Common use of Technical and Organizational Security Measures Clause in Contracts

Technical and Organizational Security Measures. Cloudflare has implemented and shall maintain an information security program in accordance with ISO/IEC 27000 standards. Cloudflare’s security program shall include:

Measures of encryption of Personal Data
Cloudflare implements encryption to adequately protect Personal Data using:
● state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
● trustworthy public-key certification authorities and infrastructure; and
● effective encryption algorithms and parameterization, such as a minimum of 128-bit key lengths for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for asymmetric algorithms.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Cloudflare enhances the security of processing systems and services in production environments by:
● employing a code review process to increase the security of the code used to provide the Services, and testing code and systems for vulnerabilities before and during use;
● maintaining an external bug bounty program;
● using checks to validate the integrity of encrypted data; and
● employing preventative and reactive intrusion detection.
Cloudflare deploys high-availability systems across geographically-distributed data centers.
Cloudflare implements input control measures to protect and maintain the confidentiality of Personal Data, including:
● an authorization policy for the input, reading, alteration and deletion of data;
● authenticating authorized personnel using unique authentication credentials (passwords) and hard tokens;
● automatically signing out user IDs after a period of inactivity;
● protecting the input of data, as well as the reading, alteration and deletion of stored data; and
● requiring that data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked and secure.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Cloudflare implements measures to ensure that Personal Data is protected from accidental destruction or loss, including by maintaining:
● disaster-recovery and business continuity plans and procedures;
● geographically-distributed data centers;
● redundant infrastructure, including power supplies and internet connectivity;
● backups stored at alternative sites and available for restore in case of failure of primary systems; and
● incident management procedures that are regularly tested.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Cloudflare’s technical and organizational measures are regularly tested and evaluated by external third-party auditors as part of Cloudflare’s Security & Privacy Compliance Program. These may include annual ISO/IEC 27001 audits; AICPA SOC 2 Type II; PCI DSS Level 1; and other external audits. Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments.
Measures for user identification and authorization
Cloudflare implements effective measures for user authentication and privilege management by:
● applying a mandatory access control and authentication policy;
● applying a zero-trust model of identification and authorization;
● authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
● allocating and managing appropriate privileges according to role, approvals, and exception management; and
● applying the principle of least privilege access.

Measures for the protection of data during transmission
Cloudflare implements effective measures to protect Personal Data from being read, copied, altered or deleted by unauthorized parties during transmission, including by:
● using state-of-the-art transport encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
● using trustworthy public-key certification authorities and infrastructure;
● implementing protective measures against active and passive attacks on the sending and receiving systems providing transport encryption, such as adequate firewalls, mutual TLS encryption, API authentication, and encryption to protect the gateways and pipelines through which data travels, as well as testing for software vulnerabilities and possible backdoors;
● employing effective encryption algorithms and parameterization, such as a minimum of 128-bit key lengths for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for asymmetric algorithms;
● using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;
● enforcing secure measures to reliably generate, manage, store and protect encryption keys; and
● audit logging, monitoring, and tracking data transmissions.
Measures for the protection of data during storage
Cloudflare implements effective measures to protect Personal Data during storage, controlling and limiting access to data processing systems, and by:
● using state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
● using trustworthy public-key certification authorities and infrastructure;
● testing systems storing data for software vulnerabilities and possible backdoors;
● employing effective encryption algorithms and parameterization, such as requiring all disks storing Personal Data to be encrypted with AES-XTS using a key length of 128 bits or longer;
● using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;
● enforcing secure measures to reliably generate, manage, store and protect encryption keys;
● identifying and authorizing systems and users with access to data processing systems;
● automatically signing out users after a period of inactivity; and
● audit logging, monitoring, and tracking access to data processing and storage systems.
Cloudflare implements access controls to specific areas of data processing systems to ensure that only authorized users are able to access the Personal Data within the scope and to the extent covered by their respective access permission (authorization), and that Personal Data cannot be read, copied, modified or removed without authorization.
This shall be accomplished by various measures, including:
● employee policies and training in respect of each employee’s access rights to the Personal Data;
● applying a zero-trust model of user identification and authorization;
● authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
● monitoring actions of those authorized to delete, add or modify Personal Data;
● releasing data only to authorized persons, including the allocation of differentiated access rights and roles; and
● controlling access to data, with controlled and documented destruction of data.

Measures for ensuring physical security of locations at which Personal Data are processed
Cloudflare maintains and implements effective physical access control policies and measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers, and related hardware) where the Personal Data are processed or used, including by:
● establishing secure areas;
● protecting and restricting access paths;
● establishing access authorizations for employees and third parties, including the respective documentation;
● logging, monitoring, and tracking all access to data centers where Personal Data are hosted; and
● securing data centers where Personal Data are hosted by security alarm systems and other appropriate security measures.

Measures for ensuring events logging
Cloudflare has implemented a logging and monitoring program to log, monitor and track access to personal data, including by system administrators, and to ensure data is processed in accordance with instructions received.
This is accomplished by various measures, including:
● authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
● applying a zero-trust model of user identification and authorization;
● maintaining updated lists of system administrators’ identification details;
● adopting measures to detect, assess, and respond to high-risk anomalies;
● keeping secure, accurate, and unmodified access logs to the processing infrastructure for twelve months; and
● testing the logging configuration, monitoring system, alerting and incident response process at least once annually.

Measures for ensuring system configuration, including default configuration
Cloudflare maintains configuration baselines for all systems supporting the production data processing environment, including third-party systems. Configuration baselines should align with industry best practices such as the Center for Internet Security (CIS) Level 1 benchmarks. Automated mechanisms must be used to enforce baseline configurations on production systems, and to prevent unauthorized changes. Changes to baselines are limited to a small number of authorized Cloudflare personnel, and must follow change control processes. Changes must be auditable, and checked regularly to detect deviations from baseline configurations.

Cloudflare configures baselines for the information system using the principle of least privilege. By default, access configurations are set to “deny-all,” and default passwords must be changed to meet Cloudflare’s policies prior to device installation on the Cloudflare network, or immediately after software or operating system installation. Systems are configured to synchronize system time clocks based on International Atomic Time or Coordinated Universal Time (UTC), and access to modify time data is restricted to authorized personnel.
Measures for internal IT and IT security governance and management
Cloudflare maintains internal policies on the acceptable use of IT systems and general information security. Cloudflare requires all employees to undertake general security and privacy awareness training at least every year. Cloudflare restricts and protects the processing of Personal Data, and has documented and implemented:
● a formal Information Security Management System (ISMS) in order to protect the confidentiality, integrity, authenticity, and availability of Cloudflare’s data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations; and
● a formal Privacy Information Management System (PIMS) in order to protect the confidentiality, integrity, authenticity, and availability of the policies and procedures supporting Cloudflare’s global managed network, as both a processor and a controller of customer information.
Cloudflare will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Cloudflare shall take reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this Annex 2.

Measures for certification/assurance of processes and products
The implementation of Cloudflare’s ISMS and related security risk management processes has been externally certified to the industry-standard ISO/IEC 27001. The implementation of Cloudflare’s comprehensive PIMS has been externally certified to the industry-standard ISO/IEC 27701, as both a processor and controller of customer information. Cloudflare maintains PCI DSS Level 1 compliance, for which Cloudflare is audited annually by a third-party Qualified Security Assessor.
Cloudflare has undertaken other certifications such as the AICPA SOC 2 Type II certification in accordance with the AICPA Trust Service Criteria, and details of these and other certifications that Cloudflare may undertake from time to time will be made available on Cloudflare’s website.

For transfers to (sub-) Processors, also describe the specific technical and organizational measures to be taken by the (sub-) Processor to be able to provide assistance to the controller (and, for transfers from a Processor to a sub-Processor, to the data exporter).

Appears in 4 contracts

