Drift Information Security Addendum
This Information Security Addendum (“ISA”) is incorporated into the Master Software Subscription Agreement (the “Agreement”), between Drift and Customer governing Customer’s use of Drift’s Platform.
- Management Accountability. Drift has defined and assigned management accountability and responsibilities for information security and data protection, which include:
- Active monitoring and review of all data processing as it relates to the Platform and Services provided in the Agreement; and
- Independent review and verification of the design and operating effectiveness of its information security management (i.e. control objectives, controls, policies, processes and procedures for information security) and technical compliance of its information systems, at a minimum once annually, or in the event of material changes.
- Security Requirements. Drift maintains Physical, Administrative, and Technical Safeguards consistent with industry-accepted best practices (such as the International Organization for Standardization’s ISO 27001 and 27002 standards, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security Critical Security Controls for Effective Cyber Defense, or other industry-accepted standards for information security) to protect the Confidentiality, Integrity, and Availability of Customer Content.
- Third Party Attestations. Upon reasonable written request, Drift shall provide the following to the Customer:
- Drift’s SOC 2 Type 2 report issued by a licensed Certified Public Accountant in good standing; and
- Report, or summary of findings, of a penetration test (“pen test”) or vulnerability assessment performed by an independent party and drafted by that independent party.
- Risk Management Process. Drift has a formal, documented, security and privacy risk identification, assessment, mitigation, and management process.
- Information Security Policies. Drift has written policies for information security management, incident response, and disaster recovery. Drift regularly reviews such policies and documented operating procedures to ensure their ongoing suitability.
- Human Resource Controls. Drift has in place adequate human resource measures to ensure that Customer Content is protected from intentional or accidental destruction or loss, which include:
- Appropriate background checks, including criminal history screening, performed on all Personnel pre-employment;
- Personnel policies restricting the disclosure of Customer Content;
- Personnel policies in respect of each employee and contractor’s access rights to Customer Content;
- Contractual agreements with its Personnel that include provisions to enforce their internal and customer compliance obligations, and appropriate confidentiality and non-disclosure obligations that state consequences of any violations of such obligations; and
- Conducting and maintaining a security awareness program, requiring all Personnel to complete security awareness training on at least an annual basis, and which covers relevant threats and business requirements (such as social-engineering attacks, handling Personally Identifiable Information or Personal Data, causes of unintentional data exposure, and security incident identification and reporting) to ensure they understand their responsibilities in relation to Customer Content; and
- Maintaining an off-boarding process to immediately revoke access of any terminated Personnel.
- Physical Access Controls to Processing Areas. Drift has in place suitable measures designed to prevent unauthorized individuals from gaining physical access to the equipment used for data processing, which include:
- Establishing appropriate physical access control policies;
- Protecting and restricting access to processing areas;
- Securing of data processing equipment;
- Establishing access authorizations for Personnel and third parties, including maintaining of respective documentation;
- Restrictions on access to, and management of, a physical access system (e.g. keys, key cards, keypad codes, biometric systems);
- Logging, alerting, and monitoring of all access to the data centers where Customer Content is hosted; and
- Data center controls: The data centers where Customer Content is hosted (i) will be protected by a security alarm system and 24/7 CCTV surveillance system, and will employ other appropriate security measures; (ii) will maintain appropriate environmental controls, including but not limited to temperature, humidity, smoke, and fire detection, prevention, and mitigation systems; and (iii) are designed with sufficient redundancy to meet Customer’s availability requirements and any service level and/or uptime agreements between Drift and the Customer.
- Logical Access. Drift shall only provide its Personnel with access to its network and network services which such Personnel have each been specifically authorized to use, provided that such Personnel have a reasonable need to access in order for Drift to provide the Platform and Services pursuant to the Agreement. Furthermore, Drift shall implement the following identity and access management controls:
- Drift shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices;
- Drift will maintain an inventory of all administrator accounts with access to Customer Content;
- A formally documented identity management process that includes account management and user account verification, deletion and/or disablement, among others;
- Drift will assign individual, unique IDs to all Personnel with access to Customer Content, including accounts with administrative access. Accounts with access to Customer Content will not be shared;
- Drift will periodically review Personnel and services with access to Customer Content and remove accounts that no longer require access.
- Drift will implement account and password management policies to protect Customer Content, including, but not limited to:
- Use of multifactor authentication for at least all remote and administrative access.
- Implementation of password controls for all accounts with access to Customer Content or processing facilities. The controls will comply with, or exceed, the Customer password requirements, which require complex passwords (pass phrase preferred) that contain at least one character from each of the following classes:
- Upper case;
- Lower case;
- Numeric; and
- Special character;
and that additionally contain no repeating characters and are a minimum of 8 characters in length.
- Before deploying any new hardware, software, or other asset, Drift will change all default and manufacturer-supplied passwords to a password consistent with the password strength requirement;
- Passwords shall be stored only in an industry-accepted hashed form (salted and one-way, never reversibly encrypted or in plain text) that is resistant to offline attacks; and
- Drift shall implement an industry-accepted rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on a user’s account.
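The following is an added worked example of the three technical password controls listed above (complexity check, offline-attack-resistant storage, and rate limiting of failed authentication attempts); it is illustration only and is not Drift’s code or part of the addendum. The reading of “no repeating characters” as “no character immediately repeated”, the scrypt cost parameters, and the five-failures-per-five-minutes lockout threshold are assumptions, as is the sample account and password data.

```python
"""Worked example of account and password controls: policy check, salted scrypt
storage, and a failed-attempt rate limiter. Added illustration, not Drift's
code; every parameter below is an assumption."""
import hashlib
import hmac
import os
import re
import time
from typing import Callable, Dict, List, Optional

MIN_LENGTH = 8
# Assumption: "no repeating characters" means no character immediately
# repeated (e.g. "ss"); the addendum does not define the term.
_REPEAT = re.compile(r"(.)\1")
_CLASSES = [
    ("upper", re.compile(r"[A-Z]")),
    ("lower", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
]
# scrypt cost: N=2**14, r=8, p=1 (about 16 MiB per hash) is a common
# interactive-login baseline; assumed here, tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def policy_violations(password: str) -> List[str]:
    """Return the requirements the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    for name, rx in _CLASSES:
        if not rx.search(password):
            problems.append(name)
    if _REPEAT.search(password):
        problems.append("repeat")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<key hex>'. A random per-user salt defeats
    precomputed tables; scrypt's memory cost slows offline brute force."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


class FailedAttemptLimiter:
    """Lock an account once max_failures failed logins occur within window
    seconds. Only failures count, so successful logins never trip the lock."""

    def __init__(self, max_failures: int = 5, window: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}

    def _recent(self, account: str) -> List[float]:
        now = self.clock()
        kept = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = kept  # store the pruned list so append() below mutates it
        return kept

    def is_locked(self, account: str) -> bool:
        return len(self._recent(account)) >= self.max_failures

    def record_failure(self, account: str) -> None:
        self._recent(account).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def login(account: str, password: str, stored_hash: str,
          limiter: FailedAttemptLimiter) -> str:
    """Return 'locked', 'ok' or 'bad'. The lock is checked before the expensive
    hash so a locked account costs the server almost nothing per attempt."""
    if limiter.is_locked(account):
        return "locked"
    if verify_password(password, stored_hash):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad"


if __name__ == "__main__":
    # Constructed sample: enrol one user, then simulate a guessing burst.
    limiter = FailedAttemptLimiter(max_failures=5, window=300.0)
    stored = hash_password("Tr0ub4dor&3x")
    print(policy_violations("Tr0ub4dor&3x"), policy_violations("Passw0rd!"))
    for guess in ["password", "Password1!", "Tr0ub4dor&3!", "hunter2",
                  "letmein", "Tr0ub4dor&3x"]:
        print(guess, "->", login("alice", guess, stored, limiter))
```

The limiter keys on the account rather than the source address, because the control in the addendum is about attempts “on a user’s account”; a deployment would usually also rate-limit per source address and alert on lockouts, since an attacker can otherwise use the lockout itself to deny service to a known user.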
- Asset Management. Drift documents and maintains an inventory of assets and implements appropriate asset management controls, which include:
- Identification and management of assets associated with the handling, processing, storage or transmission of Customer Content;
- Ensuring that all items of equipment containing storage media are verified to confirm that any confidential data and/or licensed software associated with the provision of Services to Customer has been securely wiped (e.g. by cryptographic erasure or overwriting in accordance with NIST SP 800-88; ordinary re-formatting alone does not reliably remove data) prior to removal from secure premises. Drift shall ensure evidence is retained of secure disposal of any such media; and
- Ensuring that all Personnel return to Drift any Customer Content or assets allocated to them upon termination of their employment or contract.
- Endpoint Security. Drift maintains suitably designed endpoint security measures, including:
- Demonstrated provisioning, hardening, anti-virus/anti-malware software, and patching processes.
- Encryption of all system hard drives (e.g., desktops, laptops, workstations, servers, mobile devices) that contain Customer Content.
- Encryption of Customer Content both in transit and at rest.
- Drift shall manage security configurations of its systems using industry best practices to protect Customer Content from exploitation through vulnerable services and settings.
- Network Security. Drift networks, including the network infrastructure itself, have appropriate levels of protection, including:
- Remote access to (i) any network, system, application, or other Drift asset containing Customer Content and (ii) Drift’s corporate or development networks will require multi-factor authentication (i.e., requiring at least two factors to authenticate a user); Drift will additionally require and deploy single sign-on (SSO) protocols where possible.
- Drift will maintain and configure firewalls to protect systems containing Customer Content from unauthorized access. Drift will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
- Drift shall disable all unnecessary external-facing services, protocols, and ports. Authorized services will be documented by Drift with a business justification and receive any required approvals.
- Logs. Drift has implemented application and system logging as well as management controls, including:
- Logging facilities and log information shall be protected against tampering and unauthorized access;
- Drift will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect Customer Content;
- Event logs, including administrator and operator logs, recording access, activities, exceptions, faults and information security events shall be generated, monitored and retained for the duration of the Agreement and for six (6) months after expiry or termination; and
- In a multi-tenant environment with a shared responsibility model (e.g. a SaaS), Drift shall associate logs with a unique Customer implementation ID, where possible, and provide this information to Customer upon request.
- Incident Management. Drift maintains an updated written information security incident response plan, including a process to notify and involve Customer where appropriate. Drift shall ensure that management responsibilities and procedures are established to ensure a quick, effective and orderly response to information security incidents. Information security events shall be reported through appropriate management channels as quickly as possible. Procedures will be in place to actively monitor, review, and act on any unauthorized processing of Customer Content. Drift shall test its Incident Management plan at least annually.
- Vulnerability and Penetration Tests. Drift maintains a process to identify and remediate, in a timely manner, system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Customer Content. Drift:
- Conducts vulnerability scans and penetration tests on the IT infrastructure used to process Customer Content; and
- Maintains a process to report and mitigate all vulnerabilities identified in the scan and test in a timely manner. Specifically: (i) Critical/Severe rated vulnerabilities shall be remediated immediately; (ii) High rated vulnerabilities shall be remediated within thirty (30) calendar days; (iii) Medium rated vulnerabilities shall be remediated within ninety (90) calendar days; and (iv) Low rated vulnerabilities shall be remediated within one hundred twenty (120) calendar days.
- Software Development. Drift will ensure that all software developed or maintained for the Customer follows a Software Development Life Cycle (SDLC) process and is designed to be free of any known critical/severe, high and medium rated application security vulnerabilities (as defined by industry standards). Specifically:
- Drift has established principles for engineering secure systems. These principles are documented, maintained and applied to any information systems implementation efforts.
- Drift shall ensure adequate physical and/or logical separation between development, testing, and production environments to prevent unauthorized or unintended changes to the production environment;
- Changes to production systems are tracked, recorded, and reviewed. Such changes shall not provide materially less than the current level of security and protection;
- Personnel of Drift are sufficiently and periodically trained in secure coding techniques, including the OWASP Top 10;
- The SDLC process includes software security reviews covering all aspects of applications delivered to the Customer, including custom code, components, products, and system configuration. Such review includes testing for security vulnerabilities and provides assurance that open source code used in the development of the product is free from known vulnerabilities and is current; and
- Drift will remediate and retest all the identified critical/severe and high rated vulnerabilities. All the medium, low or informational rated security issues discovered after delivery will be handled in the same manner as other bugs and issues as specified in the Agreement.
- Data Management. Drift has a demonstrable process to manage and protect Customer Content. Specifically:
- Drift will document and maintain information regarding how and where Customer Content is processed while in Drift’s possession or control (i.e., data inventory);
- The Customer’s production data will not be used in Drift’s development or staging environment. If production data is used, Drift will de-identify the Customer Content and apply all applicable user access and data management controls to the non-production environment;
- Customer Content will be logically separated from that of other Drift customers;
- Customer Content will be retained in accordance with defined retention periods and only for as long as is necessary for the purpose(s) for which it was collected;
- At any point during the term of the agreement or the one hundred and eighty (180) day period immediately following termination thereof, and upon written request from Customer, Drift will render all Customer Content on Drift’s systems and applications inaccessible, unreadable, or otherwise sanitized; and, upon request, will supply Customer with written confirmation of compliance, including the date of completion. Absent such a request, Drift will wait one hundred and eighty (180) days after the termination of the agreement prior to permanently deleting all Customer Content;
- Any transfer or exchange of Customer Content will be carried out in a secure manner; and
- All Customer Content will be protected by access controls. All Customer Content will be protected from improper access, disclosure, modification, and deletion.
- Business Continuity & Disaster Recovery Plan. Drift maintains a business continuity and disaster recovery plan designed, maintained and followed to maintain and/or resume the availability of the Services according to the Recovery Time Objective (“RTO”) and Recovery Point Objective (“RPO”) set forth below. Upon request, Drift shall provide a summary of its business continuity plan. The plan will include, at a minimum:
- RTO: 24 hours;
- At least an annual exercise;
- Summary report of results, gaps, findings and remediation (if any) for all exercises; and
- Procedural documentation of recovery tasks.
Planned and unplanned outages are documented at https://drift.status.io. On a periodic basis, restoration tests shall be performed to determine whether the backed-up data is recoverable and if Drift can meet its responsibilities to maintain service availability. Annual fire drills and tabletop or disaster recovery exercises shall also be performed.
- Right to Audit. The Customer, or a third party on their behalf, at no additional cost to Drift and upon reasonable advance notice, but no more than once per calendar year, may conduct an information security assessment of Drift’s services. Such assessment will consist of a written security assessment questionnaire and requests for supporting documentation. Drift will provide the necessary documentation within thirty (30) days of the request. In response, Drift shall provide the Customer with its most recent third-party assessments/reports, which may include its SOC 2 Type 2 report, third-party penetration test executive summary report, written responses to Customer’s questionnaire, and all supporting documentation that Drift generally makes available to its customers to verify that Drift employs commercially reasonable practices and procedures in compliance with this agreement. Should follow-up questions arise as a result of the above process, Drift Personnel will participate in online meetings with the Customer to clarify Customer’s understanding of Drift information security processes and procedures as they relate to the Services. Drift will provide the Customer with written responses to any audit findings identified by Customer, including a timetable for remediation of said findings.
- Definitions.
- “Confidentiality, Integrity, and Availability” refers to the three properties of the information security model known as the “CIA Triad.” Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes. Integrity is the property that data or information have not been altered or destroyed in an unauthorized manner. Availability is the property that data or information is accessible and useable upon demand by an authorized person.
- “Customer Content” shall have the same definition as in the Agreement.
- “Personnel” means Drift’s or its contractors or subcontractor’s employees, agents, subcontractors, and other authorized users of its systems and network resources.
- “Physical, Administrative, and Technical Safeguards” refers to the controls Drift has implemented to maintain information security. Physical safeguards address physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Administrative safeguards address administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic data or information and to manage the conduct of Personnel in relation to the protection of that data or information. Technical safeguards address the technology, and the policies and procedures for its use, that protect electronic data or information and control access to it.