This Security Requirements document describes the safeguards and the technical, physical and organizational precautions undertaken by BeyondTrust to ensure that the data of our customers (each, a “Customer”) is reasonably protected from unauthorized access and disclosure. This document constitutes the Security Requirements referenced in the Agreement between the parties, including the BeyondTrust Software License Subscription Agreement.
1.0 Definitions
“De-identification” or “de-identified” means removing, obscuring, masking, or obfuscating enough Personal Data from a record that the remaining information does not identify an individual and there is no reasonable basis to believe that it can be used to identify an individual.
“Extended Workforce” is defined as any third party with access to Customer Data through, or under BeyondTrust, including sub-contractors and sub-contractors of whatever tier.
“Information Processing System(s)” is defined as the individual and collective electronic, mechanical, and software components of BeyondTrust’s operations that store or protect Customer Data.
“Information Security Event” is defined as any situation where Customer Data is lost; is subject to unauthorized or inappropriate access, use, or misuse; the security, confidentiality, or integrity of the information is compromised; or the availability of Information Processing System(s) is compromised by external attack.
“Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by applicable Data Protection Laws and which is provided by the Customer to BeyondTrust pursuant to a Data Processing Addendum (“DPA”) and any Agreement in connection with the provision of Services. Personal Data also includes any information which can be used to distinguish or trace an individual’s identity, alone or when combined with other personal or identifying information.
“Customer Data” means all graphic user interface, text, content, images, video, designs, products, computer programs, drawings, documentation, and other materials of any kind posted, submitted, provided or otherwise made available to BeyondTrust by Customer in connection with the Service being provided.
2.0 Purpose
BeyondTrust has implemented and maintains a comprehensive security program covering all areas of Information Security and with the intention of providing defense in depth for the protection of Customer Data. The program protects Information Processing System(s) and media containing Customer Data from internal and external security threats, as well as Customer Data from unauthorized disclosure. The purpose of this document is to describe the controls, methodologies, and guidelines that BeyondTrust has deployed in the protection of Personal Data and Customer Data.
3.0 BeyondTrust’s Security Program
3.1 Formal Security Policy. BeyondTrust has an information security policy that is approved by BeyondTrust’s management and is communicated to all BeyondTrust workforce personnel. BeyondTrust shall maintain written security management policies and procedures to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, and availability of BeyondTrust Information Processing System(s) and/or Customer Data. Such policies and procedures shall (i) assign specific data security responsibilities and accountabilities to specific individual(s); (ii) include a formal risk management program, which includes periodic risk assessments; and (iii) provide an adequate framework of controls that safeguard Customer’s information systems, including without limitation any software supporting Customer, and Customer Data.
3.2 Security Policy Review. BeyondTrust periodically reviews the information security policy at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. BeyondTrust shall periodically (no less than annually) evaluate its processes and systems to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the confidentiality, integrity, availability, and security of Customer Data within BeyondTrust information systems as well as the maintenance and structure of BeyondTrust's information systems. BeyondTrust shall document the results of these evaluations and any remediation activities taken in response to such evaluations. BeyondTrust has a security policy that is approved by the Chief Information Security Officer and details are communicated to all BeyondTrust employees.
3.3 Certifications and Attestations. BeyondTrust has implemented controls to meet the goals outlined in ISO/IEC 27001, ISO/IEC 27701, and AICPA SOC 2, which are standards for managing information security. BeyondTrust holds certifications under the ISO standards for security and data protection and has a SOC 2 Type II audit report for the Services. BeyondTrust conducts an annual evaluation (referred to as an “Assessment”) against these standards, which is kept confidential and can only be shared with prior approval under an Agreement in place between the Parties or a non-disclosure agreement.
4.0 Organizational Security
4.2 Security Requirement Persistence. BeyondTrust will include as part of its agreements with its Extended Workforce requirements no less stringent than those contained in this document, including any subsequent parties having access to Customer Data or Information Processing System(s) containing Customer Data.
4.3 Materiality of Organizational Security. BeyondTrust agrees that the requirements listed under Organizational Security are material to its Agreements with Customers.
5.0 Asset Management
5.1 Asset Inventory. BeyondTrust will maintain an inventory listing containing at a minimum all Information Processing System(s) and media containing Customer Data.
5.2 Acceptable Use. BeyondTrust will maintain guidance on the acceptable use of information and assets which is no less restrictive than ISO/IEC 27001 or its successor. Such guidance is approved by BeyondTrust’s management and is published and communicated to all BeyondTrust workforce personnel.
5.3 Portable Devices. Customer Data may not be stored on portable devices including, but not limited to laptops, Personal Digital Assistants, MP3 devices, and USB devices. The foregoing does not prohibit the storage of Customer Data on portable media such as tapes within a data center or in secure offsite storage.
5.4 Personally Owned Equipment. Customer Data may not be stored on personally owned equipment.
6.0 Human Resources Security
6.1 Security Awareness Training. BeyondTrust workforce members receive security awareness training appropriate to their job function. The content of the training also covers applicable security threat information, social engineering including phishing and ransomware, compliance efforts for the business, expectations of adhering to policy for SOC 2 and ISO 27001, and privacy considerations. Recurring security awareness training is delivered annually and as required to mitigate significant changes to information security risk.
6.2 Removal of Access Rights. The access rights of all BeyondTrust workforce members with access to Information Processing System(s) or media containing Personal Data or Customer Data will be removed immediately upon termination of their employment, contract, or agreement, or adjusted upon change of job function.
6.3 Background Checks. BeyondTrust conducts pre-employment background checks of all global candidates for employment, subject to applicable law. Such background checks will include the following elements: SSN / name verification, criminal record checks, credit, education verification, and drug screening.
7.0 Physical and Environmental Security
7.1 Secure Areas. All areas, including facilities, telecommunication areas, cabling areas, and off-site areas that may contain system(s) or media containing Customer Data shall be protected by the use of appropriate security controls to include, but not be limited to:
7.1.1 Access will be controlled by use of a defined security perimeter, appropriate security barriers, entry controls, and authentication controls as determined by BeyondTrust’s security risk assessment. A record of all accesses will be securely maintained for a minimum of 90 days.
7.1.2 All personnel are required to wear some form of visible identification to identify them as employees, contractors, visitors, etc.
7.1.3 Visitors to secure areas are escorted or cleared via an appropriate background check for non-escorted access. Date and time of entry and departure will be recorded and kept for a minimum of 90 days.
7.1.4 Cloud Procedures. Hosting Facilities. All third-party data centers that are utilized to host and deliver the Service to customers have implemented a robust security program which includes (i) physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, mantraps, appropriate perimeter deterrents (for example, fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor.
7.1.5 BeyondTrust hosts customer instances in primary and secondary SSAE 18 Type II or ISO/IEC 27001 certified (or equivalent) data centers in the geographic regions specified on the order for the subscription term. Each data center includes full redundancy (N+1) and fault tolerant infrastructure for electrical, cooling and network systems.
7.1.6 Visitor Procedures. All visitors to a BeyondTrust facility are required to have a legitimate business purpose and required to show formal identification prior to being granted access. When accessing secure areas, visitors are escorted or cleared via an appropriate background check for non-escorted access. Date and time of entry as well as departure is recorded and kept for a minimum of 90 days.
8.0 Communications and Operations Management
8.1 Protections Against Malicious Code. BeyondTrust will use detection, prevention, and recovery controls which are no less current than ISO/IEC 27001 or its successor to protect against malicious software and will train BeyondTrust workforce personnel on the prevention and detection of malicious software.
8.2 Back-ups. BeyondTrust will perform appropriate back-ups of Information Processing System(s) and media containing Customer Data as required to protect the confidentiality, integrity, and availability of Customer Data.
8.3 Media Handling. BeyondTrust will control media containing Customer Data to protect against unauthorized access or misuse.
8.4 Media Disposal. BeyondTrust will securely dispose of media (including, but not limited to paper, disks, CDs, DVDs, optical disks, USB devices, and hard drives) containing Customer Data by the maintenance of procedures to include, but not be limited to:
8.4.1 Disposal of media containing Customer Data so that it is rendered unreadable or undecipherable, such as by burning, shredding, pulverizing, or overwriting similar to the methods described in NIST Special Publication 800-88.
8.4.2 Maintenance of a disposal log that is secured and provides an audit trail of disposal activities. The log will be kept for a minimum of 90 days.
8.4.3 Purge of Customer Data and Personal Data from all of BeyondTrust’s physical storage media (filing cabinets, drawers, etc.) and Information Processing System(s) within thirty (30) days of the latest occurrence of the following: (i) termination of the Agreement; (ii) completion of BeyondTrust’s performance obligations under this document; (iii) the date on which retention is no longer required by law or court order; or (iv) the destruction date specified in BeyondTrust’s documented record retention schedule.
8.4.3.1 Upon request, BeyondTrust will provide a Certificate of Destruction to Customer, following the purge, certifying that all Customer Data and Personal Data was purged within the time frame stated in the Agreement.
8.5 Exchange of Information. To protect the confidentiality and integrity of Customer Data in transit, BeyondTrust will:
8.5.1 Perform an inventory and risk assessment of all data exchange channels (including, but not limited to FTP, HTTP, HTTPS, SMTP, modem, and fax) at a minimum for those data exchange channels used to transmit Customer Data in order to identify and mitigate risks to Customer Data from the use of these channels.
8.5.2 Monitor all data exchange channels to detect unauthorized information (including, without limitation, PII) releases.
8.5.3 Use appropriate security controls and approved data exchange channels when exchanging Customer Data.
8.5.4 Use industry standard enhanced security measures where available (at a minimum TLS 1.2 or better encryption) to encrypt Customer Data transmitted via open networks, including, but not limited to, the Internet and wireless networks.
8.5.5 Prohibit information about Customer customers, members, or workforce members gathered by BeyondTrust web pages from being used except for the performance of its obligations under this document.
8.5.6 Prohibit the use of web tracking technologies including, but not limited to web beacons, web bugs, invisible GIFs, and persistent cookies from being used to gather information about Customer customers, members, or workforce members, except as agreed to in writing by Customer and as necessary for BeyondTrust to perform its obligations under this Agreement.
8.6 Protection of Customer Data. To protect the confidentiality and integrity of Customer Data at rest, BeyondTrust will:
8.6.1 Encrypt all Customer Data wherever it resides on BeyondTrust systems.
8.6.2 Encrypt all Customer Data on all backup and removable media.
8.6.3 Utilize industry-standard encryption algorithms and mechanisms (AES-256 at a minimum wherever possible, off-system key storage) for all at-rest encryption implementations.
8.6.4 Develop and implement a full key lifecycle management program and subsequent processes designed to fully protect encryption keys.
8.7 Vulnerability Management. BeyondTrust has established a vulnerability and patch management policy and procedure that is reviewed annually, approved by management, and focuses on all critical business systems, the Service, and supporting processes. BeyondTrust conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, BeyondTrust will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with BeyondTrust's current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems.
To protect against system, network, and application vulnerabilities and exploitation, BeyondTrust will:
8.7.1 Regularly monitor vulnerability and patch notification lists and repositories for new and updated system vulnerability information.
8.7.2 Regularly scan internal and external networks and applications for potential security weaknesses and gaps, with no more than thirty (30) days between scan cycles.
8.7.3 Perform risk assessment of all disclosed and relevant vulnerability information as it applies to BeyondTrust systems, networks, and applications.
8.7.4 Test all planned updates and mitigations prior to deployment into production environments.
8.7.5 Update systems, networks, and applications to protect against vulnerabilities on a defined and continuous cycle, not to exceed thirty (30) days in total duration.
8.7.6 Utilize a process to deploy updates deemed to be critical in nature, based on a risk assessment, more rapidly than the normal cycle.
8.7.7 Perform penetration testing of networks, systems, and applications on an annual basis that includes testing to exploit identified security weaknesses and gaps as well as faulty business and processing logic.
8.7.8 BeyondTrust shall use commercially reasonable efforts to update systems, networks, and applications to protect against vulnerabilities on a defined and continuous cycle, in accordance with industry standards.
8.8 Penetration Testing. BeyondTrust performs penetration testing of networks, systems, and applications on an annual basis which includes testing to exploit identified security weaknesses and gaps as well as faulty business and processing logic.
8.8.1 Penetration Tests by Independent Third Party. No more than once per calendar year, BeyondTrust contracts with a third-party vendor to perform a penetration test of BeyondTrust’s solutions, cloud environment(s), and corporate environment to identify and mitigate risks while ensuring that appropriate resources are allocated to increase security. All findings are reviewed internally by appropriate stakeholders and remediated in accordance with BeyondTrust’s internal policies.
8.8.2 Penetration Tests by Customer. No more than once per calendar year Customer may request to perform, at its own expense, an application penetration test of its instances of the Service. The Customer shall notify BeyondTrust in advance of any test by submitting a request using BeyondTrust’s online support portal and completing a penetration testing scoping document. BeyondTrust and the Customer must agree upon a mutually acceptable time for the test; Customer shall not perform a penetration test without BeyondTrust’s express written authorization. The test must be of reasonable duration and must not interfere with BeyondTrust’s day-to-day operations. Promptly upon completion of the penetration test, Customer shall provide BeyondTrust with the test results, including any detected vulnerability. Upon such notice, BeyondTrust shall, consistent with industry standard practices, use all commercially reasonable efforts to promptly make any necessary changes to improve the security of the Service. Customer shall treat the test results as Confidential Information of BeyondTrust. No penetration test shall in any manner or under any circumstances use, copy, modify, enhance, merge, reverse engineer, reverse assemble, decompile, disassemble or in any way alter any Software or Other Offering or any copy, adaptation, transcription, or merged portion thereof, or otherwise attempt to derive source code therefrom.
8.9 Monitoring. To protect against unauthorized access or misuse of Customer Data residing on Information Processing System(s), BeyondTrust will:
8.9.1 Employ security controls which are no less restrictive than ISO/IEC 27001 or its successor and tools to monitor Information Processing System(s) for unusual or suspicious activities, exceptions, and Information Security Events.
8.9.2 Protect logging functions and log information against tampering and unauthorized access and keep critical logs for a minimum of 90 days.
8.9.3 Perform, at a minimum, quarterly reviews of access logs and take immediate actions necessary to mitigate issues found.
8.9.4 At Customer’s request, make redacted logs available to Customer to assist in investigations.
8.9.5 Synchronize the clocks of all relevant Information Processing System(s) using a national or international time source.
9.0 Access Control
9.1 User Access Management. To protect BeyondTrust Information Processing System(s) against unauthorized access or misuse of Customer Data, BeyondTrust will:
9.1.1 Employ a formal user registration and de-registration procedure for granting and revoking access rights to all Information Processing System(s).
9.1.2 Employ a formal password management process. BeyondTrust shall implement appropriate password parameters for systems that may access, transmit or store Customer Data ("Systems"). BeyondTrust shall implement strong authentication services and complex passwords ("Passwords") for all network and systems access to related Systems. BeyondTrust shall require multi-factor authentication to managed environments from an external network. “Multi-Factor Authentication” means authentication through verification of at least two (2) of the following types of authentication factors: (a) knowledge factors, such as a password; (b) possession factors, such as a token or text message on a mobile phone; or (c) inherence factors, such as a biometric characteristic. Default passwords used in BeyondTrust's products shall be changed upon installation.
9.1.3 Perform a recurring review of users’ access and access rights to ensure that they are appropriate for the users’ role.
9.2 User Responsibilities. To protect against unauthorized access or misuse of Customer Data residing on Information Processing System(s), BeyondTrust will:
9.2.1 Train Information Processing System(s) users on current security practices in the selection and use of strong passwords.
9.2.2 Use appropriate controls to protect unattended equipment from access and use by unauthorized individuals.
9.2.3 Use appropriate controls to protect Customer Data contained in all work areas from inappropriate access, including, but not limited to paper and on display screens.
9.3 Network Access Control. Access to internal, external, and public network services that allow access to Information Processing System(s) will be controlled. In order to mitigate the risk of unauthorized access, BeyondTrust will:
9.3.1 Use authentication controls that are no less restrictive than ISO/IEC 27001 or its successor.
9.3.2 Use network access controls that are no less restrictive than ISO/IEC 27001 or its successor.
9.3.3 Tightly control access to physical and logical diagnostic and configuration ports.
9.4 Operating System Access Control. To protect against unauthorized access or misuse of Customer Data residing on Information Processing System(s), BeyondTrust will:
9.4.1 Control access to operating systems by use of a secure log-on procedure.
9.4.2 Use unique identifiers (e.g. user IDs) to uniquely identify Information Processing System(s) users.
9.4.3 Monitor and control access to utility programs that are capable of overriding system and application controls.
9.4.4 When technically possible, shut down inactive sessions after a defined period of time.
9.4.5 When technically possible, employ restrictions on connection times to high risk applications.
9.5 Mobile Computing and Remote Working. To protect Customer Data residing on Information Processing System(s) from the risks inherent in mobile computing and remote working, BeyondTrust will:
9.5.1 Perform a risk assessment which, at a minimum, identifies and mitigates risks to Customer Data from mobile computing and remote working.
9.5.2 Maintain policies and procedures for managing mobile computing and remote working.
9.5.3 Use security controls to manage authentication of mobile and remote users which are no less restrictive than ISO/IEC 27001 or its successor.
10.0 Information Systems Acquisition, Development, and Maintenance
10.1 Security of System Files. To protect Information Processing System(s) and system files containing Customer Data, BeyondTrust will restrict access to source code to authorized users who have a direct need to know.
10.2 Security in Development and Support Processes. To protect Information Processing System(s) and system files containing Customer Data, BeyondTrust will:
10.2.1 Use a formal change control process to implement Information Processing System(s) changes.
10.2.2 Use security controls which are no less restrictive than ISO/IEC 27001 or its successor to minimize information leakage.
10.2.3 Perform quality control and security management oversight of outsourced software development.
11.0 Information Security Incident Management
11.1 Reporting Information Security Events and Weaknesses. To protect Information Processing System(s) and system files containing Customer Data, BeyondTrust will:
11.1.1 Maintain a process to ensure that Information Security Events are reported through appropriate management channels as quickly as possible. BeyondTrust will ensure that its Extended Workforce has a similar process.
11.1.2 Perform initial and recurring training of all BeyondTrust workforce personnel and Extended Workforce on how to report any observed or suspected Information Security Event. BeyondTrust will ensure that its Extended Workforce has a similar or comparable process.
11.1.3 Notify Customer by email or phone within forty-eight (48) hours of all Information Security Events which affect Customer Data or environments that store, transmit, or process Customer Data. Following any such event, BeyondTrust will promptly notify Customer whether or not Customer Data was compromised or released to unauthorized parties, the Customer Data that was affected, and details of the event.
12.0 Business Continuity Management
12.1 Business Continuity Management Program. In order to protect the confidentiality, integrity, and availability of Customer Data, BeyondTrust will:
12.1.1 Maintain a business continuity management program that ensures that security controls that meet or exceed the requirements of this document are maintained in test and actual business continuity scenarios.
12.1.2 Update and test Business Continuity Plans annually at a minimum, and as required to mitigate significant changes to information security risk. RTO/RPO timescales are situation specific and will vary depending on the nature of the incident.
13.0 Security Assessments
13.1 Initial and Recurring Security Assessments. Each year throughout the Term of the Agreement, BeyondTrust will permit Customer representatives to conduct an annual assessment through security questionnaires and reasonable documentation review.
13.2 Security Assessments Following Information Security Events. Following the occurrence of an Information Security Event, BeyondTrust will reasonably provide information related to the physical and logical security controls used at BeyondTrust’s data processing and business facilities in order to assess the impact of the event, even if an assessment has been completed within the year.
13.3 Security Assessment Findings. Upon completion of an assessment, Customer may provide BeyondTrust with an assessment that summarizes Customer’s findings. Upon Customer’s reasonable request, BeyondTrust will provide the following in relation to BeyondTrust’s security, confidentiality, privacy, and other controls for its services and products provided under the Agreement: 1) a summary of applicable tests undertaken by BeyondTrust along with an executive summary of the testing and 2) a copy of the audits and assessment reports undertaken by BeyondTrust or a third party retained by BeyondTrust, which shall be in the form of a SOC 2 Type II report. Should BeyondTrust be made aware of, or otherwise discover, deficiencies categorized as critical or high, BeyondTrust will use all commercially reasonable efforts to remediate those deficiencies in a timely manner.
14.0 De-Identification of Customer Data Used in Non-Production Environments
14.1 Exclusions to the De-Identification Requirement.
14.1.1 De-identification is not required if the security controls used in the non-production environment are equivalent to those used in the production environment and meet or exceed the requirements of this document.
14.1.2 De-identification is not required if de-identification would interfere with the resolution of a current production failure. De-identification should be performed to the extent possible, and the Customer Data that has not been de-identified should be removed from the non-production environment as soon as the failure has been resolved.
14.1.3 De-identification is not required if de-identification would interfere with an atypical, short-term, non-production activity (e.g. near-production final testing) where de-identification would distort the results of the activity. De-identification should be performed to the extent possible and the Customer Data that has not been de-identified should be removed from the non-production environment as soon as the activity has been completed.
14.1.4 If Customer Data is required to be used in non-production environments and the requirement does not meet one of the exceptions listed above, BeyondTrust will obtain written permission from Customer prior to the use.
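As an added illustration, not part of this document and not BeyondTrust’s own tooling: the following Python shows the kind of de-identification that the definition in Section 1.0 and this Section 14 describe, applied to a constructed record before it is copied into a non-production environment, together with a check that no direct identifier survives. The sample record, the field classification, the regular expressions and the per-environment key are assumptions made for the example.

```python
import hashlib
import hmac
import re
from typing import Any, Dict

# Constructed sample record (not real data): the kind of row that might be
# copied from a production instance into a test environment.
SAMPLE_RECORD: Dict[str, Any] = {
    "account_id": "A-10023",
    "full_name": "Jane Q. Example",
    "email": "jane.example@customer.invalid",
    "phone": "+1-555-010-0199",
    "ssn": "123-45-6789",
    "ip_address": "203.0.113.42",
    "plan": "enterprise",
    "created": "2023-04-01",
}

# Hypothetical field classification for this record type.
DIRECT_IDENTIFIERS = {"full_name", "phone", "ssn", "ip_address"}  # removed
PSEUDONYMISED = {"account_id", "email"}  # replaced by a keyed pseudonym
PASSTHROUGH = {"plan", "created"}        # no identifying content; kept


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 of the value, truncated.

    The same input and key always give the same output, so rows that were
    linked in production (e.g. by account_id) stay linked in test data, but
    the original value cannot be recovered without the key. The key is a
    hypothetical per-environment secret that never leaves production.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def de_identify(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a copy of record with identifiers removed or pseudonymised.

    Fields that are not explicitly classified are dropped: defaulting to
    removal avoids leaking an identifying column that was added after the
    classification was written.
    """
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in PSEUDONYMISED:
            out[field] = pseudonym(str(value), key)
        elif field in PASSTHROUGH:
            out[field] = value
        # DIRECT_IDENTIFIERS and unclassified fields are omitted.
    return out


# Patterns for identifiers that must not survive in any value. These are a
# coarse safety net, not a substitute for classifying the fields.
_LEAK_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                      # US SSN
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),                    # email address
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),                 # IPv4 address
    re.compile(r"\+?\d{1,3}[-\s.]\d{3}[-\s.]\d{3}[-\s.]\d{4}"),  # phone with separators
]


def contains_identifier(record: Dict[str, Any]) -> bool:
    """Gate to run before loading a record into a non-production environment."""
    return any(p.search(str(v)) for v in record.values() for p in _LEAK_PATTERNS)


if __name__ == "__main__":
    key = b"hypothetical-per-environment-secret"
    safe = de_identify(SAMPLE_RECORD, key)
    print(safe)
    print("identifiers remain:", contains_identifier(safe))
```

Where one of the exclusions in 14.1.2 or 14.1.3 applies and a record is loaded without passing the gate, the same check can be re-run over the non-production data once the failure or activity has ended to confirm that the un-de-identified Customer Data has actually been removed.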
15.0 Privacy
15.1 Segregation. All Customer Data is segregated from the data of other Customers, as well as from BeyondTrust’s internal data.
15.2 Data Usage. BeyondTrust will not use Customer Data for any purpose other than in support of the obligations described herein and within any additional services agreement.
15.3 Legal Compliance. BeyondTrust maintains compliance with all applicable privacy laws and regulations in the US and internationally, including without limitation United States state privacy laws.
15.4 Testing Restrictions. BeyondTrust does not use Customer Data, in whole or in part, in connection with any testing in system development. Customer Data means all Customer, associate, employee, contractor, and payroll information submitted by or with respect to Customer to BeyondTrust in the performance of the services specified within any additional services agreement.
16.0 Vendor Management
16.1 Vendor Assessment. BeyondTrust conducts annual reviews and risk assessments of all vendors processing, storing, or transmitting Customer Data.
16.2 Vendor Risk Assessment. Information gathered from the vendor review is used as inputs to the BeyondTrust risk assessment process which is used to generate a metrics-based narrative report identifying all areas of concern and the associated potential impact and likelihood.
16.3 Vendor Risk Remediation. BeyondTrust works with the vendor to identify a plan of action for remediation of all identified risks and the successful completion of the remediation plan.
