May 1, 2023
Freshworks as a data processor uses the technical and organisational measures (listed below), to assist in providing services as described in our Terms of Service and the DPA customers may have signed with us.
Processor maintains and enforces various policies, standards and processes designed to secure Personal Data and other data to which Processor employees are provided access, and updates such policies, standards and processes from time to time consistent with industry standards. Following is a description of some of the technical and organizational measures implemented by Processor as of the date of signature:
1.1 Processor shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Processor, if any, comply with all of the foregoing. Processor shall designate an individual to be responsible for the information security program. Such individual shall respond to Controller inquiries regarding computer security and to be responsible for notifying Controller-designated contact(s) if a breach or an incident occurs, as further described herein.
1.2 Processor shall conduct formal privacy and security awareness training for all its employees as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Processor, confirming that this training and subsequent annual recertification process have been completed.
1.3 Controller shall have the right to review an overview of Processor’s information security program prior to the commencement of Service and annually thereafter upon Controller request.
1.4 Processor shall not transmit any unencrypted Personal Data over the internet or any unsecured network. Processor shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.
1.5 In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and without undue delay and within 72 hours following confirmation of any such event, provide Controller notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller.
2.1 All Processor connectivity to Controller computing systems and/or networks and all attempts at same shall be only through Controller’s security gateways/firewalls and only through Controller-approved security procedures.
2.2 Processor shall not access and will not permit unauthorized persons or entities to access Controller computing systems and/or networks without Controller’s express written authorization and any such actual or attempted access shall be consistent with any such authorization.
2.3 Processor shall take appropriate measures to ensure that Processor’s systems connecting to Controller’s systems and anything provided to Controller through such systems does not contain any computer code, programs, mechanisms or programming devices designed to, or that would enable, the disruption, modification, deletion, damage, deactivation, disabling, harm or otherwise be an impediment, in any manner, to the operation of Controller’s systems.
2.4 Processor shall maintain technical and organisational measures for data protection including: (i) firewalls and threat detections systems to identify malicious connection attempts, to block spam, viruses and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; and (iii) encrypted data in transit over public networks using industry standard protocols.
3.1 Erasure of Information and Destruction of Electronic Storage Media. All electronic storage media containing Personal Data must be wiped or degaussed for physical destruction or disposal, in a manner meeting forensic industry standards such as the NIST SP800-88 Guidelines for Media Sanitization, prior to departing Controller Work Area(s), with the exception of encrypted Personal Data residing on portable media for the express purpose of providing service to the Controller. Processor shall maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure level resources.
3.2 Processor shall maintain authorization and authentication technologies and processes to ensure that only authorized persons access Personal Data, including: (i) granting access rights on the basis of the need-to-know-principle; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length and duration requirements; (iv) storing passwords in a manner that makes them undecipherable if used incorrectly or recovered in isolation; (v) logging and auditing all access sessions to systems containing Personal Data; and (vi) instructing employees on safe administration methods when computers may be unattended such as use of password protected screen savers and session time limits.
3.3 Processor shall maintain measures to provide for separate processing of data for different purposes including: (i) provisioning Controller within its own application-level security domain, which creates logical separation and isolation of security principles between customers; and (ii) isolating test or development environments from live or production environments.
4.1 Processor shall ensure that at least the following physical security requirements are met:
i) All backup and archival media containing Personal Data must be contained in secure, environmentally controlled storage areas owned, operated, or contracted for by Processor.
ii) Technical and organisational measures to control access to data center premises and facilities are in place and include: (i) staffed reception desks or security officers to restrict access to identified, authorized individuals; (ii) visitor screening on arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic door locking systems with access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital camera coverage, motion detecting alarm systems and detailed surveillance and audit logs; (v) intruder alarms present on all external emergency doors with one-way internal exit doors; and (vi) segregation of shipping and receiving areas with equipment checks upon arrival.
iii) Processor shall maintain measures to protect against accidental destruction or loss of Personal Data including fire detection and suppression and air conditioning (HVAC) systems that provide stable airflow, temperature and humidity.
5.1 During the performance of Services under the Agreement, Processor shall engage, at its own expense and at least one time per year, a third-party vendor (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Processor’s systems containing and/or storing Personal Data.
5.2 The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Processor systems containing and/or storing Personal Data, which could expose Controller’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Processor systems containing and/or storing Personal Data that could be exploited by a malicious party.
5.3 Security Tests shall identify, at a minimum, the following security vulnerabilities: invalidated or un- sanitized input; broken or excessive access controls; broken authentication and session management; cross- site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing.
5.4 Within a reasonable period after the Security Test has been performed, Processor shall remediate the issues (if any) identified and subsequently engage, at its own expense, the Testing Company to perform a revalidation Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Controller upon request.
Processor, and all subcontracted entities (as appropriate) shall conduct at least annually an SSAE 18 (or equivalent) audit covering all systems and/or facilities utilized to provide the Service to the Controller and will furnish to Controller the results thereof promptly following Controller’s written request. If, after reviewing such audit results, Controller reasonably determines that security issues exist relating to the Service, Controller will notify Processor, in writing, and Processor will promptly discuss and where commercially feasible, address the identified issues. Any remaining issues shall be documented, tracked and addressed at such time as agreed upon by both Processor and the Controller.
Sorry, our deep-dive didn’t help. Please try a different search term.