Security Addendum
Effective Date: August 2022
Contentstack takes information security seriously. This security overview applies to Contentstack’s corporate controls for safeguarding personal data/personal information (Personal Data) which is processed by us and transferred amongst Contentstack group companies.
1. Objectives and Exceptions
We have implemented a security policy aligned with an industry standard or standards (such as ISO 27001 or SOC 2) that is designed to take reasonable steps to protect:
(a) the confidentiality, integrity, and availability of Personal Data that we process; and
(b) against accidental, unauthorized, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss, or destruction of Personal Data.
This security addendum pertains only to those components and areas over which we have control and are responsible. It does not apply to any changes, modifications, configurations, or other actions taken by our customers or their clients with respect to other aspects of the Customers' solution.
2. Security Measures - Overview
We have reasonable and appropriate security measures and procedures to manage and control identified security risks, commensurate with our legal and contractual obligations. Such security measures and procedures include physical, technical, and organizational safeguards that are:
(a) appropriate in consideration of the sensitivity of the Personal Data involved and the significance of our processing to the protection of an individual’s rights with regard to their Personal Data; and
(b) no less rigorous than (i) those maintained by us for our own systems and information of a similar nature and (ii) accepted industry standards for ensuring the confidentiality, integrity, and availability of Personal Data.
Further information on our security measures is set out in the sections below.
3. Physical Security Measures
(i) Physical Security and Access Control – Our security measures and procedures ensure that all systems hosting Personal Data are maintained in a physically secure environment that:
- ensures barriers to unauthorized access, and that access restrictions at physical locations containing Personal Data (such as buildings, computer facilities, and records storage facilities) are designed and implemented to permit access only to authorized individuals;
- detects any unauthorized access that may occur, including through 24 x 7 security personnel at all relevant locations;
- has provisions or redundancy to protect against fire and natural disasters; and
- provides redundant power, network, and cooling systems.
(ii) Physical Security for Media – Our security measures and procedures are designed to protect and prevent the unauthorized viewing, copying, alteration, or removal of any media containing Personal Data.
(iii) Media Destruction – Our security measures and procedures are designed to destroy removable media containing Personal Data that is no longer used, or alternatively to render Personal Data on such removable media unintelligible and not capable of reconstruction by any technical means before re-use of such removable media is allowed.
4. Technical Security Measures
(i) Customer Controls. In the event Customer implements Single Sign-On capability, certain access controls on hosted Customer systems, such as user password length and character requirements, lockout limits, and password reuse limits, are under the exclusive control and responsibility of the Customer.
(ii) Access Controls on Information Systems. Our security measures and procedures are intended to protect access to all systems hosting Personal Data through the use of access control systems that uniquely identify each member of our staff requiring access, grant access only to authorized persons based on the principle of least privilege, prevent unauthorized persons from gaining access to Personal Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events. These security measures and procedures may include us implementing and maintaining:
- Access Rights Policies – our policies and procedures regarding the granting of access rights to Personal Data are designed to ensure that only authorized and trained members of our staff have access. We have an accurate and up-to-date list of all staff who have access to the Personal Data and we have the ability to promptly disable access by staff upon termination of their employment with us.
- Authorization Procedures for Persons Entitled to Access – our security measures and procedures establish and configure authorization profiles in order to ensure that members of our staff only have access to the Personal Data and resources that they need to know to perform their duties, and that they are only able to access Personal Data within the scope and to the extent covered by their access permission. Access is allocated on the basis of segregation of duties, least privilege, and role.
- Authentication Credentials and Procedures – our security measures and procedures for authentication of authorized members of our staff include:
  - systems transmitting and storing Personal Data are designed to prevent access by unauthorized users;
  - when privileged access (e.g., root or superuser level access) is granted to systems that handle Personal Data, such access is logged; and
  - laptop encryption for all our staff who access Personal Data.
- Access Control from outside the Secured Area – our security measures and procedures are designed to prevent our information systems or Personal Data from being accessed by unauthorized persons from outside the secure area.
- Access Monitoring – our security measures and procedures monitor access to our information systems and Personal Data, and maintain records of system or applicable access attempts (both successful and failed).
- Intrusion Detection – our security measures and procedures are designed (i) to ensure that Personal Data and our assets and/or information systems are protected against the risk of intrusion by our intrusion detection system (IDS), and (ii) to monitor each and every instance of access to Personal Data and/or our assets and information systems to detect the same, and to promptly respond to the same.
- Network Security – our security measures and procedures are designed to ensure that our network is protected from external as well as internal threats using tools and infrastructure such as firewalls, ACLs, IDS/IPS and other controls as reasonably necessary. Our network is scanned for vulnerabilities and penetration testing is performed at least once a year. Event logging is in place to ensure that intrusion attempts into our network are logged.
- Mobile Technology Security – our security measures and procedures are designed to ensure that any mobile or portable system and/or storage device that processes Personal Data has software that will encrypt Personal Data when the device is outside of the designated data processing facility and/or during transport. The encryption software used meets the requirements of generally available, commercial software designed to provide disk/media encryption.
(iii) Data Management Controls
- Data Monitoring Tools – these tools contain technical functionality that permits our customers to determine access rights. Customers are responsible for reviewing and monitoring Personal Data to ensure compliance with their legal and contractual obligations (including under their agreement with us).
- Data Destruction – our security measures and procedures are designed to destroy Personal Data when appropriate and in accordance with our legal and contractual obligations.
- Data Availability Control – our security measures and procedures are designed to ensure data availability, including procedures to ensure that Personal Data is protected from accidental destruction or loss, and against loss of data caused by a power shortage or interruptions in the power supply.
- Software Patching – our security measures and procedures are designed to ensure the updating and patching of all computer software and network device software to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches.
- Infrastructure Management – our security measures and procedures are designed to demonstrate infrastructure management with a change control process including risk assessment based on industry standards, testing, and implementation of the applicable security procedures set out in this Data Management Controls section with respect to infrastructure under our control and responsibility.
- Backup, Retention, and Recovery – our backup and recovery security measures and procedures are designed to ensure data availability in the event of loss of Personal Data or our information systems from any cause. All Personal Data is encrypted when stored and backed up.
- Hardening – our security measures and procedures are designed to ensure that all servers, network devices, and systems are hardened so that default accounts are disabled and unused services are stopped.
- Application Security – our security measures and procedures are designed to ensure that the Contentstack application is reviewed on a regular basis. Access to the Contentstack application may be accomplished through a 128-bit SSL channel. Source code audits will occur at least once per year based on applicable industry standards.
5. Organizational Security Measures
(i) Responsibility – our security measures and procedures are designed to ensure that responsibility for information security management is assigned to appropriately skilled and senior staff. As permitted by applicable law, background checks are carried out on all our employees who have access to Personal Data.
(ii) Qualification of Employees – our security measures and procedures are designed to ensure the reliability, technical expertise, and personal integrity of all our staff who have access to our information systems and/or Personal Data.
(iii) Obligations of our Employees – our security measures and procedures are designed to verify that any employee, agent, or contractor accessing the Personal Data knows their obligations and the consequences of any security breach.
6. Training and Education
Our training and education program is designed to ensure that our staff are trained in and are adequately aware of their responsibilities under this security addendum.
7. Incident Management/Escalation
We have an incident response plan for dealing with any security incidents, including escalation paths to senior management based on the incident classification or severity, incident contact lists, initial responses, investigation log, system recovery, issue and eradication, reporting, review, and follow-up procedures, with appropriate reports to regulatory and law enforcement agencies.
8. Customer
The Customer acknowledges that the measures set out in this security addendum are subject to technical progress and development and that Contentstack may update or modify them from time to time, provided that such updates and modifications do not result in a material decrease of the overall security of the Services during a Subscription Term.