In the provision of Software and/or Services, the Service Provider (or Service Providers, hereinafter “Service Provider”) may have access to personally identifiable information, sensitive data, payment data, and other business information intended to be treated as confidential, including any third-party information provided to Service Provider for the purposes of providing the Services (“Customer Information”). Service Provider shall implement technical and organizational measures to protect all Customer Information against unauthorized disclosure, loss and misuse (“Information Security Measures”) as follows:
 

1.    Information Security Plan. Service Provider has a written information security plan that describes its program to protect Customer Information.  As part of the plan, Service Provider:

  • a) Shall maintain an Information Security program based on generally accepted industry Information Security standards and frameworks (e.g., the then current version of ISO/IEC 27001 or NIST Cybersecurity Framework).
  • b) Designates one or more employees to coordinate its information security program.
  • c) Designs and implements a safeguards program, and regularly monitors and tests it.
  • d) Selects service providers that can maintain appropriate safeguards, ensures that its contract requires them to maintain safeguards, and oversees their handling of Customer Information; and
  • e) Evaluates and adjusts the program considering relevant circumstances, including changes in Cvent’s business or operations, or the results of security testing and monitoring.

2. Employee Management and Training. Service Provider also secures Customer Information by:

  • a) Checking references or doing background checks before hiring employees who will have access to Customer Information;
  • b) Asking every new employee to sign an agreement to follow Service Provider’s confidentiality and security standards for handling Customer Information;
  • c) Limiting access to Customer Information to employees who have a business reason to see it;
  • d) Requiring employees to use “strong” passwords that must be changed on a regular basis;
  • e) Using password-activated screen savers to lock employee computers after a period of inactivity;
  • f) Having policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices;
  • g) Training employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including: 
  • i) Locking rooms and file cabinets where records are kept;
  • ii) Not sharing or openly posting employee passwords in work areas;
  • iii) Abiding by the clean desk and clear screen policy;
  • iv) Encrypting sensitive customer information when it is transmitted electronically via public networks;
  • v) Reporting suspicious attempts to obtain Customer Information to designated personnel.
  • h) Having policies for employees who telecommute to use protections against viruses, spyware, and other unauthorized intrusions;
  • i) Imposing disciplinary measures for security policy violations.
  • j) Preventing terminated employees from accessing Customer Information by immediately deactivating their passwords and usernames and taking other appropriate measures.
  • k) Security Awareness Training: Service Provider shall maintain an Information Security Awareness Program geared to its employees, contractors and relevant third parties to provide an understanding of Company’s Information Security Program, common threats and risks to Customer Data resources, and the fulfillment of their Information Security responsibilities. Security Awareness training shall be conducted on an annual basis; topics covered may include, but are not limited to, Security Policy & Incident Recording, Acceptable Use, and Information Classification and Privacy, specifically concerning GDPR, CCPA, and other applicable global regulations.

3.  Data Protection

  • a) Controls to protect Customer Data may include, but are not limited to, the following: Protecting Customer Data in transit and while at rest, by implementing strong cryptography controls using AES-256 for specifically handling PII and Customer financial data.
  • b) Service Provider will not store Customer Information on its own systems or media unless required for the services provided to Cvent; where it does so, the data shall be encrypted and all databases logically separated to ensure the confidentiality of Customer Data.
  • c) Service Provider will delete any confidential information communicated by Cvent via emails, file shares or other such means immediately after use, securely disposing of or destroying Customer Data using techniques consistent with NIST SP 800-88, “Guidelines for Media Sanitization”, or other similar industry standards.
  • d) Read relevant industry publications for news and emerging threats and available defenses;
  • e) Assess third parties on regular basis against security and risk management policies and standards;
  • f) Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to Customer Information including by:
  • i) Checking with software vendors regularly to get and install patches timely that resolve software vulnerabilities
  • ii) Multi-factor authentication over a secured VPN connection to any systems hosting Production Data 
  • iii) Processes to provision user access with formally approved authorization using unique authentication IDs per individual 
  • iv) Managing and reviewing privileged user access rights on a quarterly basis and performing a full review on an annual basis
  • v) Prompt removal of user access upon termination of employee.
  • vi) User passwords and other login information used to facilitate user identification and access to Cvent information systems shall be protected from unauthorized access by secure login mechanisms. Passwords shall be required to be changed every ninety (90) days and accounts shall be disabled after a specific number of invalid login attempts.  
  • vii) Role-Based Access Controls shall be in place to ensure that only authorized Employees have access to any systems that could store or transmit Customer Data.             
  • viii) Using anti-virus and anti-spyware software that updates automatically.
  • ix) Maintaining up-to-date firewalls
  • x) Regularly ensuring that ports not used for its business are closed; and
  • xi) Promptly passing along information and instructions to employees regarding any new security risks or possible breaches.

  • g) Uses appropriate oversight or audit procedures, including by:

  • i) Keeping logs of activity on its network and monitoring them for signs of unauthorized access to Customer Information;
  • ii) Using an up-to-date intrusion detection system to alert its personnel in the event of attacks; and
  • iii) Monitoring both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from its system to an unknown user.

  • h) Takes steps to preserve the security, confidentiality and integrity of Information in the event of a breach, such as by:

  • i) Taking immediate action to secure any information that has or may have been compromised;
  • ii) Preserving and reviewing files or programs that may reveal how the breach occurred; 
  • iii) Notifying Cvent if any personal information is subject to a breach that poses a significant risk of identity theft or related harm;
  • iv) Notifying law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm; and
  • v) Checking to see if breach notification is required under applicable state law.

4. Information Security Standards, Audits and Safeguards: 

a. Cvent Security Audits

  • i) During the Term of the Agreement, Cvent will audit Service Provider’s performance of its obligations under the Agreement including without limitation information security obligations. Cvent will give Service Provider at least thirty (30) days prior written notice of any intended audit, and Service Provider shall use commercially reasonable efforts to provide or procure for Cvent access to information, facilities and materials it shall reasonably require to undertake the audit, subject to Cvent requiring the auditor to enter into a reasonable confidentiality agreement with Service Provider restricting disclosure of any of its own or its other customer’s confidential information.
  • ii) Service Provider will remediate any critical findings identified by Cvent in such audits within mutually agreed-upon timeframes.

b. Incident Notification and Response

  • i) Service Provider will promptly notify Cvent within forty-eight (48) hours after becoming aware of any confirmed information security incident involving the unauthorized disclosure, access or loss of any Customer Information (a “Security Incident”). The notice shall include the approximate date and time of the Breach and a summary of relevant, then-known facts, including a description of measures being taken to further investigate and address the Breach.
  • ii) The parties agree with respect to any confirmed Security Incident that (i) Service Provider shall promptly investigate the cause of such Incident and shall at its sole expense take all reasonable steps to (a) mitigate any harm caused, (b) prevent any future reoccurrence, and (c) comply with applicable data breach notification laws including the provision of credit monitoring and other fraud prevention measures.
  • iii) Service Provider will continuously scan the information systems connecting to Cvent’s network with industry-accepted anti-virus and anti-malware software that is kept updated. Any system suspected to be infected shall not be used to connect to Cvent’s network and will be immediately disconnected by the Service Provider.
  • iv) Service Provider will allow Cvent to run anti-virus scans on the information systems of the Service Provider used to connect to Cvent network. Any identified issues will be escalated to Cvent and immediate action will be taken to resolve the issue.
  • v) Service Provider will be responsible for any damages incurred on Cvent’s data and/or systems arising from the Service Provider’s information systems, employees or network.

c. Security Risk Assessments

  • i) Prior to or upon onboarding, the Service Provider shall complete Cvent’s online Security Assessment Questionnaire (SAQ) and shall address, or provide a plan to address, any open risks or vulnerabilities that are discovered during the Security Assessment (SA). The SA and any remediation plan that needs to be provided to Cvent shall be completed within 30 calendar days.
  • ii) In addition, the Service Provider shall provide its most recent pen test report and SOC 2 or PCI-DSS Reports and / or ISO 27001 certificate to Cvent prior to onboarding. If there are any open vulnerabilities in the pen test or SOC report, a plan will be provided to Cvent within 30 calendar days to address these. 
  • iii) For all new Service Providers, or Service Providers where there is a renewal or an amendment to an existing contract, Cvent will perform a third-party risk assessment (TPRA) by requesting completion of the Security Assessment Questionnaire (SAQ), to ensure that the Service Provider at least meets expected industry security best practices for the services provided to Cvent. This assessment is launched and completed before any contract or MSA is executed or renewed between the two entities.
  • iv) For existing Service Providers that provide services to Cvent, the Service Provider understands that Cvent may periodically perform TPRAs to ensure Service Provider continues to maintain industry-accepted security best practices.
  • v) Service Provider understands that the TPRA will be completed via an online electronic form where answers to assessment questions and evidence artifacts may be uploaded. Cvent will assess the responses and evidence provided and will work with Service Provider to complete the assessment. 
  • vi) Service Provider understands that as part of the assessment, Cvent may request external third-party penetration tests that Service Provider may have undergone within the last 12 months. Supplier will conduct penetration tests on its infrastructure and on its web-facing application, if being provided to Cvent as part of the service, at least once every year and remediate all Critical and High findings in 30 days and Medium findings in 60 days.
  • vii) Service Provider understands that as part of the assessment, Cvent may request any letters of certification or attestation letters that Service Provider may have obtained from external audits. Examples of such certifications or letters may include, and are not limited to, SOC 1, SOC 2, PCI-DSS, ISO 27001, CSA, etc.
  • viii) Service Provider shall cooperate with Cvent to complete the assessment in a timely manner.
  • ix) In the event that Cvent finds issues or risks as a result of the assessment, it will provide Service Provider with a risk report which may require risk mitigation actions or plans by the Service Provider. Service Provider shall cooperate with Cvent to address the risk items and respond to the risk report in a timely manner. 

Information Security Requirements: 

Definitions

  1. “Demilitarized Zone” or “DMZ” is a network or sub-network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. A DMZ helps prevent outside users from gaining direct access to internal Information Resources. The DMZ must be separated from the untrusted external network by use of a firewall and must be separated from the trusted internal network by use of another firewall or similar technological controls. Inbound packets from the untrusted external network must terminate within the DMZ and must not be allowed to flow directly through to the trusted internal network. All inbound packets which flow to the trusted internal network must only originate within the DMZ.

  2. “Information Resources” means any systems, applications, and network elements, and the information stored, transmitted, or processed with these resources used by Service Provider in fulfillment of its obligations under the Agreement.

  3. “Strong Encryption” means the use of encryption technologies with minimum key lengths of 128-bits (prior to April 1, 2016) or 256-bits (on or after April 1, 2016) for symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable assurance that it will protect the encrypted information from unauthorized access and is adequate to protect the confidentiality and privacy of the encrypted information.

System Security

  1. Actively monitor industry resources (e.g., www.cert.org, pertinent software vendor mailing lists and websites) for timely notification of all applicable security alerts pertaining to Service Provider networks and Information Resources.
  2. Scan externally-facing Information Resources with applicable industry standard security vulnerability scanning software (including, but not limited to, network, server, and application scanning tools) at a minimum monthly.
  3. Scan internal Information Resources with applicable industry standard security vulnerability scanning software (including, but not limited to, network, server, application and database scanning tools) at a minimum monthly.
  4. Upon Cvent’s request, furnish to Cvent an Executive Summary of its most current scanning results for the Information Resources.
  5. Deploy one or more Intrusion Detection Systems (IDS) in an active mode of operation.
  6. Have and use a documented process to remediate security vulnerabilities in the Information Resources, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly with respect to the probability that such vulnerability can be, or is in the process of being, exploited.
  7. Assign security administration responsibilities for configuring host operating systems to specific individuals.
  8. Ensure that its security staff has reasonable and necessary experience in information/network security.
  9. Ensure that all of Service Provider’s Information Resources are and remain ‘hardened’ including, but not limited to, removing or disabling unused network services (e.g., finger, rlogin, ftp, simple TCP/IP services) and installing a system firewall, TCP Wrappers or similar technology.
  10. Change all default account names and/or default passwords.
  11. Limit system administrator/root (or privileged, super user, or the like) access to host operating systems only to individuals requiring such high-level access in the performance of their jobs.
  12. Require system administrators to restrict access by users to only the commands, data and Information Resources necessary to perform authorized functions.

Physical Security

  1. Ensure that all of Service Provider’s networks and Information Resources are located in secure physical facilities with access limited and restricted to authorized individuals only, for prevention of unauthorized physical access or exposure, damage, loss, and/or theft of Customer Data.
  2. Monitor and record, for audit purposes, access to the physical facilities containing networks and Information Resources used in connection with Service Provider’s performance of its obligations under the Agreement.
  3. Hosting facilities shall be equipped with 24/7 camera monitoring with logs retained for forensics.
  4. Entry to the facilities shall have layered security controls, including badged access for authorized individuals and strict visitor policies.
  5. Hosting facilities shall have safeguards against fire hazards and electricity outages, with such safeguards maintained and tested regularly.
  6. Storage media containing Customer Data shall be encrypted and be securely overwritten prior to its disposal or re-use.

Disaster Recovery

  1. Meet minimum Recovery Point Objective and Recovery Time Objective requirements, in which services are restored within a timeframe not to exceed four (4) hours.

Network Security

  1. Protect Customer Information by the implementation of a network demilitarized zone (“DMZ”). Web servers servicing Cvent shall reside in the DMZ. Information Resources (such as database servers) shall reside in a trusted internal network.
  2. Deploy network filtering devices, firewalls, intrusion detection systems, anti-virus & anti-malware solutions, and logging capabilities to detect and respond to unauthorized or suspicious activity.
  3. Upon Cvent’s request, provide to Cvent a logical network diagram illustrating at a high level (with security-sensitive details redacted or summarized) the Information Resources (including, but not limited to, firewalls, servers, etc.) that will be used to protect Customer Information.
  4. Have a documented process and controls in place to detect and handle unauthorized attempts to access Customer Information.
  5. Where applicable, use Strong Encryption for the transfer of Customer Information outside of Service Provider’s controlled facilities or when transmitting Customer Information over any untrusted network.

Information Security

  1. Isolate Customer Information from any other third-party data or Service Provider’s own applications and data by using physically separate servers or, alternatively, by using logical access controls where physical separation of servers is not implemented.
  2. Have a documented procedure for the secure backup, transport, storage, and disposal of Customer Information.
  3. Where physical and logical security of Customer Information cannot be assured, store Customer Information using Strong Encryption.
  4. Limit access to Customer Information, including, but not limited to, paper hard copies, only to authorized persons or systems.
  5. Be compliant with any applicable government- and industry-mandated information security standards.

Privacy Issues

  1. Restrict access to any Customer Information to only authorized individuals.
  2. Do not store Customer Information on removable media (e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, external hard drives) except: (a) for backup and data interchange purposes as allowed and required under contract, and (b) using Strong Encryption.

Identification and Authentication

  1. Assign unique User Ids to individual users.
  2. Have and use a documented lifecycle management process for User Ids including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all Information Resources and across all environments (e.g., production, test, development, etc.).
  3. Enforce the rule of least privilege (i.e., limiting access to only the commands and Information necessary to perform authorized functions according to one’s job function).
  4. Limit failed login attempts to no more than six (6) successive attempts and lock the user account upon reaching that limit. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity or, where such capability exists, can be automatically reactivated after at least three (3) minutes from the last failed login attempt.
  5. Terminate interactive sessions after a period of inactivity not to exceed fifteen (15) minutes.
  6. Require password expiration at regular intervals not to exceed ninety (90) days.
  7. Use an authentication method based on the sensitivity of Information. When passwords are used, they must meet these minimum requirements:
  • Passwords must be a minimum of six (6) characters in length.
  • Passwords must contain characters from at least two (2) of these groupings: alpha, numeric, and special characters.
  • Passwords must not be the same as the user id with which they are associated.

Password construction must be complex.

Note: When systems or applications do not enforce these password requirements, users and administrators must be instructed to comply with these password requirements when selecting passwords.

  8. Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards).
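As an added illustration, not part of the original requirements and not Cvent’s or any Service Provider’s code, the following Python sketch encodes the password-construction rules and the failed-login lockout from this section as checks a service could run; the function and class names are hypothetical, and the caller supplies the clock.

```python
"""Added example: checks for the 'Identification and Authentication' rules above.
Hypothetical helper names; not Cvent's or any Service Provider's code."""
import string
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 6             # "minimum of six (6) characters in length"
MIN_GROUPS = 2             # "at least two (2) of these groupings"
MAX_FAILED = 6             # "no more than six (6) successive attempts"
AUTO_UNLOCK_SECONDS = 180  # "at least three (3) minutes from the last failed login attempt"


def password_violations(password: str, user_id: str) -> List[str]:
    """Return the listed requirements a candidate password fails (empty list = compliant)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than six characters")
    groups = sum([
        any(c.isalpha() for c in password),              # alpha
        any(c.isdigit() for c in password),              # numeric
        any(c in string.punctuation for c in password),  # special
    ])
    if groups < MIN_GROUPS:
        problems.append("fewer than two character groupings")
    if password.casefold() == user_id.casefold():
        problems.append("same as user id")
    return problems


@dataclass
class LoginGuard:
    """Per-account lockout state; `now` is a caller-supplied timestamp in seconds."""
    failed: int = 0
    locked_since: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        """Report lock state, applying the automatic reactivation floor of three minutes."""
        if self.locked_since is None:
            return False
        if now - self.locked_since >= AUTO_UNLOCK_SECONDS:
            self.failed = 0
            self.locked_since = None
            return False
        return True

    def attempt(self, credential_ok: bool, now: float) -> str:
        """Evaluate one login; returns 'ok', 'denied' (bad credential) or 'locked'."""
        if self.is_locked(now):
            return "locked"           # attempt is not evaluated while locked
        if credential_ok:
            self.failed = 0           # a success resets the successive-failure count
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.locked_since = now   # sixth successive failure locks the account
            return "locked"
        return "denied"

    def manual_reactivate(self, identity_verified: bool) -> bool:
        """Help-desk path: unlock only after the user's identity has been verified."""
        if not identity_verified:
            return False
        self.failed = 0
        self.locked_since = None
        return True
```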

Software and Data Integrity

  1. Have current antivirus software installed and running to scan for and promptly remove viruses.
  2. Separate non-production Information Resources from production Information Resources.
  3. Have a documented software change control process including back-out procedures.
  4. For applications that utilize a database that hosts Customer Information, have application and database transaction and access logging features enabled and retain logs for a minimum of six (6) months. Review the logs to identify any suspicious flags. Service Provider will monitor access to the Customer Information over its network and set alerts for copying or modification of Customer Information not executed by the Customer (e.g., copying of Customer Information by Service Provider’s internal resources to mobile devices).
  5. Perform quality assurance testing for the application functionality and security components (e.g., testing of authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture) during initial implementation and upon any modifications and updates.

Monitoring and Auditing Controls

  1. Restrict access to security logs to only authorized individuals.
  2. Review, on no less than a weekly basis, security logs for anomalies and document and resolve all logged security problems in a timely manner.
  3. Retain complete and accurate security logs for a reasonable period of time and in accordance with applicable industry practice.

Reporting Violations

  1. Have and use a documented procedure to follow in the event of an actual unauthorized intrusion or other security violation resulting in unauthorized disclosure or misuse of Customer Confidential Information, including but not limited to, a physical security or computer security incident (e.g., hacker activity or the introduction of a virus or malicious code), that involves any Information Resources used by Service Provider in fulfillment of its obligations under the Agreement. An intrusion or violation shall be deemed to have actually occurred where Service Provider has performed an initial investigation of suspicious activity and determined by a clear preponderance of evidence that (1) an unauthorized access to Information Resources occurred, and (2) Customer’s Confidential Information was accessed by or disclosed without authorization or otherwise used for any purpose not permitted under the Agreement.

Contact information: Use Cvent’s primary business contact under the Agreement.

  1. Provide Cvent with regular status updates on any actual unauthorized intrusion or other security violation, as defined in the preceding section, including any material findings and response plan (and estimated timeline) or material changes thereto.

Security Policies and Procedures

  1. Ensure that all personnel, subcontractors, or representatives performing work on any Customer Information or the resources used to house Customer Information under the Agreement are in compliance with these Security Requirements.
  2. At a minimum annually, review these Security Requirements to ensure that Service Provider is in compliance with the requirements.
  3. Service Provider shall certify against industry security certifications such as SOC 2, SOC 1, PCI DSS, ISO 27001 and others as needed.