Data Security Guide

This Data Security Guide forms a part of the Agreement and describes the measures BugZero takes to protect Customer Data. In the event of any conflict between the terms of this Data Security Guide and the terms of the Agreement with respect to the subject matter herein, this Data Security Guide shall control. All capitalized terms not defined in this Data Security Guide will have the meaning given to them in other parts of the Agreement.

  1. SECURITY PROGRAM

    While providing the Subscription Service, BugZero will maintain a written information security program of policies, procedures and controls governing the processing, storage, transmission and security of Customer Data (the “Security Program”). The Security Program includes industry-standard practices designed to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. BugZero regularly tests, assesses, and evaluates the effectiveness of the Security Program and may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, although no such update will materially reduce the commitments, protections or overall level of service provided to Customer as described herein.

  2. PHYSICAL, TECHNICAL, AND ADMINISTRATIVE SECURITY MEASURES
    1. PHYSICAL SECURITY MEASURES.
    2. DATA CENTER FACILITIES. All physical security facilities are owned and operated by 3rd party Public Cloud Provider(s) (i.e. Amazon Web Services).
    3. TECHNICAL SECURITY MEASURES.
    4. ACCESS ADMINISTRATION. Access to the Subscription Service by BugZero employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production instances. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationships. Production infrastructure includes appropriate user account and password controls (e.g., the required use of complex passwords and a two-factor authenticated connection) and is accessible for administration.
    5. SERVICE ACCESS CONTROL. The Subscription Service provides user and role-based access controls. Customer is responsible for configuring such access controls within its instance.
    6. LOGGING AND MONITORING. Production infrastructure log activity is centrally collected, secured in an effort to prevent tampering, and monitored for anomalies.
    7. FIREWALL SYSTEM. Next generation firewalls and intrusion detection are implemented to protect BugZero systems by inspecting all ingress connections routed to the BugZero environment.
    8. VULNERABILITY MANAGEMENT. BugZero conducts periodic security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, BugZero will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with BugZero’s then-current vulnerability management and security patch management standard operating procedure.
    9. ANTIVIRUS. BugZero updates antivirus, anti-malware, and anti-spyware software on regular intervals and centrally logs events for effectiveness of such software.
    10. CHANGE CONTROL. BugZero ensures that changes to platform, applications, and production infrastructure are evaluated to minimize risk and are implemented following BugZero’s standard operating procedure.
    11. DATA SEPARATION. Customer Data shall be maintained within a logical single-tenant architecture on multi-tenant cloud infrastructure that is logically separate from BugZero’s corporate infrastructure.
    12. ADMINISTRATIVE SECURITY MEASURES.
    13. DATA CENTER INSPECTIONS. BugZero performs routine reviews of 3rd party audits to ensure that it continues to maintain the security controls necessary to comply with the Security Program.
    14. PERSONNEL SECURITY. BugZero performs background screening on all employees and all contractors who have access to Customer Data in accordance with BugZero’s then-current applicable standard operating procedure and subject to Law.
    15. SECURITY AWARENESS AND TRAINING. BugZero maintains a security awareness program that includes appropriate training of BugZero personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at BugZero.
    16. VENDOR RISK MANAGEMENT. BugZero maintains a vendor risk management program that assesses all vendors that access, store, process, or transmit Customer Data for appropriate security controls and business disciplines.
  3. SERVICE CONTINUITY
    1. DATA MANAGEMENT; DATA BACKUP. BugZero will host Customer’s access to and use of purchased instances of the Subscription Service in a public cloud provider’s secure platform. The production database servers use redundant storage and reside in multiple availability zones, making it possible to access this data in the event of a disaster. BugZero backs up all Customer Data in accordance with BugZero’s standard operating procedures.
  4. MONITORING AND INCIDENT MANAGEMENT
    1. MONITORING, MANAGEMENT AND NOTIFICATION.
    2. INCIDENT MONITORING AND MANAGEMENT. BugZero will monitor, analyze, and respond to security incidents in a timely manner in accordance with BugZero’s standard operating procedure. BugZero’s support group will escalate and engage response teams as may be necessary to address an incident.
    3. BREACH NOTIFICATION. BugZero will report to Customer any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a “Breach”) without undue delay following determination by BugZero that a Breach has occurred.
    4. REPORT. The initial report will be made to Customer security or privacy contact(s) designated in BugZero’s customer support portal (or if no such contact(s) are designated, to the primary contact designated by Customer). As information is collected or otherwise becomes available, BugZero shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Customer to notify relevant parties, including affected Data Subjects, government agencies, and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information of the BugZero contact from whom additional information may be obtained. BugZero shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches.
    5. CUSTOMER OBLIGATIONS. Customer will cooperate with BugZero in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Customer is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
    6. USE OF AGGREGATE DATA. BugZero may collect, use, and disclose quantitative data derived from Customer’s use of the Subscription Service for industry analysis, benchmarking, analytics, marketing, and other business purposes in support of the provision of the Subscription Service. Any such data will be in aggregate form only and will not contain Customer Data.
    7. COOKIES. When providing the Subscription Service, BugZero uses cookies to: (a) track session state; (b) route a browser request to a specific node when multiple nodes are assigned; and (c) recognize a user upon returning to the Subscription Service. Customer shall be responsible for providing notice to, and collecting any necessary consents from, its authorized users of the Subscription Service for BugZero’s use of cookies.
  5. SHARING THE SECURITY RESPONSIBILITY
    1. PRODUCT CAPABILITIES. The Subscription Service has the capabilities to: (a) authenticate users before access; (b) encrypt passwords; (c) allow users to manage passwords; (d) prevent access by users with an inactive account; and (e) encrypt data in transit where possible. Customer manages each user’s access to and use of the Subscription Service by assigning to each user a credential and user type that controls the level of access to the Subscription Service. Customer shall be responsible for implementing encryption and access control functionalities available within the Subscription Service for protecting all Customer Data containing sensitive data, including credit card numbers, social security and other government-issued identification numbers, financial and health information, Customer Data, and any Personal Data deemed sensitive or “special categories of personal data” under Data Protection Laws. Customer is solely responsible for its decision not to encrypt such data and BugZero will have no liability to the extent that damages would have been mitigated by Customer’s use of such encryption measures. Customer is responsible for protecting the confidentiality of each user’s login and password and managing each user’s access to the Subscription Service.
    2. CUSTOMER COOPERATION. Customer shall promptly apply any Upgrade or Update that BugZero determines is necessary to maintain the security, performance, or availability of the Subscription Service.
    3. LIMITATIONS. Notwithstanding anything to the contrary in this Data Security Guide or other parts of the Agreement, BugZero’s obligations extend only to those systems, networks, network devices, facilities, and components over which BugZero exercises control. This Data Security Guide does not apply to: (a) information shared with BugZero that is not Customer Data; (b) data in Customer’s VPN or a third-party network; (c) any data processed by Customer or its users in violation of the Agreement or this Data Security Guide; or (d) Integrated Products. For the purposes of this Data Security Guide, “Integrated Products” shall mean BugZero-provided integrations to third-party products or any other third-party products that are used by Customer in connection with the Subscription Service. Customer agrees that its use of such Integrated Products will be: (i) in compliance with all Laws, including but not limited to, Data Protection Laws; and (ii) in accordance with its contractual agreement with the provider of such Integrated Products. Any Personal Data populated from the Integrated Products to the Subscription Service must be collected, used, disclosed and, if applicable, internationally transferred in accordance with Customer’s privacy policy, which will adhere to Data Protection Laws.