Personal Data for operational purposes, or other notified purposes, provided that the use of Personal Data shall be reasonably necessary and proportionate to achieve the operational purpose for which the Personal Data was collected or processed, or for another operational purpose that is compatible with the context in which the Personal Data was collected. Categories of Business Purposes may include: (a) Auditing Interactions with Consumers; (b) Security; (c) Debugging or Repairing the Services; (d) Performing the Services of the Agreement, which may include, but is not limited to: maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying information, processing payments, providing financing, providing analytic services, or providing similar services; (e) Internal Research for Development; (f) Quality, verification, and safety maintenance of the Services; and (g) Short-term transient uses provided that Personal Data is not disclosed to another third party and is not used to build a profile about a data subject or alter an individual’s experience outside of the current transaction.

“Consumer” means the identified or identifiable person to whom Personal Data relates.

“Controller” means an entity which determines the purposes and means of the Processing of Personal Data, including as applicable any “Business” as that term is defined by the CCPA, as amended, and its implementing regulations.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Europe” means the European Economic Area (which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein), as well as, for the purposes of this DPA, the United Kingdom and/or Switzerland.

“Encryption” means encryption that is based on industry-tested, accepted, and uncompromised algorithms that meets at least the NIST recommended standards for encryption algorithms, as updated.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “EU GDPR”), as well as, for the purposes of this DPA, the UK General Data Protection Regulation as it forms part of the law of England, Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).

“Personal Data” or “Personal Information” means personal information that identifies, describes, relates to, is capable of being associated with or could reasonably be linked to or used to identify (directly or indirectly) any natural person or household. Personal Data may include, without limitation: (i) first and last name, home or other physical address, telephone number, fax number, email address, social security number or other government issued identifier, credit card number, financial account information, signature, driver’s license information, government issued identification card information, photographic images, biometric information, date of birth, mother’s maiden name; political or religious affiliations; sexual orientation; professional or educational information; physiological, biological or behavioral characteristics; sleep, health or exercise data; audio, electronic, visual, thermal, olfactory or other similar information; (ii) any indicator of an individual’s health or mental condition, such as a medical record or history, medical treatment plan, or diagnosis by a health care professional (iii) information or data collected directly from a person’s interaction with an application’s user interface, geolocation data, or other electronic information; (iv) information or data that is gathered indirectly, such as IMEI, UDID, MAC address, IP address, cookie ID etc.; (v) information or data gathered about a person’s purchasing behavior, such as purchase and transactional history or tendencies, location data, web and/or mobile browsing data, web search history or the applications used that are linked to a unique profile; (vi) inferences that would enable a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and (vii) any other data elements regulated by applicable law. 
Personal Information expressly includes Personally Identifiable Information or PII (commonly understood as data elements sufficient to locate, contact, or otherwise identify a single person). Except as expressly defined herein, capitalized terms used but not defined shall have the meaning ascribed to them in the CCPA and the GDPR.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means an entity which Processes Personal Data on behalf of a Controller, including as applicable any “Service Provider” or “Contractor” as those terms are defined by the CCPA.

“Protected Information” shall mean information that BigID provides to Vendor during the course of the Agreement, including but not limited to, Personal Data as defined in the Agreement, and other material, data, systems, and other information concerning the operation, business, projections, market goals, financial affairs, products, customers, and intellectual property.

“Standard Contractual Clauses” means module two of the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time, and completed with the details set out in Schedule 2 to this DPA. As at the date of this DPA, the Standard Contractual Clauses are available [here].

“Services” means the services provided by Vendor to BigID under the Agreement.

“Sub-processor” means any Processor engaged by Vendor. Sub-processor may also include agents and sub-contractors of the Vendor.

“Supervisory Authority” means (i) in the EU, an independent public authority which is established by an EU Member State pursuant to the EU GDPR, and (ii) in the United Kingdom, the UK Information Commissioner’s Office.

“UK Addendum” means the UK Addendum to the Standard Contractual Clauses (the “UK Addendum”, which, at the date of this DPA, is available [here]), under section 119A(1) of the Data Protection Act 2018 (the “Issued UK Addendum”).

“US Data Privacy Laws” means the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), and its implementing regulations, Virginia Consumer Data Protection Act (“VCDPA”), and once effective, the Colorado Privacy Act (“ColCPA”), Colorado Privacy Act Rules (“ColCPAR”), Utah Consumer Privacy Act (“UCPA”), Connecticut Personal Data Privacy and Online Monitoring Act (“CTDPA”), Iowa Consumer Data Protection Act (“ICDPA”), Indiana Consumer Data Protection Act (“INCDPA”), Tennessee Information Protection Act (“TIPA”), Montana Consumer Data Privacy Act (“MCDPA”), and any other state or federal laws relating to privacy or data protection, and their respective implementing regulations.

2.    Processing of Personal Data

  1. Role of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, BigID is the Controller, Vendor is the Processor, and Vendor will engage Sub-processors pursuant to the requirements set forth in Section 6 “Sub-processors” below.
  2. BigID’s Processing of Personal Data. BigID shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection and Privacy Laws or Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Vendor as Processor. For the avoidance of doubt, BigID’s instructions for the Processing of Personal Data shall comply with applicable Data Protection and Privacy Laws or Regulations. BigID shall not instruct Vendor to process or disclose personal data for any other purpose than as set out in this Addendum, the Agreement, as otherwise agreed in writing between the Parties, or as permitted by law. BigID shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which BigID acquired Personal Data. BigID specifically acknowledges that its use of the Services will not violate the rights of any Consumer or Data Subject that has opted out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
  3. Vendor’s Processing of Personal Data. Vendor agrees that all Personal Data collected by, accessed, or retained by Vendor in the course of performing the Services remains the property of BigID. BigID may provide Personal Data to Vendor under this Agreement and Vendor agrees to use any Personal Data solely for the purpose of performing Services as defined in Schedule 1 (Details of the Processing), unless required to process Personal Data for other purposes by EU law or the laws of a country in the EEA, in which case Vendor shall provide prior advanced notice in writing to BigID unless the relevant law prohibits the giving of notice on important grounds of public interest.
  4. Details of the Processing. The subject-matter of Processing of Personal Data by Vendor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
  5. Additional United States Processing Terms. Where BigID discloses Personal Data subject to US Data Privacy Laws, the following provisions apply with respect to the processing of Personal Data relating to any “consumers” or “residents” under the applicable US Data Privacy Laws:
    1. Vendor agrees to comply with BigID’s instructions for processing data, including the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties as set forth in this Addendum, the Agreement, and in accordance with applicable laws and regulations.
    2. Vendor shall ensure that each individual processing personal data is subject to a duty of confidentiality with respect to the data, and that personal data remain protected by the appropriate level of technical and organizational security measures relevant to the risk and data being processed.
    3. Upon reasonable request of BigID, Vendor shall make available to BigID all information in its possession necessary to demonstrate Vendor’s compliance with the obligations set forth in the applicable US Data Privacy Laws. This provision does not apply to data processed in accordance with the UCPA.
    4. Vendor shall, at the direction of BigID, delete or return all personal data to BigID as requested at the end of the provision of the Services, unless retention of the personal data is required by law. This provision does not apply to data processed under the UCPA.
    5. After providing BigID an opportunity to object, Vendor must engage any subcontractor (or “agent” as defined by the ICDPA) pursuant to a written contract in accordance with the terms of this Addendum, the Agreement, and any applicable US Data Privacy Laws, which require the subcontractor to meet the processing obligations or duties of the Vendor with respect to the personal data.
    6. Vendor agrees to allow, and cooperate with, reasonable assessments, audits, or inspections carried out by BigID or BigID’s designated assessor. Alternatively, Vendor may arrange for a qualified and independent assessor or auditor to conduct an assessment, audit, or inspection of Vendor’s policies and technical and organizational measures in support of Vendor’s obligations pursuant to the relevant and applicable US Data Privacy Laws, using an appropriate and accepted control standard or framework and assessment or audit procedure, for such assessments, audits, or inspections. Vendor shall furnish a report of any such assessments, audits, or inspections to BigID upon request.
    7. Vendor agrees to provide the information necessary to enable BigID to conduct and document data protection assessments and shall assist BigID in complying and fulfilling its obligations with respect to data subject access requests.
    8. Vendor shall assist BigID in meeting its obligations relating to the security of processing personal data and regarding notifications in the event the security system(s) of Vendor or Vendor’s sub-processors suffer a breach.
    9. Vendor grants BigID the right, upon notice, to stop and remediate the unauthorized access and use of personal data.
    10. In the event Vendor receives or uses pseudonymous data or deidentified data in connection with the Agreement, Vendor shall implement and adhere to any protective measures that ensure processed personal data cannot be traced back to individuals, and all pseudonymous data or deidentified data requirements set forth in the relevant and applicable US Data Privacy Laws.
    11. Vendor shall not release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data to any third party, except to BigID’s sub-processors that are bound by terms consistent with those set out in this DPA.
    12. Vendor agrees to notify BigID without undue delay if Vendor determines it cannot meet its obligations.

3.    Additional California Processing Terms

Where BigID discloses Personal Data subject to the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and its implementing regulations, the following provisions apply with respect to the processing of Personal Data relating to any “consumers” or “households” under the CCPA:

  1. Vendor agrees that all Personal Data collected by, accessed, or retained by Vendor in the course of performing the Services remains the property of BigID.
  2. BigID may disclose Personal Data to Vendor under this Agreement and Vendor agrees to use any Personal Data solely for the purpose of performing the Services. For the avoidance of doubt, the parties acknowledge that the Personal Data BigID discloses to the Vendor is provided only for Business Purposes.
  3. Vendor is a Service Provider (as that term is defined under the CCPA) to BigID, and thus shall not retain, use, modify, transform, share, or disclose Personal Data other than as set out in the Agreement or as otherwise expressly permitted by the CCPA.
  4. BigID shall not instruct Vendor to process or disclose Personal Data other than as set out in the Agreement, DPA and as otherwise agreed between the Parties, or as otherwise permitted by the CCPA.
  5. Vendor shall not sell, share, or resell Personal Data provided to Vendor in Vendor’s role as a Service Provider.
  6. Vendor shall not release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data to any third party, except to Vendor’s sub-processors that are bound by terms consistent with those set out in this DPA.
  7. Vendor agrees to inform and provide written notification to BigID if it determines that it is no longer able to meet its obligations pursuant to the CCPA, within the specified period.
  8. Vendor agrees to implement reasonable technical and organizational security measures appropriate to the nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure.
  9. Vendor grants BigID the right, upon notice, to stop and remediate the unauthorized access and use of personal data.
  10. In the event Vendor receives or uses deidentified data in connection with the Agreement, Vendor is contractually obligated to comply with all deidentified data requirements set forth in the CCPA.
  11. Nothing in this section shall require BigID to disclose trade secrets, as specified in the CCPA and its implementing regulations.

4.    Rights of the Data Subjects

  1. Data Subject Request. Vendor shall, to the extent legally permitted, promptly notify BigID in no less than five (5) business days if Vendor specifically receives a request from a Data Subject with regards to BigID’s Data in order to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, Vendor shall assist BigID by implementing the appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of BigID’s obligation to respond to a Data Subject Request under Data Protection and Privacy Laws or Regulations. In addition, to the extent BigID, in its use of the Services, does not have the ability to address a Data Subject Request, Vendor shall upon BigID’s request provide commercially reasonable efforts to assist BigID in responding to such Data Subject Request, to the extent Vendor is legally permitted to do so and the response to such Data Subject Request is required under Data Protection and Privacy Laws or Regulations. To the extent legally permitted, BigID shall be responsible for any costs arising from Vendor’s provision of such assistance.

5.    European Specific Provisions

  1. Compliance. Vendor, as Processor, has complied and will continue to comply with all applicable privacy and data protection laws including, but not limited to, the GDPR and updated legislation from the UK. BigID, as Controller, shall be responsible for ensuring that, in connection with Personal Data and the Services:
    1. It has complied, and will continue to comply, with all applicable data protection regulations and privacy laws, including EU Data Protection Legislation; and
    2. It has, and will continue to have, the right to transfer, or provide access to, the Personal Data to BigID for processing in accordance with the terms of the Agreement including this DPA.
  2. Data Protection Impact Assessment. Upon BigID’s request, Vendor shall provide BigID with reasonable cooperation and assistance needed to fulfill BigID’s obligation under the GDPR to carry out a data protection impact assessment related to BigID’s use of the Services, to the extent BigID does not otherwise have access to the relevant information, and to the extent such information is available to Vendor. Vendor shall provide reasonable assistance to BigID in the cooperation or prior consultation with a Supervisory Authority in the performance of its tasks relating to this Section 4.2 of this DPA, to the extent required under the GDPR.
  3. Supervisory Authorities. Vendor shall, to the extent legally permitted, notify BigID without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data.
  4. Entry into the Standard Contractual Clauses: The Standard Contractual Clauses and the additional terms specified in this Section are incorporated into this DPA by reference and apply to transfers of Personal Data to Vendor from (i) Vendor if it is subject to the data protection laws and regulations of Europe, and (ii) its Affiliates. To the extent that any such transfer of Personal Data is:
    1. subject to the UK GDPR and not the EU GDPR, then the Standard Contractual Clauses shall be amended in accordance with the UK Addendum, or
    2. subject to both the UK GDPR and the EU GDPR, then BigID and Vendor shall comply with the Standard Contractual Clauses (a) as they stand, and (b) on a parallel basis, as amended by the UK Addendum, but only to the extent the transfer of Personal Data is subject to the UK GDPR and without prejudice to their obligations under the Standard Contractual Clauses.

For the purpose of the Standard Contractual Clauses (including the UK Addendum, where applicable), BigID and any Affiliates shall each be deemed a “data exporter”, and Vendor shall be deemed the “data importer”.

6.    Vendor Personnel

  1. Confidentiality. Vendor shall ensure that any personnel engaged in the Processing of Personal Data are informed of the sensitive nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Vendor shall also ensure that its employees are made aware of the Vendor’s obligations as well as their personal duties and/or obligations under the Agreement and under applicable laws.
  2. Responsibility. Vendor must inform employees that failure to meet their responsibilities for processing Protected Information may result in disciplinary action. Vendor shall remain legally responsible for obligations which are performed by employees and for the acts or omissions of employees as if they were acts or omissions of the Vendor.
  3. Reliability. Vendor shall take commercially reasonable steps to ensure the reliability of any Vendor personnel engaged in the Processing of Personal Data.
  4. Limitation of Access. Vendor shall ensure that Vendor’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
  5. Data Protection Officer. Vendor has appointed a data protection officer. The appointed person may be reached at [to be filled out by Vendor].

7.    Sub-processing

  1. Sub-processors. Vendor shall not disclose BigID Personal Data to any third party without BigID’s prior written consent. Vendor must (i) ensure all Sub-processors provide sufficient guarantees in respect of technical and organizational measures governing the processing of Personal Data and must take reasonable steps to ensure Sub-processors comply with those measures; (ii) ensure that any written contract it has with Sub-processors requires them to act on its instructions only and imposes obligations upon them to observe the confidentiality and security of Personal Data they may be required to process; (iii) ensure that all Sub-processors, as a minimum, meet all requirements detailed in this document; and (iv) remain responsible for obligations which are performed by Sub-processors and for the acts or omissions of Sub-processors as if they were acts or omissions of the Vendor.
  2. Sharing BigID Data with Sub-processors. In the event that Vendor shares or discloses any BigID Personal Data to a Sub-processor or third party (whether with or without BigID’s consent) Vendor shall: (a) be responsible for ensuring that the individuals to whom it grants access to BigID Personal Data comply with all of the applicable required use, security and privacy safeguards provided for in this Agreement and all Data Protection and Privacy Laws or Regulations; and (b) be fully liable for any acts or omissions of the third party related to BigID Personal Data unless otherwise specified in the associated Agreement or Order Form.
  3. Sub-processor List. Vendor shall make available to BigID, in writing or as an amendment to this Data Protection Addendum, the current list of Sub-processors, which shall include the identities and details of those Sub-processors and their country of location, if known (“Sub-processor List”), which shall include the name of the Sub-processor, the services for which the Sub-processor is contracted, and the region in which the Sub-processor hosts BigID Data. The Sub-processor List as of the date of execution of this DPA shall be considered authorized by BigID.
  4. Changes to Sub-processors. If Vendor needs to add or make changes to its Sub-processor List, Vendor must notify BigID with 60 days’ advance notice of any changes. BigID may object to the appointment of additional Sub-processors within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of Personal Data if such Sub-processor cannot meet the standards of this DPA, in which case Vendor shall have the right to cure the objection through one of the following options: (a) Vendor will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Services without such Sub-processor; or (b) Vendor will take the corrective steps requested by BigID in its objection (which remove BigID’s objection) and proceed to use the Sub-processor with regard to Personal Data; or (c) if none of the above options are reasonably available and the objection has not been resolved to the reasonable mutual satisfaction of the parties within a thirty (30) day period after Vendor’s receipt of BigID’s objection, either party may terminate the Agreement and BigID will be entitled to a pro-rata refund for prepaid fees for Subscription Services not performed as of the date of termination.
  5. Liability. Vendor shall be fully liable for the acts and omissions of its Sub-processors to the same extent Vendor would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

8.    Security

  1. Controls for the Protection of Personal Data
    1. Vendor shall implement and maintain a written information security program (“WISP”) that incorporates administrative, technical, and physical safeguards designed to reasonably ensure the security, confidentiality, and integrity of Personal Data and other data, including information it receives in connection with the Services, in compliance with Data Protection Laws. Vendor shall provide BigID with a copy or summary of its WISP promptly following BigID’s request. Vendor shall, at a minimum, maintain a WISP that uses reasonable measures to: (a) ensure the security and confidentiality of any Personal Data; (b) protect against any anticipated threats or hazards to the security or integrity of Personal Data; (c) protect against unauthorized access to or modification, destruction, disclosure or use of Personal Data that could result in substantial harm to any individual or BigID; (d) address how any Security Incident (as defined herein) of Personal Data will be handled; (e) is managed by a senior employee responsible for overseeing and implementing the program; and (f) is appropriate to the nature, size, and complexity of Vendor’s business operations. Such WISP shall meet current industry standards, comply with any and all specific information security standards contained in applicable Data Protection Laws, specifically including as applicable the measures referred to in Article 32 of the GDPR as well as the requirements contained in the Massachusetts Code of Regulations, 201 CMR Sections 17.00 et seq.
    2. Vendor must, at all times, have in place appropriate technical and organizational security measures so that Protected Information is protected against unauthorized or unlawful processing and against accidental loss or destruction, or damage.
    3. Vendor shall conduct a risk assessment periodically, and will promptly implement, at its sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the assessment or of any scanning, vulnerability, or penetration testing. Vendor shall perform at least: (i) quarterly vulnerability scans; and (ii) annual penetration tests.
    4. Personal Information may be Deidentified or Aggregated as part of the Services, but only to the extent such Deidentification or Aggregation, as the case may be, meets the standards for such activity that is required under the relevant and applicable US Data Privacy Laws.
  2. Confidentiality of Processing. BigID shall ensure that any person that it authorizes to Process the Personal Data (including its staff, agents, subcontractors, and Sub-processors) shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.
  3. Training. Vendor will conduct information security awareness training for all employees involved in the delivery of service. This should ensure that everyone involved is aware of the need to protect BigID information assets and the associated policies and procedures. Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses.
  4. Hosting. Vendor shall provide BigID with information regarding the location(s) and hosting service(s) Vendor is using to host BigID’s Personal Data (the “Hosting Service”). Vendor shall notify BigID, no less than sixty (60) days in advance in writing, of its intention to change the Hosting Service to another third-party service provider. Such notification shall include the name and the residency of the new Hosting Service. In any such event, BigID reserves the right to terminate the Agreement on thirty (30) days’ notice to Vendor.
  5. Controlling Access to BigID Data. Vendor shall utilize commercially reasonable security measures and controls to ensure that access to BigID Personal Data is limited to Vendor’s personnel and authorized agents who need to know such information solely for the purposes contemplated under the Agreement(s). Without limiting the foregoing, Vendor agrees that:
    1. Vendor must have an inventory of all company assets (software, hardware, etc.) that may access BigID Personal Data. The inventory must record and track asset description, ownership, location, and assigned users, at a minimum.
    2. Vendor must ensure that only its employees who may be required by the Vendor to assist it in meeting its obligations under the Agreement will have access to Protected Information.
    3. Vendor must enforce the principle of least privilege (i.e., each individual is only given the minimum access capabilities necessary to meet business requirements) when providing employees with access to systems containing Protected Information.
    4. Vendor must ensure only its system administrators have privileges to create access accounts to systems containing Protected Information.
    5. Access to systems containing Protected Information must be controlled by a secure log-on procedure. Users must not share names, accounts, or passwords.
    6. Vendor must ensure that each user accessing systems containing Protected Information is uniquely identifiable.
    7. Vendor must ensure that employees accessing Protected Information remotely are authenticated using two-factor authentication mechanisms via a secure connection.
    8. Access to Protected Information, including user accounts and passwords, must be revoked immediately when no longer required.
    9. Vendor must maintain details of all employees with access to Protected Information.
    10. Vendor shall inform all such personnel with exposure or access to BigID Personal Data of Vendor’s use, confidentiality, and information security requirements and shall ensure each is bound by legal obligations no less restrictive than the terms of this Agreement.
    11. Vendor must perform regular reviews of user access to Protected Information (e.g., at least every 6 months and promptly after any changes such as promotion, demotion, or termination of employment).
    12. Vendor must keep security event logs on systems storing, processing, or transmitting Protected Information to permit tracking of system activity (e.g., date, who, where). Security event logs must be retained for a minimum period of 365 days and reviewed regularly for unauthorized or unlawful activity.
    13. Vendor must ensure that appropriate physical access controls are in place where Protected Information is stored.
    14. Access shall not be granted in public areas, and output such as printouts shall be directed to areas that only those organization staff who are authorized to access the Protected Information can reach.
    15. Vendor shall not use or disclose BigID Personal Data to contact or market to customers or employees of BigID.
  6. Storing Protected Information
    1. Vendor acknowledges and agrees that any Protected Information collected by Vendor on behalf of BigID under or pursuant to this Agreement shall be at least logically segregated from information related to any other customer of Vendor. Vendor represents and warrants that its database infrastructure is protected via Internet firewalls meeting current industry standards on an ongoing basis and that BigID data will be logically segregated.
    2. Electronic and paper records containing Protected Information must be stored in a locked room or area where access is controlled.
    3. Protected Information should not be stored on endpoint devices, mobile devices, external hard drives, or removable media (e.g., USB Thumb Drives, CDs, or DVDs) without BigID’s prior written consent.
    4. Backups may be taken if this provides no more access than when the information is within the computer system. Backup media must be subject to secure storage. Additional controls such as Encryption shall be used.
    5. Protected Information stored by Vendor must be secured using Encryption.
    6. Vendor must ensure appropriate anti-virus/anti-malware detection software is implemented across all information systems processing Protected Information in its organization. Vendor must also ensure the anti-virus/anti-malware software is up to date using the most recent virus and malware signatures and definitions.
  7. Transferring Protected Information
    1. Vendor must not disclose Protected Information to a third party in any circumstances other than as specified in the Data Protection Addendum or at the specific written request of BigID.
    2. Subject to Vendor’s disaster recovery and business continuity obligation under Section 11 (Backup and Disaster Recovery), Vendor must not under any circumstances transfer, use, or process Protected Information outside the jurisdiction of the Vendor’s Hosting Service under Section 4 or as described in an Amendment to this Addendum, unless authorized in writing to do so by BigID.
    3. In relation to transfers of Protected Information to and from BigID and any Sub-processor:
      (i) All electronic transfers of Protected Information must be secured using Encryption. Protected Information shall not be sent in the clear over unencrypted connections.
      (ii) When transferring Protected Information on paper, the document must be labeled ‘BigID Confidential’ and sent by secure mail courier using double-wrapped envelopes, sealed in a way that tampering with the seal is immediately evident.
      (iii) When transferring Protected Information using removable media (e.g., CD, memory stick, external hard drives) all media must be labeled ‘BigID Confidential’, must be secured using appropriate Encryption and sent using double-wrapped envelopes, sealed in a way that tampering with the seal is immediately evident.
      (iv) If Vendor uses a secure mail courier for transferring Protected Information it must ensure the courier only delivers the envelope to a specified contact after examination of an original and valid photographic identity document (e.g., BigID issued pass, driving license or passport). Following delivery, a signature must be obtained as confirmation of receipt. If the specified recipient is not available, then delivery must be delayed or, if delivery cannot be completed, then the envelope must be returned unopened.
      (v) Vendor must always seek BigID’s written permission before transferring Protected Information in a manner that does not meet the above criteria.
      (vi) The chain of custody for BigID Protected Information shall be clearly defined and tracked via formal handovers including signatures for acceptance.
      (vii) Vendor must maintain, for the duration of the Agreement and then for as long as is required by law, complete and accurate records of all transfers of Protected Information in connection with the Agreement.
  8. Deletion of Data. Upon termination or expiration of the Agreement or at any time per BigID’s written request, Vendor shall, in accordance with the terms of the Agreement and upon request from BigID, delete all Protected Information in Vendor’s possession, save to the extent that Vendor is required by any applicable law to retain some or all of the Protected Information. Vendor shall delete all Personal Data from Vendor’s systems (and, where applicable, its Sub-processors’ systems) in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization. Where possible, secure destruction shall be verified by a second authorized individual. Vendor shall certify in writing within thirty (30) days of BigID’s request for destruction that these actions have been completed. Where Vendor is required by applicable law to retain some or all of the Protected Information, Vendor shall extend the protections of the Agreement and this DPA to such Protected Information, and limit any further Processing of such Protected Information to only those limited purposes that require the retention, for so long as Vendor retains the Protected Information.
  9. Incident Management
    1. Vendor must ensure incident management procedures are in place throughout its organization and they are communicated to all staff, and incidents are logged.
    2. In the event of any loss or corruption of Personal Data, Vendor shall use commercially reasonable efforts to restore the lost or corrupted Personal Data from the latest backup of such Personal Data maintained by Vendor in accordance with its archival procedures. Such incidents will be recorded and investigated in accordance with Vendor’s security incident management procedures. Vendor shall notify BigID in writing within forty-eight (48) hours when it becomes aware of a security breach, hacking, unauthorized disclosure, access to, acquisition of, or other loss or use of any BigID PI (“Security Incident”).
      1. Vendor’s notice shall include, at a minimum: (a) a description of the breach or loss, including the date it occurred; (b) the number of individuals affected and their states of residence; (c) a description of the information accessed, acquired, lost and/or misused; (d) whether the breach or loss was computerized, electronic or a paper loss; (e) whether such information was encrypted or unencrypted; (f) whether encryption keys or passwords may have been compromised; and (g) a description of the steps taken to investigate the incident, secure Vendor’s systems, or recover lost information, and prevent the recurrence of security breaches or losses of the same type. In connection with any Security Incident, Vendor will provide BigID with a copy of applicable forensic report(s).
      2. Except as may be strictly required by applicable law, Vendor agrees that it will not inform any third party of any such Security Incident without BigID’s prior written consent. If such disclosure is required by applicable law, Vendor agrees to consult with, and obtain the approval (which shall not be unreasonably withheld or delayed) of, BigID regarding the content of such disclosure prior to making such disclosure. Without limiting the foregoing, BigID will determine the party that will make any disclosure to law enforcement or regulatory authorities regarding a Data Breach and Vendor agrees to abide by BigID’s determination.
      3. In the event of any actual Security Incident involving any Personal Data, Vendor shall cooperate with BigID, at Vendor’s cost if such Data Breach is due to Vendor’s (or any third party for which Vendor is responsible under Section 5(2)) control failure(s), error(s), or omission(s), to (a) further assess the nature and scope of any such Security Incident and review all pertinent records to the extent such records pertain to BigID and do not compromise Vendor’s confidentiality obligations to any third parties; (b) take other remedial measures as may be reasonably necessary or appropriate to mitigate the risk arising out of unauthorized use or disclosure of BigID PI; and (c) provide breach notifications, as reasonably requested, provided, and approved by BigID, to affected individuals notifying them that their PI was accessed or otherwise compromised. Vendor shall cooperate fully with all government regulatory agencies and law enforcement agencies having jurisdiction and authority for investigating a Data Breach.
  10. Verification and Auditing
    1. Vendor will maintain an AICPA SOC 2 Type 2 attestation for the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy and a Privacy Impact Assessment performed by an industry recognized and qualified independent third-party auditor, at Vendor’s expense.
    2. Each audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard of privacy and security frameworks. Audit reports generated by such audits will be Vendor’s confidential information and will contain material findings by the auditor. At BigID’s request and under non-disclosure agreement, Vendor will provide the audit report so that BigID can verify Vendor’s compliance with the adopted security framework.
    3. Upon request from BigID, but not more than once during each 12-month period unless preceded by a Security Incident, Vendor shall complete a BigID provided information security program questionnaire (“Security Review”). Vendor agrees to fully cooperate with such Security Review and implement all commercially reasonable changes to its information security program that, as a result of the Security Review, are required to ensure Vendor’s compliance with this Addendum, at Vendor’s sole cost and expense.
    4. Vendor acknowledges and agrees that BigID or a BigID-appointed third party (collectively, “Monitor”) has the right, for the purposes of verifying compliance with the requirements of these Terms, to review the terms, records and/or facilities of Vendor and Vendor’s subcontractors or affiliates that provide goods and/or services related to or involving the processing, transport, or storage of BigID Information. BigID will announce its intent to review Vendor in accordance with these Terms by providing at least five (5) business days’ notice to Vendor. Vendor will provide Monitor with access to its site, systems, and records as reasonably necessary to assess compliance with the requirements of these Terms. At BigID’s reasonable request, Vendor will provide Monitor with a personal site guide while on-site. Vendor will make available to Monitor, for in-person or phone interviews, any Vendor employees and/or contractors for provision of information and cooperation related to the verification hereunder. Such verification will be at BigID’s expense, unless it reveals material non-compliance with the requirements of these Terms, in which case the cost will be borne by Vendor.
  11. Backup & Disaster Recovery
    1. Vendor must maintain a disaster recovery and business continuity plan defining how Protected Information will be recovered from backup tapes and offsite information systems, and how the business will continue operating during the recovery period. Recovery time objectives (RTO) and recovery point objectives (RPO) must be defined and shared with BigID upon request.
    2. Vendor must test the disaster recovery and business continuity plan at least once per year to validate disaster recovery and business continuity procedures as well as the RTO and RPO. The tests must incorporate scenarios for availability zone failure as well as a regional failure.
    3. Vendor must perform regular encrypted backups of Protected Information processed on its information systems. The regularity of backup will depend on the type, volume, and frequency of change of Protected Information processed by Vendor and agreed with BigID.
  12. System Development
    1. Vendor must maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Protected Information. Vendor must employ documented secure programming guidelines, standards, and protocols in the development of applications that process or store any Protected Information.
    2. Vendor must have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all applications that store or process Protected Information.
    3. Vendor must use a threat model methodology to identify the key risks to the important assets and functions provided by all applications that store or process Protected Information, conduct an analysis of the most common programming errors, and document in writing that they have been mitigated.
    4. Vendor will patch all workstations and servers with all current operating system, database, and application patches deployed in Vendor’s computing environment according to a schedule predicated on the criticality of the patch. Vendor must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched.
    5. Vendor will employ an effective, documented change management program with respect to the Services as an integral part of its security profile. This includes logically or physically separate environments from production for all development and testing. Vendor shall not use Protected Information in development or testing environments, unless the Protected Information has been sufficiently sanitized such that it does not pose a risk of a Security Incident.
    6. Vendor must notify BigID of, and agree with BigID in writing to, any significant changes to any system used to process Protected Information.

9.    Cyber & Privacy Insurance

In addition to the insurance requirements set forth in the Agreement, Vendor shall maintain, at its sole cost and expense, Privacy and Cybersecurity insurance (or its equivalent) of not less than five million US dollars ($5,000,000) each occurrence or claim. Coverage shall be sufficiently broad to respond to the duties and obligations as undertaken by Vendor in this Agreement and shall include, but not be limited to, claims involving infringement of intellectual property, including but not limited to infringement of copyright, trademark, trade dress, invasion of privacy violations, information theft, damage to or destruction of electronic information, release of private information, alteration of electronic information, extortion, and network security. The policy shall provide coverage for breach response costs and regulatory fines directly applicable to Vendor with limits sufficient to respond to these allegations or the applicable Limit of Liability stated in the Agreement. The retroactive coverage date shall not be later than the effective date of this Agreement. Vendor shall maintain this coverage for the duration of this Agreement and for a period of not less than one (1) year after the expiration, cancellation, or termination of this Agreement.

10.    Termination and Survival

  1. Vendor shall cease to process Protected Information upon the termination or expiration of the Agreement.
  2. The provisions in these Terms relating to the protection of Protected Information shall survive termination of the Agreement or these Terms and remain in effect for as long as Vendor has Protected Information.

11.    Miscellaneous

  1. Vendor agrees that BigID has the right to unilaterally amend, with reasonable notice provided to Vendor, the requirements of this Addendum to the extent required to remain in compliance with state or federal legislation containing additional or different standards related to the handling of Personal Data, and such amendments shall automatically take effect sixty (60) days after such notice is provided (or sooner where required to comply with law).
  2. Except as amended by this DPA, the Agreement will remain in full force and effect.
  3. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
  4. Any claims brought under this DPA shall be subject to the terms and conditions of the Agreement, including but not limited to the exclusions and limitations included therein.

SCHEDULE 1 – DETAILS OF THE PROCESSING

Nature and Purpose of Processing
Vendor (and any Sub-processors it engages) will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by BigID in its use of the Services. This includes:

To be filled out by Vendor

Duration and frequency of Processing, and period for which Personal Data will be retained

To be filled out by Vendor

Categories of Data Subjects
BigID may submit Personal Data to the Services, the extent of which is determined and controlled by BigID in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

To be filled out by Vendor

Type of Personal Data
BigID may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

To be filled out by Vendor

SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES INFORMATION

When the Standard Contractual Clauses apply:

  • Annex I.A is completed with the names, addresses and contact persons of the parties as set out in the Agreement.
  • The signatures of each party and date of this DPA are deemed to be inserted.
  • The role of BigID is specified as “controller” and the role of the Vendor is specified as “processor”.
  • Annex I.B is completed with the information set out in Schedule 1 to this DPA, as well as the details of the restrictions and safeguards set out in Schedule 3 to this DPA which, taking into consideration the nature of the data and the risks involved, apply to all Personal Data transferred, including sensitive data.
  • Annex II is completed with the details of the technical and organisational measures set out in Schedule 3 to this DPA.
  • Annex I.C is completed as follows:
    • Where BigID’s processing of the Personal Data does not fall within scope of the EU GDPR, then the UK Information Commissioner’s Office is inserted as the competent supervisory authority, as per the UK Addendum.
    • Where BigID’s processing of the Personal Data falls within scope of the EU GDPR, then the competent supervisory authority will be either (i) the supervisory authority in the EU member state in which BigID is established, or (ii) (if BigID is not established in the EU) the EU member state in which Customer has appointed its EU representative, or (iii) (if Customer is not established in the EU and has not appointed an EU representative) the Irish Data Protection Commission.
  • Option 1 is deleted from clause 9(a) and (subject to Section 6.4 of this DPA) the relevant time period shall be fourteen (14) calendar days. The “agreed list” referred to in this provision shall be the Sub-processor List referred to in Section 6.2 of this DPA.
  • The optional wording at clause 11(a) is deleted.
  • Option 2 is deleted from clause 17, and:
    • where BigID’s processing of the Personal Data does not fall within scope of the EU GDPR, then the governing law shall be the laws of England and Wales; but
    • where BigID’s processing of the Personal Data falls within scope of the EU GDPR, the governing law shall be the law of the Republic of Ireland.
  • Clause 18(b) is completed as follows:
    • Where BigID’s processing of the Personal Data does not fall within scope of the EU GDPR, with the words “England and Wales”; or
    • Where BigID’s processing of the Personal Data falls within scope of the EU GDPR, with the words “the Republic of Ireland”.

When the UK Addendum applies, then in addition to the information relating to the Standard Contractual Clauses set out in this Schedule above:

  • Table 1 is completed with the start date being the date of the Agreement, and the legal and trading names, main address, official registration number, key contact name, job title and contact details (including email address) of the Parties as set out in the Agreement. The signatures of each party are deemed to be inserted in the main Agreement.
  • Tables 2 and 3 are completed with the information about the Standard Contractual Clauses set out in this Schedule above, applying as relevant to a transfer in accordance with Clause 4.4 of this DPA. The first option in Table 2 is selected, and that table is completed with the date of the Agreement.
  • Table 4 is completed so that either Party may end the UK Addendum if the UK Addendum is changed by the UK Information Commissioner’s Office, and the Parties agree that once the UK Addendum has ended then BigID will no longer transfer personal data subject to the UK GDPR to the Customer under the Agreement and this DPA unless an alternative transfer safeguard has been put in place to BigID’s reasonable satisfaction.

SCHEDULE 3 – SECURITY MEASURES

This Schedule 3, Security Measures (“Security Measures”), is incorporated by reference to and made a part of the Data Processing Agreement (“DPA”). All capitalized terms not defined in these Security Measures or in the DPA shall have the meaning set forth in the Agreement. Vendor shall apply the following safeguards to help protect data and other information (including metadata) (“Data”) that BigID or its customers or other end users import into, or create in using, Vendor’s products and services (“Services”) or otherwise provide to Vendor:

1. Information Security Program

Vendor shall maintain a comprehensive, written information security program consistent with industry standards of organizational, operational, administrative, physical, and technical safeguards governing the processing, storage, and transmission of Data and appropriate to the risks represented by the processing of Data within the context of Services under the Agreement and to prevent any access to Data in a manner not authorized by the Agreement or this Schedule. Vendor shall define responsibility for the ongoing review of information security program to reasonably ensure its continuing suitability, adequacy, and effectiveness. Such program shall include at a minimum, but shall not be limited to, the requirements of this Schedule.

2. Secure Application Development and Testing

  1. Vendor shall follow secure application development and coding practices and shall establish an application development and maintenance framework that protects the security and integrity of the Data and Services in accordance with the OWASP Secure Coding Practices Quick Reference Guidelines and materials referenced therein, as updated periodically.
  2. Vendor shall use leading continually updated programs designed to ensure that the Services will be free of any virus, malware, program routine, device, or other undisclosed feature (collectively, “Malware”), including, without limitation, a time bomb, software lock, drop-dead device, malicious logic, worm, Trojan horse, or trap door, that is capable of deleting, disabling, deactivating, corrupting, damaging, impairing, disrupting, modifying, erasing, interfering with, or otherwise harming or providing unauthorized access to the Data, or BigID’s or any other parties’ other information or data, hardware, virtual machines, containers, programs, codes, resources, or databases.
  3. Vendor shall conduct vulnerability scans/penetration testing of the Services at least every six months, and shall engage a reputable third-party service provider to perform such testing at least annually. Upon request, Vendor shall provide vulnerability assessment summaries or attestation letters and a description of corrective action plans. BigID may perform or engage a third party to perform vulnerability scans/penetration testing of the Services.
  4. Vendor shall classify Malware and security vulnerabilities in accordance with industry standard risk rating methodologies (such as NIST) and take prompt appropriate actions to mitigate risks before Vendor is able to provide a security patch. Vendor shall install a suitable, tested security patch release that fully removes or remediates identified Malware and vulnerabilities within the next 7 days for Critical, 30 days for High, 90 days for Moderate, or 180 days for Low Risk. If the Data has been adversely affected by the Malware or a vulnerability, Vendor shall assist and cooperate with BigID with any necessary or appropriate disclosures and other investigative, remedial, and monitoring measures.

3. Breach Notifications 
Vendor shall, as soon as reasonably possible and no more than forty-eight (48) hours after Vendor becomes aware, notify BigID by e-mail at [email protected] of any Data Security Breach, including all relevant facts which Vendor knows or has reason to believe has or may have occurred or is investigating. Vendor shall assist and cooperate with BigID with any necessary or appropriate disclosures and other investigative, remedial, and monitoring measures as a result of any Data Security Breach. “Data Security Breach” herein means an actual or reasonably suspected unauthorized disclosure of, access to, or acquisition, processing, transfer, or disposal of, Data through a security breach, loss or corruption or any other circumstances.

4. Security Incident Responses
Vendor shall maintain a security incident response team of qualified personnel who are capable of meeting on short notice to address any incidents, and can focus on implementing procedures in the event of any Data Security Breach or breach of any application or system directly associated with the accessing, processing, storage, communication, or transmission of Data. Such procedures shall include: (a) assessing the risk the incident poses and determining who may be affected; (b) internal reporting as well as the “Breach Notification” process described further above; (c) keeping a permanent record of what was done and by whom to help in later analysis and possible legal action; (d) conducting and documenting root cause analysis and remediation plan; and (e) full and timely remediation of the Data Security Breach and any related breach of any application or system.

5. Other Notifications 

Vendor shall, as soon as reasonably possible and without undue delay after Vendor becomes aware, and no more than 48 hours, notify BigID by e-mail at [email protected] of:

  1. Any request for access to, or information about, any Data from any government official (including any data protection agency or law enforcement agency), and any requests, complaints or other communications regarding an individual’s personal information received from any such individual whose personal information is or may be included in the Data. Vendor understands that it is not authorized to respond to these requests, unless explicitly authorized by BigID, except for a request received from a governmental agency with a subpoena or similar legal document compelling disclosure by Vendor, provided that Vendor notifies BigID in advance of any such disclosure, where possible; or
  2. Any Malware (as defined above) or vulnerability within the Services or the related network or systems that store and process Data that presents a risk to the security of Data or is likely to have an adverse impact on BigID or its customers or end users.

6. Encryption
Vendor shall encrypt all records and files containing Data, both at rest and in transit, using an up-to-date industry-standard encryption standard for confidential data and personal information.

7. Background Checks & Security Training 
Vendor shall obtain appropriate background checks for all persons (employees, contractors, or subcontractors, etc.) who may have access to Data or any development or testing environments or source code (“Applicable Persons”). Vendor will not permit any Applicable Persons to have access to Data, development or testing environments or source code, if such parties fail to pass such background check. Without limiting the generality of the foregoing, to the extent consistent with applicable laws, Vendor will not permit any Applicable Persons to have any such access if the person has been convicted of, or pleaded guilty or nolo contendere to, a felony or misdemeanor involving theft, dishonesty, fraud, or computer-related crimes, during the prior seven (7) years. Vendor shall provide an appropriate level of supervision, guidance, and training on information security program safeguards and the importance of personal information security to Applicable Persons before such access is granted and subsequently on an annual basis.

8. Continuity of Business Operations
Vendor shall have business continuity and disaster recovery plans established to maintain a level of service consistent with its obligations of the Agreement and industry standards, including but not limited to procedures to backup all Data daily. Vendor shall periodically, and in any event at least once per year, fully and successfully test such business continuity and disaster recovery plans. Upon request, Vendor shall provide test activity logs and test results for review by BigID. Backup datasets shall be appropriately protected via strong access controls, encryption, and the other requirements of this Schedule.

9. Separate Data Center Provider or Other Subcontractors (if applicable) 
If Vendor uses a third party’s data center to host Vendor’s Services, or a subcontractor to provide any portion of the Services or related support services, Vendor must ensure that the third party complies with all requirements applicable to Vendor herein. Vendor shall notify BigID immediately if the third-party provider fails to comply with the requirements herein, including but not limited to any failure to maintain up-to-date third-party security certifications, validations, audits, or other credentials.

10. Physical and Environmental Security

  1. Vendor shall establish a security perimeter around the data processing facilities and physical work environment where Data is stored or processed which includes (i) physical entry controls to reasonably ensure that only authorized individuals gain access to such facilities and (ii) environmental controls to reasonably protect against damage from fire, flood, and other forms of man-made or natural disasters.
  2. Passage through the physical barriers shall be established either through electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and other third parties shall be assigned photo-ID badges that must be worn while at the facilities.
  3. Visitors shall be required to sign in with designated personnel, show appropriate identification, and be assigned a visitor ID badge that must be worn while the visitor is at any of the facilities, and shall be continually escorted by authorized employees or contractors while visiting the facilities.
  4. Vendor shall only provide access to the facilities to those employees and third parties who have a legitimate business need for such access privileges. When an employee or third party no longer has such a business need for the access privileges assigned to him/her, the access privileges shall be promptly revoked, even if the employee or third party continues to be an employee of or have a third-party relationship with Vendor.
  5. Vendor shall maintain throughout data processing facilities fire, smoke, heat, and water detection and fire suppression mechanisms. Sufficient power backup systems to ensure uninterrupted power supply shall be established as appropriate.

11. Restrictions on Access to Data; Controls
The Data is strictly confidential. To the extent that BigID permits Vendor or its personnel, contractors, or subcontractors to have access to any Data, the following provisions shall apply:

  1. Vendor shall make Data available only to its employees or third parties who have a legitimate business need to access Data in order to assist Vendor in carrying out its Agreement obligations with BigID, who are bound by legally enforceable confidentiality, privacy, and data security obligations at least equivalent to those provided in the Agreement and this Schedule, and who have received training on the appropriate processing of Data. In addition, BigID’s consent must be obtained each time that any such person is provided with access to any Data. Consent shall be in writing (e.g., an email), or granted by BigID’s initiation of a screen share session.
  2. Vendor shall have a formal user access management process whereby user access is formally requested, approved upon identity verification, and is granted based on the need to know utilizing the concept of least privilege. Access to Data shall be restricted only to active users and active user accounts. Access of terminated employees or those who no longer need such access shall be revoked immediately. Processes shall be established to periodically review user access to Vendor’s facilities and systems that store and process Data.
  3. Vendor shall use secure user authentication protocols, including assigning a unique user ID and a strong password to each person with computer access.
    1. Passwords shall not be vendor-supplied default passwords and shall be kept in a location and/or format that does not compromise the security of the data they protect.
    2. The display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties are not able to observe or subsequently recover them. Passwords must not be logged or captured as they are being entered. User passwords must be stored and transmitted only with cryptographic protection.
    3. Passwords for each technology must be chosen to mitigate the risks associated with known password length vulnerabilities in accordance with industry-standard best practices. In no case may the minimum password length be configured to be less than twelve (12) characters. Passwords must contain characters from at least three (3) of the following four (4) character classes: upper-case letters, lower-case letters, numeric digits, and special characters (such as $, &, #, @, etc.).
    4. When supported by the specific technology being implemented, a mechanism must be in place to prevent the reuse of at least the last twenty-four (24) passwords. Passwords must be changed after incidents and otherwise per industry-standard best practices.
  4. User IDs and passwords must not be shared without formal approval from BigID for systems that store, access, and transmit Data.
  5. A user ID shall be locked after five (5) unsuccessful attempts to gain access. Inactivity timeouts of no longer than 30 minutes shall be established for all systems and applications that store Data.
  6. Vendor shall establish reasonable monitoring of systems for unauthorized use of or access to Data. Actual or attempted logon violations and access violations shall be logged. These logs shall be protected during their lifetime to ensure confidentiality and integrity and retained for the duration of the Agreement. Upon request, the logs shall be provided in a secure electronic format to BigID.
  7. Remote access to Vendor’s network, systems, and applications that store Data shall be established upon a formal approval, using strong authentication. Remote access activity shall be logged and monitored. Remote access to BigID network shall be established only upon request and in accordance with BigID policies.
  8. Vendor shall maintain records of all access requests and logs of access activities for all systems that store, access, process and transmit Data for a period of no less than 180 days. Upon request, Vendor shall provide such records to BigID for review.
  9. Vendor shall ensure separation of duties for security administration, access review, and security violation investigations. Vendor shall establish separation between development and operations personnel, as well as other potentially conflicting roles.
  10. Storage, hosting, and processing of Data must be logically separate from that of other companies serviced by Vendor. In instances where a shared storage, hosting or processing work area is authorized by BigID, proper due diligence must be followed by Vendor to prevent the inadvertent disclosure of Data.
  11. Vendor shall enforce clean desk/clear screen policies to make sure that Data is not left unattended in any public place at any time.
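The password and lockout controls in Sections 11.3 and 11.5 above are stated as contractual requirements; the following Python module is an added illustration of how a vendor could enforce them in a credential service, and is not part of this DPA or of any BigID or Vendor system. The numeric thresholds (12 characters, 3 of 4 character classes, 24-password history, 5 failed attempts) are the Schedule's own; the default-password list, the PBKDF2 parameters, and the sample history used for the check are constructed assumptions.

```python
"""Password-policy and lockout checks modelled on Sections 11.3 and 11.5 of
this Schedule.  Added illustration; not part of the DPA.  The default-password
set and the hashing parameters below are assumptions for the example."""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # 11.3.3: never configure a minimum below 12
MIN_CLASSES = 3          # 11.3.3: at least 3 of 4 character classes
HISTORY_DEPTH = 24       # 11.3.4: no reuse of the last 24 passwords
MAX_FAILED_ATTEMPTS = 5  # 11.5:   lock the user ID after 5 failures

# Constructed sample of vendor-supplied defaults (11.3.1).  A real deployment
# would load a maintained list rather than hard-code a handful of strings.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome123!"}

# Assumed PBKDF2 work factor; production should match the primary credential
# store so the history entries are no weaker than the live password hash.
PBKDF2_ITERATIONS = 100_000


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # $, &, #, @, etc.
    ])


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256.  The history stores only (salt, digest)
    pairs, so old passwords are never kept in clear (11.3.2)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused(password: str, history: list) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time compare
            return True
    return False


def validate_password(password: str, history=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("vendor-supplied default password")
    if reused(password, list(history)):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


class LoginAttempts:
    """Lock a user ID after MAX_FAILED_ATTEMPTS consecutive failures (11.5).
    Once locked, even a correct password is refused until an administrator
    unlocks the account through the formal access process (11.2)."""

    def __init__(self):
        self.failed = {}
        self.locked = set()

    def record(self, user_id: str, success: bool) -> str:
        if user_id in self.locked:
            return "locked"
        if success:
            self.failed[user_id] = 0
            return "ok"
        self.failed[user_id] = self.failed.get(user_id, 0) + 1
        if self.failed[user_id] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user_id)
            return "locked"
        return "failed"


if __name__ == "__main__":
    old_salt, old_digest = hash_password("Correct-Horse-Battery-9")   # constructed history
    print(validate_password("password"))
    print(validate_password("Correct-Horse-Battery-9", [(old_salt, old_digest)]))
    tracker = LoginAttempts()
    print([tracker.record("alice", False) for _ in range(MAX_FAILED_ATTEMPTS)])
```

Two points of the Schedule drive the design: history entries are stored only as salted hashes, so a leak of the history table does not expose former passwords, and the reuse comparison is constant-time. The history check costs one PBKDF2 evaluation per stored entry, which is why the work factor should be chosen once for the whole credential store rather than per check.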

12. Network Security

  1. Vendor shall use up-to-date versions of system security products such as firewalls, proxies, web application firewalls, and interfaces. Such products must include malware protection and up-to-date patches and virus definitions, and must be set to receive the most current security updates on a regular basis. Vendor shall have current antivirus and malware programs installed and running to scan for and promptly remove viruses and malware on all laptops, servers, and networks.
  2. Vendor shall have a patch management process that includes testing patches before installation on all systems used to store, access, and transmit Data or are used to deliver Services to BigID.
  3. Vendor shall ensure that system administrators maintain complete, accurate, and up-to-date information regarding the configuration of all information systems used to store, access, and transmit Data.
  4. Vendor shall maintain intrusion detection and/or prevention and monitoring and response processes in a manner which shall identify both internal and external vulnerabilities and risks that could result in unauthorized disclosure, misuse, alteration, or destruction of Data or information systems that are used to deliver Services to BigID.
  5. Vendor shall subscribe to vulnerability intelligence services or to information security advisories and other relevant sources providing current information about system vulnerabilities.
  6. Vendor shall perform quarterly vulnerability scans/penetration testing assessments of its network, and shall engage a reputable third-party service provider to perform such testing at least once per year. Upon request, Vendor shall provide vulnerability assessment summaries or attestation letters and a description of corrective action plans. BigID may perform or engage a third party to perform vulnerability scans/penetration testing of the Services.
  7. Vendor shall classify network security vulnerabilities in accordance with industry standard risk rating methodologies and take prompt appropriate actions to mitigate risks before Vendor is able to obtain and install a security patch. Vendor shall install a suitable, tested, security patch release that fully removes / remediates identified network vulnerabilities within the next 7 days for Critical, 30 days for High, 60 days for Moderate, or 90 days for Low Risk. If the Data has been adversely affected by the exploitation of a network vulnerability, Vendor shall assist and cooperate with BigID with any necessary or appropriate disclosures and other investigative, remedial, and monitoring measures.
  8. Vendor shall maintain network and remote access logs for at least six (6) months, and make them available to BigID upon request.

13. Asset Management 
Vendor must have and use a documented process and tools for tracking both physical and data assets used in developing, testing, or providing the Services, including appropriate persons with responsibility for each asset.

14. Data Return and Destruction 
At BigID’s written option within thirty (30) days after the termination of this Agreement, Vendor shall at its expense either: (a) securely deliver all Data to BigID in an industry standard non-proprietary format, or (b) arrange for the secure and permanent destruction of all Data from the Services and all related hardware and other resources, including but not limited to all back-up resources and any storage media. Upon BigID’s request, Vendor shall provide a written confirmation of Data return and destruction.

15. Audits and Inspections

Vendor shall at its expense undergo an industry standard security framework third party audit or attestation (e.g., SOC 2, Type 2) performed by an independent organization and shall provide to BigID upon request a report produced at least once a year as a verification and assurance of the effectiveness of internal controls over the handling of Data. The scope of such audit shall include the environment used to process Data and host systems that store, access, and transmit Data. The audit must cover, at a minimum, a test of effectiveness of internal controls around: (i) data center physical security and environmental controls; (ii) personnel security; (iii) logical and physical user access controls; (iv) segregation of duties; (v) infrastructure security; (vi) security operations; (vii) information security incident management; (viii) change management; (ix) monitoring and review controls; (x) application controls; and (xi) business continuity. BigID may terminate the Agreement in whole or in part without any liability if such audit report identifies material failures and Vendor does not repair such material failures within thirty (30) days following receipt of BigID’s notice requiring Vendor to do so; in such case, Vendor shall provide a prorated refund of any prepaid fees.

BigID may require that Vendor accurately and completely fill out a standard form of data security questionnaire on an annual basis, or more frequently in case of a Data Security Breach. In addition, in case of Data Security Breach, Vendor agrees to provide BigID with copies of and/or reasonable information concerning Vendor’s written information security program, and BigID shall also have the right to conduct (or have a third party professional conduct) reasonable inspections and/or audits of Vendor’s information security protocols at Vendor’s facilities where Data is processed or where systems that store, access and transmit Data are hosted. Vendor agrees to cooperate with BigID regarding such inspections or audits. BigID will endeavor to conduct such inspections or audits in a manner that does not unreasonably interfere with Vendor’s business operations. Should the findings of an inspection or audit disclose or indicate security problems or concerns, BigID will detail such findings in a notice to Vendor, and work with Vendor to identify means for correcting the problems and addressing the concerns to BigID’s reasonable satisfaction. In the event Vendor cannot correct such problems to BigID’s reasonable satisfaction, BigID shall have the right to terminate this Agreement immediately; in such case, Vendor shall provide a prorated refund of any prepaid fees.


IN WITNESS WHEREOF, the Parties have caused this Addendum and the attached Schedules to be executed below by their duly authorized signatories as of the Addendum Effective Date:

BIGID, INC.

Name: ______________________________

Title: ______________________________

Contact: _____________________________

Date: _______________________________

[VENDOR]

Name: ______________________________

Title: ________________________________

Contact: _____________________________

Date: ________________________________
