The following are the Data Security Standards in respect of the Cloud Service provided by Varicent to Customer pursuant to the Varicent Cloud Services Agreement at https://www.varicent.com/legal_terms (the “Agreement”). Capitalized terms shall have the meanings set forth in the Agreement or elsewhere herein.
Varicent shall implement the following technical and organizational measures (“TOMs”) in its provision of the Cloud Service, including any underlying applications, platforms, and infrastructure components operated and managed by Varicent in providing the Cloud Service (“Components”).
1. DEFINITIONS
Capitalized terms shall have the meanings set forth in this Schedule or elsewhere in the Agreement. The terms “Data Subjects”, “Processing”, “Personal Data Breach”, “Data Protection Impact Assessment”, “Processor” and “Controller” shall have the meanings given to them in the GDPR. The term “Supervisory Authority” shall mean a regulatory or other governmental body or authority with jurisdiction or oversight over Data Protection Laws. The term “C2P SCCs” shall mean the Standard Contractual Clauses between Controllers and Processors (Module Two) as approved by the European Commission Implementing Decision 2021/914 of June 4, 2021 (“Decision”). The term “P2P SCCs” shall mean the Standard Contractual Clauses between Processors (Module Three) as approved by the Decision. The P2P SCCs together with the C2P SCCs shall be referred to as the “EU SCCs”. The EU Standard Contractual Clauses (2010/87/EU) shall be referred to as the “2010 SCCs”. The “UK Addendum” shall refer to the template issued by the UK Information Commissioner and approved by the UK Parliament, which came into force on March 21, 2022. Unless otherwise indicated, references in this Schedule to Sections or Attachments mean the Sections of, and Attachments to, this Schedule.
2. DATA PROTECTION
2.1. The security and privacy measures for the Cloud Service are designed to protect Customer Data input therein and to maintain the availability of such Customer Data pursuant to the Agreement. Varicent shall treat all Customer Data as confidential by not using, maintaining, or disclosing Customer Data except for purposes of providing the Cloud Service pursuant to the Agreement or as otherwise required by applicable Law, and specifically shall not disclose Customer Data except to Varicent Personnel, and only to the extent necessary to deliver the Cloud Service, unless otherwise specified in the Agreement.
2.2. Varicent shall securely sanitize physical media intended for reuse prior to such reuse and shall destroy physical media not intended for reuse.
2.3. The TOMs set forth in this Schedule shall be subject to audits as set forth in the applicable Software Schedule for the Software ordered by Customer in an Order. Upon request, Varicent shall provide evidence of stated compliance and accreditation, such as certificates, attestations, or reports resulting from accredited independent Third-Party audits, and other industry standards as specified in the Agreement.
2.4. Additional security and privacy information specific to the Cloud Service may be available elsewhere in the Agreement or the Documentation to aid in Customer’s initial and ongoing assessment of the Cloud Service’s suitability for use. Varicent shall direct Customer to available standard Documentation and/or audit reports/certifications if asked to complete Customer-preferred questionnaires or forms, and Customer agrees such Documentation shall be used in lieu of any such request. Varicent may charge an additional fee to complete any Customer-preferred questionnaires or forms or to provide consultation to Customer for such purposes.
3. SECURITY POLICIES
3.1. Varicent shall maintain and follow IT security policies and practices that are integral to Varicent’s business and mandatory for all Varicent employees. Varicent’s management shall maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement.
3.2. Varicent shall review its IT security policies at least annually and amend such policies as Varicent deems reasonable to maintain protection of the Cloud Service and Customer Data processed therein.
3.3. Varicent shall maintain and follow its standard mandatory employment verification requirements for all new hires. In accordance with Varicent internal processes and procedures, these requirements shall be periodically reviewed and include criminal background checks, proof of identity validation, and additional checks as deemed necessary by Varicent and permitted under applicable Law.
3.4. Varicent employees shall complete security and privacy education annually and certify each year that they shall comply with Varicent security and privacy policies. Additional policy and process training may be provided to individuals depending on their role in supporting the business and as required to maintain compliance and certifications stated in the Agreement.
4. SECURITY INCIDENTS
4.1. Varicent shall maintain and follow documented incident response policies for computer Security Incident handling and shall comply with the data breach notification terms of the Agreement.
4.2. Varicent shall investigate unauthorized access and unauthorized use of Customer Data in connection with or through the Cloud Service of which Varicent becomes aware (a “Security Incident”) and Varicent shall define and execute an appropriate response plan. Customer may notify Varicent of a suspected vulnerability or Security Incident by submitting a support ticket.
4.3. Varicent shall notify Customer without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by Varicent to affect the Customer Data, as may be required by applicable Law or the terms of the Agreement. Varicent shall provide Customer with reasonably requested information about such Security Incident and the status of any Varicent remediation and restoration activities.
4.4. Varicent shall notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to the Cloud Service. Varicent shall promptly investigate the Personal Data Breach if it occurred on Varicent infrastructure or in another area for which Varicent is responsible and shall assist Customer as set forth in Section 9.
5. ACCESS, INTERVENTION, TRANSFER, AND SEPARATION CONTROL
5.1. Varicent shall maintain documented security architecture of networks managed by Varicent in its operation of the Cloud Service. Varicent shall separately review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense-in-depth standards prior to implementation.
5.2. Varicent shall maintain measures for the Cloud Service that are designed to logically separate and prevent Customer Data from being exposed to or accessed by unauthorized Persons. Varicent shall maintain appropriate isolation of its production and non-production environments, and, if Customer Data is transferred to a non-production environment (for example, in order to reproduce an error at Customer's request), security and privacy protections in the non-production environment shall be equivalent to those in production.
5.3. Varicent shall encrypt Customer Data in transit using industry-accepted cryptographic algorithms when transferring Customer Data over public networks and shall enable use of a cryptographic protocol, such as HTTPS, SFTP, or FTPS, for Customer’s secure transfer of Customer Data to and from the Cloud Service over public networks.
5.4. Varicent shall encrypt Customer Data at rest using industry accepted cryptographic algorithms. Varicent manages the cryptographic keys and shall maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.
5.5. If Varicent requires access to Customer Data, it shall restrict such access to the minimum level required. Such access, including administrative access to any underlying Components (“Privileged Access”), shall be individual, role-based, and subject to approval and regular validation by authorized Varicent Personnel following the principles of segregation of duties. Varicent shall maintain measures to identify and remove redundant and dormant accounts with Privileged Access and shall promptly revoke such access upon the account owner’s separation or the request of authorized Varicent Personnel, such as the account owner’s manager.
5.6. Consistent with industry standard practices, and to the extent natively supported by each Component managed by Varicent within the Cloud Service, Varicent shall maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.
5.7. Varicent shall monitor use of Privileged Access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity; (b) facilitate a timely and appropriate response; and (c) enable internal and independent Third Party audits of compliance with documented Varicent policy.
5.8. Logs in which Privileged Access and activity are recorded shall be retained in compliance with Varicent’s records management plan. Varicent shall maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.
5.9. To the extent supported by native device or operating system functionality, Varicent shall maintain computing protections for its end-user systems that include endpoint firewalls, encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.
6. SERVICE INTEGRITY AND AVAILABILITY CONTROL
6.1. Varicent shall: (a) perform security and privacy risk assessments of the Cloud Service at least annually; (b) perform penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, annually; (c) enlist a qualified independent Third Party to perform penetration testing at least annually; (d) perform automated management and routine verification of underlying Components’ compliance with security configuration requirements; and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Varicent shall take reasonable steps to avoid Cloud Service disruption when performing its tests, assessments, scans, and execution of remediation activities.
6.2. Varicent shall maintain policies and procedures reasonably designed to manage risks associated with the application of changes to the Cloud Service. Prior to implementation, changes to the Cloud Service, including its systems, networks, and underlying Components, shall be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, and documented approval by authorized Varicent Personnel.
6.3. Varicent shall maintain a reasonably up-to-date inventory of all information technology assets used in its operation of the Cloud Service. Varicent shall monitor and manage the health (including capacity) and availability of the Cloud Service and its underlying Components.
Varicent shall implement, test, and maintain business continuity and disaster recovery plans consistent with industry standard practices and as described in the Agreement.
6.4. Varicent shall maintain measures designed to assess, test, and apply security advisory patches to the Cloud Service and its associated systems, networks, applications, and underlying Components. Upon determining that a security advisory patch is applicable and appropriate, Varicent shall implement the patch pursuant to documented severity and risk assessment guidelines. Implementation of security advisory patches shall be subject to Varicent change management policy.
6.5. Data Back-Up. Varicent shall back up the Cloud Service and Customer Data stored therein daily and copy such back-ups to an off-site location. Back-ups shall be encrypted at rest and during transmission to the off-site location.
6.6. Disaster Recovery. If a Force Majeure Event occurs that causes the Cloud Service to be unavailable, Varicent shall work to restore Customer’s access to the Cloud Service with a return to operation within fourteen (14) days. The environment shall be restored using the most recent data backup, with no more than twenty-four (24) hours of Customer Data loss of the restored Customer Data set.
7. PROCESSING OF CUSTOMER PERSONAL DATA
7.1. Processing.
7.1.1. Customer is (a) a Controller and exporter of any Personal Data that Varicent Processes on behalf of Customer (“Customer Personal Data”) or (b) acting as a Processor and exporter on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by Varicent as importer and Customer’s Subprocessor as set out in the Agreement. Customer appoints Varicent as a Processor to Process Customer Personal Data. If there are other Controllers, Customer shall identify and inform Varicent of any such other Controllers prior to providing their Personal Data, in accordance with this Schedule.
7.1.2. Customer shall comply with all applicable requirements of the Data Protection Laws, and Customer will ensure that it has a lawful basis and all necessary and appropriate consents and notices in place to enable the lawful transfer of Personal Data to Varicent for the duration and purposes of the Agreement.
7.1.3. A list of categories of Data Subjects, types of Customer Personal Data, Special Categories of Personal Data and the Processing activities is set out in Attachment A (Personal Data Processing Attachment). The duration of the Processing corresponds to the applicable Subscription Term, unless otherwise stated in Attachment A. The purpose and subject matter of the Processing is the provision of the Cloud Service as described in the Agreement.
7.1.4. Varicent shall Process Customer Personal Data according to Customer’s instructions set forth in the Agreement, and, if applicable, Customer’s and its Authorized Users’ use and configuration of the features of the Cloud Service. Customer may provide further legally required instructions regarding the Processing of Customer Personal Data (“Additional Instructions”) as described in Section 9.2. If Varicent notifies Customer that an Additional Instruction is not feasible, the Parties shall work together to find an alternative. If Varicent notifies Customer that neither the Additional Instruction nor an alternative is feasible, Customer may terminate its use of the Cloud Service which cannot be accommodated by Varicent within 14 days of Varicent’s notification to the Customer. If Varicent believes an instruction violates the Data Protection Laws, Varicent shall immediately inform Customer, and may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form. As of the Effective Date, Varicent does not believe that the laws and practices in any third country of destination applicable to its Processing of the Customer Personal Data prevent Varicent from fulfilling its obligations herein.
7.1.5. Customer shall serve as a single point of contact for Varicent. As other Controllers may have certain direct rights against Varicent, Customer undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. Varicent shall be discharged of its obligation to inform or notify another Controller when Varicent has provided such information or notice to Customer. Similarly, Varicent shall serve as a single point of contact for Customer with respect to its obligations as a Processor under the Agreement.
7.1.6. Varicent shall comply with all Data Protection Laws in respect of the Cloud Service applicable to Varicent as Processor. Varicent is not responsible for determining the requirements of Laws applicable to Customer’s business or that the Cloud Service meets the requirements of any such applicable Laws. As between the Parties, Customer is responsible for the lawfulness of the Processing of Customer Personal Data. Customer shall not use the Cloud Service in a manner that would violate applicable Data Protection Laws.
7.2. Data Subject Rights and Requests.
7.2.1. Varicent shall inform Customer of requests from Data Subjects exercising their Data Subject rights (including access, rectification, deletion, and blocking of data) addressed directly to Varicent regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Varicent shall reasonably assist Customer in handling such Data Subject requests in accordance with Section 9.2.
7.2.2. If a Data Subject brings a claim directly against Varicent for a violation of their Data Subject rights, Customer shall reimburse Varicent for any cost, charge, damages, expenses, or loss arising from such claim, to the extent that Varicent has notified Customer about the claim and given Customer the opportunity to cooperate with Varicent in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from Varicent damages resulting from Data Subject claims for a violation of their Data Subject rights caused by Varicent’s breach of its obligations under Section 7.1 of the Agreement or this Schedule.
7.3. Third Party Requests and Confidentiality.
7.3.1. Varicent shall not disclose Customer Personal Data to any Third Party unless authorized by Customer or required by applicable Law. If a government or Supervisory Authority demands access to Customer Personal Data, Varicent shall notify Customer prior to disclosure, unless such notification is prohibited by applicable Law.
7.3.2. Varicent requires all of its Personnel authorized to Process Customer Personal Data to commit themselves to confidentiality and not Process such Customer Personal Data for any other purposes, except on instructions from Customer or unless required by applicable Law.
7.4. Return or Deletion of Customer Personal Data. Upon termination or expiration of the Agreement, Varicent shall delete Customer Personal Data in its possession as set out in the Agreement, unless otherwise required by applicable Law.