Security Addendum

This Security Addendum (“Addendum”) is incorporated into the Master Services Agreement or other document to which it is attached or in which it is referenced (“Agreement”) by and between Client (“Client”) and NetSPI LLC (“NetSPI”) and dated as of the effective date of the Agreement. Unless otherwise expressly defined in this Addendum, the capitalized terms used in this Addendum have the meanings assigned to them in the Agreement.

1. Definitions. As used in this Addendum: 

a. “Client Data” means any and all Client information, including personal data, that comes within NetSPI’s possession or control or undergoes Processing by NetSPI in connection with the Offerings.

b. “Processing” means any operation or set of operations performed upon data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

c. “Security Incident” means the actual or suspected unauthorized access to Client information technology systems or unauthorized access to, acquisition, disclosure, alteration, modification, loss, deletion, theft, misuse or destruction of Client Data within NetSPI’s possession or control or any other event that requires notice be provided to government regulators or individuals.

d. “Offerings” means the services, software, or SaaS engagement offered by NetSPI pursuant to the Agreement to which this Addendum is attached.

e. “NetSPI Personnel” means any NetSPI employees, contractors or other agents who assist in the performance of the Offerings.

2. Baseline Security. NetSPI shall implement and maintain baseline administrative, technical, physical and organizational security measures and require each contractor that assists in the performance of the Offerings to do the same. Without limiting the foregoing, NetSPI shall:

a. implement and maintain reasonable internal policies, procedures and controls designed to: 

i. secure any and all Client Data against accidental or unlawful loss, alteration, access, acquisition or disclosure;

ii. identify reasonably foreseeable internal and external risks to the security, unauthorized access, acquisition, loss, alteration or disclosure of Client Data, including by means of periodic risk assessments, scanning and regular testing; and

iii. reasonably mitigate, or implement and maintain compensating controls with regard to, any risks to the security, unauthorized access, acquisition, loss, alteration or disclosure of Client Data.

b. conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against industry security standards and its policies, procedures and controls. 

c. implement and maintain endpoint security controls on all devices that connect to Client information technology systems or may access Client Data, including without limitation:

i. an up-to-date anti-malware solution;

ii. an endpoint vulnerability management program to mitigate, or implement and maintain compensating controls with regard to, all known operating system and application layer vulnerabilities; and

iii. email and web filtering technologies.

d. periodically evaluate the security of its network and the Offerings to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews, assessments or testing.

e. ensure that all NetSPI Personnel are subject to reasonable background checks, and prohibit NetSPI Personnel from assisting in the performance of the Offerings if the applicable background check identifies any material issues, including without limitation any historical event that indicates such NetSPI Personnel presents an increased risk of violating NetSPI’s security protocols or procedures or Processing Client Data without authorization.

f. maintain user access and authentication mechanisms that allow all access to Client Data and Client information technology systems to be auditable and attributable to a named individual, and retain authentication logs for 12 months.

g. ensure that each subcontractor of NetSPI complies with the above requirements.

3. Information Security.

a. NetSPI will comply with applicable laws and regulations in its creation, collection, receipt, access, use, storage, disposal, and disclosure of Client Data. 

b. NetSPI will employ reasonable security measures to protect Client Data in a manner that aligns with accepted industry standards (including ISO/IEC 27001 and ISO/IEC 27002 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework). 

c. If, in the course of its performance under this Agreement, NetSPI has access to or will collect, access, use, store, dispose of, or disclose credit, debit, or other payment cardholder information on Client’s behalf, NetSPI will comply with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, as applicable.

4. Security Incidents. 
In the event of any Security Incident, NetSPI will inform Client both by telephone and in writing (which may include email) of the Security Incident promptly, and no later than 48 hours after NetSPI reasonably suspects occurrence of the Security Incident. Such notice will contain a description of the Security Incident, the extent to which and what Client Data was or is subject to the Security Incident and the identity of affected individuals, to the extent known.

5. Certification. 
NetSPI shall certify to Client annually upon request that NetSPI and its subcontractors remain in compliance with this Addendum. NetSPI shall be solely liable for any acts or omissions of its subcontractors in connection with this Addendum.

6. Security Controls Review or Audit. 
At least annually, NetSPI will obtain a security controls review or audit performed by an independent third party based on recognized industry standards [as specified in Section 3(b)]. NetSPI will make results of such controls review or audit available to Client upon request.

7. Return or Disposal of Client Data.
At any time during the term of this Agreement at Client’s written request or on the termination or expiration of this Agreement, NetSPI will promptly return to Client or securely dispose of all Client Data in its possession or control and notify Client that such Client Data has been returned to Client or disposed of securely. If NetSPI is not reasonably able to return or securely dispose of Client Data, including, but not limited to, Client Data stored on backup media, NetSPI will continue to protect such Client Data in accordance with the terms of this Agreement until such time that it can reasonably return or securely dispose of such Client Data.

8. Business Continuity & Disaster Recovery. 
NetSPI will maintain Business Continuity plans and Disaster Recovery plans and strategies in accordance with industry best practices and regulatory requirements. NetSPI shall adhere to appropriate service levels regarding the availability of the Offerings, recovery time objectives (RTO) and recovery point objectives (RPO).