{"component": "clause", "props": {"groups": [{"snippet_links": [{"key": "all-products", "type": "clause", "offset": [26, 38]}, {"key": "in-accordance-with", "type": "clause", "offset": [59, 77]}, {"key": "consistent-with", "type": "definition", "offset": [120, 135]}, {"key": "industry-best-practices", "type": "definition", "offset": [157, 180]}, {"key": "design-review", "type": "clause", "offset": [202, 215]}, {"key": "secure-coding-practices", "type": "clause", "offset": [217, 240]}, {"key": "remediation-requirements", "type": "clause", "offset": [265, 289]}, {"key": "to-secure", "type": "clause", "offset": [333, 342]}, {"key": "the-software", "type": "clause", "offset": [343, 355]}, {"key": "development-environment", "type": "definition", "offset": [356, 379]}, {"key": "the-products", "type": "clause", "offset": [383, 395]}, {"key": "unauthorized-access", "type": "definition", "offset": [401, 420]}, {"key": "documentation-provided", "type": "clause", "offset": [487, 509]}, {"key": "ensure-security", "type": "clause", "offset": [635, 650]}, {"key": "access-to", "type": "definition", "offset": [797, 806]}, {"key": "any-service", "type": "clause", "offset": [807, 818]}, {"key": "intended-user", "type": "definition", "offset": [868, 881]}, {"key": "the-supplier-shall", "type": "clause", "offset": [910, 928]}, {"key": "provide-access", "type": "clause", "offset": [964, 978]}, {"key": "default-account", "type": "definition", "offset": [1017, 1032]}, {"key": "not-required", "type": "definition", "offset": [1418, 1430]}, {"key": "by-default", "type": "clause", "offset": [1478, 1488]}, {"key": "in-the-event", "type": "clause", "offset": [1587, 1599]}, {"key": "wireless-technology", "type": "definition", "offset": [1609, 1628]}, {"key": "security-requirements", "type": "definition", "offset": [1753, 1774]}, {"key": "ieee-standards", "type": "definition", "offset": [1858, 1872]}, {"key": "contained-in", "type": "definition", "offset": [1943, 1955]}, {"key": "information-processing", "type": "clause", "offset": [2061, 2083]}, {"key": "requirements-for", "type": "clause", "offset": [2109, 2125]}, {"key": "cryptographic-modules", "type": "definition", "offset": [2126, 2147]}, {"key": "integrity-of", "type": "clause", "offset": [2281, 2293]}], "samples": [{"hash": "7NvmarfST64", "uri": "/contracts/7NvmarfST64#secure-software-development", "label": "Hosted Application Terms and Conditions", "score": 27.6490650177, "published": true}, {"hash": "3RWggff6Twf", "uri": "/contracts/3RWggff6Twf#secure-software-development", "label": "Commercial License Agreement", "score": 27.6490650177, "published": true}, {"hash": "hkQYUYUGRzC", "uri": "/contracts/hkQYUYUGRzC#secure-software-development", "label": "Hosted Application Terms and Conditions", "score": 24.3251190186, "published": true}], "size": 5, "snippet": "(a) Licensor shall ensure all Products have been developed in accordance with principles of secure software development consistent with software development industry best practices, including, security design review, secure coding practices, risk based testing and remediation requirements.\n(b) Licensor must use reasonable measures to secure the software development environment of the Products from unauthorized access.\n(c) Licensor shall include cybersecurity guidance in the Product documentation provided to GE. This documentation shall include guidance on how to configure the Products and/or the surrounding environment to best ensure security. It shall also include guidance on which logical or physical ports are required for the product to function. If authentication is used to protect access to any service or capability of the Products, regardless of the intended user of that service/capability, the Supplier shall ensure:\n(i) the Products shall not provide access to that service or capability using a default account/password;\n(ii) the Products shall not provide access to that service or capability using a \u201cBackdoor\u201d account or password;\n(iii) the Products\u2019 associated authentication and password change processes shall be implemented with an appropriately secure cryptographic level; and\n(iv) GE shall be able to change any passwords supported by the Products.\n(d) Services or capabilities that are not required to implement the Product\u2019s functionality shall by default be disabled, or shall require authentication to protect access to this service or capability.\n(e) In the event that any wireless technology is incorporated in any Product, Licensor shall document that the wireless technology complies with standard operational and security requirements specified in applicable wireless standard(s) or specification(s) (e.g., applicable IEEE standards, such as 802.11).\n(f) In the event that any cryptographic systems are contained in the Product, Supplier shall only use cryptographic methods that are \u201cApproved\u201d as defined in the Federal Information Processing Standard (FIPS) Security Requirements for Cryptographic Modules (FIPS 140-2), and Supplier shall provide an automated remote key-establishment (update) method that protects the confidentiality and integrity of the cryptographic keys.", "hash": "483d71ec592b79c3e2589f9947de1046", "id": 1}, {"snippet_links": [{"key": "security-process", "type": "clause", "offset": [13, 29]}, {"key": "taking-into-consideration", "type": "clause", "offset": [84, 109]}], "samples": [{"hash": "blSGb8IZRAF", "uri": "/contracts/blSGb8IZRAF#secure-software-development", "label": "Privacy Terms", "score": 35.9384117126, "published": true}, {"hash": "fznMC9mQidl", "uri": "/contracts/fznMC9mQidl#secure-software-development", "label": "Master Subscription Agreement", "score": 35.6648979187, "published": true}, {"hash": "2fVadV3N9MU", "uri": "/contracts/2fVadV3N9MU#secure-software-development", "label": "Master Subscription Agreement", "score": 35.0073509216, "published": true}], "size": 4, "snippet": "Well defined security process that is implemented and monitored throughout the SDLC taking into consideration confidentiality, availability and integrity requirements.", "hash": "e4a7ce89fe70d78a5679f93c4994124a", "id": 2}, {"snippet_links": [{"key": "data-importer", "type": "clause", "offset": [0, 13]}, {"key": "policies-and-procedures", "type": "clause", "offset": [29, 52]}, {"key": "to-ensure", "type": "clause", "offset": [53, 62]}, {"key": "infrastructure-development", "type": "definition", "offset": [100, 126]}, {"key": "services-for", "type": "clause", "offset": [238, 250]}, {"key": "vulnerabilities-and-defects", "type": "clause", "offset": [267, 294]}, {"key": "security-assessment", "type": "clause", "offset": [433, 452]}, {"key": "requirements-for", "type": "clause", "offset": [509, 525]}, {"key": "third-party-systems", "type": "clause", "offset": [538, 557]}], "samples": [{"hash": "kKxcZpT16sS", "uri": "/contracts/kKxcZpT16sS#secure-software-development", "label": "Data Processing Agreement", "score": 35.3383331299, "published": true}, {"hash": "2kgHIuNnFSZ", "uri": "/contracts/2kgHIuNnFSZ#secure-software-development", "label": "Data Processing Agreement", "score": 34.9496325545, "published": true}, {"hash": "jiDdKBuNtM7", "uri": "/contracts/jiDdKBuNtM7#secure-software-development", "label": "Data Processing Agreement", "score": 34.024394989, "published": true}], "size": 3, "snippet": "Data Importer shall maintain policies and procedures to ensure that system, device, application and infrastructure development is performed in a secure manner. This includes review and test of all Data Importer applications, products and services for common security vulnerabilities and defects, employing defense-in-depth strategy through the use of multiple layers of security boundaries and technologies, periodic pen testing and security assessment of these services, defining baseline configurations and requirements for patching of third party systems.", "hash": "6a358d9fd538c2e081aaef1c07387ae0", "id": 5}, {"snippet_links": [{"key": "policies-and-procedures", "type": "clause", "offset": [71, 94]}, {"key": "industry-standard-practices", "type": "definition", "offset": [108, 135]}, {"key": "equivalent-standard", "type": "definition", "offset": [182, 201]}, {"key": "all-personnel", "type": "clause", "offset": [204, 217]}, {"key": "responsible-for", "type": "clause", "offset": [218, 233]}, {"key": "design-and-development", "type": "clause", "offset": [253, 275]}, {"key": "development-practices", "type": "clause", "offset": [352, 373]}], "samples": [{"hash": "i7zoO6T3rzR", "uri": "/contracts/i7zoO6T3rzR#secure-software-development", "label": "Public Sector Subscription Terms of Service", "score": 31.4745864868, "published": true}], "size": 3, "snippet": "ServiceNow shall implement and maintain secure application development policies and procedures aligned with industry standard practices such as the OWASP Top Ten (or a substantially equivalent standard). All personnel responsible for secure application design and development will receive appropriate training regarding ServiceNow\u2019s secure application development practices.", "hash": "d85e770f8df70dfe8901d65d7543e533", "id": 6}, {"snippet_links": [{"key": "and-address", "type": "clause", "offset": [53, 64]}, {"key": "development-of", "type": "clause", "offset": [78, 92]}, {"key": "software-solutions", "type": "clause", "offset": [97, 115]}, {"key": "an-independent", "type": "clause", "offset": [138, 152]}, {"key": "development-environment", "type": "definition", "offset": [158, 181]}, {"key": "computing-resources", "type": "definition", "offset": [208, 227]}, {"key": "new-software", "type": "clause", "offset": [248, 260]}, {"key": "changes-to", "type": "clause", "offset": [268, 278]}, {"key": "existing-software", "type": "definition", "offset": [279, 296]}, {"key": "production-data", "type": "clause", "offset": [298, 313]}, {"key": "software-testing", "type": "clause", "offset": [335, 351]}, {"key": "development-purposes", "type": "definition", "offset": [356, 376]}, {"key": "necessary-for", "type": "definition", "offset": [405, 418]}, {"key": "test-data", "type": "definition", "offset": [515, 524]}, {"key": "change-control-process", "type": "definition", "offset": [544, 566]}, {"key": "application-changes", "type": "clause", "offset": [571, 590]}, {"key": "tasks-to-be-performed", "type": "clause", "offset": [681, 702]}, {"key": "code-review", "type": "definition", "offset": [728, 739]}, {"key": "approval-of-changes", "type": "clause", "offset": [750, 769]}, {"key": "documentation-of-changes", "type": "clause", "offset": [775, 799]}, {"key": "software-developers", "type": "clause", "offset": [820, 839]}, {"key": "secure-coding-practices", "type": "clause", "offset": [863, 886]}], "samples": [{"hash": "ks9LnaU4z9d", "uri": "/contracts/ks9LnaU4z9d#secure-software-development", "label": "GDPR Data Protection Addendum", "score": 33.6757926941, "published": true}, {"hash": "gwa3GOau5X4", "uri": "/contracts/gwa3GOau5X4#secure-software-development", "label": "Data Processing Addendum", "score": 27.3586578369, "published": true}], "size": 2, "snippet": "Cvent shall maintain processes to identify, evaluate and address risks to the development of its software solutions. Cvent shall maintain an independent test/development environment, separate from production computing resources, for any testing of new software and/or changes to existing software. Production data will not be used for software testing and development purposes unless sanitized and deemed necessary for any intended testing that needs to be performed; all efforts will be made to first utilize mock/test data. Cvent maintains a change control process for application changes pushed to production computing environments. Changes shall require approvals and specific tasks to be performed, including: Development, Code Review, Testing, Approval of Changes, and Documentation of Changes. Cvent requires all software developers to undergo training on secure coding practices in line with OWASP Top 10 guidelines.", "hash": "2ed706874b673b077f088d4d6eb40a3a", "id": 7}, {"snippet_links": [{"key": "new-feature", "type": "definition", "offset": [4, 15]}, {"key": "product-enhancement", "type": "definition", "offset": [20, 39]}, {"key": "security-review", "type": "definition", "offset": [68, 83]}, {"key": "review-process", "type": "definition", "offset": [169, 183]}, {"key": "adherence-to-standards", "type": "definition", "offset": [210, 232]}, {"key": "penetration-testing", "type": "definition", "offset": [258, 277]}, {"key": "to-validate", "type": "definition", "offset": [301, 312]}, {"key": "security-vulnerabilities", "type": "definition", "offset": [316, 340]}, {"key": "our-platform", "type": "definition", "offset": [350, 362]}], "samples": [{"hash": "a0SkQd4UBYb", "uri": "/contracts/a0SkQd4UBYb#secure-software-development", "label": "Data Processing Agreement", "score": 31.4163703918, "published": true}, {"hash": "9WmcxeHS6Hb", "uri": "/contracts/9WmcxeHS6Hb#secure-software-development", "label": "Data Processing Agreement", "score": 29.2887496948, "published": true}, {"hash": "27dx4QdLKU6", "uri": "/contracts/27dx4QdLKU6#secure-software-development", "label": "Data Processing Agreement", "score": 27.5325126648, "published": true}], "size": 3, "snippet": "Any new feature and product enhancement we implement goes through a security review during design. Additionally, any code committed to our code base goes through a code-review process ensuring code quality and adherence to standards. We also perform regular penetration testing and automatic scanning to validate no security vulnerabilities exist in our platform.", "hash": "2742afe0536c7881813a4b4b1b45178f", "id": 3}, {"snippet_links": [{"key": "in-connection-with", "type": "clause", "offset": [53, 71]}, {"key": "processing-of-customer-personal-data", "type": "clause", "offset": [76, 112]}, {"key": "development-practices", "type": "clause", "offset": [160, 181]}, {"key": "production-environments", "type": "clause", "offset": [226, 249]}, {"key": "secure-communication", "type": "clause", "offset": [337, 357]}, {"key": "management-practices", "type": "clause", "offset": [415, 435]}, {"key": "object-code", "type": "definition", "offset": [687, 698]}, {"key": "source-code", "type": "clause", "offset": [703, 714]}, {"key": "code-analysis", "type": "clause", "offset": [766, 779]}, {"key": "applications-for", "type": "clause", "offset": [806, 822]}, {"key": "performance-under", "type": "clause", "offset": [900, 917]}, {"key": "denial-of-service", "type": "clause", "offset": [918, 935]}], "samples": [{"hash": "VwxAzagtZB", "uri": "/contracts/VwxAzagtZB#secure-software-development", "label": "Data Processing Addendum", "score": 35.5766601562, "published": true}, {"hash": "cyKN5VR3XRM", "uri": "/contracts/cyKN5VR3XRM#secure-software-development", "label": "Data Processing Addendum", "score": 35.1083908081, "published": true}, {"hash": "3soNLR9Lq6g", "uri": "/contracts/3soNLR9Lq6g#secure-software-development", "label": "Data Processing Addendum", "score": 34.5506477356, "published": true}], "size": 3, "snippet": "Talos represents and warrants that any software used in connection with the Processing of Customer Personal Data is or has been developed using secure software development practices, including: (a) segregating development and production environments; (b) filtering out potentially malicious character sequences in user inputs; (c) using secure communication techniques, including encryption; (d) using sound memory management practices; (e) using web application firewalls to address common web application attacks such as cross-site scripting, SQL injection and command injection; (f) implementing the OWASP Top Ten recommendations, as applicable; (g) patching of software; (h) testing object code and source code for common coding errors and vulnerabilities using code analysis tools; (i) testing of web applications for vulnerabilities using web application scanners; and (j) testing software for performance under denial of service and other resource exhaustion attacks.", "hash": "39cefac78119baf313a2a8a16e6377b8", "id": 4}, {"snippet_links": [{"key": "supplier-shall", "type": "clause", "offset": [0, 14]}, {"key": "policies-and-procedures", "type": "clause", "offset": [69, 92]}, {"key": "industry-standard-practices", "type": "definition", "offset": [106, 133]}, {"key": "equivalent-standard", "type": "definition", "offset": [180, 199]}, {"key": "all-personnel", "type": "clause", "offset": [202, 215]}, {"key": "responsible-for", "type": "clause", "offset": [216, 231]}, {"key": "design-and-development", "type": "clause", "offset": [251, 273]}, {"key": "development-practices", "type": "clause", "offset": [348, 369]}], "samples": [{"hash": "jL9Zp9NQIco", "uri": "/contracts/jL9Zp9NQIco#secure-software-development", "label": "Supplier Terms", "score": 33.3729019165, "published": true}, {"hash": "3boX9hK0U57", "uri": "/contracts/3boX9hK0U57#secure-software-development", "label": "Cloud Data Processing Addendum", "score": 33.3646888733, "published": true}], "size": 2, "snippet": "Supplier shall implement and maintain secure application development policies and procedures aligned with industry standard practices such as the OWASP Top Ten (or a substantially equivalent standard). All personnel responsible for secure application design and development will receive appropriate training regarding Supplier\u2019s secure application development practices.", "hash": "29d4f82701e2ba7be0ec127d164bbd21", "id": 8}, {"snippet_links": [{"key": "in-connection-with", "type": "clause", "offset": [55, 73]}, {"key": "the-processing", "type": "clause", "offset": [74, 88]}, {"key": "of-customer", "type": "clause", "offset": [89, 100]}, {"key": "confidential-information", "type": "clause", "offset": [103, 127]}, {"key": "development-practices", "type": "clause", "offset": [175, 196]}, {"key": "production-environments", "type": "clause", "offset": [241, 264]}, {"key": "secure-communication", "type": "clause", "offset": [352, 372]}, {"key": "management-practices", "type": "clause", "offset": [430, 450]}, {"key": "object-code", "type": "definition", "offset": [702, 713]}, {"key": "source-code", "type": "clause", "offset": [718, 729]}, {"key": "code-analysis", "type": "clause", "offset": [781, 794]}, {"key": "applications-for", "type": "clause", "offset": [821, 837]}, {"key": "performance-under", "type": "clause", "offset": [915, 932]}, {"key": "denial-of-service", "type": "clause", "offset": [933, 950]}], "samples": [{"hash": "kmjCE0nolrH", "uri": "/contracts/kmjCE0nolrH#secure-software-development", "label": "Data Processing Addendum", "score": 33.0773353577, "published": true}], "size": 1, "snippet": "Company represents and warrants that any software used in connection with the processing of Customer\u2019s Confidential Information is or has been developed using secure software development practices, including: (a) segregating development and production environments; (b) filtering out potentially malicious character sequences in user inputs; (c) using secure communication techniques, including encryption; (d) using sound memory management practices; (e) using web application firewalls to address common web application attacks such as cross-site scripting, SQL injection and command injection; (f) implementing the OWASP Top Ten recommendations, as applicable; (g) patching of software; (h) testing object code and source code for common coding errors and vulnerabilities using code analysis tools; (i) testing of web applications for vulnerabilities using web application scanners; and (j) testing software for performance under denial of service and other resource exhaustion attacks.", "hash": "d531b828a0f75b3176771b90abf6bc66", "id": 9}, {"snippet_links": [{"key": "production-environments", "type": "clause", "offset": [55, 78]}, {"key": "in-place", "type": "clause", "offset": [149, 157]}, {"key": "live-data", "type": "clause", "offset": [250, 259]}, {"key": "prior-agreement", "type": "definition", "offset": [286, 301]}, {"key": "the-data", "type": "clause", "offset": [307, 315]}, {"key": "the-production", "type": "clause", "offset": [354, 368]}, {"key": "segregation-of-duties", "type": "clause", "offset": [384, 405]}, {"key": "systems-development", "type": "definition", "offset": [516, 535]}, {"key": "security-vulnerabilities", "type": "definition", "offset": [557, 581]}, {"key": "security-breaches", "type": "clause", "offset": [592, 609]}, {"key": "secure-development", "type": "clause", "offset": [688, 706]}, {"key": "best-practice", "type": "clause", "offset": [707, 720]}, {"key": "subject-to", "type": "clause", "offset": [766, 776]}, {"key": "quality-assurance", "type": "clause", "offset": [777, 794]}], "samples": [{"hash": "k60TJ6KRtb", "uri": "/contracts/k60TJ6KRtb#secure-software-development", "label": "General Purchasing Conditions", "score": 35.5829353333, "published": true}], "size": 1, "snippet": "11.1 The 3rd Party must ensure that production and non-production environments are appropriately controlled by ensuring the following components are in place: \u2022 Segregation of production and non-production environments with segregation of duty. \u2022 No live data to be used in test unless prior agreement from the data owners and controls commensurate with the production environment. \u2022 Segregation of duties between production and non-production development.\n11.2 The 3rd Party must have an established and consistent Systems Development framework to prevent security vulnerabilities and Cyber Security breaches which contains the following components: \u2022 Systems are developed in line with Secure Development best practice (e.g., OWASP). \u2022 Code is securely stored and subject to Quality Assurance. \u2022 Code is adequately protected from unauthorised modification once testing has been signed off and delivered into production.", "hash": "441141c7370d528f64948530e736a270", "id": 10}], "next_curs": "CmQSXmoVc35sYXdpbnNpZGVyY29udHJhY3RzckALEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IiRzZWN1cmUtc29mdHdhcmUtZGV2ZWxvcG1lbnQjMDAwMDAwMGEMogECZW4YACAA", "clause": {"parents": [["international-data-transfers", "International Data Transfers"], ["technical-security-measures", "Technical Security Measures"], ["information-security-program", "Information Security Program"], ["general", "GENERAL"], ["malicious-software", "Malicious Software"]], "title": "Secure Software Development", "children": [["supplemental-terms", "Supplemental Terms"], ["competent-supervisory-authority", "Competent Supervisory Authority"], ["", ""], ["annex-i", "Annex I"]], "size": 31, "id": "secure-software-development", "related": [["software-development", "Software Development", "Software Development"], ["licensed-software", "Licensed Software", "Licensed Software"], ["antivirus-software", "Antivirus software", "Antivirus software"], ["service-monitoring-analyses-and-oracle-software", "SERVICE MONITORING, ANALYSES AND ORACLE SOFTWARE", "SERVICE MONITORING, ANALYSES AND ORACLE SOFTWARE"], ["embedded-software", "Embedded Software", "Embedded Software"]], "related_snippets": [], "updated": "2025-07-24T04:27:57+00:00"}, "json": true, "cursor": ""}}