
Security Addendum

Last updated: 4/25/2024

This Security Addendum[1] (“Security Addendum”) forms part of, and is subject to, the Master Subscription Agreement, the Validatar Cloud Terms of Service, the Validatar Cloud Evaluation Terms of Service, or the Validatar Server Terms of Service (collectively the "Agreement") between Validatar, LLC (“Validatar”) and the legal entity defined as ‘Customer’ thereunder together with all Customer Affiliates who are signatories to an Order Form for their own Service Account or Server Software license pursuant to such agreement (collectively, for purposes of this Security Addendum, “Customer”, and together with Validatar, the “Parties” and each a “Party”). All capitalized terms not defined in this Security Addendum shall have the meanings set forth in the Agreement.

Validatar utilizes infrastructure-as-a-service cloud providers as further described in the Agreement and/or Documentation (each, a “Cloud Provider”) and provides the Service to Customer using a VPC/VNET and storage hosted by the applicable Cloud Provider (the “Cloud Environment”).

Validatar maintains a comprehensive documented security program under which Validatar implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and Customer Data (the “Security Program”), including, but not limited to, as set forth below. Validatar regularly tests and evaluates its Security Program, and may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.

Validatar provides Server Software to Customer for use installed in a Customer-managed environment. When Customer uses Server Software, Customer accepts sole responsibility for the types of security controls and procedures defined in sections 1 through 9 of this Security Addendum.

1. Validatar’s Audits & Certifications

1.1. The information security management system used to provide the Service shall be assessed by independent third-party auditors as described in the following audits and certifications (“Third-Party Audits”), on at least an annual basis:

  • SOC 2 Type II

1.2. Third-Party Audits are made available to Customer as described in Section 9.2.1.

1.3. To the extent Validatar decides to discontinue a Third-Party Audit, Validatar will adopt or maintain an equivalent, industry-recognized framework.

2. Hosting Location of Customer Data

2.1. Hosting Location. The hosting location of Customer Data is the production Cloud Environment in the Region offered by Validatar and selected by Customer on an Order Form or as Customer otherwise configures via the services.

3. Encryption

3.1. Encryption of Customer Data. Validatar encrypts Customer Data at-rest using AES 256-bit (or better) encryption. Validatar uses Transport Layer Security (TLS) 1.2 (or better) for Customer Data in-transit to/from the Service over untrusted networks. 

4. System & Network Security

4.1. Access Controls.

4.1.1. All Validatar personnel access to the Cloud Environment is via a unique user ID, consistent with the principle of least privilege, and requires a VPN as well as multi-factor authentication and passwords meeting or exceeding PCI-DSS length and complexity requirements.

4.1.2. Validatar personnel will not access Customer Data except (i) as reasonably necessary to provide Validatar Offerings[2] under the Agreement or (ii) to comply with the law or a binding order of a governmental body.

4.2. Endpoint Controls. For access to the Cloud Environment, Validatar personnel use Validatar-issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint detection and response (EDR) tools to monitor and alert for suspicious activities and Malicious Code (as defined below), and (iii) vulnerability management in accordance with Section 4.7.3 (Vulnerability Management).

4.3. Separation of Environments. Validatar logically separates production environments from development environments. The Cloud Environment is both logically and physically separate from Validatar’s corporate offices and networks.

4.4. Firewalls / Security Groups. Validatar shall protect the Cloud Environment using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.

4.5. Hardening. The Cloud Environment shall be hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching as described in this Security Addendum.

4.6. Monitoring & Logging.

4.6.1. Infrastructure Logs. Monitoring tools or services, such as host-based intrusion detection tools, are utilized to log certain activities and changes within the Cloud Environment. These logs are further monitored, analyzed for anomalies, and securely stored for at least one year in a manner designed to prevent tampering.

4.6.2. User Logs. As further described in the Documentation, Validatar also captures logs of certain activities and changes within the Account and makes those logs available to Customer for Customer’s preservation and analysis.

4.7. Vulnerability Detection & Management.

4.7.1. Anti-Virus & Vulnerability Detection. The Cloud Environment leverages advanced threat detection tools with daily signature updates, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Validatar does not monitor Customer Data for Malicious Code.

4.7.2. Penetration Testing & Vulnerability Detection. Validatar regularly conducts penetration tests and engages one or more independent third parties to conduct penetration tests of the Service at least annually. Validatar also runs daily vulnerability scans for the Cloud Environment using updated vulnerability databases.

4.7.3. Vulnerability Management. Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, Validatar will use commercially reasonable efforts to address private and public (e.g., U.S.-CERT announced) critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. To assess whether a vulnerability is ‘critical’, ‘high’, or ‘medium’, Validatar leverages the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS), or where applicable, the U.S.-CERT rating.

5. Administrative Controls

5.1. Personnel Security. Validatar requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.

5.2. Personnel Training. Validatar maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding and on-going training.

5.3. Personnel Agreements. Validatar personnel are required to sign confidentiality agreements. Validatar personnel are also required to sign Validatar’s information security policy, which includes acknowledging responsibility for reporting security incidents involving Customer Data.

5.4. Personnel Access Reviews & Separation. Validatar reviews the access privileges of its personnel to the Cloud Environment at least quarterly, and removes access on a timely basis for all separated personnel.

5.5. Validatar Risk Management & Threat Assessment. Validatar’s risk management process is modeled on NIST 800-53 and ISO 27001. Validatar’s security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.

5.6. External Threat Intelligence Monitoring. Validatar reviews external threat intelligence, including U.S.-CERT vulnerability announcements and other trusted sources of vulnerability reports. U.S.-CERT announced vulnerabilities rated as critical or high are prioritized for remediation in accordance with Section 4.7.3 (Vulnerability Management).

5.7. Change Management. Validatar maintains a documented change management program for the Service.

5.8. Vendor Risk Management. Validatar maintains a vendor risk management program for vendors that process Customer Data designed to ensure each vendor maintains security measures consistent with Validatar’s obligations in this Security Addendum.

6. Physical & Environmental Controls

6.1. Cloud Environment Data Centers. To ensure the Cloud Provider has appropriate physical and environmental controls for its data centers hosting the Cloud Environment, Validatar regularly reviews those controls as audited under the Cloud Provider’s third-party audits and certifications. Each Cloud Provider shall have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks. Such controls shall include, but are not limited to, the following:

  • Physical access to the facilities is controlled at building ingress points;
  • Visitors are required to present ID and are signed in;
  • Physical access to servers is managed by access control devices;
  • Physical access privileges are reviewed regularly;
  • Facilities utilize monitoring and alarm response procedures;
  • Use of CCTV;
  • Fire detection and protection systems;
  • Power back-up and redundancy systems; and
  • Climate control systems.

6.2. Validatar Corporate Offices. While Customer Data is not hosted at Validatar’s corporate offices, Validatar’s technical, administrative, and physical controls for its corporate offices covered by its ISO 27001 certification shall include, but are not limited to, the following:

  • Physical access to the corporate office is controlled at office ingress points;
  • Badge access is required for all personnel and badge privileges are reviewed regularly;
  • Visitors are required to sign in;
  • Use of CCTV at building ingress points;
  • Tagging and inventory of Validatar-issued laptops and network assets;
  • Fire detection and sprinkler systems; and
  • Climate control systems.

7. Incident Detection & Response

7.1. Security Incident Reporting. If Validatar becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Validatar shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware[3]. To facilitate timely notification, Customer must register and maintain an up-to-date email within the Service for this type of notification. Where no such email is registered, Customer acknowledges that the means of notification shall be at Validatar’s reasonable discretion (which may include using the Customer-designated email address associated with the Global Admin roles of the affected Account(s)) and Validatar’s ability to timely notify shall be negatively impacted.

7.2. Investigation. In the event of a Security Incident as described above, Validatar shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year.

7.3. Communication and Cooperation. Validatar shall provide Customer timely information about the Security Incident to the extent known to Validatar, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Validatar to mitigate or contain the Security Incident, the status of Validatar’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Validatar personnel may not have visibility to the content of Customer Data, it may be unlikely that Validatar can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Validatar with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Validatar of any fault or liability with respect to the Security Incident.

8. Deletion of Customer Data

8.1. By Customer Request. Validatar shall promptly delete any Customer Data upon receipt of a written request from the Customer for the deletion of Customer Data.

8.2. By Validatar. Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, Validatar shall promptly delete any remaining Customer Data. 

9. Customer Rights & Shared Security Responsibilities

9.1. Customer Penetration Testing. Customer may provide a written request for a penetration test of its Account (“Pen Test”) by submitting such request via a support ticket. Following receipt by Validatar of such request, Validatar and Customer shall mutually agree in advance on details of such Pen Test, including the start date, scope and duration, as well as reasonable conditions designed to mitigate potential risks to confidentiality, security, or other potential disruption of the Service or Validatar’s business. Pen Tests and any information arising therefrom are deemed Validatar’s Confidential Information. If Customer discovers any actual or potential vulnerability in connection with a Pen Test, Customer must immediately disclose it to Validatar and shall not disclose it to any third-party.

9.2. Customer Audit Rights.

9.2.1. Upon written request and at no additional cost to Customer, Validatar shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Validatar’s compliance with its obligations under this Security Addendum in the form of, as applicable, (i) Validatar’s SOC 2 Type II audit report; (ii) Validatar’s most recently completed industry standard security questionnaire, such as a SIG or CAIQ; and (iii) data flow diagrams for the Service (collectively with Third-Party Audits, “Audit Reports”).

9.2.2. Customer may also send a written request for an audit of Validatar’s applicable controls, including inspection of its facilities. Following receipt by Validatar of such request, Validatar and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of and security and confidentiality controls applicable to any such audit. Validatar may charge a fee (rates shall be reasonable, taking into account the resources expended by Validatar) for any such audit. Audit Reports, any audit, and any information arising therefrom shall be considered Validatar’s Confidential Information.

9.2.3. Where the Auditor is a third-party (or Customer is using a third-party to conduct an approved Pen Test under Section 9.1), such third party may be required to execute a separate confidentiality agreement with Validatar prior to any audit, Pen Test, or review of Audit Reports, and Validatar may object in writing to such third party if in Validatar’s reasonable opinion the third party is not suitably qualified or is a direct competitor of Validatar. Any such objection by Validatar will require Customer to appoint another third party or conduct such audit, Pen Test, or review itself. Any expenses incurred by an Auditor in connection with any review of Audit Reports, or an audit or Pen Test, shall be borne exclusively by the Auditor.

9.3. Sensitive Customer Data. Use of the Service to meet requirements of PCI-DSS, HIPAA, FedRAMP, State Authorizing Programs, the International Traffic in Arms Regulations (ITAR), the Defense Federal Acquisition Regulation Supplement (DFARS), the Criminal Justice Information Services (CJIS) Security Policy, Internal Revenue Service Publication 1075 (IRS 1075) or other similar heightened standards (“Heightened Standards”), may require additional controls which shall be implemented by Customer. Customer must implement all appropriate Customer-configurable security controls, including IP whitelisting and MFA for all User interactive logins (e.g., individuals authenticating to the Service) to protect Customer Data subject to such Heightened Standards. Additionally, to the extent the Documentation or the Agreement (as amended) sets forth specific requirements related to Heightened Standards (e.g., additional agreements required by Validatar and/or requirements to use designated Editions and/or Regions of the Service), Customer must satisfy such requirements before providing Validatar any Customer Data subject to such Heightened Standards.

9.4. Shared Security Responsibilities. Without diminishing Validatar’s commitments in this Security Addendum, Customer agrees:

9.4.1. Validatar has no obligation to assess the content, accuracy or legality of Customer Data, including to identify information subject to any specific legal, regulatory or other requirement and Customer is responsible for making appropriate use of the Service to ensure a level of security appropriate to the particular content of Customer Data, including, where appropriate, implementation of encryption functionality, such as the “tri-secret secure” feature (as described in the Documentation), pseudonymization of Customer Data, and configuration of the Service to back-up Customer Data;

9.4.2. Customer is responsible for managing and protecting its User roles and credentials, including but not limited to (i) ensuring that all Users keep credentials confidential and not share such information with unauthorized parties, (ii) promptly reporting to Validatar any suspicious activities related to Customer’s Account (e.g., a user credential has been compromised) by submitting a support ticket and designating it as a Severity Level 1 in accordance with the Support Policy, (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration;

9.4.3. To promptly update its Server Software and Client Software whenever Validatar announces an update.

[1] For clarity, where Customer’s Agreement refers to the defined term “Security Policy”, such reference shall be interpreted to refer to this exhibit.

[2] If Validatar Offering(s) is not defined in the Agreement, “Validatar Offering(s)” means the Service, Server Software, Client Software, Technical Services (including any Deliverables), and any support and other ancillary services (including, without limitation, services to prevent or address service or technical problems) provided by Validatar.

[3] For clarity, where Customer’s Agreement refers to the defined term “Security Breach”, such reference shall be interpreted to refer to Security Incident, as defined herein.

Previous Versions

2024

April 15, 2024 - Security Addendum