SERVICE PROVIDER SECURITY POLICY
THIS SERVICE PROVIDER SECURITY POLICY ("SECURITY POLICY") IS AGREED BETWEEN EDGE FIBERNET, INC., OR ITS AFFILIATE, WHICHEVER IS THE BUYER OF SERVICES ("BUYER"), AND THE ENTITY FROM WHICH BUYER IS PURCHASING ("PROVIDER") ONE (1) OR MORE PROFESSIONAL SERVICES ("SERVICES") TO BE PERFORMED FOR THE BENEFIT OF BUYER OR A BUYER CUSTOMER ("CUSTOMER") UNDER BOTH AN "AGREEMENT" (MEANING EITHER A WRITTEN AGREEMENT BETWEEN BUYER AND PROVIDER OR THE WRITTEN GOVERNING TERMS AND CONDITIONS) AND ANY ASSOCIATED "TRANSACTION DOCUMENT" (MEANING A PURCHASE ORDER OR STATEMENT OF WORK), WHICH TOGETHER EXCLUSIVELY GOVERN SUCH SERVICES EFFECTIVE ON THE EARLIER OF THE DATE WHEN SUCH TRANSACTION DOCUMENT IS "EXECUTED" (MEANING, WITH RESPECT TO A PURCHASE ORDER, THE DATE ON WHICH SUCH PURCHASE ORDER IS ACCEPTED BY PROVIDER, AND WITH RESPECT TO A STATEMENT OF WORK, THE DATE THAT IS IDENTIFIED AS THE EFFECTIVE DATE OF SUCH STATEMENT OF WORK, OR IN THE ABSENCE OF SUCH IDENTIFIED EFFECTIVE DATE, WHEN THE STATEMENT OF WORK IS COUNTERSIGNED) AND THE DATE WHEN PROVIDER INITIATES PERFORMANCE UNDER A TRANSACTION DOCUMENT ("POLICY EFFECTIVE DATE"). THIS SECURITY POLICY IS INCORPORATED BY THIS REFERENCE INTO THE AGREEMENT AND ANY TRANSACTION DOCUMENT EXECUTED AFTER THE DATE WHEN THIS SECURITY POLICY IS POSTED ON THIS WEBSITE. FROM TIME TO TIME, BUYER MAY AMEND THIS SECURITY POLICY IN ITS SOLE DISCRETION, POSTING THE AMENDED SECURITY POLICY ON THIS WEBSITE WITHOUT PRIOR NOTICE, AND ANY SUCH AMENDMENTS OF THE SECURITY POLICY SHALL BE INCORPORATED INTO THE AGREEMENT AND SHALL BE BINDING ON THE PARTIES TO THE AGREEMENT; PROVIDED THAT THE VERSION OF THIS SECURITY POLICY THAT APPEARS ON THIS WEBSITE AT THE TIME A TRANSACTION DOCUMENT IS EXECUTED SHALL BE BINDING WITH RESPECT TO THE SERVICES PERFORMED UNDER SUCH TRANSACTION DOCUMENT.
IN THE EVENT OF A CONFLICT BETWEEN THIS SECURITY POLICY AND THE AGREEMENT, THIS SECURITY POLICY SHALL PREVAIL. IN THE EVENT OF A CONFLICT BETWEEN THE TRANSACTION DOCUMENT AND THIS SECURITY POLICY, THIS SECURITY POLICY SHALL PREVAIL; PROVIDED THAT CONFLICTING TERMS AND CONDITIONS IN A STATEMENT OF WORK THAT EXPRESSLY STATE THAT THEY SUPERSEDE CERTAIN SPECIFIED PROVISIONS OF THIS SECURITY POLICY SHALL PREVAIL WITH RESPECT TO THE SERVICES UNDER ONLY THAT CERTAIN STATEMENT OF WORK.
AS USED HEREIN, "PARTY" MEANS BUYER OR PROVIDER INDIVIDUALLY, AND "PARTIES" MEANS BUYER AND PROVIDER COLLECTIVELY. "AFFILIATE" MEANS AN ENTITY THAT OWNS, IS OWNED BY, OR IS UNDER COMMON OWNERSHIP WITH, A PARTY. "PURCHASE ORDER" OR "PO" MEANS A WRITTEN ORDER FOR SERVICES SUBMITTED BY BUYER TO PROVIDER EITHER IN HARD COPY OR ELECTRONIC FORM IN ACCORDANCE WITH THE TERMS OF THE AGREEMENT. "STATEMENT OF WORK" MEANS A WRITTEN AND EXECUTED CONTRACT THAT IS BETWEEN BUYER OR BUYER'S AFFILIATE AND PROVIDER, AND THAT SPECIFIES THE TERMS AND CONDITIONS UNDER WHICH PROVIDER WILL PROVIDE SERVICES AND WORK PRODUCT TO BUYER FOR THE BENEFIT OF A CUSTOMER.
PROVIDER SHALL ENSURE THAT PROVIDER PERSONNEL HAVE READ AND UNDERSTOOD THE CONTENTS OF, AND SHALL WARRANT PROVIDER PERSONNEL'S CONTINUOUS COMPLIANCE WITH, THIS SECURITY POLICY.
Provider and Provider Personnel shall not disclose to any unauthorized person any "Confidential Information" (meaning the terms and conditions of the Agreement; all Secret Information, Sensitive Information, and Restricted Information; and additional information that with respect to Provider is owned or possessed by Provider or Provider Personnel and with respect to Buyer is owned or possessed by Buyer or Buyer Personnel or Affiliate or any Customer or Customer's Personnel or Affiliate, that either is marked as "confidential" or "proprietary" or otherwise due to its nature reasonably would be deemed to be confidential, and that is disclosed or accessed pursuant to this Agreement). "Secret Information" means information that is used to protect other Confidential Information. "Sensitive Information" means any information that could be misused in such a way as to jeopardize the financial or legal position of its owner, or of the person or company described by the information. "Restricted Information" means information that is not Secret Information or Sensitive Information, but whose permissible use has been restricted by its owner.
Confidential Information includes, but is not limited to, the following types of information and other information of a similar nature (regardless of whether reduced to writing or designated as "confidential"):
Corporate Confidential Information, such as certain types of Secret Information (e.g., computer account IDs, passwords for computer or database systems, private encryption keys, SSL keys, computer source code relating to encryption/decryption, special access privileges, known security vulnerabilities, security audit and review results, and information explicitly designated or labeled as "secret"), certain types of Sensitive Information (e.g., work product resulting from Services and related media; Buyer's and Customers' information about internal business operations, including without limitation personnel and financial information, service provider and supplier names, characteristics, services, agreements and related information, purchasing and cost information, internal services, operational manuals, and the manner and methods of conducting business; Buyer's and Customers' information about business and financial performance, including without limitation transaction details; Buyer's and Customers' information about proprietary rights, such as patents, copyrights, and trade secrets, including without limitation information related to undisclosed proprietary rights and the acquisition, protection, enforcement, and licensing of proprietary rights; Buyer's and Customers' information about marketing and development operations, including without limitation marketing and development plans, price and cost data, price and fee amounts, pricing and billing policies, quoting procedures, marketing techniques, methods of obtaining business, forecasts, forecast assumptions, volumes, and future plans and potential strategies; and information identified as "sensitive" by Buyer or any Customer), and certain types of Restricted Information (e.g., aggregated or anonymous Customer information other than Personally Identifiable Information, contractual information or obligations not identified above as Sensitive Information, and any information explicitly identified as "restricted" by Buyer or any Customer).
CONTROLLING ACCESS TO CONFIDENTIAL INFORMATION
Confidential Information stored on Provider's systems must be stored behind firewalls, and Provider shall not permit Provider Personnel access to such Confidential Information unless the following conditions are met:
- Each Provider Personnel member who needs access to the Confidential Information can be uniquely identified (e.g., by a unique User ID), with the exception of "root" password access provided by Provider to its core system administration team;
- Each Provider Personnel member who needs access to the Confidential Information is required to enter a correct password or other authorizing token to indicate that such member is the authorized user of the account, and such password must comply with a password policy that the Parties must establish and that satisfies certain minimal standards (i.e., 8 characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every ninety (90) days) and that makes passwords sufficiently secure to resist effectively both educated guessing and brute-force attacks ("Password Policy").
- Each Provider Personnel member who needs access must be allowed only for the minimum access level(s) required to perform such member's portion of the Services. The ability to read, write, modify, or delete Confidential Information must be limited to those Personnel specifically needed and authorized to perform such data maintenance functions.
- Each Provider Personnel member's access in each instance must be recorded in a log file that records: date, time, and duration of access; name of individual obtaining access; and nature of the access (e.g., read, write, modify, delete, etc.).
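The Password Policy above states four minimal standards (8-character minimum, special and/or mixed-case characters, no dictionary words, change every 90 days). The following is an added example of how a Provider might enforce those standards in code; it is not part of this Security Policy. The word list, the 4-letter threshold for the dictionary check, the ISO date inputs and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
import string

# Minimum standards quoted from the Password Policy text.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90

# Constructed sample word list for the dictionary check; a real deployment
# would load a full dictionary (and a breached-password list) from disk.
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "summer", "dragon", "letmein", "admin"})


@dataclass(frozen=True)
class PolicyResult:
    ok: bool
    failures: tuple  # human-readable reasons; empty when ok


def has_special_or_mixed_case(password: str) -> bool:
    """Policy: required use of special- and/or mixed-case characters."""
    has_special = any(c in string.punctuation for c in password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    return has_special or (has_upper and has_lower)


def contains_dictionary_word(password: str, dictionary=SAMPLE_DICTIONARY, min_len: int = 4) -> bool:
    """Policy: no words that could be found in a dictionary.

    Assumption: the check is case-insensitive and treats any embedded
    dictionary word of at least min_len letters as a violation."""
    lowered = password.lower()
    return any(len(word) >= min_len and word in lowered for word in dictionary)


def check_password(password: str, dictionary=SAMPLE_DICTIONARY) -> PolicyResult:
    """Evaluate a candidate password against the policy's minimal standards."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not has_special_or_mixed_case(password):
        failures.append("no special characters and not mixed case")
    if contains_dictionary_word(password, dictionary):
        failures.append("contains a dictionary word")
    return PolicyResult(ok=not failures, failures=tuple(failures))


def password_expired(last_changed_iso: str, today_iso: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Policy: passwords must be changed every 90 days.

    Dates are ISO strings (YYYY-MM-DD); a password is due for change once it
    has been in use for max_age_days or more."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= max_age_days


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "password1", "Welcome2024!", "Abc!"):
        result = check_password(candidate)
        verdict = "OK" if result.ok else "REJECT: " + "; ".join(result.failures)
        print(f"{candidate!r}: {verdict}")
    print("expired:", password_expired("2024-01-01", "2024-03-31"))
```

The checker reports every failed standard rather than stopping at the first, so a rejected password can be explained to the user in one round trip; the expiry check is kept separate because it runs on stored account metadata, not on the password itself.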
Provider and Provider Personnel shall not display or store in clear text on its or their systems or disclose to third parties under any circumstances any Secret Information. At a minimum, the financial services industry standard encryption techniques must be employed by Provider to prevent unauthorized persons' access to Secret Information stored on Provider's systems. Provider shall strive to adopt industry best practices for preserving the confidentiality of Secret Information. Whenever possible, message digest algorithms, such as SHA-1 or MD5, should be used to hash and verify users' passwords, and salt should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
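The paragraph above requires that passwords be stored as salted message digests so that the same password chosen by different users yields different encodings. The code below is an added example of that scheme and is not part of this Security Policy. It assumes SHA-256 from Python's hashlib as the digest (the policy names SHA-1 and MD5 as examples; both are now deprecated for new designs), a 16-byte random salt, and a stored record of the form "algorithm$salt_hex$digest_hex"; the function names are likewise assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this example: digest algorithm, salt length and the
# "algorithm$salt_hex$digest_hex" record layout are all choices made here.
HASH_NAME = "sha256"
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Prepend a random salt to the password, hash, and store salt beside digest.

    A caller may pass a fixed salt only for testing; production callers let
    os.urandom pick one so that equal passwords never share an encoding."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.new(HASH_NAME, salt + password.encode("utf-8")).hexdigest()
    return f"{HASH_NAME}${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Any malformed or unparseable record is treated as a failed login rather
    than raising, so a corrupted row cannot become an authentication bypass."""
    try:
        name, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        candidate = hashlib.new(name, salt + password.encode("utf-8")).hexdigest()
    except ValueError:
        return False
    return hmac.compare_digest(candidate, digest_hex)


def same_password_different_records(password: str) -> bool:
    """The policy's point: two users choosing the same password get different
    encodings, yet each record still verifies against that password."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse", record))
    print("wrong password verifies:", verify_password("wrong horse", record))
    print("same password, different records:", same_password_different_records("correct horse"))
```

The salt defeats precomputed digest tables and hides which users share a password, but a single fast digest still lets an attacker who obtains the records test guesses quickly; a purpose-built password hash with a tunable work factor (hashlib.pbkdf2_hmac, scrypt, bcrypt or Argon2) is the stronger choice where the policy's "whenever possible" leaves room for it.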
Provider must ensure that procedures are in place to modify or revoke access permissions to Confidential Information when a Provider Personnel member: (a) improperly accesses and/or uses such Confidential Information; or (b) no longer needs access to such Confidential Information for any authorized reason (including due to a change in job or responsibilities, removal from the applicable Services project, or termination of employment).
Provider and Provider Personnel shall store documents and other printed materials that contain Confidential Information only in secure areas where access is limited to Provider Personnel who have a business need to access it and to authorized Buyer and Customer Personnel. Upon termination of the Parties' relationship or upon earlier request by Buyer, all Customer and Buyer Confidential Information must be returned or destroyed in a secure manner. At a minimum, the financial services industry standard protections must be employed to ensure secure storage and, as applicable, destruction of Secret Information and Sensitive Information, including either on-site shredding prior to recycling, or storing of documents in publicly-accessible, secure storage bins until off-site shredding is performed by a licensed contractor.
TRANSMITTING CONFIDENTIAL INFORMATION
Provider and Provider Personnel must not electronically transmit Secret Information or Sensitive Information over publicly-accessible networks without using either 128-bit SSL encryption technology or, if such technology is restricted by law, then the strongest legally permitted encryption technology.
Confidential Information must never be submitted in a URL (e.g., using a Get method) in a manner that potentially exposes the information to third parties and causes such information to be cached or logged.
MAINTAINING A SECURE ENVIRONMENT
Provider must back up regularly, but no less often than weekly, its Confidential Information data stores. Such stores and their backups must be stored in a secure, environmentally-controlled, limited-access facility.
Provider must run internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
Provider must install and run promptly (as soon as they can be installed and integrated safely into Provider's existing architecture and systems) any security-related fixes identified by its hardware or software vendors if the security threat being addressed by the fix is one that threatens the privacy or integrity of any Confidential Information.
Buyer may from time to time advise Provider of recent security threats that have come to Buyer's attention and require Provider to implement specific modifications to its software, policies, or procedures that may be necessary to counter such threats. Provider must either implement such modifications within a mutually-agreeable time, or obtain Buyer's written permission for Provider to take some alternative course of action that will ensure the privacy and integrity of any Confidential Information.
Provider must immediately provide notice to Buyer if Provider knows or suspects that Confidential Information has been compromised or disclosed to any unauthorized person(s), or that there has been any deviation from the requirements set forth in this Security Policy or in the Agreement. Provider agrees that Buyer shall have the right to control and direct any response and/or correction of any compromise or disclosure. Notwithstanding the minimum standards set forth in this Security Policy, Provider shall monitor and periodically incorporate reasonable industry-standard security safeguards.
Provider shall not send any Secret Information or Sensitive Information in any e-mail message over publicly-accessible networks unless the e-mail is encrypted using a previously-approved encryption mechanism or is secured by some other method that has been mutually agreed upon in advance by Buyer and Provider.
Provider and Provider Personnel shall not reveal any Personally Identifiable Information of Buyer's Personnel or any Customer Personnel to any third party, except as authorized in advance in writing by the owner of the Personally Identifiable Information or as otherwise required by law or judicial order.
AUDITS, EVALUATIONS, AND REMEDIES
Upon fourteen (14) days' prior written notice to Provider, Buyer or its agent that is bound by applicable confidentiality obligations may enter Provider's premises and perform an audit of Provider's books, records, facilities, and computer systems and/or an evaluation of Provider's operational processes, systems, vulnerability scan results, and computer network security to verify Provider's compliance with this Security Policy. Provider shall reasonably cooperate with Buyer to schedule any such audits and/or evaluations in order to minimize disruption of Provider's business. Buyer or its agent shall comply with Provider's reasonable policies and procedures that apply to third parties provided access to Provider's premises, and Buyer or its agent shall access Provider's premises during normal business hours (Monday through Friday, 8:00 AM to 5:00 PM). Notwithstanding the foregoing, if Buyer in good faith believes that a threat to security exists that could affect Buyer's or any Customer's Confidential Information, Provider must provide Buyer or its agent access to its premises immediately upon request by Buyer to perform an audit and/or evaluation. Buyer will make available to Provider the results of any such audits and/or evaluations and, depending on the seriousness of any problems identified, may require Provider to remedy any and all such problems at Provider's sole cost and in a timely fashion. The costs associated with any such audit and/or evaluation shall be borne by Buyer unless Buyer reasonably identifies one (1) or more material nonconformities with this Security Policy or the Agreement, in which case Provider shall be obligated to pay the costs.
Notwithstanding anything to the contrary set forth in this Security Policy or the Agreement, Buyer has sole discretion to require Provider to correct any identified security-related problem within a period of time that is shorter than any remedy period set forth in this Security Policy or the Agreement. Buyer shall provide written notice of any problem(s) to Provider, and Provider must immediately take all appropriate steps to correct such problem(s). If Provider fails to correct any security problem within a period of time that is minimally reasonable under the circumstances, Buyer may instruct Provider to take certain interim and/or permanent measures that are necessary to protect the Confidential Information of Buyer or the applicable Customer(s). If Provider refuses or fails to take such interim and/or permanent measures within a commercially reasonable time, Buyer may terminate immediately the Agreement and any other agreements between Buyer and Provider for cause.
Point of Contact. Provider shall identify a primary and alternate single point of contact for security issues, providing each person's email address, business telephone number, and cell phone number, and one of those points of contact must be available at all times (24/7/365). Such identification and contact information must be given in writing to the other party within ten (10) "Business Days" (meaning Monday through Friday, excluding Holidays) after the Effective Date of the Agreement.