I. Purpose

This Security Policy sets forth the information security program and infrastructure policies that Vendor will meet and maintain in order to protect the Customer Data from unauthorized use, access or disclosure, during the term of Customer’s Agreement with Vendor. Vendor may modify the terms of this Security Policy from time to time, provided that such terms shall be no less protective of Customer Data than those currently in effect.

The terms of this Security Policy are incorporated by reference in the Master Cloud Agreement, and capitalized terms not defined herein shall have the meanings ascribed to them in the Master Cloud Agreement between Vendor and Customer, provided, however, that if Vendor and Customer have not entered into a Master Cloud Agreement, capitalized terms are defined as follows:

  • “Agreement” shall mean the agreement pursuant to which Vendor provides Customer with access to Vendor’s cloud products and services.
  • “Customer” shall mean the customer contracting with Vendor for access to and use of Vendor’s cloud products and services.
  • “Customer Data” shall mean any data, content or materials that Customer (including its authorized users) submits to the Services, including from third-party platforms.
  • “Services” shall mean the cloud services provided under the Agreement.
  • “Vendor” shall mean Collibra UK Limited or Collibra Inc., as applicable, depending on the legal entity contracting with Vendor.

II. Information Security Management Program

Vendor will maintain an information security program designed to protect and secure Customer Data from unauthorized access or use. The information security program will be documented and updated based on changes in applicable legal and regulatory requirements related to privacy and data security practices and industry standards applicable to Vendor. The program is based on industry standards, including standards from ISO, NIST, and the Cloud Security Alliance.

III. Standards

Vendor incorporates commercially reasonable and appropriate methods and safeguards to protect the security, confidentiality, and availability of Customer Data. Vendor will, at a minimum, adhere to applicable information security practices as identified in International Organization for Standardization 27001 (ISO/IEC 27001) (or a substantially equivalent or replacement standard).

IV. Independent Assessments

On an annual basis, Vendor has an independent third-party organization conduct an independent assessment of Vendor’s security policies and procedures. Vendor undergoes penetration testing of its network and applications by independent third parties at least annually.

V. Information Security Policies

Vendor will implement, maintain, and adhere to its internal information security and privacy policies that address the roles and responsibilities of Vendor’s personnel, including both technical and nontechnical personnel, who have direct or indirect access to Customer Data in connection with the Service. All Vendor personnel with access to Customer Data will receive annual training on Vendor’s information security program.

VI. Information Security Infrastructure

  1. Access Controls

    Vendor will ensure that appropriate access controls are in place to protect Customer Data. Vendor agrees that it will maintain appropriate access controls (physical, technical, and administrative) and will maintain such access controls in accordance with Vendor’s policies and procedures. Access controls will be audited at a minimum every 6 months to ensure that access complies with these policies.

  2. Encryption

    Vendor implements industry standard encryption for all encryption within the subscription service. At a minimum, Vendor will use the Advanced Encryption Standard (AES) algorithm with a minimum key size of 256 bits for encryption at rest and Transport Layer Security (TLS) 1.2 for encryption in transit.

  3. Network Security

    Vendor has network protections in place that are standard for a SaaS organization. Cloud-native tools such as security groups, software-defined networking, and infrastructure as code ensure that the Cloud network has protections in place.

  4. Host Security

    Vendor uses reasonable efforts to ensure that Vendor’s operating systems and applications associated with the subscription service and with Customer Data are hardened in accordance with CIS Security Benchmarks, and are patched and secured to mitigate the impact of security vulnerabilities in accordance with Vendor’s patch management processes. In addition, all servers have industry standard antivirus and host-based intrusion detection/prevention.

  5. Data Management

    Vendor has adequate information security infrastructure controls in place for Customer Data obtained, transported, and retained by Vendor for the provision of the Services. Vendor will destroy, delete, or otherwise make irretrievable Customer Data upon the disposal or repurposing of storage media containing Customer Data. Customer Data is logically separated from the Customer Data of other Vendor customers.

  6. Monitoring

    Vendor implements monitoring in its Cloud environment to ensure continuous security monitoring of events. Vendor uses Cloud-native logs to ensure that access and network events are monitored, logged, and stored. Infrastructure logs are stored for up to a year to support analysis and investigation as needed.

Notwithstanding the foregoing, Customer understands and acknowledges that Customer will be solely responsible for implementing and maintaining access and security controls on its own systems.

VII. Software Development Life Cycle

Vendor’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, configuration, maintenance, modification and management of infrastructure and software components. The SDLC methodology is consistent with the defined security, integrity, availability, and confidentiality policies of Vendor. System source/object code is protected from unauthorized access. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.

VIII. Security Incident Management

  1. Notice

    Vendor will notify Customer of any confirmed Security Incident. Vendor will cooperate with Customer’s reasonable requests for information regarding any such Security Incident, and Vendor will provide regular updates on the Security Incident and the investigative action and corrective action taken. “Security Incident” means unauthorized access to, acquisition, or use of unencrypted Customer Data that has the potential to cause identity theft or financial harm to Customer’s employees or participants.

  2. Remediation

    In the event that Vendor knows or has reason to know of a Security Incident, Vendor will, at its own expense: (i) investigate the Security Incident; (ii) provide Customer with a remediation plan to address the Security Incident and to mitigate the incident and reasonably prevent any further incidents; (iii) remediate the effects of the Security Incident in accordance with such remediation plan; and (iv) reasonably cooperate with Customer and any law enforcement or regulatory official investigating such Security Incident.

IX. Business Continuity and Disaster Recovery

Vendor implements and maintains business continuity and disaster recovery capabilities designed to minimize disruption of providing the Services to Customer. Vendor will review its business continuity and disaster recovery plans on at least an annual basis and update such plans, as needed. Further, Vendor will, at its discretion, perform annual testing of its business continuity and disaster recovery capabilities and provide to Customer, upon written request, and during the term of the Agreement, a summary of Vendor’s business continuity and disaster recovery capabilities, including related testing performed during the last year.