Security Policy

Effective Date: January 1, 2023

This Security Policy is incorporated into and made a part of the written agreement between Cerby and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.

Cerby utilizes infrastructure-as-a-service cloud providers as further described in the Agreement and/or Documentation (each, a "Cloud Provider") and provides the Service to Customer using a VPC/VNET and storage hosted by the applicable Cloud Provider (the “Cloud Environment").

Cerby maintains and/or leverages its Cloud Provider’s comprehensive documented security program providing for physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and Customer Data (the “Security Program”), including, but not limited to, as set forth below. Cerby and/or its Cloud Provider regularly test and evaluate the Security Program, and may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.

1. Cloud Provider’s Audits & Certifications

1.1. Cerby currently relies on its Cloud Provider’s third-party reviewed Security Program as described in the following audits and certifications ("Third-Party Audits"), on at least an annual basis:

  • SOC 2 Type I

1.2. Third-Party Audits of Cerby’s Cloud Provider are available to Customer as described in Section 9.2.1.
1.3. To the extent Cerby does not obtain a Third-Party Audit of its own, Cerby will adopt or maintain, as applicable to its operations and the Service, an equivalent, industry-recognized framework.

2. Hosting Location of Customer Data

2.1. Hosting Location. The hosting location of Customer Data is the production Cloud Environment in the United States, or such other region mutually agreed to by Customer and Cerby, including as identified on the Order Form.

3. Encryption

Cerby encrypts Customer Data within the Service at-rest using AES 256-bit (or better) encryption. Cerby uses Transport Layer Security (TLS) 1.2 (or better) within the Service for Customer Data in-transit over untrusted networks. For clarity, Cerby has no control over the encryption policies established by the applicable Shared Account Provider within the Shared Account to which Customer integrates the Service, and has no liability in connection therewith. Cerby logically separates encryption keys from Customer Data.

4. System & Network Security

4.1. Access Controls. All Cerby personnel access to the Cloud Environment is via a unique user ID and consistent with the principle of least privilege. All such access requires and occurs through a bastion host, with multi-factor authentication and passwords based on unique cryptographic keys.
4.2. Separation of Environments. Cerby logically separates production environments from development and testing environments. The Cloud Environment is both logically and physically separate from Cerby's corporate offices and networks.
4.3. Firewalls / Security Groups. Cerby shall protect the Cloud Environment using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.
4.4. Hardening. The Cloud Environment shall be hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this Security Addendum.
4.5. Monitoring & Logging.
4.5.1. Infrastructure Logs. Monitoring tools or services, such as host-based intrusion detection tools, are utilized to log certain activities and changes within the Cloud Environment. These logs are further monitored, analyzed for anomalies, and are securely stored to prevent tampering for at least one year.
4.5.2. User Logs. As further described in the Documentation, Cerby also captures logs of certain activities and changes within the Account and makes those logs available to Customer for Customer's preservation and analysis.
4.6. Vulnerability Detection & Management.
4.6.1. Anti-Virus & Vulnerability Detection. The Cloud Environment leverages advanced threat detection tools, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Cerby does not monitor Customer Data for Malicious Code.
4.6.2. Penetration Testing & Vulnerability Detection. Cerby regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of the Service at least annually.
4.6.3. Vulnerability Management. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, Cerby will use commercially reasonable efforts to address private and public (e.g., US-CERT announced) critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. To assess whether a vulnerability is ‘critical’, ‘high’, or ‘medium’, Cerby leverages the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS), or where applicable, the US-CERT rating.

5. Administrative Controls

5.1. Personnel Security. Cerby requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.
5.2. Personnel Training. Cerby maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding and on-going training.
5.3. Personnel Agreements. Cerby personnel are required to sign confidentiality agreements. Cerby personnel are also required to sign Cerby's information security policy, which includes acknowledging responsibility for reporting security incidents involving Customer Data.
5.4. Personnel Access Reviews & Separation. Cerby reviews the access privileges of its personnel to the Cloud Environment at least quarterly, and removes access on a timely basis for all separated personnel.
5.5. Cerby Risk Management & Threat Assessment. Cerby's security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.
5.6. External Threat Intelligence Monitoring. Cerby reviews external threat intelligence, including US-CERT vulnerability announcements and other trusted sources of vulnerability reports. US-CERT announced vulnerabilities rated as critical or high are prioritized for remediation in accordance with Section 4.6.3 (Vulnerability Management).
5.7. Change Management. Cerby maintains a documented change management program for the Service.
5.8. Vendor Risk Management. Cerby maintains a vendor risk management review for vendors that process Customer Data designed to verify that each vendor maintains security measures consistent with Cerby's obligations in this Security Addendum.

6. Physical & Environmental Controls

6.1. Cloud Environment Data Centers. To ensure the Cloud Provider has appropriate physical and environmental controls for its data centers hosting the Cloud Environment, Cerby regularly reviews those controls as audited under the Cloud Provider's third-party audits and certifications. Each Cloud Provider shall have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks, which shall include, but are not limited to, the following controls:
6.1.1. Physical access to the facilities is controlled at building ingress points;
6.1.2. Visitors are required to present ID and are signed in;
6.1.3. Physical access to servers is managed by access control devices;
6.1.4. Physical access privileges are reviewed regularly;
6.1.5. Facilities utilize monitor and alarm response procedures;
6.1.6. Use of CCTV;
6.1.7. Fire detection and protection systems;
6.1.8. Power back-up and redundancy systems; and
6.1.9. Climate control systems.

7. Incident Detection & Response

7.1. Security Incident Reporting. If Cerby becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a "Security Incident"), Cerby shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware.
7.2. Investigation. In the event of a Security Incident as described above, Cerby shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year.
7.3. Communication and Cooperation. Cerby shall provide Customer timely information about the Security Incident to the extent known to Cerby, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Cerby to mitigate or contain the Security Incident, the status of Cerby's investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Cerby personnel do not have visibility to the content of Customer Data, it will be unlikely that Cerby can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Cerby with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Cerby of any fault or liability with respect to the Security Incident.

8. Deletion of Customer Data

8.1. By Customer. The Service provides Customer controls for the deletion of Customer Data, as further described in the Documentation.
8.2. By Cerby. Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, Cerby shall promptly delete any remaining Customer Data.

9. Customer Rights & Shared Security Responsibilities

9.1. Customer Penetration Testing. Customer may provide a written request for a penetration test of its Account ("Pen Test") by submitting such request via a support ticket. Following receipt by Cerby of such request, Cerby and Customer shall mutually agree in advance on details of such Pen Test, including the start date, scope and duration, as well as reasonable conditions designed to mitigate potential risks to confidentiality, security, or other potential disruption of the Service or Cerby's business. Pen Tests and any information arising therefrom are deemed Cerby's Confidential Information. If Customer discovers any actual or potential vulnerability in connection with a Pen Test, Customer must immediately disclose it to Cerby and shall not disclose it to any third-party.
9.2. Shared Security Responsibilities. Without diminishing Cerby's commitments in this Security Addendum, Customer agrees:
9.2.1. that Cerby has no obligation to assess the content of Customer Data to identify information subject to any specific legal, regulatory or other requirement, and that Customer is responsible for making appropriate use of the Service to ensure a level of security appropriate to the particular content of Customer Data, including, where appropriate, implementation of encryption functionality;
9.2.2. to be responsible for managing and protecting its User roles and credentials, including but not limited to (i) requiring that all Users keep credentials confidential and not share such information with unauthorized parties, (ii) reporting to Cerby any suspicious activities in the Account or if a user credential has been compromised, (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration;
9.2.3. to appropriately manage and protect any Customer-managed encryption keys to ensure the integrity, availability, and confidentiality of the key and Customer Data encrypted with such key; and
9.2.4. to promptly update its Client Software whenever Cerby announces an update.
