Information Security Addendum
This Information Security Addendum (this “Addendum”) forms part of the Master Services Agreement, Terms of Service, End User Agreement, Data Processing Addendum, or other written or electronic agreement by and between Synack, Inc., a Delaware corporation (“Synack”) and the counterparty thereof (“Customer”) (the “Agreement”). Capitalized terms used but not defined in this Addendum have the meanings ascribed in the Agreement.
1. PURPOSE. This Addendum describes the minimum information security standards that Synack shall maintain in connection with the Confidential Customer Information, including information regarding the Customer Materials and any personal data disclosed or made available to Synack by Customer (collectively, the “Customer Data”). Requirements in this Addendum are in addition to any requirements in the Agreement and the Data Processing Addendum, if applicable.
2. SECURITY MEASURES.
2.1 Access control to premises and facilities. Synack shall maintain appropriate security measures to prevent unauthorized physical access to premises and facilities holding the Customer Data, including:
(a) Locked doors;
(b) Access control system using electronic access, biometric access or physical key;
(c) Alarm system;
(d) Video surveillance; and
(e) Logging of facility exits and entries.
2.2 Access control to systems. Synack shall maintain appropriate measures to prevent unauthorized access to its information technology systems, including:
(a) Unique login identifiers assigned to each user;
(b) Prohibition of shared non-machine accounts in all circumstances;
(c) Required password procedures (including minimum length and complexity requirements and forced password changes);
(d) Prohibition of guest users or anonymous accounts;
(e) Central management of system access;
(f) Tracking of access change requests;
(g) Privileged access restrictions (whereby access is subject to existing access rights and approval from management);
(h) Quarterly access checks to ensure access levels are appropriate for the roles each user performs;
(i) Monitoring of all access control changes to accounts and groups (including creation, modification, and deletion);
(j) Network access control for all information technology systems (requiring hosts to be preauthorized and authenticated to the network and ensuring hosts are running the minimum set of information security controls prior to being granted access);
(k) Required multi-factor authentication through a VPN tunnel from a pre-authorized machine for remote access to the internal corporate network and consoles; and
(l) Full suite of firewall controls that monitors inbound and outbound traffic against a pre-established set of permissible traffic flows.
2.3 Access control to data. Synack shall maintain appropriate security measures to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures include the following:
(a) Principle of least privilege applied to all access request decisions;
(b) Access rights defined according to duties, with appropriate levels of access allocated according to the “need to know” principle;
(c) Differentiated access rights through Role Based Access Controls (RBAC);
(d) Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment;
(e) Host-based device management and data loss prevention software on all hosts (monitoring the movement of sensitive data to and from the host), which a host must be running before it is admitted to the network through network access control; and
(f) Row level access controls on all databases containing sensitive information to restrict access of data objects to specific users.
2.4 Disclosure control. Synack shall maintain appropriate security measures to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures include:
(a) Compulsory use of a wholly-owned and managed private network for all data transfers within the corporate group;
(b) Full-disk encryption required on all end-user devices to protect against data incidents through theft or loss, together with Device Management and Data Loss Prevention controls capable of remotely wiping data from the device (a device must be running these controls to join the network through network access control);
(c) Audit trail creation for all data access and transfers across all information systems, including but not limited to date and time of event, type of action performed, and name of files accessed; and
(d) Encryption of all sensitive data to protect against theft or loss of database files in transit and at rest.
2.5 Input control. Synack shall maintain appropriate security measures to ensure that all data management and maintenance is logged, and that an audit trail exists showing whether data have been entered, changed or removed (deleted) and by whom. These measures include:
(a) Creating an audit trail for all user actions across all information systems, including but not limited to date and time of event, type of action performed, and process used;
(b) Ensuring that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment; and
(c) Ensuring that it is possible to verify and establish which personal data have been entered into automated data processing systems and when and by whom the data have been entered.
2.6 Job control. Synack shall maintain appropriate security measures to ensure that Customer Data is processed strictly in compliance with Customer’s instructions, including unambiguous wording of contractual instructions and monitoring of contract performance.
2.7 Availability control. Synack shall maintain appropriate security measures to ensure that data are protected against destruction or loss, whether accidental or malicious, including:
(a) Ensuring that installed systems may be restored in the event of an interruption;
(b) Ensuring that systems are functioning and faults are reported;
(c) Ensuring stored personal data cannot be corrupted by means of a malfunctioning of the system;
(d) Uninterruptible power supply (UPS) for critical information systems;
(e) Automated backup of user- and system-level data across information systems, with off-site storage of backups;
(f) Business Continuity and Disaster Recovery Plans and Procedures;
(g) Prohibition of portable or removable media and enforcement through device management policy; and
(h) Anti-malware and Intrusion Detection/Prevention solutions with advanced persistent threat detection capabilities, which perform real-time behavior analysis of machine and network behavior.
2.8 Segregation control. Synack shall maintain appropriate security measures to allow data collected for different purposes to be processed separately, including:
(a) Restriction of access to data stored for different purposes according to staff roles and responsibilities;
(b) Segregation of business information system functions; and
(c) Segregation of testing and production information system environments.
2.9 Audit. Synack shall maintain appropriate security measures to ensure proper functioning of controls, including:
(a) Audits and certifications each year to the ISO 27001:2013 standard in multiple locations throughout the world;
(b) Allowing audits multiple times throughout the year by external clients as part of their own internal risk management processes; and
(c) Audits multiple times each year through internal risk management processes by internal audit teams for application security, vulnerability assessments, and network security.
3. MESSAGING SYSTEM. Customer may from time to time use Synack’s messaging system to communicate with Synack Personnel through the Synack Platform. Synack reserves the right to monitor, intercept and review, without further notice, messages sent or received using the messaging system. Synack may also store copies of such data and communications for a period of time after they are created, and may delete such copies from time to time without notice. Customer acknowledges and agrees that the identity of any Synack Personnel will not be disclosed or otherwise made available to Customer by Synack or through the Synack Platform, and that Synack has no obligation to disclose the identity of any Synack Personnel to Customer.
4.1 Effectiveness. This Addendum will be effective from the date on which it is appended to the Agreement and shall remain in effect throughout the term of the Agreement. In the event of the expiration or termination of the Agreement or this Addendum, Synack’s obligations described in Section 2 of this Addendum will survive for so long as Synack holds, stores or otherwise processes Customer Data.
4.2 Integration. This Addendum forms part of the Agreement and shall be governed by and subject to the terms therein, including, without limitation, provisions regarding limitation of liability, governing law, and notices.