{"component": "clause", "props": {"groups": [{"samples": [{"hash": "7YWAXaKLbBq", "uri": "/contracts/7YWAXaKLbBq#application-security", "label": "Saas Subscription Agreement", "score": 29.5881385803, "published": true}, {"hash": "cxtfoW59XCO", "uri": "/contracts/cxtfoW59XCO#application-security", "label": "Master Subscription Agreement", "score": 29.3034515381, "published": true}, {"hash": "74blW5pAeAa", "uri": "/contracts/74blW5pAeAa#application-security", "label": "Master Subscription Agreement", "score": 29.2815532684, "published": true}], "snippet_links": [{"key": "software-development", "type": "clause", "offset": [4, 24]}, {"key": "source-code", "type": "clause", "offset": [97, 108]}], "size": 7, "snippet": "The software development for the Medallia Experience Cloud follows a secure lifecycle, including source code management and appropriate reviews.", "hash": "5163baf45b40a402e9fc40c0ed1b57bd", "id": 4}, {"samples": [{"hash": "jCAb6yIbhsF", "uri": "/contracts/jCAb6yIbhsF#application-security", "label": "Joint Controller Addendum", "score": 35.1253852844, "published": true}, {"hash": "9Hj1KWX6Vws", "uri": "/contracts/9Hj1KWX6Vws#application-security", "label": "Joint Controller Addendum", "score": 34.7934799194, "published": true}], "snippet_links": [{"key": "supplier-shall", "type": "clause", "offset": [0, 14]}, {"key": "and-support", "type": "clause", "offset": [34, 45]}, {"key": "software-and-systems", "type": "clause", "offset": [57, 77]}, {"key": "in-connection-with", "type": "clause", "offset": [95, 113]}, {"key": "the-services", "type": "clause", "offset": [114, 126]}, {"key": "the-agreement", "type": "clause", "offset": [145, 158]}, {"key": "subsequent-updates", "type": "clause", "offset": [163, 181]}, {"key": "bug-fixes", "type": "clause", "offset": [197, 206]}, {"key": "industry-practices", "type": "definition", "offset": [302, 320]}, {"key": "paragraph-9", "type": "clause", "offset": [350, 361]}, {"key": "data-security", "type": "clause", "offset": [369, 382]}, {"key": "without-limiting-supplier", "type": "clause", "offset": [385, 410]}, {"key": "confidentiality-obligations", "type": "definition", "offset": [413, 440]}, {"key": "other-obligations", "type": "clause", "offset": [444, 461]}, {"key": "information-of", "type": "clause", "offset": [488, 502]}, {"key": "agreement-or", "type": "definition", "offset": [576, 588]}, {"key": "in-accordance-with", "type": "definition", "offset": [645, 663]}, {"key": "industry-best-practices", "type": "definition", "offset": [664, 687]}, {"key": "compliance-with-all-applicable-laws", "type": "clause", "offset": [695, 730]}, {"key": "security-measures", "type": "definition", "offset": [740, 757]}, {"key": "not-limited", "type": "clause", "offset": [774, 785]}, {"key": "information-from", "type": "clause", "offset": [841, 857]}, {"key": "unauthorized-disclosure-or-use", "type": "clause", "offset": [858, 888]}, {"key": "by-supplier", "type": "clause", "offset": [961, 972]}, {"key": "similar-nature", "type": "definition", "offset": [995, 1009]}, {"key": "offsite-facility", "type": "definition", "offset": [1072, 1088]}, {"key": "supplier-must", "type": "clause", "offset": [1090, 1103]}, {"key": "terms-of", "type": "definition", "offset": [1127, 1135]}, {"key": "related-to", "type": "clause", "offset": [1145, 1155]}, {"key": "information-to-third-parties", "type": "clause", "offset": [1176, 1204]}, {"key": "subcontracting-services", "type": "clause", "offset": [1218, 1241]}, {"key": "a-third-party", "type": "clause", "offset": [1290, 1303]}, {"key": "offsite-storage-facility", "type": "definition", "offset": [1306, 1330]}, {"key": "to-company", "type": "clause", "offset": [1371, 1381]}, {"key": "without-limiting-the-foregoing", "type": "clause", "offset": [1383, 1413]}, {"key": "the-facility", "type": "definition", "offset": [1415, 1427]}, {"key": "full-compliance", "type": "clause", "offset": [1456, 1471]}, {"key": "the-provisions-of-this", "type": "clause", "offset": [1484, 1506]}, {"key": "data-storage", "type": "clause", "offset": [1517, 1529]}, {"key": "designated-supplier", "type": "definition", "offset": [1617, 1636]}, {"key": "storage-resources", "type": "clause", "offset": [1651, 1668]}, {"key": "no-personal-information", "type": "clause", "offset": [1679, 1702]}, {"key": "at-any-time", "type": "clause", "offset": [1708, 1719]}, {"key": "computing-device", "type": "definition", "offset": [1777, 1793]}, {"key": "portable-storage-medium", "type": "definition", "offset": [1801, 1824]}, {"key": "the-supplier", "type": "clause", "offset": [1884, 1896]}, {"key": "recovery-processes", "type": "clause", "offset": [1921, 1939]}, {"key": "paragraph-6", "type": "definition", "offset": [1973, 1984]}, {"key": "data-transmission", "type": "definition", "offset": [2102, 2119]}, {"key": "electronic-transmission", "type": "definition", "offset": [2134, 2157]}, {"key": "with-company", "type": "clause", "offset": [2194, 2206]}, {"key": "or-equivalent", "type": "definition", "offset": [2287, 2300]}, {"key": "data-encryption", "type": "definition", "offset": [2351, 2366]}, {"key": "backup-data", "type": "definition", "offset": [2527, 2538]}], "size": 5, "snippet": "Supplier shall provide, maintain, and support any of its software and systems provided or used in connection with the services or products under the Agreement and subsequent updates, upgrades, and bug fixes such that they are and remain secure from vulnerabilities, utilizing recognized and comparable industry practices or standards as set forth in paragraph 9 below. Data Security - Without limiting Supplier\u2019s confidentiality obligations or other obligations to protect data and other information of Company or its Affiliates, including any Personal Information, under the Agreement or this JCA, Supplier shall store all Personal Information in accordance with industry best practices and in compliance with all applicable laws, and use security measures, including, but not limited to, encryption and firewalls, to protect such Personal Information from unauthorized disclosure or use. Such measures shall be no less rigorous than those measures maintained by Supplier for its own data of a similar nature. When Supplier stores Personal Information in a third-party\u2019s offsite facility, Supplier must have complied with the terms of this JCA related to disclosing Personal Information to third parties or otherwise subcontracting services or products to third parties and shall only use a third party\u2019s offsite storage facility that is otherwise reasonably acceptable to Company, without limiting the foregoing, the facility of a third party that is in full compliance with all of the provisions of this Appendix. Data storage - Any and all Personal Information will be stored, processed, and maintained solely on designated Supplier computing and storage resources, and that no Personal Information will at any time be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of the Supplier's designated backup and recovery processes and encrypted in accordance with paragraph 6 below. Supplier shall store all backup Personal Information as part of its designated backup and recovery processes. Data Transmission - Any and all electronic transmission or exchange of Personal Information with Company and/or any third parties shall take place via secure means (using HTTPS or SFTP or equivalent) and solely in accordance with paragraph 6 below. Data Encryption - Supplier agrees that any and all Personal Information stored on any portable or laptop computing device or any portable storage medium, including all company backup data, shall be kept in encrypted form, using a commercially supported encryption solution. Encryption solutions will be deployed with no less than a 128-bit key for symmetric encryption and a 2048 (or larger) bit key length for asymmetric encryption.", "hash": "d5e6cf21b32f92d88a034f55c531a91d", "id": 7}, {"samples": [{"hash": "7LbSYO0nZB1", "uri": "/contracts/7LbSYO0nZB1#application-security", "label": "Call Off Contract", "score": 36.325138092, "published": true}, {"hash": "5jG92AHu5uu", "uri": "/contracts/5jG92AHu5uu#application-security", "label": "Data Processing Agreement", "score": 33.153049469, "published": true}, {"hash": "dd4AwlWzOP", "uri": "/contracts/dd4AwlWzOP#application-security", "label": "Data Processing Addendum", "score": 33.0020980835, "published": true}], "snippet_links": [{"key": "software-development-lifecycle", "type": "clause", "offset": [35, 65]}, {"key": "for-the-purpose-of", "type": "definition", "offset": [66, 84]}, {"key": "information-systems", "type": "definition", "offset": [165, 184]}, {"key": "mobile-applications", "type": "definition", "offset": [222, 241]}, {"key": "customer-personal-data", "type": "definition", "offset": [291, 313]}], "size": 12, "snippet": "17.1 Zoom must have an established software development lifecycle for the purpose of defining, acquiring, developing, enhancing, modifying, testing, or implementing information systems. Zoom must ensure that web-based and mobile applications used to store, receive, send, control, or access Customer Personal Data are monitored, controlled, and protected.", "hash": "1617ad047fb336e65791281dc8a1874b", "id": 2}, {"samples": [{"hash": "21SBkmOIvmg", "uri": "/contracts/21SBkmOIvmg#application-security", "label": "Fund Administration and Accounting Agreement (WisdomTree Bitcoin Fund)", "score": 37.2327173169, "published": true}, {"hash": "cnb4raGinTL", "uri": "/contracts/cnb4raGinTL#application-security", "label": "Custody Agreement (Blackstone Private Real Estate Credit & Income Fund)", "score": 37.1560592651, "published": true}, {"hash": "bObc8ru8j6r", "uri": "/contracts/bObc8ru8j6r#application-security", "label": "Securities Lending Authorization Agreement (WisdomTree Trust)", "score": 36.8028755188, "published": true}], "snippet_links": [{"key": "application-development", "type": "clause", "offset": [35, 58]}, {"key": "software-development-life-cycle", "type": "clause", "offset": [94, 125]}, {"key": "new-applications", "type": "clause", "offset": [179, 195]}, {"key": "changes-to", "type": "clause", "offset": [200, 210]}, {"key": "production-environments", "type": "clause", "offset": [241, 264]}], "size": 78, "snippet": "The ISP will require that in-house application development be governed by a documented secure software development life cycle methodology, which will include deployment rules for new applications and changes to existing applications in live production environments.", "hash": "7a6e83344228732fcdbc8c0bdc52dca9", "id": 1}, {"samples": [{"hash": "cxpNoRElwMv", "uri": "/contracts/cxpNoRElwMv#application-security", "label": "Hosting Services Agreement", "score": 33.4970970154, "published": true}, {"hash": "bnQHkhgnPVX", "uri": "/contracts/bnQHkhgnPVX#application-security", "label": "Hosting Services Agreement", "score": 33.2153320312, "published": true}, {"hash": "bQqBaJH0mnZ", "uri": "/contracts/bQqBaJH0mnZ#application-security", "label": "Hosting Services Agreement", "score": 33.2113800049, "published": true}], "snippet_links": [{"key": "responsible-for", "type": "clause", "offset": [37, 52]}, {"key": "not-limited", "type": "clause", "offset": [84, 95]}, {"key": "security-updates", "type": "definition", "offset": [178, 194]}, {"key": "updates-and-patches", "type": "clause", "offset": [202, 221]}, {"key": "responsibility-of-the-customer", "type": "clause", "offset": [230, 260]}], "size": 4, "snippet": "Unless specified otherwise NH is not responsible for keeping applications, like but not limited to WordPress, Magento, Drupal, XenForo and vBulletin, with the latest patches and security updates. These updates and patches are the responsibility of the customer.", "hash": "b3af856bb960246dd56c997cfa4fb9bf", "id": 8}, {"samples": [{"hash": "dxKAwx2P1rX", "uri": "/contracts/dxKAwx2P1rX#application-security", "label": "Data Processing Agreement", "score": 35.3975982666, "published": true}, {"hash": "jnwWFDvUsVh", "uri": "/contracts/jnwWFDvUsVh#application-security", "label": "Data Processing Agreement", "score": 35.1083908081, "published": true}, {"hash": "6EO1oRz5nuN", "uri": "/contracts/6EO1oRz5nuN#application-security", "label": "Data Processing Agreement", "score": 35.0262718201, "published": true}], "snippet_links": [{"key": "development-team", "type": "definition", "offset": [13, 29]}, {"key": "secure-coding-practices", "type": "definition", "offset": [50, 73]}, {"key": "industry-best-practices", "type": "definition", "offset": [83, 106]}, {"key": "security-team", "type": "definition", "offset": [154, 167]}, {"key": "party-software", "type": "clause", "offset": [258, 272]}, {"key": "to-mitigate", "type": "definition", "offset": [273, 284]}, {"key": "from-time-to-time", "type": "clause", "offset": [468, 485]}, {"key": "policies-and-procedures", "type": "clause", "offset": [500, 523]}, {"key": "repository-system", "type": "definition", "offset": [559, 576]}, {"key": "data-centre", "type": "clause", "offset": [597, 608]}, {"key": "access-privileges", "type": "clause", "offset": [649, 666]}, {"key": "the-code", "type": "clause", "offset": [691, 699]}, {"key": "unit-testing", "type": "definition", "offset": [842, 854]}, {"key": "workforce-member", "type": "definition", "offset": [1010, 1026]}, {"key": "access-to-customer-data", "type": "clause", "offset": [1041, 1064]}, {"key": "access-permission", "type": "clause", "offset": [1072, 1089]}, {"key": "granted-by", "type": "definition", "offset": [1093, 1103]}, {"key": "technical-issue", "type": "definition", "offset": [1149, 1164]}, {"key": "production-environment", "type": "clause", "offset": [1196, 1218]}, {"key": "logically-segregated", "type": "definition", "offset": [1222, 1242]}, {"key": "development-environment", "type": "definition", "offset": [1264, 1287]}, {"key": "virtual-private-cloud", "type": "definition", "offset": [1305, 1326]}, {"key": "database-data", "type": "definition", "offset": [1373, 1386]}, {"key": "cloud-storage", "type": "definition", "offset": [1398, 1411]}, {"key": "cloud-service-provider", "type": "definition", "offset": [1415, 1437]}], "size": 5, "snippet": "\u25cf The Hubilo development team is trained on OWASP Secure Coding Practices and uses industry best practices for building secure applications. \u00b7 The Hubilo security team conducts Whitebox testing on each code release and they also do Blackbox testing on third-party software to mitigate risk. Apart from this Hubilo also performs code scanning using Sonarqube in QA environment. Hubilo Security team uses Burp Suite Professional software to test for all vulnerabilities from time to time as per Hubilo policies and procedures. \u25cf Hubilo code is stored in a code repository system hosted by our cloud data centre provider. Hubilo adopts a strict, least access privileges principle for access to the code. Commits to production code are strictly reviewed, and approval is restricted to just CTO/Sr. VP of Engineering / Lead-DevOps, (after passing Unit Testing and QA in Test and Staging). \u25cf The data stored on production servers is accessible only to the CTO/Sr. VP of Engineering/ Lead-DevOps of the org. No other workforce member of Hubilo has access to customer data unless access permission is granted by the CTO/Sr. VP of Engineering to resolve any technical issue or for debugging. \u25cf The Hubilo production environment is logically segregated from the staging and development environment with concepts of virtual private cloud and subnets. There is an hourly backup of the database data at secured cloud storage of cloud service provider (AWS). \u25cf Connection to the Hubilo web-app via HTTPS by using the latest version of Transport Layer Socket (TLS) like TLS 1.2+ and above.", "hash": "2c86f5e3954dd1be01f6ed21f3b78c74", "id": 6}, {"samples": [{"hash": "8ZvmQacPxN0", "uri": "/contracts/8ZvmQacPxN0#application-security", "label": "Data Processing Agreement", "score": 36.3555641174, "published": true}, {"hash": "gthbe7pLuvq", "uri": "/contracts/gthbe7pLuvq#application-security", "label": "Data Processing Addendum", "score": 34.1421012878, "published": true}, {"hash": "4UDoOWKQLoo", "uri": "/contracts/4UDoOWKQLoo#application-security", "label": "Data Processing Agreement", "score": 34.1421012878, "published": true}], "snippet_links": [{"key": "supplier-will", "type": "clause", "offset": [4, 17]}, {"key": "systems-development-life-cycle", "type": "definition", "offset": [36, 66]}, {"key": "for-supplier", "type": "definition", "offset": [75, 87]}, {"key": "personal-data", "type": "definition", "offset": [124, 137]}, {"key": "evidence-of", "type": "definition", "offset": [167, 178]}, {"key": "review-process", "type": "definition", "offset": [193, 207]}, {"key": "executed-by", "type": "clause", "offset": [277, 288]}, {"key": "third-party", "type": "definition", "offset": [303, 314]}, {"key": "timely-resolution", "type": "clause", "offset": [358, 375]}, {"key": "medium-risk", "type": "definition", "offset": [413, 424]}, {"key": "change-management", "type": "clause", "offset": [475, 492]}, {"key": "patch-management", "type": "definition", "offset": [518, 534]}, {"key": "vulnerability-assessment", "type": "definition", "offset": [536, 560]}, {"key": "access-control", "type": "clause", "offset": [569, 583]}, {"key": "system-hardening", "type": "clause", "offset": [588, 604]}, {"key": "in-accordance-with", "type": "definition", "offset": [614, 632]}, {"key": "industry-best-practices", "type": "definition", "offset": [633, 656]}, {"key": "will-provide", "type": "clause", "offset": [671, 683]}, {"key": "penetration-tests", "type": "clause", "offset": [746, 763]}, {"key": "in-a-timely-manner", "type": "definition", "offset": [824, 842]}], "size": 4, "snippet": "7.1 Supplier will maintain a secure systems development life cycle process for Supplier\u2019s systems that Process or store UKG Personal Data, including at a minimum:\n(a) evidence of a secure code review process;\n(b) perform periodic application penetration and vulnerability test executed by a specialized third party;\n(c) implement a procedure that results in timely resolution of all discovered critical, high and medium risk vulnerabilities; and\n(d) a security checkpoint in change management.\n7.2 Supplier will apply patch management, vulnerability assessment, strong access control and system hardening measures in accordance with industry best practices.\n7.3 Supplier will provide to UKG upon UKG\u2019s request, evidence that periodic application penetration tests are performed and discovered vulnerabilities are remediated in a timely manner.", "hash": "f7237aec2524dd5a258318f920873109", "id": 10}, {"samples": [{"hash": "dS8q6khWIqz", "uri": "/contracts/dS8q6khWIqz#application-security", "label": "General Terms and Conditions", "score": 35.5409507751, "published": true}, {"hash": "8oUDsZZBIFl", "uri": "/contracts/8oUDsZZBIFl#application-security", "label": "General Terms and Conditions", "score": 34.5586967468, "published": true}, {"hash": "4K1Mdlty9iM", "uri": "/contracts/4K1Mdlty9iM#application-security", "label": "General Terms and Conditions", "score": 33.4440727234, "published": true}], "snippet_links": [{"key": "identity-theft", "type": "clause", "offset": [93, 107]}, {"key": "our-services", "type": "definition", "offset": [147, 159]}, {"key": "distributed-denial-of-service", "type": "definition", "offset": [165, 194]}], "size": 6, "snippet": "Reveal uses \u2587\u2587\u2587\u2587\u2587\u2587.\u2587\u2587\u2587 to detect and block in real time attacks such as XSS, SQL Injections, Identity Theft etc. We also use Cloudflare to protect our services from Distributed Denial of Service (DDoS) attacks.", "hash": "6d76fb73117a91f07133a9dbf7e94ab2", "id": 5}, {"samples": [{"hash": "gXT0EDPYqeb", "uri": "/contracts/gXT0EDPYqeb#application-security", "label": "Professional Services", "score": 34.6308555603, "published": true}, {"hash": "4HIovTK3X0F", "uri": "/contracts/4HIovTK3X0F#application-security", "label": "Prevention and Promotion Client Services Contract", "score": 34.2474937439, "published": true}, {"hash": "iEEKqFxaFDl", "uri": "/contracts/iEEKqFxaFDl#application-security", "label": "Prevention and Promotion Client Services Contract", "score": 34.1316604614, "published": true}], "snippet_links": [{"key": "contractor-must", "type": "clause", "offset": [0, 15]}, {"key": "and-support", "type": "clause", "offset": [25, 36]}, {"key": "bug-fixes", "type": "clause", "offset": [97, 106]}, {"key": "the-software", "type": "definition", "offset": [117, 129]}], "size": 10, "snippet": "Contractor must maintain and support its software and subsequent upgrades, updates, patches, and bug fixes such that the software is, and remains secure from known vulnerabilities.", "hash": "abf2c8373f2903e8a79310780ab55975", "id": 3}, {"samples": [{"hash": "9Fy0x6bJsq1", "uri": "/contracts/9Fy0x6bJsq1#application-security", "label": "Data Processing Addendum", "score": 34.049030304, "published": true}, {"hash": "i9EC9EjklLp", "uri": "/contracts/i9EC9EjklLp#application-security", "label": "Data Processing Addendum", "score": 33.7955169678, "published": true}, {"hash": "d19E2fdXer7", "uri": "/contracts/d19E2fdXer7#application-security", "label": "Data Processing Agreement", "score": 27.6064338684, "published": true}], "snippet_links": [{"key": "security-program", "type": "clause", "offset": [21, 37]}, {"key": "based-on", "type": "clause", "offset": [41, 49]}, {"key": "to-secure", "type": "clause", "offset": [101, 110]}, {"key": "product-code", "type": "definition", "offset": [111, 123]}, {"key": "core-elements", "type": "definition", "offset": [129, 142]}, {"key": "code-analysis", "type": "clause", "offset": [209, 222]}, {"key": "system-hardening", "type": "clause", "offset": [246, 262]}], "size": 4, "snippet": "Genesys\u2019 application security program is based on the Microsoft Security Development Lifecycle (SDL) to secure product code. The core elements of this program are manual code reviews, threat modelling, static code analysis, dynamic analysis, and system hardening.", "hash": "4eb1b75ba686ede0cd6ac1a3136a10cd", "id": 9}], "next_curs": "Cl0SV2oVc35sYXdpbnNpZGVyY29udHJhY3RzcjkLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2Ih1hcHBsaWNhdGlvbi1zZWN1cml0eSMwMDAwMDAwYQyiAQJlbhgAIAA=", "clause": {"parents": [["miscellaneous", "Miscellaneous"], ["general", "General"], ["severability", "Severability"], ["disclosure-of-certain-regulatory-matters", "Disclosure of Certain Regulatory Matters"], ["competent-supervisory-authority", "COMPETENT SUPERVISORY AUTHORITY"]], "title": "Application Security", "children": [["functional-requirements", "Functional Requirements"], ["software-development-life-cycle", "Software Development Life Cycle"], ["logging", "Logging"], ["testing-and-remediation", "Testing and Remediation"], ["data-integrity", "Data Integrity"]], "size": 237, "id": "application-security", "related": [["aviation-security", "Aviation Security", "Aviation Security"], ["transaction-security", "Transaction Security", "Transaction Security"], ["union-security", "UNION SECURITY", "UNION SECURITY"], ["information-security", "Information Security", "Information Security"], ["article-union-security", "ARTICLE UNION SECURITY", "ARTICLE UNION SECURITY"]], "related_snippets": [], "updated": "2026-03-29T04:25:46+00:00", "also_ask": ["What minimum security standards should be mandated in the clause?", "How can liability for security breaches be strategically allocated?", "What audit and compliance rights are essential for enforceability?", "How does this clause compare to industry-standard application security provisions?", "What are the most common pitfalls that render application security clauses unenforceable in court?"], "drafting_tip": "Specify security standards, require regular audits, and mandate breach notification to ensure compliance, maintain system integrity, and enable prompt risk mitigation.", "explanation": "The Application Security clause establishes requirements and standards to ensure that software applications are protected against security threats and vulnerabilities. It typically mandates the implementation of secure coding practices, regular security testing, and prompt remediation of identified issues, often applying to both in-house and third-party applications. By setting these expectations, the clause helps prevent data breaches and unauthorized access, ultimately safeguarding sensitive information and maintaining the integrity of the software environment."}, "json": true, "cursor": ""}}