Written Information Security Program. Contractor shall establish and maintain a comprehensive, written information security program (a “WISP”) that includes technical and organizational security safeguards designed to protect Seagate Data (as defined in the Independent Contractor Agreement) against accidental, unauthorized, or unlawful use, destruction, loss, alteration, disclosure or access, or other unauthorized Contractor shall provide Seagate with a copy of its WISP, including any updates during the course of its engagement.
Content of WISP. Contractor’s WISP must reasonably address the confidentiality, integrity, and availability of all Seagate Data, including physical access, system access, data access, transmission, security oversight and enforcement. The WISP must comply with any requirements specified in other agreements with Seagate, including the Seagate Data Privacy Agreement, if applicable, and must include the following:
Periodic risk assessments;
Identification and documentation of the security requirements of authorized users;
Controls for user access including the nature and authorization of that access;
Prevention of unauthorized access through the use of effective physical and logical access controls, including but not limited to the physical security measures specified in this Exhibit;
Procedures to add new users, modify access levels of existing users, and removal of users who no longer need access;
Assignment of responsibility and accountability for security, system changes, and maintenance;
Implementation of system software upgrades and patches, including a patching interval of less than 90 days for security-impacting patches and less than 15 days for critical patches;
Procedures to test, evaluate, and authorize system components before implementation, including but not limited to data protection impact assessments;
Procedures to resolve complaints and requests relating to security issues;
Procedures to handle errors and omissions, Security Breaches, and other incidents;
Procedures to detect actual and attempted attacks or intrusions into systems and to proactively test security procedures, including but not limited to penetration testing;
Dedicated resources to support its information security policies and procedures, including but not limited to training programs for Contractor’s personnel;
Procedures for handling exceptions and situations not specifically addressed in its security processes;
Industry-standard governing security frameworks mapped to Contractor’s security policies and procedures;
Procedures for users, management, and third parties with access to Seagate Data to confirm (initially and annually) that they understand and will comply with the applicable privacy policies and procedures relating to the security of Seagate Data;
Procedures for proper destruction and disposal of Seagate Data;
Procedures and control processes for change management of any applicable information security resources relating to the access, use, processing and storage of Seagate Data; and
Procedures for testing, tracking, and recording the change management processes before implementation.
Secure Environment and Equipment. Contractor shall securely collect, host, transmit, and store the Seagate Data. Contractor shall provide the Services using industry-standard physical and environmental security measures designed to prevent unauthorized access to, theft of, or unlawful disclosure of the Seagate Data. Contractor shall employ technologies that are consistent with generally accepted industry standards and best practices for firewalls and other security technologies. Contractor shall notify Seagate of each location for storing or processing Seagate Data. Contractor shall not allow Seagate Data to be commingled with data from other companies. Contractor shall ensure that physical work areas and any systems or equipment used to access Seagate Data or to provide the Services are secure from unauthorized access. Contractor’s personnel shall only work at secure, authorized locations as set forth in Contractor’s processes and procedures. If Contractor is using non-Seagate equipment, servers or systems (“Contractor Equipment”) to provide the Services, Contractor shall ensure that any such Contractor Equipment has industry-standard information security controls including, but not limited to, antivirus software, firewall protection, whole-disk encryption, current security patches, and malware protection. Contractor shall only use Contractor Equipment in connection with the Services upon Seagate’s prior written consent. Contractor shall also disclose if Contractor Equipment is a personal or “BYOD” device or a Contractor-owned device.
Encryption. Contractor shall maintain and use cryptography based on industry-tested and generally accepted algorithms and security protocols to safeguard Seagate Data during transmission and at rest, including but not limited to password encryption. Contractor shall ensure that trusted certificates and protocols use secure versions, configurations, and encryption methods. Contractor shall maintain and use a secure Key Management Process in connection with the Services and all systems and applications relating to the Services. All Keys must be at least a 128-bit symmetric key or a 2,048-bit asymmetric key.
Secure Messaging. If Contractor is using Contractor-managed messaging in connection with the Services, Contractor shall use and maintain secure messaging and call language based on generally accepted industry standards.
Data Format and Portability. Contractor shall maintain the Seagate Data in a file format acceptable to Seagate. Contractor shall maintain all Seagate Data in a format that may be exported to Seagate in a machine readable and interoperable format, upon Seagate’s request.
Data Integrity and Data Safeguards. Contractor shall maintain the confidentiality, integrity, and availability of the Seagate Data and shall not use, disclose, alter, deny, or allow access to the Seagate Data except as may be required to provide the Services in accordance with this Agreement (including any applicable Statements of Work). Contractor shall ensure that Seagate Data remains intact, complete, and current during its processing, transmission, and storage. Contractor shall prevent any persons from altering Seagate Data, unless authorized by Seagate. Contractor shall regularly test and validate the integrity of the Seagate Data. Contractor shall keep Seagate Data separate from the data of other customers during its processing including logical data separation between its customers in customer cloud instances and applications. Contractor shall establish and maintain security measures to prevent customers from accessing cloud service instances and applications or data of other customers.
Recoverability. Contractor shall comply with Seagate requests to produce the Seagate Data in response to Seagate or third party audits, incident, or investigation requests by Seagate, or as required by law. Contractor shall cooperate with Seagate to test the recoverability of the Seagate Data from Contractor’s systems and Contractor’s backups.
Audit and Test. Seagate may audit or have a third party audit the processes, controls, privacy, and security of the data centers, application, and network infrastructure Contractor uses to provide the Services. Seagate may conduct non-intrusive network audits, including but not limited to basic port scans, without prior notice. Seagate will not attempt to access the data of any other Contractor customer. Seagate may perform any technical security integrity review, penetration test, load test, denial-of-service simulation or vulnerability scan with Contractor’s consent.
Vulnerability Testing and Mitigation of Vulnerabilities. Contractor shall conduct annual Vulnerability Assessments and Penetration Tests (VA/PT) with respect to Seagate Data in accordance with its WISP. The assessments must be conducted internally prior to all new software and/or application releases. The assessments must be conducted by a reputable and accredited security testing firm in a manner consistent with generally accepted industry standards of VA/PT (such as the guidelines promulgated by the Open Web Application Security Project and the SANS Institute). Contractor shall mitigate any critical security vulnerabilities discovered at any time.
Business Continuity Plan. Contractor shall maintain an effective business continuity plan, including without limitation disaster recovery and crisis management procedures to provide Seagate with continuous access to and support for the Services and Seagate Data. Contractor shall ensure that backup and disaster-recovery planning processes protect Seagate Data from unauthorized use, access, disclosure, alteration, or destruction. Upon Seagate’s request, Contractor shall provide Seagate with a summary of Contractor’s business continuity plan and permit Seagate to participate in disaster recovery exercises. Contractor shall incorporate any modifications required by Seagate into the business continuity plan in a timeframe mutually agreed to by Seagate and Contractor.
Backups and Archives. On a daily basis, Contractor shall back up, archive, and maintain duplicate or redundant systems that can fully recover all Seagate Data. Contractor shall establish and follow procedures and reasonable frequency intervals for transmitting backup data and systems to Contractor’s backup location. Contractor shall maintain the backup storage and systems in a secure physical location other than the location of Contractor’s primary systems. Contractor shall update and test the backup storage systems at least annually. If the original Seagate Data is lost or corrupted, Contractor shall reconstruct the Seagate Data from the backup data within 2 hours. If a more frequent or more comprehensive recovery time objective (RTO) or recovery point objective (RPO) is required by any service level agreements or statements of work with respect to the Services or the Seagate Data, the more frequent or more comprehensive terms will govern RTO and RPO requirements.
Controlled Access. Contractor shall prevent all personnel from gaining physical access to any areas hosting the Seagate Data, except for Contractor's employees who have a need to access the physical area.
Network Security. Contractor shall maintain network security using industry-standard techniques and shall configure all network infrastructure to enforce the “principle of least privilege,” including (a) filters that allow only the minimum required access/traffic, (b) anti-spoofing filters, (c) network ingress and egress filters, and (d) access control lists and routing protocols.
Hardening Documentation. Contractor shall maintain industry accepted documented system hardening processes and procedures to secure servers hosting the Seagate application and Seagate Data.
Host Monitoring. Contractor shall maintain documented processes and procedures for monitoring the integrity and availability of the servers hosting the Seagate application and Seagate Data.
Passwords. Contractor shall store all passwords within a secured database server, using industry-standard security measures behind Contractor’s firewall. Contractor shall hash the database password using Secure Hash Algorithm 2 (SHA-2) or a stronger algorithm. Contractor’s system must require the applicable passwords at application startup in order to connect to Contractor’s database.
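The clause above sets a floor (SHA-2 or stronger) but does not say how the hash should be applied. Bare, unsalted SHA-256 meets the letter of the requirement while leaving identical passwords with identical digests and offering no work factor against offline guessing. The following example, written for this page and not part of the Seagate exhibit or any Contractor's code, shows a stored-password scheme that satisfies the SHA-2 requirement the way a practitioner would actually implement it: PBKDF2-HMAC-SHA256 with a per-password random salt, an iteration count recorded alongside the hash, and constant-time verification. The iteration count, salt length and record format are assumptions chosen for the example; the bare SHA-256 function is included only to contrast the two.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this illustration, not from the exhibit).
# 600_000 iterations is in the range OWASP currently recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32  # derived-key length in bytes (256 bits)
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<b64 salt>$<b64 key>.

    A fresh random salt is drawn for every call unless one is supplied, so two
    users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "$".join([
        ALGO_TAG,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time.

    Malformed records and records produced by any other algorithm are rejected
    rather than raising, so a corrupted row cannot crash the login path.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO_TAG:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False
    if iterations <= 0 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def bare_sha256(password: str) -> str:
    """What the clause literally permits: a single unsalted SHA-256.

    Shown only for contrast. Identical passwords always produce identical
    output and a single hash is cheap to brute-force offline.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))
    # Same input, same digest: this is the property a salted KDF removes.
    print(bare_sha256("hunter2") == bare_sha256("hunter2"))
```

When auditing a Contractor against this clause, ask for the record format rather than the algorithm name: a stored value that carries a salt and an iteration count, as above, is evidence of a password KDF; a fixed-width hex string with no salt is usually evidence of the bare hash.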
Web Security. Contractor shall maintain documented processes and procedures for web security in connection with Seagate applications and processing Seagate Data. As part of its ongoing quality assurance and information security, Contractor shall conduct regular periodic penetration tests to identify and resolve security vulnerabilities in the applications and systems used by Seagate. The penetration tests must be conducted by a certified information security penetration testing firm using generally accepted industry-standard frameworks no less than annually. Contractor shall provide copies of the test results to Seagate.
Identity Provisioning and De-provisioning. Contractor shall provide secure and timely management of on-boarding and off-boarding of cloud service customers. Contractor shall use generally accepted industry-standard APIs, such as Simple Cloud Identity Management (SCIM, now standardized as System for Cross-domain Identity Management), in the on-boarding and off-boarding.
Federation. If Contractor’s Services are implementing a service that requires log-on procedures by users or Contractor, Contractor shall use and implement Seagate’s Single Sign-on mechanisms which include the SAML v2 federation standard.
Strong Authentication. Contractor shall use two-factor authentication as part of its security processes to authenticate any remote administrators who manage the Services used for hosting Seagate application and Seagate Data.
Account Management/ Session Management. When building, supporting, or implementing systems or solutions in connection with the Services, Contractor shall follow generally accepted industry standards and practices for user authentication, session management, and access controls.
Authorization and Access Controls. Contractor shall maintain policy- and role-based access controls and shall log user access information for compliance, audit, and incident investigation purposes. Contractor shall maintain segregation of duties and the principle of least privilege when processing, transmitting, or storing any Seagate Data, including but not limited to operating system permissions, file access, user accounts, and application-to-application communications.
Export and Delivery of Seagate Data. Contractor shall export the Seagate Data to Seagate in a machine readable and interoperable format at any time requested by Seagate, or give Seagate, or its third party designee, the ability to export the Seagate Data in a machine readable and interoperable format at any time. This obligation continues for 90 days after termination or expiration of this Agreement.
Deletion of Seagate Data. Within 90 days after Seagate informs Contractor that Seagate Data was received and migrated correctly, or informs Contractor of its election to not migrate the Seagate Data, Contractor shall securely destroy all Seagate Data, delink Seagate’s workspace identifiers, and overwrite with new data or otherwise destroy the Seagate Data through an approved sanitization method. If Contractor disposes of any paper, electronic or other record containing Seagate Data, Contractor shall do so by taking all reasonable steps (based on the sensitivity of the Seagate Data) to destroy Seagate Data by: (a) shredding, (b) permanently erasing and deleting, (c) degaussing, or (d) otherwise modifying the Seagate Data to make it unreadable, unreconstructable, and indecipherable. If Contractor decommissions or retires a hard drive that contains a copy of Seagate Data, then Contractor shall securely shred or destroy the drive, rendering the Seagate Data unreadable. Contractor shall certify in writing that the drive has been shredded or destroyed and that the Seagate Data cannot be read, retrieved, or reconstructed. If Contractor has a legal obligation to retain Seagate Data beyond the period permitted under this Agreement, Contractor shall notify Seagate in writing of its obligation, and shall return or destroy the Seagate Data as soon as possible after the legal obligation ends.
Application APIs. Contractor shall document any APIs used in connection with the Seagate Data and Services and provide a list of the APIs to Seagate during and upon conclusion of the Services. Contractor’s API security must (a) adhere to generally accepted industry standards and best practices, and (b) follow application vulnerability standards and secure industry development standards.
Logs and Audit Files. If Contractor is building or implementing systems or applications in connection with the Services, Contractor shall maintain and provide Seagate with security log files for: (a) information requests and server responses, (b) access and authentication attempts, (c) account changes, (d) privileged use, (e) application failure, and (f) significant application configuration changes.
Security Breach and Incidents; Information Security Team Oversight. Contractor shall maintain a security incident management and investigation process that is consistent with best practices in its industry. Contractor shall notify Seagate of any Security Breaches, security incidents, or investigations relating to Security Breaches immediately, and in any event within 24 hours of learning of such Security Breach or incident. Contractor shall notify Seagate of its designated primary security manager who is responsible for managing and coordinating the performance of Contractor’s information security obligations in this Exhibit. Contractor shall give Seagate access to the security manager and to the personnel responsible for Contractor’s information security program in order to review and resolve any questions or issues.
Subcontractors and Sub-processors. Contractor shall not use subcontractors to access or process Seagate Data or provide the Services without Seagate’s prior written consent. If Seagate consents to Contractor’s use of a subcontractor to process Seagate Data, Contractor shall ensure the subcontractor agrees in writing to comply with all information security obligations applicable to Contractor under the terms of this Agreement. Contractor remains liable for and guarantees any subcontractor’s performance of all obligations. Contractor shall provide Seagate with a list and description of any third party applications or services used by Contractor in connection with the Services or Seagate applications.
REQUIRED CERTIFICATIONS AND REPORTS
ISO and SOC Reports. Contractor shall obtain and provide the following certifications and reports specific to the Services from a reputable and accredited audit firm reasonably acceptable to Seagate. The certifications and reports must cover Contractor’s standards and controls specific to the Services provided by Contractor. Contractor shall provide copies of the certifications and reports to Seagate (a) prior to commencement of the Services and (b) annually, no later than June 15th of each year. The certifications and reports must cover at least 9 months of Seagate’s fiscal year, and must be delivered to Seagate no later than 90 days after the period covered by the certification or report.
International Organization for Standardization (ISO) 27001 or 27002,
American Institute of Certified Public Accountants (AICPA) Statements on Standards for Attestation Engagements (SSAE) 18 Type II, the services standard and controls report (i.e. SOC1 Type 1/Type 2, and/or SOC2 Type 1/Type 2) or other similar report. If Contractor is providing Services or related applications involving Seagate Data relating to Seagate’s financial reporting, then Contractor shall provide the SOC1 Type 2 report. If the Services include cloud instances and/or applications, Contractor shall provide a SOC2 Type 2 report; and
Validation assessments of compliance with PCI Data Security Standards if the Seagate Data or Services involve payment card processing or storage.
Seagate Review of Reports. Seagate may determine if Contractor’s certifications and reports are adequate. Contractor shall notify Seagate if there are any material changes in its reports or certifications. Upon written request from Seagate, Contractor shall also give Seagate a management representation letter stating that, to the knowledge of Contractor management after reasonable investigation, there have been no changes to the control environment between the date of the management representation letter and the date of the certification or report.
BACKGROUND CHECKS AND SITE/SYSTEM ACCESS
Background Checks. To the extent permitted by law, Contractor shall perform background checks on all its employees, independent contractors, and temporary employees who will have access to Seagate Data (collectively “Contractor Personnel”) as a condition of hire or prior to the commencement of the Services. The background check must include criminal history, National Criminal Records Check, and 7-year county criminal court check for misdemeanor and felony convictions. Contractor shall allow Seagate to review Contractor practices and audit completed pre-employment screening processes to ensure these standards are met. If Contractor does not meet these requirements, or fails an audit, Seagate may conduct a background check (at no cost to Contractor) to determine eligibility of Contractor Personnel for site and system access. Contractor shall ensure all Contractor Personnel onsite at a Seagate location comply with Seagate’s policies, procedures, and guidelines.
Confidentiality. Each party shall comply with all applicable laws regarding background checks they conduct and shall maintain the confidentiality of all background check reports.
Access Restrictions. Contractor shall not allow any person with a conviction for theft, violence, or fraud-related offenses within the past 7 years to have access to Seagate Data, systems, or networks used to provide the Services, or to have access to the physical sites used to provide the Services, unless otherwise prohibited by applicable law or regulations. Seagate may conduct any background screenings for Contractor Personnel who need access to Seagate’s systems, network, or physical site through a licensed Credit Reporting Agency in compliance with all applicable laws and regulations, including the Fair Credit Reporting Act and data protection and privacy regulations. Seagate shall maintain the confidentiality of the reports it reviews.