Vendor may have access to Confidential Information, including Personal Data of Cvent, its employees, agents, contractors and customers (and other individuals or consumers) (collectively, “Cvent Information”). Vendor shall implement appropriate safeguards and take other industry-standard measures to protect all Cvent Information against unauthorized disclosure, use, dissemination, access, loss, or misuse (“Information Security Measures”) as provided below. Capitalized terms used but not defined herein have the same meaning as set out in the Data Processing Addendum or the Agreement.
Definitions
“Demilitarized Zone” or “DMZ” is a network or sub-network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. A DMZ helps prevent outside users from gaining direct access to internal Information Resources. The DMZ must be separated from the untrusted external network by use of a firewall and must be separated from the trusted internal network by use of another firewall or similar technological controls. Inbound packets from the untrusted external network must terminate within the DMZ and must not be allowed to flow directly through to the trusted internal network. All inbound packets which flow to the trusted internal network must only originate within the DMZ.
“Information Resources” means any systems, applications, and network elements, and the information stored, transmitted, or processed with these resources used by Vendor in fulfillment of its obligations under the Agreement.
“Security Incident” means any accidental, unlawful, or unauthorized disclosure, access, use, alteration, destruction, or loss of any Cvent Information.
“Strong Encryption” means the use of encryption technologies with minimum key lengths of 128 bits (prior to April 1, 2016) or 256 bits (on or after April 1, 2016) for symmetric encryption and 1024 bits for asymmetric encryption, whose strength provides reasonable assurance that it will protect the encrypted information from unauthorized access and is adequate to protect the confidentiality and privacy of the encrypted information.
Vendor shall:
Information Security Plan
- Have a written information security plan that describes its program to protect Cvent Information.
- Maintain an information security program based on generally accepted industry information security standards and frameworks (e.g., the then-current version of ISO/IEC 27001, PCI DSS, SOC 2, or the NIST Cybersecurity Framework).
- Designate one or more employees to coordinate its information security program.
- Design and implement a safeguards program and regularly monitor and test it.
- Select service providers that maintain appropriate safeguards, ensure that its contracts with them require them to maintain appropriate safeguards, and oversee their handling of Cvent Information.
- Evaluate and adjust the program in light of relevant circumstances, including changes in Cvent’s business or operations or the results of security testing and monitoring.
Employee Management and Training
- Check references and conduct background checks before hiring employees who will have access to Cvent Information.
- Upon request, provide attestations confirming that they have conducted the necessary background checks and/or provided the required training to their employees.
- Require every employee to sign an agreement to follow Vendor’s confidentiality and security standards for handling Cvent Information.
- Limit access to Cvent Information to employees who have a business reason to see it.
- Enforce Vendor employees’ use of “strong” passwords that must be changed on a regular basis (see below for specification).
- Use password-activated screen savers to lock employee computers after a period of inactivity.
- Maintain policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices.
- Train employees to take basic steps to maintain the security, confidentiality, and integrity of Cvent Information, including:
- locking rooms and file cabinets where records are kept,
- not sharing or openly posting employee passwords in work areas,
- abiding by the clean desk and clear screen policy,
- encrypting sensitive Cvent Information when it is transmitted electronically via public networks, and
- reporting suspicious attempts to obtain Cvent Information to designated personnel.
- Maintain policies for employees who telecommute to use protections against viruses, spyware, and other unauthorized intrusions.
- Impose disciplinary measures for security policy violations.
- Prevent terminated employees from accessing Cvent Information by immediately deactivating their passwords and usernames and taking other appropriate measures.
- Implement and maintain an Information Security Awareness Program for its employees, contractors and relevant third parties that provides an understanding of Vendor’s Information Security Program, common threats and risks to Cvent Information Resources, and fulfillment of their information security responsibilities. Any and all Contractors provided to Cvent by Vendor shall be required to complete the Security Awareness & Privacy training provided by Cvent before being onboarded to provide Services to Cvent. Security Awareness training shall be conducted at least annually, and the topics covered shall include, but are not limited to, email phishing assessments and reinforcement education, secure code training, role-based targeted security training for specific teams and departments, annual crisis management and emergency response exercises, annual IT disaster recovery and continuity plan testing, training and exercises, acceptable use, information classification and privacy, social engineering, and applicable security and privacy laws and regulations, in particular GDPR and CCPA.
System Security
- Actively monitor industry resources (e.g., www.cert.org and pertinent software vendor mailing lists and websites) for timely notification of all applicable security alerts pertaining to Vendor networks and Information Resources.
- Scan externally facing Information Resources with applicable industry standard security vulnerability scanning software (including, but not limited to, network, server, and application scanning tools) monthly at minimum.
- Scan internal Information Resources with applicable industry standard security vulnerability scanning software (including, but not limited to, network, server, application, and database scanning tools) monthly at minimum.
- Upon Cvent’s request, furnish to Cvent an Executive Summary of its most current scanning results for the Information Resources.
- Deploy one or more Intrusion Detection Systems (IDS) in an active mode of operation.
- Have and use a documented process to remediate security vulnerabilities in the Information Resources, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly, with urgency commensurate with the probability that such vulnerability can be, or is in the process of being, exploited.
- Assign security administration responsibilities for configuring host operating systems to specific individuals.
- Ensure that its security staff has reasonable and necessary experience in information/network security.
- Ensure that all of Vendor’s Information Resources are and remain ‘hardened’ including, but not limited to, removing, or disabling unused network services (e.g., finger, rlogin, ftp, simple TCP/IP services) and installing a system firewall, TCP Wrappers or similar technology.
- Change all default account names and/or default passwords.
- Limit system administrator/root (or privileged, super user, or the like) access to host operating systems only to individuals requiring such high-level access in the performance of their jobs.
- Require system administrators to restrict access by users to only the commands, data, and Information Resources necessary to perform authorized functions.
Physical Security
- Ensure that all of Vendor’s networks and Information Resources are located in secure physical facilities in the US, with access limited and restricted to authorized individuals only, to prevent unauthorized physical access to, or exposure, damage, loss, and/or theft of, Cvent Information. Back-up facilities shall have the same level of security as primary facilities, and primary and back-up facilities must reside apart at an industry-acceptable distance.
- Monitor and record, for audit purposes, access to the physical facilities containing networks and Information Resources used in connection with Vendor’s performance of its obligations under the Agreement.
- Hosting facilities shall be equipped with 24/7 camera monitoring with logs retained for forensics.
- Entry to the facilities shall have layered security controls, including badged access for authorized individuals and strict visitor policies.
- Hosting facilities shall have safeguards against fire hazards and electricity outages with such safeguards maintained and tested regularly.
- Storage media containing Cvent Information shall be encrypted and be securely overwritten prior to its disposal or re-use.
- Equipment housing Cvent Information within facilities as well as mobile computing devices will be reasonably safeguarded against unauthorized physical access, damage, loss, or theft, as well as environmental threats that may disrupt processing of Cvent Information.
Access Control
Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to Cvent Information by:
- Checking with software vendors regularly to obtain and promptly install patches that resolve software vulnerabilities,
- Implementing multi-factor authentication over a secured VPN connection for access to any systems hosting production data,
- Implementing processes to provision user access with formally approved authorization using unique authentication IDs per individual,
- Managing and reviewing privileged user access rights on a quarterly basis and performing a full review at minimum on an annual basis,
- Promptly removing user access upon termination of an employee,
- Ensuring that user passwords and other login information used to facilitate user identification and access to Cvent information systems are protected from unauthorized access by secure login mechanisms. Passwords shall be required to be changed every ninety (90) days, and user accounts shall be disabled after a specific number of invalid login attempts,
- Ensuring that role-based access controls are in place so that only authorized employees have access to any systems that could store or transmit Cvent Information,
- Using anti-virus and anti-spyware software that updates automatically,
- Maintaining up-to-date firewalls,
- Regularly ensuring that ports not used for Vendor’s business are closed, and
- Promptly passing along information and instructions to employees regarding any new security risks or possible breaches.
Disaster Recovery
- Meet minimum Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements, with services restored within a timeframe not to exceed four (4) hours.
Network Security
- Protect Cvent Information by the implementation of a network demilitarized zone (“DMZ”). Web servers servicing Cvent shall reside in the DMZ. Information Resources (such as database servers) shall reside in a trusted internal network.
- Deploy network filtering devices, firewalls, intrusion detection systems, anti-virus and anti-malware solutions, and logging capabilities to detect and respond to unauthorized or suspicious activity.
- Upon Cvent’s request, provide to Cvent a logical network diagram illustrating at a high level (with security-sensitive details redacted or summarized) the Information Resources (including, but not limited to, firewalls, servers, etc.) that will be used to protect Cvent Information.
- Have a documented process and controls in place to detect and handle unauthorized attempts to access Cvent Information.
- Where applicable, use Strong Encryption for the transfer of Cvent Information outside of Vendor’s controlled facilities or when transmitting Cvent Information over any untrusted network.
- Have controls to protect Cvent Information, which shall include but not be limited to protecting Cvent Information in transit and at rest by implementing strong cryptographic controls, using AES-256 specifically for personally identifiable information and financial data.
- Not store, download, copy, or duplicate Cvent Information on its own systems or media unless required for the Services provided to Cvent. If Cvent Information is required to be stored, downloaded, copied or duplicated on Vendor’s own systems or media for the purposes of the Services, such Cvent Information shall be encrypted, and all databases logically separated to ensure the confidentiality of Cvent Information and shall be stored in US locations only.
Information Security
- Isolate Cvent Information from any other third-party data or Vendor’s own applications and data by using physically separate servers or alternatively by using logical access controls where physical separation of servers is not implemented.
- Have a documented procedure for the secure backup, transport, storage, and disposal of Cvent Information.
- Delete any confidential information communicated by Cvent via emails, file shares or other such means immediately after use, via securely disposing or destroying Cvent Information using techniques consistent with NIST 800-88, “Guidelines for Media Sanitization” or other similar or then current industry standards.
- Where physical and logical security of Cvent Information cannot be assured, store Cvent Information using Strong Encryption.
- Limit access to Cvent Information, including, but not limited to, paper/hard copies, only to authorized persons or systems.
- Be compliant with any applicable government- and industry-mandated information security standards.
- Restrict access to any Cvent Information to only authorized individuals.
- Not store Cvent Information on removable media (e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, external hard drives) except: (a) for backup and data interchange purposes as allowed and required under contract, and (b) using Strong Encryption.
Identification and Authentication
- Assign unique User IDs to individual users.
- Have and use a documented lifecycle management process for User IDs including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all Information Resources and across all environments (e.g., production, test, development, etc.).
- Enforce the rule of least privilege (i.e., limiting access to only the commands and Information necessary to perform authorized functions according to one’s job function).
- Limit failed login attempts to no more than six (6) successive attempts and lock the user account upon reaching that limit. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity or, where such capability exists, can be automatically reactivated after at least three (3) minutes from the last failed login attempt.
- Terminate interactive sessions, after a period of inactivity not to exceed fifteen (15) minutes.
- Require password expiration at regular intervals not to exceed ninety (90) days.
- Use an authentication method based on the sensitivity of Information. When passwords are used, password construction must be complex and must meet these minimum requirements:
- Passwords must be a minimum of eight (8) characters in length.
- Passwords must contain characters from at least two (2) of these groupings: alpha, numeric, and special characters.
- Passwords must not be the same as the user id with which they are associated.
- When systems or applications do not enforce these password requirements, users and administrators must be instructed to comply with these password requirements when selecting passwords.
- Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards).
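The lockout, reactivation, expiry and password-construction rules above fit together as a small state machine. The following is an added illustration of that state machine in Python; it is not Cvent's or any vendor's implementation. The thresholds are the ones the requirements state; the PBKDF2 round count, the treatment of any non-alphanumeric character as "special", and the decision not to count attempts made while an account is locked are assumptions, and timestamps are passed in as seconds so the timing rules can be exercised deterministically.

```python
"""Added example (not part of the requirements): a minimal model of the
Identification and Authentication rules. Assumptions: PBKDF2 round count,
"special" = any non-alphanumeric character, attempts made while locked are
not counted, and time is supplied by the caller in seconds."""
from dataclasses import dataclass
import hashlib
import hmac
import os
from typing import Optional

MAX_FAILED_ATTEMPTS = 6                      # lock after six successive failures
AUTO_UNLOCK_SECONDS = 3 * 60                 # automatic reactivation no sooner than 3 minutes after the last failure
SESSION_IDLE_SECONDS = 15 * 60               # interactive sessions end after 15 minutes idle
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600    # passwords expire at 90 days
MIN_PASSWORD_LENGTH = 8
PBKDF2_ROUNDS = 100_000                      # assumed value; tune to your hardware


def password_policy_violations(user_id: str, password: str) -> list:
    """Return the construction rules the candidate password breaks (empty means compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than 8 characters")
    groups = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # assumed: "special" = anything else
    ])
    if groups < 2:
        problems.append("uses fewer than two of alpha, numeric, special")
    if password == user_id:
        problems.append("identical to the user id")
    return problems


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: float
    failed_attempts: int = 0
    last_failed_at: Optional[float] = None
    locked: bool = False


def create_account(user_id: str, password: str, now: float) -> Account:
    """Reject non-compliant passwords at creation time rather than relying on user instruction."""
    problems = password_policy_violations(user_id, password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(16)
    return Account(user_id, salt, _hash(salt, password), password_set_at=now)


def authenticate(acct: Account, password: str, now: float) -> str:
    """Return "ok", "expired", "denied" or "locked", updating lockout state as a side effect."""
    if acct.locked:
        if now - acct.last_failed_at >= AUTO_UNLOCK_SECONDS:
            acct.locked, acct.failed_attempts = False, 0       # automatic reactivation
        else:
            return "locked"   # not counted, so a flood of attempts cannot extend the lock indefinitely
    if hmac.compare_digest(_hash(acct.salt, password), acct.digest):
        acct.failed_attempts = 0
        if now - acct.password_set_at > PASSWORD_MAX_AGE_SECONDS:
            return "expired"  # correct password, but it must be changed before use
        return "ok"
    acct.failed_attempts += 1
    acct.last_failed_at = now
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "denied"


def manual_unlock(acct: Account, identity_verified: bool) -> None:
    """The manual reactivation path: permitted only once the user's identity has been verified."""
    if not identity_verified:
        raise PermissionError("identity not verified; account stays locked")
    acct.locked, acct.failed_attempts = False, 0


def session_active(last_activity: float, now: float) -> bool:
    """Interactive sessions are terminated once idle for more than 15 minutes."""
    return now - last_activity <= SESSION_IDLE_SECONDS
```

The point of injecting the clock is that the three-minute reactivation window and the 90-day expiry become testable without waiting; in production the same functions would be called with the current time.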
Software and Data Integrity
- Have current antivirus software installed and running to scan for and promptly remove viruses.
- Separate non-production Information Resources from production Information Resources.
- Have a documented software change control process including back out procedures.
- For applications that utilize a database hosting Cvent Information, have application and database transaction and access logging features enabled and retain logs for a minimum of six (6) months. Review the logs to identify any suspicious activity. Vendor will monitor access to Cvent Information over its network and set alerts for copying or modification of Cvent Information not executed by Cvent (e.g., copying of Cvent Information by Vendor’s internal resources to mobile devices).
- Perform quality assurance testing for the application functionality and security components (e.g., testing of authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture) during initial implementation and upon any modifications and updates.
Monitoring and Auditing Controls
- Keep logs of activity on its network and monitor them for signs of unauthorized access to Cvent Information.
- Use an up-to-date intrusion detection and prevention system to alert its personnel in the event of attacks.
- Monitor both inbound and outbound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from its system to an unknown user.
- Restrict access to security logs to only authorized individuals.
- Review, on no less than a weekly basis, security logs for anomalies and document and resolve all logged security problems in a timely manner.
- Retain complete and accurate security logs for a reasonable period of time and in accordance with applicable industry practice.
- Keep abreast of relevant industry publications for news and emerging threats and available defenses.
- Assess third parties on a regular basis against security and risk management policies and standards.
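Two of the monitoring requirements above (alerts on copying or modification of Cvent Information not executed by Cvent, and detection of unexpectedly large outbound transfers) can be expressed as detection rules over access logs. The following is an added Python example run over constructed log lines; it is not Cvent's or any vendor's code. The log format, the `@cvent.com` principal suffix used to recognise Cvent-executed actions, the `svc-backup@vendor.example` account allowed to copy for contractual backups, the `10.20.0.0/16` internal range and the 100 MiB-per-destination-per-hour threshold are all assumptions.

```python
"""Added example (not part of the requirements): detection logic for
non-Cvent copy/modify events and large outbound transfers, run over
constructed log lines. Log format, principal suffix, approved service
account, internal range and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime
import ipaddress

CVENT_PRINCIPAL_SUFFIX = "@cvent.com"                        # assumed: how Cvent-executed actions are recognised
APPROVED_SERVICE_ACCOUNTS = {"svc-backup@vendor.example"}    # assumed: contractually permitted backup copies
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed: the vendor's trusted internal range
OUTBOUND_THRESHOLD_BYTES = 100 * 1024 * 1024                 # assumed: 100 MiB per external destination per hour
WATCHED_ACTIONS = {"copy", "modify"}

# Constructed sample log: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z actor=ops@cvent.com action=read dataset=cvent_customers bytes=4096 dst=10.20.0.5
2024-05-01T09:05:10Z actor=svc-backup@vendor.example action=copy dataset=cvent_customers bytes=52428800 dst=10.20.0.9
2024-05-01T09:06:00Z actor=jdoe@vendor.example action=copy dataset=cvent_customers bytes=209715200 dst=203.0.113.7
2024-05-01T09:07:30Z actor=jdoe@vendor.example action=modify dataset=cvent_invoices bytes=1024 dst=10.20.0.5
2024-05-01T09:08:00Z actor=analyst@cvent.com action=copy dataset=cvent_customers bytes=8388608 dst=198.51.100.4
2024-05-01T09:09:00Z actor=jdoe@vendor.example action=copy dataset=cvent_customers bytes=314572800 dst=203.0.113.7
"""


def parse_line(line: str) -> dict:
    """Split one log line into a record with a parsed timestamp and integer byte count."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_external(addr: str) -> bool:
    """Anything outside the assumed internal ranges counts as an outbound destination."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def detect(log_text: str) -> list:
    """Return alerts for (1) copy/modify of Cvent data by a non-Cvent, non-approved actor
    and (2) per-destination outbound volume above the hourly threshold."""
    alerts = []
    outbound = defaultdict(int)   # (destination, hour bucket) -> bytes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        actor = rec["actor"]
        # Rule 1: copying or modification of Cvent Information not executed by Cvent.
        if (rec["action"] in WATCHED_ACTIONS
                and rec["dataset"].startswith("cvent_")
                and not actor.endswith(CVENT_PRINCIPAL_SUFFIX)
                and actor not in APPROVED_SERVICE_ACCOUNTS):
            alerts.append({"rule": "non-cvent-copy-or-modify", "ts": rec["ts"].isoformat(),
                           "actor": actor, "action": rec["action"], "dataset": rec["dataset"]})
        # Rule 2: accumulate bytes leaving the internal network, per destination and hour.
        if is_external(rec["dst"]):
            hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
            outbound[(rec["dst"], hour)] += rec["bytes"]
    for (dst, hour), total in sorted(outbound.items()):
        if total > OUTBOUND_THRESHOLD_BYTES:
            alerts.append({"rule": "large-outbound-transfer", "hour": hour.isoformat(),
                           "dst": dst, "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the backup service account's copy is suppressed by the allowlist, the Cvent analyst's copy is treated as Cvent-executed, and the remaining three vendor-side copy/modify events plus the 500 MiB sent to 203.0.113.7 within the hour are raised. Aggregating per destination and hour rather than per line is what lets the second rule catch a transfer split into several smaller copies.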
Incident Notification and Response
- Continuously scan the information systems connecting to the Cvent network with industry-acceptable anti-virus and anti-malware software that is kept updated. Any system suspected to be infected shall not be used to connect to the Cvent network and will be immediately disconnected by the Vendor.
- Allow Cvent to run anti-virus scans on the information systems of the Vendor used to connect to Cvent network. Any identified issues will be escalated to Cvent, and immediate action will be taken to resolve the issue.
- Be responsible for any damages incurred on Cvent Information and/or systems arising from the Vendor’s information systems, employees, or network.
- Have and use a documented procedure to follow in the event of an actual unauthorized intrusion or other security violation resulting in Security Incident, including but not limited to, a physical security or computer security incident (e.g., hacker activity or the introduction of a virus or malicious code), that involves any Cvent Information used by Vendor in fulfillment of its obligations under the Agreement. An intrusion or violation shall be deemed to have actually occurred where Vendor has performed an initial investigation of suspicious activity and determined by a clear preponderance of evidence that (1) unauthorized access to Information Resources occurred, and (2) Cvent Information was accessed by or disclosed without authorization or otherwise used for any purpose not permitted under the Agreement.
- Promptly notify Cvent, and in any case within forty-eight (48) hours after becoming aware of a Security Incident. The notice shall include the approximate date and time of the Security Incident and a summary of relevant, then-known facts, including a description of measures being taken to further investigate and address the Security Incident.
- With respect to any confirmed Security Incident, promptly investigate the cause of such Incident and at its sole expense take all reasonable steps to (a) mitigate any harm caused, (b) prevent any future recurrence, and (c) comply with applicable data breach notification laws, including the provision of credit monitoring and other fraud prevention measures.
- In the event of a Security Incident:
- Take immediate action to secure any information that has or may have been compromised,
- Preserve and review files or programs that may reveal how the Security Incident occurred,
- Notify Cvent if any personal information is subject to a breach that poses a significant risk of identity theft or related harm,
- Notify law enforcement if the breach may involve criminal activity or there is evidence that the Security Incident has resulted in identity theft or related harm, and
- Check to see if breach notification is required under applicable law.
- Provide Cvent with regular status updates on any actual unauthorized intrusion or other security violation, as defined in the preceding section, including any material findings and response plan (and estimated timeline) or material changes thereto.
Security Policies and Procedures
- Ensure that all personnel, subcontractors, or representatives performing work on any Cvent Information, or the resources used to house Cvent Information under the Agreement are in compliance with these Security Requirements.
- At a minimum annually, review these Security Requirements to ensure that Vendor is compliant with the requirements.
- Demonstrate and certify its compliance with industry security certifications such as SOC 2, SOC 1, PCI DSS, ISO 27001 and others as needed.
Audits and Risk Assessments
- During the Term of the Agreement, Cvent reserves the right to audit or engage an external audit firm to conduct an audit of Vendor’s performance of its obligations under the Agreement, including without limitation, information security obligations. Cvent will give Vendor at least thirty (30) days prior written notice of any intended audit, and Vendor shall:
- Use commercially reasonable efforts to provide or procure for Cvent access to information, facilities and materials it shall reasonably require to undertake the audit, subject to Cvent requiring its auditor to enter into a reasonable confidentiality agreement with Vendor restricting disclosure of any of its own or its other customers’ confidential information.
- Remediate any critical findings identified by Cvent or its auditors in such audits within mutually agreed upon timeframes.
- Prior to or upon onboarding, complete Cvent’s online Security Assessment Questionnaire (SAQ) and address or provide a plan to address any open risks or vulnerabilities that are discovered during the Security Assessment (SA). The SA and any remediation plan that needs to be provided to Cvent shall be completed within 30 calendar days of discovery.
- Provide its most recent penetration test report, SOC 2 Type II report, PCI-DSS Attestation of Compliance (AoC) and/or ISO 27001 certificate to Cvent prior to onboarding. If there are any open vulnerabilities in the pen test or SOC report, a plan will be provided to Cvent within 30 calendar days of discovery to address these.
Cvent will perform a third-party risk assessment (TPRA) by requesting completion of the Security Assessment Questionnaire (SAQ), to ensure that the Vendor at least meets expected industry security best practices for the services provided to Cvent. This assessment shall be completed before any agreement for Services or renewal agreement is executed.
- For existing Vendors that provide services to Cvent, the Vendor understands and accepts that Cvent may periodically perform TPRAs to ensure Vendor continues to maintain industry accepted security best practices.
- Vendor understands that the TPRA will be completed via an online electronic form where answers to assessment questions and evidence artifacts may be uploaded. Cvent will assess the responses and evidence provided and will work with the Vendor to complete the assessment.
- Vendor understands that as part of the assessment, Cvent may request external third-party penetration tests that Vendor may have undergone within the last 12 months. Vendor will conduct penetration tests on its infrastructure and on its web-facing application, if provided to Cvent as part of the service, at least once every year and remediate all Critical findings immediately, High findings within 30 days and Medium findings within 60 days.
- Vendor understands that as part of the assessment, Cvent may request letters of certification or attestation letters that Vendor may have obtained from external audits. Examples of such certifications or letters include, and are not limited to, SOC 1, SOC 2, PCI DSS, ISO 27001, CSA, etc.
- Vendor shall cooperate with Cvent to complete the assessment in a timely manner.
- In the event that Cvent finds issues or risks as a result of the assessment, it will provide Vendor with a risk report which may require risk mitigation actions or plans by the Vendor. Vendor shall cooperate with Cvent to address the risk items and respond to the risk report in a timely manner.