Last updated: November 18, 2020
This User Interviews Security Addendum (“Security Addendum”) to the commercial services agreement and/or terms between User Interviews and Customer (“Agreement”) sets forth certain additional terms that apply in connection with Customer’s access and use of the Services. This Security Addendum is subject to and part of the Agreement. In the event of an express conflict between the terms of the Agreement and the terms of this Security Addendum, the terms of this Security Addendum shall control.
Unless otherwise provided herein, all capitalized terms used in this Security Addendum shall have the meaning ascribed to them in the Agreement.
1. Access to Customer Data. To the extent User Interviews may be given access to Customer Data in connection with the Agreement or any Order Form, User Interviews shall be responsible for all actions of User Interviews personnel relating to its and their use of the Customer Data. User Interviews shall restrict access to the Customer Data to the least degree of access required for performance of the Services (principle of least privilege). User Interviews and User Interviews personnel are not permitted to access from, store, cache or download any Customer Data to CD-ROMS, flash drives, portable hard drives, tape or other removable media (collectively, “Removable Media”), any other portable device, such as laptops, smartphones and tablets (collectively, “Portable Devices”), or any other non-portable device or system, unless such Removable Media, Portable Device or non-portable device or system is issued or approved by User Interviews and subject to User Interviews’ security policies (“User Interviews Authorized Device”).
2. Data Security Program. User Interviews shall implement and maintain physical, technical, and organizational security measures designed to protect the Customer Data against unauthorized access, use, destruction, loss, disclosure, and improper alteration (“User Interviews Data Security Program”). The User Interviews Data Security Program shall include: (i) industry standard security systems, computers and technologies, including firewalls and encryption; (ii) physical security procedures and monitoring of User Interviews’ data centers; (iii) restriction of access to Customer Data on a “need-to-know” basis and only from User Interviews Authorized Devices; (iv) monitoring of the processing and storage of Customer Data; (v) monitoring of password procedures; (vi) training for User Interviews personnel accessing Customer Data; and (vii) procedures to prevent a breach of confidentiality when providing Services to Customer, or obtaining services from any third party.
3. Obligations. User Interviews shall, and shall take steps to ensure that its personnel, process all Customer Data in compliance with applicable law. User Interviews shall also ensure that such personnel have committed themselves to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
4. General Security Controls. The User Interviews Data Security Program shall (i) adhere to industry standard practices and applicable industry compliance standards; (ii) comply with applicable law; and (iii) be designed to provide a secure technology environment. The User Interviews Data Security Program will at a minimum include the following security controls:
A. Secure Service Provider Network
   i. Use of firewalls and antivirus software throughout the Service Provider Network
   ii. Use of web application firewalls
   iii. Intrusion detection and/or intrusion prevention systems
   2. Protect Customer Data, using controls such as:
      i. Encryption of Customer Data at rest and in transit, using 128-bit or higher encryption
      ii. Data segmentation to prevent unauthorized access to Customer Data
      iii. Regular backup procedures
   3. Have a qualified 3rd party conduct annual penetration testing of User Interviews’ application network
B. Access Controls
   i. Non-generic, complex, periodically changing passwords and use of strong encryption (i.e. Transport Layer Security, “TLS”) to encrypt user IDs and passwords during transmission
   ii. Segregation of functions and duties
   iii. Multi-factor authentication for administrative access and access to Customer Data
   iv. Logging access to assets processing or storing Customer Data and conducting regular access reviews
   v. Implementation and enforcement of the least privilege access principle
C. Security Awareness, Training and Background Checks
   1. Maintain and comply with internal information security policies and standards
   2. Conduct annual company-wide information security awareness training, including information security incident responses
   3. Perform employee background checks for User Interviews personnel with access to Customer Data
D. Incident Management
   1. Prepare and maintain an information security incident response plan.
E. Physical Security
F. Business Continuity and Disaster Recovery
H. Return and Disposal
5. Security Audits. User Interviews shall provide to Customer at the request of and at no cost to Company, summaries of any internal or third party audits of its information security policies, practices, and controls, to the extent such audits and report summaries are available. Such requests shall not be made more than once in any twelve (12) month period. Nothing herein is meant to create an obligation of User Interviews to perform such audits.
6. Information Security Incident. If User Interviews becomes aware of any unauthorized access, disclosure, loss or use of Customer Data (each an “Information Security Incident”), it shall report such Information Security Incident in detail to Customer no more than forty-eight (48) hours after the detection of the Information Security Incident, and shall take immediate and appropriate remedial actions.
A. Audit. Following an Information Security Incident, User Interviews shall, upon Customer’s request, provide Company access to User Interviews’ personnel, information, and documentation in order to verify User Interviews’ compliance with the terms of this Security Addendum.