Security Addendum

Legal / Security Addendum

Last Updated: July 7, 2023

Contentstack takes information security seriously. This security overview applies to Contentstack’s corporate controls for safeguarding personal data/personal information ("Personal Data") which is processed by us and transferred amongst Contentstack group companies.

1. Objectives and Exceptions

Contentstack has implemented a security policy aligned with an industry-standard or standards (such as ISO27001 or SOC2) that is designed to take reasonable steps to protect:

(a) the confidentiality, integrity, and availability of Personal Data that Contentstack processes; and

(b) against accidental, unauthorized, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss, or destruction of Personal Data.

This security addendum pertains only to those components and areas over which Contentstack has control and is responsible. It does not apply to any changes, modifications, configurations, or other actions taken by Customers or Customer's clients with respect to other aspects of the Customers' solution.

2. Security Measures - Overview

Contentstack has reasonable and appropriate security measures and procedures to manage and control identified security risks commensurate with Contentstack's legal and contractual obligations. Such security measures and procedures include physical, technical, and organizational safeguards that are:

(a) appropriate in consideration of the sensitivity of the Personal Data involved and the significance of Contentstack processing to the protection of an individual’s rights with regard to their Personal Data; and

(b) no less rigorous than (i) those maintained by Contentstack's own systems and information of a similar nature and (ii) accepted industry standards for ensuring the confidentiality, integrity, and availability of Personal Data.

Further information on Contentstack security measures is set out in the sections below.

3. Physical Security Measures

(i) Physical Security and Access Control – Contentstack's security measures and procedures ensure that all systems hosting Personal Data are maintained in a physically secure environment that:

ensures barriers to unauthorized access and that access restrictions at physical locations containing Personal Data (such as buildings, computer facilities, and records storage facilities) are designed and implemented to permit access only to authorized individuals;
detect any unauthorized access that may occur, including 24 x 7 security personnel at all relevant locations;
have provisions or redundancy to protect against fire and natural disasters; and
provide redundant poContentstackr, network, and cooling systems.

(ii) Physical Security for Media – Contentstack's security measures and procedures are designed to protect and prevent the unauthorized viewing, copying, alteration, or removal of any media containing Personal Data.

(iii) Media Destruction – Contentstack's security measures and procedures are designed to destroy removable media containing Personal Data that is no longer used, or alternatively to render Personal Data on such removable media unintelligible and not capable of reconstruction by any technical means before reuse of such removable media is allowed.

4. Technical Security Measures

(i) Customer Controls. In the event, Customer implements Single Sign On capability, certain access controls on hosted Customer systems, such as User password length and character requirements, limits on lockout, and password reuse, are under the exclusive control and responsibility of the Customer.

(ii) Access Controls on Information Systems. Contentstack's security measures and procedures are intended to allow access to all systems hosting Personal Data to be protected through the use of access control systems that uniquely identify each member of Contentstack's staff requiring access, grant access only to authorized persons and are based on the principle of least privileges, prevent unauthorized persons from gaining access to Personal Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events. These security measures and procedures may include Contentstack implementing and maintaining:

Access Rights Policies – Contentstack's policies and procedures regarding the granting of access rights to Personal Data are designed to ensure that only authorized and trained members of Contentstack's staff have access. Contentstack has an accurate and up-to-date list of all staff who have access to the Personal Data, and Contentstack has the ability to promptly disable access by staff upon the termination of their employment with us.
Authorization Procedures for Persons Entitled to Access – Contentstack's security measures and procedures establish and configure authorization profiles in order to ensure that members of Contentstack's staff only have access to Personal Data and resources that they need to know to perform their duties and that they are only able to access Personal Data within the scope and to the extent covered by their access permission. The access will be allocated on the basis of segregation of duties, least privilege, and on a role basis.

Authentication Credentials and Procedures – Contentstack's security measures and procedures for authentication of authorized members of Contentstack staff include:
- systems transmitting and storing Personal Data are designed to prevent access by unauthorized users;
- when privileged access (e.g., root or superuser level access) is granted to systems that handle Personal Data, such access is logged; and
- laptop encryption for all Contentstack staff who access Personal Data.

Access Control from outside the Secured Area – Contentstack's security measures and procedures are designed to prevent Contentstack's information systems or Personal Data from being accessed by unauthorized persons from outside the secure area.
Access Monitoring – Contentstack's security measures and procedures monitor access to Contentstack's information systems and Personal Data, and maintain records of system or applicable access attempts (both successful and failed).
Intrusion Detection – Contentstack's security measures and procedures are designed (i) to ensure that Personal Data and Contentstack's assets and/or information systems are protected against the risk of intrusion by an intrusion detection system (IDS) and (ii) to monitor each and every instance of access to Personal Data and/or Contentstack's assets and information systems to detect the same and to respond to the same promptly.
Network Security – Contentstack's security measures and procedures are designed to ensure that Contentstack's network is protected from external and internal threats using tools and infrastructure such as firewalls, ACLs, IDS/IPS, and other controls as reasonably necessary. Contentstack's network is scanned for vulnerabilities, and penetration testing is performed at least once a year. Event logging is in place to ensure that intrusion attempts into the Contentstack network are logged.
Mobile Technology Security - Contentstack's security measures and procedures are designed to ensure that any mobile or portal system and/or storage device that processes Personal Data has software that will encrypt Personal Data when the device is outside of the designated data processing facility and/or during transport. The encryption software used meets the requirements of generally available commercial software designed to provide disc/media encryption.

(iii) Data Management Controls

Data Monitoring Tools – this tool contains technical functionality that permits Customers to determine access rights. Customers are responsible for reviewing and monitoring Personal Data to ensure compliance with their legal and contractual obligations (including under their agreement with us).
Data Destruction – Contentstack's security measures and procedures are designed to destroy Personal Data when appropriate and in accordance with Contentstack's legal and contractual obligations.
Data Availability Control – Contentstack's security measures and procedures are designed to ensure data availability, including procedures to ensure that Personal Data is protected from accidental destruction or loss and against data loss caused by a power shortage or interruptions in the power supply.
Software Patching – Contentstack's security measures and procedures are designed to ensure the updating and patching of all computer software and network device software to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches.
Infrastructure Management - Contentstack's security measures and procedures are designed to demonstrate infrastructure management with a change control process, including risk assessment based on industry standards, testing, and implementation of applicable security procedures as are present in this Data Management Controls section with respect to infrastructure under Contentstack control and responsibility.
Backup, Retention, and Recovery – Contentstack's backup and recovery security measures and procedures are designed to ensure data availability in the event of loss of Personal Data or Contentstack information systems from any cause. All Personal Data is encrypted when stored and backed up.
Hardening - Contentstack's security measures and procedures are designed to ensure that all servers, network devices, and systems are hardened to ensure that default accounts are disabled and unused services are stopped.
Application Security - Contentstack's security measures and procedures are designed to ensure that the Contentstack application is reviewed regularly. Access to the Contentstack application may be accomplished through a 128-bit SSL channel. Contentstack's code audits will occur at least once per year based on applicable industry standards.

5. Organizational Security Measures

(i) Responsibility – Contentstack's security measures and procedures are designed to ensure that responsibility for information security management is assigned to appropriately skilled and senior staff. As permitted by applicable law, background checks are carried out on all Contentstack employees with access to Personal Data.

(ii) Qualification of Employees – Contentstack's security measures and procedures are designed to ensure the reliability, technical expertise, and personal integrity of all Contentstack staff with access to Contentstack information systems and/or Personal Data.

(iii) Obligations of Contentstack Employees – Contentstack security measures and procedures are designed to verify that any employee, agent, or contractor accessing the Personal Data knows his obligations and the consequences of any security breach.

6. Training and Education

Contentstack's training and education program is designed to ensure that Contentstack's staff are trained in and adequately aware of their responsibilities under this security addendum.

7. Incident Management/Escalation

Contentstack has an incident response plan for dealing with any security incidents, including escalation paths to senior management based on the incident classification or severity, incident contact lists, initial responses, investigation log, system recovery, issue and eradication, reporting, review and follow up procedures with appropriate reports to regulatory and law enforcement agencies.

8. Customer

The customer acknowledges that the measures set out in this security addendum are subject to technical progress and development and that Contentstack may update or modify such from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Services during a Subscription Term.

How to Get Your Technical Debt Under Control

5 First Priorities for Business Change

Why a composable CMS is right for you

How to choose an omnichannel marketing platform

What is a Headless CMS?

Creating a culture of empowerment

Contentstack basics

Quickstart in 5 mins

Starter apps

Content Delivery APIs

Content Management APIs

How-to guides

The creative professional

The modern developer

For retail

From paper orders to e-commerce powerhouse Dawn Foods’ MACH journey

Forrester: The Total Economic Impact™ of Contentstack Headless CMS Platform

Composable vs. monolithic: Which is right for you?

LADbible Group cut editorial time in half and scaled with ease

Burberry chooses headless CMS to enable speed and agility

Contentstack’s partner program

Understanding and Resolving CORS Error

Webhook

ASICS chooses Contentstack to modernize and accelerate global online experience ...

Contentstack Expands Product Suite, Enters Front-End Hosting Market With New Fully-Integrated...