Last Updated: August 3, 2023
This Security Addendum is incorporated into and made a part of the written agreement between Softrip and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein have the meaning given in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum will govern.
THIS SECURITY ADDENDUM DOES NOT APPLY IF THE APPLICATION SOFTWARE IS CUSTOMER-HOSTED. THIS SECURITY ADDENDUM APPLIES SOLELY WHERE SOFTRIP IS THE PARTY HOSTING THE PLATFORM AS PART OF THE SOFTRIP OFFERINGS PURCHASED BY CUSTOMER. THIS SECURITY ADDENDUM DOES NOT APPLY TO ANY PRERELEASES OR THIRD-PARTY PRODUCTS.
- Except where the Application Software is Customer-Hosted, Softrip utilizes the following infrastructure-as-a-service cloud provider: Amazon Web Services (“Cloud Provider”), and provides the Platform to Customer using the production, backup, and development/test environments hosted by such Cloud Provider (“Cloud Environment”).
- Hosting Location of Customer Data
- Hosting Location. Softrip’s hosting location of Customer Data is the United States, unless a different hosting location is mutually agreed on an Order Form.
- Encryption
- Encryption of Customer Data. Softrip encrypts Customer Data at rest using AES 256-bit (or better) encryption. Softrip uses Transport Layer Security (TLS) 1.2 (or better) for Customer Data in transit over untrusted networks.
- Encryption Key Management. Hardware security modules are used to safeguard top-level encryption keys. Softrip logically separates encryption keys from Customer Data.
- System & Network Security
- Cloud Environment Access Controls. All Softrip personnel access to the Cloud Environment is via a unique user ID, consistent with the principle of least privilege, requires a VPN, as well as multi-factor authentication and passwords meeting or exceeding PCI-DSS length and complexity requirements.
- Endpoint Controls. For access to the Cloud Environment, Softrip personnel use Softrip-issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint detection and response (EDR) tools to monitor and alert for suspicious activities and Malicious Code (as defined below), and (iii) vulnerability management in accordance with Section 3.7.3 (Vulnerability Management).
- Separation of Environments. Softrip logically separates production environments from development and test environments.
- Firewalls / Security Groups. Softrip protects the Cloud Environment using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.
- Hardening. The Cloud Environment is hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this Security Addendum.
- Monitoring & Logging.
- Infrastructure Logs. Monitoring tools or services, such as host-based intrusion detection tools, are utilized to log certain activities and changes within the Cloud Environment. These logs are further monitored, analyzed for anomalies, and securely stored, protected against tampering, for at least one year.
- User Logs. Softrip captures logs of certain activities and changes within the Customer’s instance or account within the Platform and may, on request to Softrip, make those logs available to Customer for Customer’s reference.
- Vulnerability Detection & Management.
- Anti-Virus & Vulnerability Detection. The Cloud Environment leverages advanced threat detection tools with daily signature updates, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Softrip does not monitor Customer Data for Malicious Code.
- Penetration Testing. Softrip regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of the Platform at least annually.
- Vulnerability Management. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Platform. Upon becoming aware of such vulnerabilities, Softrip will use commercially reasonable efforts to address private and public (e.g., US-CERT announced) critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. To assess whether a vulnerability is ‘critical’, ‘high’, or ‘medium’, Softrip leverages the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS) score, or where applicable, the US-CERT rating.
- Administrative Controls
- Personnel Security. Softrip requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.
- Personnel Training. Softrip maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding training.
- Personnel Agreements. Softrip personnel are required to sign confidentiality agreements. Softrip personnel are also required to sign Softrip’s information security policy, which includes acknowledging responsibility for reporting security incidents involving Customer Data.
- Personnel Access Reviews & Separation. Softrip reviews the access privileges of its personnel to the Cloud Environment at least quarterly, and removes access on a timely basis for all separated personnel.
- Softrip Risk Management & Threat Assessment. Softrip’s risk management process is modeled on NIST SP 800-53 and ISO 27001.
- External Threat Intelligence Monitoring. Softrip reviews external threat intelligence, including US-CERT vulnerability announcements and other trusted sources of vulnerability reports. US-CERT announced vulnerabilities rated as critical or high are prioritized for remediation in accordance with Section 3.7.3 (Vulnerability Management).
- Change Management. Softrip maintains a documented change management program for the Platform.
- Cloud Environmental Controls
- Cloud Provider Data Centers. The Cloud Provider has appropriate physical and environmental controls for its data centers hosting the Cloud Environment, as audited under the Cloud Provider’s third-party audits and certifications. Softrip selects only Cloud Providers with a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks. The controls for its current Cloud Provider are described at https://docs.aws.amazon.com/security/.
- Incident Detection & Response
- Security Incident Reporting. If Softrip becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Softrip shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware, unless a different notification period is required or permitted under applicable law. To facilitate timely notification, Customer must register and maintain an up-to-date email within the Platform for this type of notification. Where no such email is registered, Customer acknowledges that the means of notification shall be at Softrip’s reasonable discretion, and Softrip’s ability to timely notify shall be negatively impacted.
- Investigation. In the event of a Security Incident as described above, Softrip shall promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year.
- Communication and Cooperation. Softrip shall provide Customer timely information about the Security Incident to the extent known to Softrip, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Softrip to mitigate or contain the Security Incident, the status of Softrip’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Softrip personnel may not have visibility to the content of Customer Data, it may be unlikely that Softrip can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Softrip with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Softrip of any fault or liability with respect to the Security Incident.
- Shared Security Responsibilities. Without diminishing Softrip’s commitments in this Security Addendum, Customer agrees:
- Softrip has no obligation to assess the content, accuracy, or legality of Customer Data, including to identify information subject to any specific legal, regulatory, or other requirement, and Customer is responsible for making appropriate use of the Platform to ensure a level of security appropriate to the particular content of Customer Data, including, where appropriate, implementation of encryption functionality, pseudonymization of Customer Data, and configuration of the Platform to back-up Customer Data;
- Customer is responsible for managing and protecting its User roles and credentials, including but not limited to (i) ensuring that all Users keep credentials confidential and not share such information with unauthorized parties, (ii) promptly reporting to Softrip any suspicious activities related to Customer’s instance of the Platform or account within the Platform (e.g., a user credential has been compromised), (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration;
- To appropriately manage and protect any Customer-managed encryption keys to ensure the integrity, availability, and confidentiality of the key and Customer Data encrypted with such key.