Salesloft Security Measures Description
Salesloft has implemented and will maintain during the term of the Agreement the technical and organizational measures described below. All capitalized terms not defined herein will have the meaning given to them within the Master Subscription Agreement found at https://www.salesloft.com/legal/msa or the other applicable master agreement governing Customer’s access to and use of Salesloft’s cloud-based services.

Governance

Security Program. Salesloft maintains an enterprise-wide security program, including an information-security management system (“ISMS”), that is consistent with commonly accepted industry standards (such as ISO/IEC 27001, SOC 2).

Security Organization. Salesloft has a formal Information Security Team, composed of personnel dedicated to security-related job responsibilities such as security engineering, security operations, and governance, risk, and compliance.

Policies and Standards. Salesloft maintains security and privacy policies and standards that are approved by Salesloft management, reviewed at least annually, and made available to all employees.

Controls. Salesloft has implemented and maintains administrative, technical, and organizational controls that are designed, taking into account the nature of the Subscription Services and the data processed, to protect the confidentiality, integrity, and availability of Customer Data.

Audits, Attestations, and Certifications. Salesloft’s security program is subject, on at least an annual basis, to internal reviews, internal audits, and external audits. Where relevant to Salesloft’s processing of Customer Data, certifications or attestations resulting from external audits shall be made available to Salesloft customers upon request.

Personnel Security

Employee Screening. Salesloft performs background checks on all employees. Background checks may include, as permitted by law, criminal-record checks, employment-history verification, and education verification.

Confidentiality and Security Obligations. All Salesloft employees are required to execute employment contracts that include confidentiality terms.

Training. All Salesloft employees are required to complete security- and privacy-awareness training, and provide acknowledgement of security and privacy policies, during onboarding and at least annually thereafter.

Hosting Environments

Data Centers. The Subscription Services operate on software-defined (i.e., infrastructure-as-a-service, or IaaS) infrastructure in data centers for which the hosting providers have implemented and operate controls in alignment with commonly accepted industry standards (such as ISO/IEC 27001, SOC 2), including:

    Physical-security controls designed to prevent unauthorized access to the infrastructure; and

    Environmental controls (e.g., power management, temperature regulation, flood alarms, and fire suppression) designed to prevent or mitigate operational disruptions.

Network Security. Salesloft has implemented and configured network controls, including firewalls or equivalent technology, virtual private clouds (“VPCs”) and/or virtual local-area networks (“VLANs”), and access-control lists (“ACLs”) designed to prevent unauthorized access to, or transmissions within, the internal networks of the production environments used to provide the Subscription Services.

Logical Security

Access Control. Salesloft restricts access by Salesloft personnel to systems and Customer Data using role-based access controls (“RBAC”) designed in accordance with the principle of least privilege.

Authentication. Access to systems that process Customer Data requires authentication through an approved mechanism that enforces multi-factor authentication (“MFA”) and/or passwords that meet or exceed commonly accepted length, complexity, and lifecycle requirements.

Revocation. Access to Salesloft systems processing Customer Data is revoked promptly upon employee termination.

Access Reviews. Access to critical systems that process Customer Data is reviewed at least quarterly.

Encryption of Data at Rest. The Subscription Services encrypt Customer Data at rest using algorithms and protocols (e.g., AES-256) commonly accepted as providing “strong encryption”.

Encryption of Data in Transit. The Subscription Services support the encryption of Customer Data in transit over public networks using algorithms and protocols (e.g., HTTPS/TLS 1.2+) commonly accepted as providing “strong encryption”.

Configuration and Change Management

Configurations. Salesloft configures systems in accordance with, and performs scans of configurations for deviations from, established benchmarks for hardened security configurations.

Change Management. Salesloft maintains a change-management process designed to ensure changes to systems are tested (where feasible), approved, and authorized prior to implementation in the production environment.

Operations

Resiliency and Availability. The infrastructure for the Subscription Services utilizes high-availability services and spans multiple geographically diverse and fault-independent availability zones designed to provide operational resiliency and high availability of the Subscription Services and Customer Data.

Monitoring. Salesloft has implemented and maintains tooling and processes to monitor the Subscription Services for, and promptly alert personnel to, operational incidents, suspicious or anomalous activity, and indicators of compromise.

Logging. System and application audit logs are securely collected and maintained for a commercially reasonable period to facilitate forensic investigations.

Patching. Salesloft uses commercially reasonable efforts, commensurate with the potential risk exposure as determined in Salesloft’s reasonable discretion, to patch or upgrade system components, or implement alternative measures designed to mitigate the risk of exploitation, for known security weaknesses in the Subscription Services.

Security Testing

Vulnerability Scans. Salesloft performs scans of the infrastructure in each production environment processing Customer Data at least daily to detect potential vulnerabilities.

Penetration Testing. The Subscription Services are subject to security testing, including penetration testing, at least annually by a qualified independent third party, and on an ongoing basis by independent security researchers participating in a bug-bounty program.

Remediation. Salesloft uses commercially reasonable efforts to remediate or mitigate known vulnerabilities and security defects within the Subscription Services in accordance with target timelines commensurate with the potential risk exposure, as determined in Salesloft’s reasonable discretion.

Data Backups

Data Replication. The Subscription Services utilize high-availability services that include data replication across availability zones (i.e., multiple data centers).

Periodic Backups. The Subscription Services perform backups of Customer Data at least daily.

Restoration Tests. Testing designed to validate the ability to restore Customer Data from backups is conducted at least annually.

Disaster Recovery and Business Continuity

Policy and Processes. Salesloft maintains a formal Disaster-Recovery (“DR”) and Business-Continuity (“BC”) policy and related processes designed to mitigate the impact of major disruptions to the Subscription Services due to a disaster scenario (i.e., the hosting environments becoming unavailable) or major disruptions to business operations (e.g., corporate offices being unavailable, a pandemic event, etc.).

With respect to the Salesloft systems that process Customer Data:
Salesloft reserves the right to update the technical and organizational measures at any time in Salesloft’s discretion, provided that Salesloft does not reduce the overall security of Customer Data during Customer’s then current committed subscription term.