UPDATED JULY 08, 2024
This Security Information Standards (“SIS”) is by and between BitSight Technologies, Inc. (“Bitsight”) and you as a customer receiving the Bitsight Services (the “Customer”) and is effective as of the Effective Date of that certain Bitsight Main Subscription Terms and Conditions by and between the Parties (the “Subscription Agreement”). This SIS forms a part of, and is incorporated into, the Subscription Agreement. Capitalized terms used but not defined in this SIS shall have the meanings set out in the Subscription Agreement.
SECURITY REQUIREMENTS:
1) During the Term, upon Customer’s written request, Bitsight will provide an SSAE-16 SOC 2 Type 2 audit report annually for review by Customer. If Bitsight cannot produce an SSAE-16 SOC 2 Type 2 report with an issuance date within the last 12 months, upon request Bitsight will provide information on what internal audits are done and provide pertinent documentation on the industry best practices that Bitsight follows.
2) The Bitsight security program is based on the NIST Cyber Security Framework along with other recognized industry frameworks such as CIS Critical Security Controls and ISO/IEC 27001.
3) Bitsight shall renew its Cloud Security Alliance (“CSA”) STAR Security Self-Assessment or other comparable assessment at least annually.
4) Bitsight shall renew its Cyber Essentials certification or comparable replacement certifications at least annually.
5) Bitsight has a Security Incident response process in place to manage and take immediate corrective action for any Security Incident. A “Security Incident” shall mean the loss or unauthorized destruction, alteration, disclosure of, access to, or control of Bitsight’s information technology systems, operational technology systems, networks, internet-enabled applications, or the data contained within such systems that affects Customer’s Confidential Information.
ADDITIONAL REPRESENTATIONS AND WARRANTIES:
In addition to the representations and warranties set forth in the Subscription Agreement, Bitsight further agrees:
1) That it has taken and implemented reasonable security measures and procedures to protect Customer Confidential Information against any and all reasonably anticipated Security Incidents and security vulnerabilities.
2) That its systems are monitored for Security Incidents 24 hours per day, 7 days per week, 365 days per year.
3) That Bitsight personnel who will be or are developing software or have access to Customer Confidential Information have undergone security awareness training before or at the start of their work and as needed thereafter. Security awareness training covers the identification and protection of sensitive data, common risks, preventative controls, and the proper reporting of phishing attacks and suspicious activity. In addition, Bitsight provides its personnel with information about recommended security and privacy best practices.
4) For employees who will create, process, receive, access, transmit or store Customer’s Confidential Information, Bitsight shall:
a) Conduct appropriate pre-employment screening: any person who receives a conditional offer of employment from Bitsight must authorize Bitsight and/or a third-party agency designated by Bitsight to conduct, as permitted by applicable local law, some form of background check, the results of which will be evaluated in accordance with Bitsight’s background screening policy.
b) Have all employees and contractors sign a confidentiality agreement prior to the commencement of employment or the provision of services.
c) Have Role-based access control (“RBAC”) enforced to ensure only employees that need access to Customer Confidential Information have access.
d) Have disciplinary processes in place for violations of information security or privacy requirements.
e) Upon termination of employment, promptly remove such employee’s access to Customer’s Confidential Information.
SECURITY INCIDENTS:
1) Should a Security Incident occur, Bitsight shall notify affected customers of the Security Incident without undue delay but no later than seventy-two (72) hours after Bitsight becomes aware of the Security Incident in accordance with Bitsight Incident Response policies and applicable regulations.
2) Notification will be in writing (email shall be an acceptable form of writing), in accordance with the notice requirements in this Subscription Agreement, of the occurrence of the Security Incident.
3) Upon request, Bitsight shall provide the Customer with an interim written status report on each Security Incident within forty-eight (48) hours of such request.
4) Upon request, Bitsight shall coordinate the scheduling of a postmortem review with the Customer’s incident coordinator.
BITSIGHT’S VULNERABILITY AND PENETRATION TESTING:
1) At least once per year, Bitsight shall select an independent, qualified vendor to conduct a security assessment (e.g., penetration test, web application assessment, infrastructure test, vulnerability assessment, vulnerability scanning) on the Bitsight environment. Findings from these tests are evaluated, documented, and assigned to the appropriate teams for remediation and/or mitigation.
2) Upon request, Bitsight shall provide Customer with a written report summarizing:
a) Type of test(s) performed
b) Dates and scope of the test(s) performed
c) Results of the Testing
d) Management Response which addresses any findings and applicable remediation timeframes
All testing conducted by Bitsight and its external testers will be subject to appropriate non-disclosure and confidentiality obligations.
PHYSICAL & ENVIRONMENTAL CONTROLS:
1) Cloud Environment Data Centers. Bitsight is a cloud-based SaaS provider and we do not operate our own physical servers, routers, load balancers, or DNS servers to support the Bitsight portal. All of our servers are within our own virtual private cloud (“VPC”) with network access control lists (“ACLs”) that prevent unauthorized requests from reaching our internal network. RBAC ensures only employees needing access to customer data have access. To ensure the cloud provider has appropriate physical and environmental controls for its data centers hosting the cloud environment, Bitsight regularly reviews those controls as audited under the cloud provider’s third-party audits and certifications.
Each cloud provider shall have a SOC 2 Type II annual audit and ISO 27001 certification or industry-recognized equivalent frameworks. Such controls shall include, but are not limited to, the following:
a) Physical access to the facilities is controlled at building ingress points;
b) Visitors are required to present ID and are signed in;
c) Access control devices manage physical access to servers;
d) Physical access privileges are reviewed regularly;
e) Facilities utilize monitoring and alarm response procedures;
f) Use of CCTV;
g) Fire detection and protection systems;
h) Power back-up and redundancy systems; and
i) Climate control systems.
2) Bitsight Corporate Offices. While Customer Confidential Information is not hosted at Bitsight’s corporate offices, Bitsight’s technical, administrative, and physical controls for its corporate offices include but are not limited to the following:
a) Physical access to the corporate office is controlled at office ingress points;
b) Badge access is required for all personnel, and badge privileges are reviewed regularly;
c) Visitors are required to sign in and be escorted while on the premises;
d) Use of CCTV at building ingress points;
e) Tagging and inventory of Bitsight-issued laptops and network assets;
f) Fire detection and sprinkler systems; and
g) Climate control systems.
THIRD-PARTY ASSESSMENTS:
1) Bitsight conducts security due diligence and risk assessments of its vendors prior to onboarding and thereafter manages vendor security through its risk management program.
2) The risk management program consists of reviewing relevant security reports, certifications, penetration tests, and available policies. Additional information gathering can occur through the Bitsight Application and through questionnaires. Any findings produced from this review will be tracked to completion.
3) Bitsight management reviews the documented risks associated with vendors to understand the potential impact on the business. Mitigation plans are implemented to address material risks to business operations, including data protection.
4) Bitsight’s agreements with its vendors impose appropriate security obligations on them as necessary for Bitsight to maintain its security posture as outlined in this SIS. Customer Confidential Information is only shared with those subject to appropriate confidentiality terms with Bitsight.
5) Bitsight uses a risk-based approach to monitor vendor security practices and compliance with their agreements with Bitsight.
CUSTOMER’S SECURITY ASSESSMENT:
1) No more than once per year, with advance notice, and during Bitsight’s normal business hours, Customer may upon request conduct (or cause a qualified, independent third party to conduct) a security assessment to verify Bitsight’s security processes and procedures. This assessment includes a vulnerability assessment of Bitsight’s services and deliverables under the Subscription Agreement and of Bitsight’s protection of Customer Confidential Information (including any personal data Customer provides to Bitsight), in order to identify potential Security Incidents. Such security assessment shall be at the Customer’s sole cost. The assessment shall begin with the Customer’s request for Bitsight’s SSAE-16 SOC 2 Type 2 report, as applicable, followed by a security questionnaire. If required, a phone call or virtual meeting may be requested during normal business hours, with reasonable written notice, and without undue disruption to Bitsight’s business. Any data accessed by or provided to Customer during the security assessment shall be deemed Bitsight Confidential Information.
2) If the Customer’s security assessment reveals that Bitsight’s processes and procedures do not meet the minimum standards of the Customer, then Bitsight shall commit resources to review the observation(s). Upon review, and after highlighting any compensating controls, Bitsight commits to determining the residual risk of each observation in discussions with the Customer and, if commercially practicable and available, to resolving it promptly.