
Schedule B: Pindrop BCP and Security Terms

Last Updated: September 29, 2022

This Schedule B (Pindrop BCP and Security Terms) is incorporated into the Order (“Order”) between Pindrop Security, Inc. (“Pindrop”) and the customer identified in Section 2 (Company Information) (“Company”) of the Order. Capitalized terms not otherwise defined have the meanings given in the Order or the Pindrop Customer Agreement available at https://www.pindrop.com/pca (“PCA”).

1. Definitions.

“Company Confidential Information” means, for purposes of this Schedule B, Company’s Confidential Information within Pindrop’s possession or control.

“Company-Controlled Information Systems” means Information Systems within Company’s possession or control.

“In-Scope Subcontractor” means a Pindrop subcontractor who accesses, processes, or stores Company Call Data for the purpose of delivering components of Products or Services to Company.

“Information System” means a discrete set of electronic information resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as specialized systems such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.

“Pindrop-Controlled Information Systems” means (i) Information Systems within Pindrop’s possession or control and (ii) Amazon Web Services (“AWS”) Information Systems that (a) are under Pindrop’s enterprise account with AWS, (b) Pindrop uses to deliver Products or Services or as internal corporate-level systems, and (c) have data protection and security controls configured and managed solely by Pindrop. For clarity, “Pindrop-Controlled Information Systems” does not include any Company-Controlled Information Systems.

Security Breach” means a reasonably suspected (or confirmed) unauthorized (i) disclosure of Company Confidential Information or (ii) third party access to a Pindrop-Controlled Information System that processes, holds, or provides access to Company Confidential Information.

2. Governance and Oversight; Security Examinations.

(a) Pindrop maintains a commercially reasonable cybersecurity program designed to protect the confidentiality, integrity, and availability of Pindrop-Controlled Information Systems, as detailed in this Schedule B. The cybersecurity program includes tracking data asset locations and maintaining risk-based written security policies that satisfy the requirements in this Schedule B (“Security Policy”). Pindrop will not change the Security Policy in a manner that will materially degrade the overall level of security described in this Schedule B.

(b) The Security Policy is based on a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Company Confidential Information that could result in unauthorized disclosure, misuse, alteration, destruction, or other compromise of Company Confidential Information, and assesses the sufficiency of safeguards in place to control these risks. The risk assessment includes (i) criteria for evaluation and categorization of identified security risks or threats to Company Confidential Information, (ii) criteria for assessment of confidentiality, integrity, and availability of Company Confidential Information, including adequacy of existing controls in the context of identified risks or threats, and (iii) requirements describing how identified risks are mitigated or accepted based on the risk assessment and how the Security Policy addresses those risks.

(c) Pindrop periodically performs additional risk assessments to reexamine reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Company Confidential Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of Company Confidential Information, and reassess the sufficiency of safeguards in place to control these risks.

(d) Pindrop will (i) design and implement safeguards to control the risks identified through its risk assessments and (ii) evaluate and adjust its cybersecurity program in light of the results of the testing and monitoring described in this Schedule B, any material changes to Pindrop’s operations or business arrangements, and any other circumstances that Pindrop knows or has reason to know may materially impact Pindrop’s cybersecurity program.

(e) Pindrop assigns appropriate individuals within Pindrop’s cybersecurity team to maintain responsibility and executive oversight of the Security Policy, including implementation, formal governance and revision management, employee education, and compliance enforcement. The assigned individuals report in writing, regularly and at least annually, to Pindrop’s executive leadership team, including the following information in each report: (i) the overall status of Pindrop’s cybersecurity program and (ii) material matters related to Pindrop’s cybersecurity program, including issues such as risk assessment, risk management and control decisions, service provider arrangements, test results, security events and related management response, compliance obligations, and recommendations for changes in the cybersecurity program.

(f) If a regulatory agency with supervisory authority over Company by Law (“Company Regulator”) requests that Company provide access to Products or Services, Company will use commercially reasonable efforts to resolve that request directly with the Company Regulator through alternative methods, including by reviewing security certifications for Pindrop-Controlled Information Systems with the Company Regulator. If the Company Regulator determines that information available through alternative methods is insufficient to verify compliance with Laws, then at the Company Regulator’s request and Company’s written confirmation that the Company Regulator has requisite supervisory authority over Company to make the request, Pindrop will provide the Company Regulator: (i) information about Products and Services and the opportunity to discuss Products, Services, operations, and controls with Pindrop subject matter experts and (ii) if legally required, a direct right to examine the Products and Services used by Company, including an examination on premises, provided that to the maximum extent permitted by Law (A) the examination must be conducted during normal business hours and in a manner that does not unreasonably disrupt Pindrop’s day to day business, (B) on premises examination of Pindrop’s procedures, systems and equipment is subject to Pindrop’s standard security policies, (C) Pindrop is not required to disclose or provide access to confidential information of a third party or any attorney-client privileged information, and (D) Pindrop is not obligated to share examination results with Company. Pindrop may charge Company a fee (based on Pindrop’s reasonable costs) for Company Regulator-related discussions, communications, and examinations.

3. Policies and Procedures.

(a) The Security Policy is communicated to relevant Pindrop employees, and is designed to protect Company Confidential Information within Pindrop-Controlled Information Systems and to support Pindrop’s compliance with the Agreement. At Company’s written request, Pindrop will provide Company (i) the title page and table of contents of the Security Policy or related policies or procedures described in this Schedule B that apply to Pindrop’s business, (ii) an opportunity to discuss Pindrop’s security measures, (iii) confirmation that penetration testing and vulnerability scanning has been performed, and (iv) independent audit reports for the Products (such as SOC2 Type 2) that Pindrop makes generally available to its customers under confidentiality terms.

(b) Pindrop reviews its Security Policy at least annually and amends the Security Policy (or subparts) as Pindrop deems commercially reasonable in light of relevant risk assessment findings, changes in Laws or standards, technology advances, or changes to Pindrop’s systems or business operations.

(c) Pindrop follows security-minded development practices (and, for externally developed applications, security assessment procedures) for applications that form any part of the Products or that are used to deliver the Products.

(d) Pindrop maintains and follows employment verification procedures consistent with Industry Standards (as defined below) for all new employee hires prior to the date of hire. These procedures include criminal background checks, proof of identity validation, and additional checks as Pindrop deems reasonably necessary and as permitted by Law. Each Pindrop entity is responsible for implementing the foregoing procedures in its hiring process consistent with local Law. Pindrop will provide verification of satisfactory completion of employee background checks at Company’s reasonable request, provided that Pindrop is not required to provide an actual copy of the background check results.

(e) Pindrop maintains an annual employee training program that includes (i) security education and awareness training that is updated to reflect risks identified by Pindrop’s risk assessments and (ii) promoting employee maintenance of current knowledge of changing information security threats and countermeasures.

4. Compliance.

Pindrop-Controlled Information Systems are subject to annual certification of compliance with SSAE SOC2 standards or any substantially equivalent or alternative successor standard (“Industry Standards”). At Company’s written request, Pindrop will provide evidence of compliance and accreditation with Industry Standards as reasonably determined by Pindrop, such as certificates, attestations, or reports resulting from accredited independent third-party audits (which occur at the frequency required by the relevant Industry Standard). Pindrop will use commercially reasonable efforts to verify that its In-Scope Subcontractors comply with all Laws applicable to the In-Scope Subcontractors’ business and all Laws generally applicable to information technology services providers, in each case to the extent relevant to the specific products and services the In-Scope Subcontractor provides to Pindrop in connection with the Products and Services covered under the Agreement. Verification may be accomplished through Pindrop’s vendor due diligence process. If Pindrop’s vendor due diligence process identifies a non-compliance with the Laws described above, Pindrop will work with the In-Scope Subcontractor to cure the non-compliance.

5. Incident Response and Security Breaches.

(a) Pindrop maintains and follows written incident response policies consistent with National Institute of Standards and Technology, United States Department of Commerce (“NIST”) guidelines or equivalent industry standards for computer security incident handling. Pindrop’s incident response policy is designed to enable prompt response to, and recovery from, any event materially affecting the confidentiality, integrity, or availability of Company Confidential Information. Pindrop’s incident response policy addresses: (i) the goals of the incident response policy, (ii) internal response processes, (iii) the definition of clear roles, responsibilities, and levels of decision-making authority, (iv) external and internal communications and information sharing, (v) identification of requirements for remediation of identified weaknesses in information systems and associated controls, (vi) documentation and reporting, and (vii) evaluation and revision of the incident response policies as necessary.

(b) Pindrop will investigate Security Breaches (and security incidents that are not yet Security Breaches, but are reasonably likely to result in Security Breaches) of which Pindrop becomes aware, perform a root-cause analysis of the same, and take prompt action designed to contain the Security Breach. Company must notify Pindrop of any suspected vulnerability or security incident by immediately submitting a technical support request to Pindrop.

(c) Pindrop will notify Company no more than 24 hours after Pindrop becomes aware of a Security Breach that impacts Company Confidential Information. Pindrop will provide Company reasonably requested information about the Security Breach and the status of Pindrop containment and service restoration activities.

6. Physical Security and Entry Control.

(a) Pindrop maintains reasonable physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and staffed reception desks, designed to protect against unauthorized entry into Pindrop-managed facilities (i.e., its headquarters facility) used to provide Pindrop-Controlled Information Systems. Auxiliary entry points into the facilities, such as delivery areas and loading docks, are controlled and isolated from computing resources.

(b) Access to Pindrop-managed facilities and controlled areas within those facilities is limited by job role and subject to authorized approval. Access is logged, and logs are retained for no less than one year. Pindrop revokes access to Pindrop-managed facilities upon separation of an authorized employee. Pindrop follows written separation procedures that include prompt removal from access control lists and surrender of physical access badges.

(c) Any person granted temporary permission to enter a Pindrop-managed facility or a controlled area within the facility is registered upon entry and is escorted by authorized personnel.

(d) Pindrop takes precautions designed to protect the physical infrastructure of Pindrop-managed facilities against environmental threats, both natural and man-made, such as excessive temperature, fire, flood, humidity, theft, and vandalism.

7. Access, Intervention, Transfer and Separation Control.

(a) Pindrop maintains measures for Pindrop-Controlled Information Systems designed to logically separate and prevent Company Confidential Information stored within Pindrop-Controlled Information Systems from being exposed to or accessed by unauthorized persons. Pindrop maintains isolation of its production and non-production environments, and, if Company Confidential Information is transferred to a non-production environment, for example to reproduce an error at Company’s request, security and privacy measures in the non-production environment will be equivalent to those in production.

(b) Pindrop will encrypt Company Confidential Information that is stored long-term within Pindrop-Controlled Information Systems, and when Pindrop transmits Company Confidential Information over public networks. Pindrop maintains written procedures for encryption key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use. To the extent that encryption is impractical, Pindrop uses compensating controls designed to protect Company Confidential Information.

(c) If Pindrop requires access to Company Confidential Information stored within Pindrop-Controlled Information Systems, and if Pindrop manages access, Pindrop deploys measures designed to restrict access to the minimum level required. Access, including administrative access, is individual, role-based, and subject to approval and validation by authorized Pindrop personnel following principles of segregation of duties. Pindrop maintains measures to identify and remove redundant and dormant accounts with privileged access and promptly revokes access upon an account owner’s separation or at the request of authorized Pindrop personnel, such as the account owner’s manager.

(d) For Pindrop-Controlled Information Systems, Pindrop will:

(i) monitor and periodically test Pindrop-Controlled Information Systems to assess Security Policy effectiveness;

(ii) maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and password change frequency;

(iii) monitor use of privileged access and maintain security information and event management measures designed to: (1) identify unauthorized access, use or tampering, (2) facilitate a timely and appropriate response, and (3) enable internal and independent third-party audits of Security Policy compliance;

(iv) where practicable, use multi-factor authentication designed to protect against unauthorized access to a Pindrop-Controlled Information System;

(v) maintain logs in which privileged access and activity are recorded and retained in compliance with Pindrop’s worldwide records management plan and Security Policy;

(vi) maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of the logs described in Subsection (v) above;

(vii) maintain tools designed to detect and remove viruses, worms, time bombs, Trojan horses, or other harmful or malicious code from the Pindrop-Controlled Information Systems;

(viii) adopt change management procedures; and

(ix) develop, implement, and maintain procedures for secure disposal of Company Confidential Information in any format used in connection with the provision of the Product or Service, unless the information (1) is necessary for business operations or for other legitimate business purposes or is otherwise expressly authorized by Company in the Agreement, (2) is required to be retained by Law, as set forth in Section 11(d) (Obligations Upon Termination) of the PCA, or (3) cannot reasonably be targeted for disposal due to the manner in which the information is maintained.

(e) Pindrop will securely sanitize physical media prior to reuse, and will destroy physical media not intended for reuse, consistent with NIST guidelines for media sanitization. At Company’s reasonable request, Pindrop will provide a certificate certifying the destruction of Company Confidential Information.

8. Service Integrity and Availability Control.

With respect to Pindrop-Controlled Information Systems, Pindrop will:

(a) Perform security risk assessments at least annually;

(b) Periodically perform security testing and vulnerability assessments;

(c) Enlist a qualified testing service to perform penetration testing at least annually;

(d) Perform automated vulnerability scanning, against configurations consistent with industry standards, reasonably designed to identify publicly known security vulnerabilities in Pindrop-Controlled Information Systems based on Pindrop’s risk assessment: (i) at least every six months, (ii) whenever there are material changes to Pindrop’s technical operations of a nature that reasonably justifies performance of a scan, and (iii) whenever there are circumstances that Pindrop knows or has reason to know may materially impact Pindrop’s information security program, if the circumstances are of a nature that reasonably justifies performance of a scan;

(e) Follow Pindrop’s policies with respect to remediation of identified vulnerabilities, based on associated risk, exploitability, and impact;

(f) Take reasonable steps to avoid disruption of Products and Services when performing its tests, assessments, scans, and execution of remediation activities;

(g) Maintain measures designed to assess, test, and apply security advisory patches. Upon determining that a security advisory patch is appropriate, Pindrop implements the patch consistent with Pindrop’s policies, taking into account associated risk, exploitability, and impact;

(h) Maintain policies and procedures designed to manage risks associated with the application of changes; and

(i) Maintain an inventory of information technology assets.

9. Vendor Management Program.

(a) Pindrop maintains a formal vendor management program. As part of the program, Pindrop periodically conducts due diligence on each of its In-Scope Subcontractors to assess whether the In-Scope Subcontractor maintains reasonable security measures designed to protect the Company Call Data in that In-Scope Subcontractor’s possession or control. In conducting In-Scope Subcontractor due diligence, Pindrop may rely upon the information available in an In-Scope Subcontractor’s SOC2 or comparable report or certification (each an “Independent Audit Report”) to make the assessment, even if the Independent Audit Report does not contain the level of detail specified in this Schedule B. At Company’s request, Pindrop will direct Company to a location at which it can obtain copies of an In-Scope Subcontractor’s Independent Audit Report. If Company is unable to obtain the Independent Audit Report, Pindrop will use reasonable efforts to secure the relevant Independent Audit Report from the In-Scope Subcontractor and provide a copy to Company. Pindrop will provide Company at least 30 days prior notice if there is a material change in the identity of the In-Scope Subcontractors relevant to the Products or Services covered under an existing Order.

(b) In addition to In-Scope Subcontractors, Company understands and agrees that Pindrop may use other vendor systems and solutions to support its day-to-day back office business operations where Confidential Information of Company (other than data that has been input into a Product) may be collected, processed, or stored, including by way of example contract management, billing, or other financial transaction-related tools and solutions (each a “Back Office Business System”). Back Office Business Systems are not Pindrop-Controlled Information Systems, but are subject to the requirements of Sections 9(c) and 9(d) below.

(c) Pindrop has written agreements in place with each In-Scope Subcontractor and each vendor providing Back Office Business Systems that contain commercially reasonable confidentiality obligations designed to protect the confidentiality of (i) Company Call Data within the In-Scope Subcontractor’s possession or control and (ii) Confidential Information within the possession or control of the vendor providing the Back Office Business System, as relevant.

(d) Pindrop is responsible for unauthorized disclosure of Company Call Data by an In-Scope Subcontractor and Confidential Information by each vendor providing a Back Office Business System to the same extent as Pindrop itself would be by the terms of the Agreement.

10. BCP Program.

(a) Pindrop’s business continuity program (“BCP”) includes (i) a business impact analysis and risk assessment that documents prioritization of business functions, processes, systems, subcontractors, resource requirements, and interdependencies that may affect recovery timelines and alternative resource plans, (ii) specifically defined or targeted recovery time objectives (“RTOs”), and (iii) specifically defined or targeted recovery point objectives (“RPOs”). Unless provided otherwise in an Order, Pindrop’s RTO and RPO policy for a single availability zone failure for a Product does not exceed 24 hours.

(b) Pindrop conducts BCP exercises (such as tabletop exercises) annually. If an event triggers Pindrop’s BCP (each a “BCP Event Trigger”), Pindrop will implement the BCP policies and procedures. If a BCP Event Trigger occurs, depending on the nature and scope of the event, the availability or ability to recover Company Confidential Information, including (without limitation) Company Call Data, may be impacted.

(c) The Products are not designed for and should not be used by Company as an official record or similar, whether for regulatory purposes or otherwise.

(d) If a Product in use by Company experiences an outage, Pindrop will notify Company of the outage and provide periodic status updates until the outage is resolved, as detailed in the Support Program Terms.

(e) Pindrop will provide reasonable prior notice to Company if Pindrop’s BCP is changed in a way that would have a material adverse impact on Pindrop’s ability to deliver Products or Services to Company as described in the Agreement.

11. Company Responsibilities.

Company will implement commercially reasonable measures designed to detect and prevent the introduction of viruses, worms, time bombs, Trojan horses, or other harmful or malicious code into Pindrop-Controlled Information Systems used in the delivery of Products or Services. Company is responsible for determining whether Products or Services are suitable for Company’s use, and for implementing and managing security measures for all components of the Products and Services that Pindrop does not manage or for which Pindrop does not have security obligations under this Schedule B, with Pindrop’s only security obligations being as described in this Schedule B. Examples of Company responsibilities include, without limitation: (a) securing all Company-Controlled Information Systems and (b) accepting and implementing all security patches Pindrop provides in connection with software Pindrop provides or makes available to Company, without delay. Company is solely responsible for ensuring adequate backups of Company Call Data on Company-Controlled Information Systems that are physically and logically separated from the Products and Services. Company agrees that Pindrop is not in breach of this Schedule B to the extent that Pindrop’s non-compliance is directly caused by Company’s failure to comply with its own security responsibilities under the Agreement.