Effective date: October 2, 2021
This IndustryVault Security Addendum (“Security Addendum”) outlines the technical and procedural measures that IndustryVault undertakes to protect Customer Content from unauthorized access or disclosure. IndustryVault maintains these security measures in a manner generally consistent with NIST 800-53 and the Center for Information Security (“CIS”) Benchmarks for Cloud Providers. This Security Policy is referenced in and made a part of your Master Services Agreement with IndustryVault (the “Agreement”), and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement or Documentation, as applicable. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.
Customer Content Access and Management
- IndustryVault controls User access to the Customer’s Account in the Services via usernames and passwords.
- IndustryVault Personnel do not have access to unencrypted Customer Content unless the Customer approves access pursuant to an Order Form or SOW authorizing access to IndustryVault Personnel. If such access is granted, IndustryVault Personnel are prohibited from storing Customer Content on local desktops, laptops, mobile devices, shared drives, removable media such as USB drives, or on public facing systems that do not fall under the administrative control or compliance monitoring processes of IndustryVault.
- IndustryVault uses Customer Content only as necessary to provide the Services to Customer, as provided in the Agreement.
- Customer Content is processed or stored using Cloud Providers in the Services Region requested by Customer.
- IndustryVault shall create and maintain data flow diagram(s) indicating how Customer Content flows through the Services (“Data Flow Diagrams”) and shall provide Data Flow Diagrams upon Customer’s reasonable request. Data Flow Diagrams are IndustryVault Confidential Information.
Encryption and Logical Separation of Customer Content
- The Services always encrypt Customer Content while at rest with AES 256-bit encryption.
- The Services encrypt Customer Content in transit with Transport Layer Security (“TLS”) 1.2 when communicating across untrusted networks such as the public internet. Upon written request, at an additional cost, IndustryVault also will encrypt in transit when communicating inside the Cloud Private Network.
Services Infrastructure Access Management
- Password policy for the Services adheres to the PCI-DSS password requirements.
- Access to the Cloud Provider systems and infrastructure that support the Services is restricted to IndustryVault Personnel who require such access as part of their job responsibilities.
- Unique User IDs are assigned to IndustryVault Personnel requiring access to the Cloud Provider servers that support the Services.
- Access privileges of separated IndustryVault Personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
- User access to the systems and infrastructure that support the Services is reviewed quarterly.
- Access attempts to the systems and infrastructure that support the Services are logged, monitored, and alerted for suspicious activities.
- Cloud Provider network security groups have deny-all default policies and only enable business-required network protocols for egress and ingress network traffic. The Services only allow the TLS 1.2 protocol from the public internet.
- IndustryVault’s Risk Management process is modeled on NIST 800-53 Tier 3.
- IndustryVault conducts risk assessments of various kinds throughout the year, including self- and third-party assessments and tests, automated scans, and manual reviews.
- Results of assessments, including formal reports as relevant, are reported to the Security Committee. The Security Committee meets quarterly to review reports, identify control deficiencies and material changes in the threat environment, and make recommendations for new or improved controls and threat mitigation strategies to senior management.
- Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis.
- Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.
Vulnerability Scanning and Penetration Testing
- Vulnerability scans are automatically performed monthly on systems required to operate and manage the Services. The vulnerability database is updated regularly.
- Scans that detect vulnerabilities meeting IndustryVault-defined risk criteria automatically trigger notifications to security personnel.
- The potential impact of vulnerabilities that trigger alerts is evaluated by staff.
- Vulnerabilities that trigger alerts and have published exploits are reported to the Security Committee, which determines and supervises appropriate remediation action.
- Vulnerabilities are prioritized based on potential impact to the Services, with “critical” and “high” vulnerabilities typically being addressed within 30 days of discovery and “medium” vulnerabilities being addressed within 90 days of discovery.
- Security management monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.
- Penetration tests by an independent third-party expert are conducted at least every six months.
Remote Access & Wireless Networks
- All access by IndustryVault Personnel to Cloud Providers requires successful authentication through a secure connection via approved methods (i.e., Cloudflare Access), and is enforced with mutual certificate authentication and multi-factor authentication (“MFA”).
- Secure access is further enforced by mutual TLS authentication.
- All corporate and remote offices, including LAN and WiFi networks in those offices, always will be considered to be untrusted networks.
System Event Logging, Monitoring & Alerting
- Monitoring tools and services are used to monitor the Services’ systems, including network activity, server events, API security events, availability events, and resource utilization.
- Security event logs are collected in a central system and protected from tampering. Logs are stored for a minimum of 90 days.
- All IndustryVault-provided user endpoints have Endpoint Detection & Response (“EDR”) tools to monitor and alert for suspicious activities and potential malware.
- All Cloud Providers leverage advanced threat detection tools to monitor and alert for suspicious activities and potential malware.
System Administration and Patch Management
- IndustryVault creates, implements and maintains system administration procedures for systems with access to Customer Content that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications) and proper installation of threat detection software, as well as daily signature updates of same.
- IndustryVault uses the Center for Internet Security (CIS) Benchmarks for secure system configuration.
- IndustryVault Security reviews US-Cert new vulnerability announcements weekly and assesses their impact to IndustryVault based on IndustryVault-defined risk criteria, including applicability and severity.
- Applicable US-Cert security updates rated as “high” or “critical” are addressed within 30 days of the patch release and those rated as “medium” are addressed within 90 days of the patch release.
Security Training and Personnel
- IndustryVault maintains a security awareness program for IndustryVault Personnel, which provides initial education, ongoing awareness, and individual IndustryVault Personnel acknowledgment of intent to comply with IndustryVault’s corporate security policies. New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the IndustryVault Information Security Policy.
- All IndustryVault Personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Customer Content.
- All IndustryVault Personnel are required to review and acknowledge security guidelines annually.
- IndustryVault performs criminal background screening as part of the IndustryVault hiring process, to the extent legally permissible.
- IndustryVault will ensure that its subcontractors, vendors, and other third parties (if any) that have direct access to the Customer Content in connection with the Services adhere to data security standards consistent with NIST 800-53.
The Services are entirely hosted with Cloud Providers, and all physical security controls are managed by the respective Cloud Provider. IndustryVault reviews Cloud Providers’ SOC 2 Type 2 reports annually to ensure appropriate physical security controls:
- Visitor management will include tracking and monitoring physical access, including use of CCTV cameras at all facilities.
- Doors used only as exit points will have only “one way” doorknobs or crash bar exit devices installed, and all doors will be equipped with door alarm contacts.
- Physical access point to server locations will be managed by electronic access control devices.
- Video capturing devices in data centers will have at least 90 days of image retention.
- All access and video systems will be tied into generator or UPS backup systems.
Notification of Security Breach
- A “Security Breach” is (i) the unauthorized access to or disclosure of Customer Content, or (ii) the unauthorized access to the systems within the Services that transmit or store Customer Content.
- IndustryVault will notify Customer in writing within seventy-two (72) hours of a confirmed Security Breach.
- Such notification will describe the Security Breach and the status of IndustryVault’s investigation.
- IndustryVault will take appropriate actions to contain, investigate, and mitigate the Security Breach.
Business Continuity and Disaster Recovery
- IndustryVault maintains a Business Continuity and Disaster Recovery Plan (“DRP”) for the Services. The DRP is tested annually.
- The Services are managed in different Regions as standalone deployments which can be employed as part of Customer’s DRP strategy. To effectively use the cross-regional availability of the Services for disaster recovery purposes, Customer must designate a specific secondary Region to support its DRP. IndustryVault will back up Customer Content across applicable Regions.
- Customer acknowledges that IndustryVault does not assess the contents of Customer Content, and that the Customer is responsible for making appropriate use of the Services to ensure a level of security appropriate to the particular nature of Customer Content; to manage and protect its accounts, roles and credentials; and to update its Client Software (if any) whenever IndustryVault announces an update impacting the secure use of such Client Software.
- Customer will promptly notify IndustryVault if a User account or password has been compromised, or if Customer suspects possible suspicious activities that could negatively impact security of the Services or Customer’s Account.
- Customer may not perform any security penetration tests or security assessment activities without the express advance written consent of IndustryVault.
- Customers must adopt IndustryVault-required IP whitelisting and MFA in the Services if required by an Order Form or SOW.
How to Contact Us
If you have any questions about this Addendum or other security-related issues, please contact us at [email protected] or IndustryVault LLC, 100 Pine Street, Suite 1250, San Francisco, CA 94111.