In its provision of services, Cvent may have access to confidential information of Customer and to personally identifiable information of Customer’s event registrants, survey respondents and others (collectively, “Customer Data”). Cvent has implemented administrative, technical, and physical safeguards and other reasonable measures that are appropriate to protect Customer Data against unauthorized disclosure, loss and misuse (“Information Security Measures”) as provided below, and Cvent will continue to perform these or equivalent measures subject to the terms and conditions of the Agreement:

  1. Information Security Program. Cvent shall maintain an Information Security program based on generally accepted industry Information Security standards and frameworks (e.g., the then-current version of ISO/IEC 27001 or the NIST Cybersecurity Framework). Cvent shall also maintain PCI DSS compliance for all Cvent services and/or systems that process, transmit and/or store credit card information. The Information Security program shall be in place to plan, implement, manage and monitor processes to meet Cvent information security objectives and requirements applicable to Cvent Services. The Information Security program shall also include performing Information Security Risk Assessments. The Information Security Risk Assessments will be performed on an annual basis for the purpose of identifying, ranking and resolving security risks through treatment activities according to a documented, risk-based methodology. Results of internal Information Security Risk Assessments are deemed Confidential to Cvent and are not available for external review or use.
  2. Information Security Policy. Cvent shall maintain a policy that identifies Information Security Program goals and sets forth Information Security control objectives. The policy shall outline critical roles and responsibilities for Information Security across Cvent’s business operations and govern maintenance of relevant implementation standards, guidelines and/or procedures. It shall also be reviewed annually and communicated to employees and applicable third parties. Cvent’s Information Security Policy and its associated Information Security Procedures can be shared with customers upon request (and Cvent shall support one request per customer organization on an annual basis).
  3. Information Security Awareness and Employee Training. Cvent shall maintain an Information Security Awareness Program geared to its employees and relevant third parties to provide an understanding of Cvent’s Information Security Program, of common threats and risks to Customer Data resources, and of the fulfillment of their Information Security responsibilities. As part of the Security Awareness Program, Security Awareness training shall be conducted on an annual basis for all employees and contractors of Cvent; topics covered may include, but are not limited to, Security Policy & Incident Recording, Acceptable Use, Information Classification and Privacy, specifically concerning GDPR and CCPA.
  4. Personnel Security. Cvent shall further provide for the security of Customer Data by requiring that all Cvent employees undergo identity and criminal background checks upon hire, as permitted by applicable law. Cvent employees shall agree, upon on-boarding, to adopt appropriate measures and requirements to maintain the confidentiality and non-disclosure of Customer Data. All employees may be subject to disciplinary action if in violation of Cvent’s security policies and/or customer obligations, as mandated through Cvent’s policies. All employees are required to sign a Non-Disclosure Agreement and an Acceptable Use Policy, which outline the acceptable use of Cvent assets and the handling of Customer Data.
  5. Physical Security. Cvent information hosting and processing facilities shall maintain secure areas and physical entry controls to prevent unauthorized physical access to, or exposure, damage, loss and/or theft of, Customer Data. Hosting facilities shall be equipped with 24/7 camera monitoring, with logs retained for forensics. Entry to the facilities shall have layered security controls, including badged access for authorized individuals and strict visitor policies. Equipment housing Customer Data within facilities, as well as mobile computing devices, shall be reasonably safeguarded against unauthorized physical access, damage, loss or theft, as well as against environmental threats that may disrupt processing of Customer Data. Hosting facilities shall have safeguards against fire hazards and electricity outages, with such safeguards maintained and tested regularly. Storage media containing Customer Data shall be encrypted and shall be securely overwritten prior to disposal or re-use. Any access to Customer Data from outside the USA shall be limited to Cvent’s designated employees, using strict data security and access controls, and shall be for the sole purpose of supporting the activities required for the agreed-upon services.
  6. Access Control. Cvent shall maintain reasonable access controls to authorize, limit and monitor Cvent employee and Cvent contractor access to Customer Data maintained in Cvent’s information systems. Controls shall include: multi-factor authentication over a secured VPN connection to any systems hosting Production Data; processes to provision user access with formally approved authorization, using unique authentication IDs per individual; managing and reviewing privileged user access rights on a quarterly basis and performing a full review on an annual basis; and prompt removal of user access upon termination of employee or contractor status with Cvent. User passwords and other login information used to facilitate user identification and access to Cvent information systems shall be protected from unauthorized access by secure login mechanisms. Passwords shall be required to be changed every ninety (90) days, and accounts shall be disabled after a specific number of invalid login attempts. Role-Based Access Controls shall be in place to ensure that only authorized employees have access to any systems that could store or transmit Customer Data.
  7. Customer Data Protection. Cvent shall maintain reasonable controls to safeguard Customer Data maintained in Cvent systems from unauthorized access, exposure, modification and/or loss. Controls to protect Customer Data may include, but are not limited to, the following: protecting Customer Data in transit and at rest, as required by Cvent’s Information Classification standard, by implementing strong cryptographic controls, including AES-256 encryption specifically for PII and Customer financial data. All backups containing Customer Data shall be encrypted, and all databases shall be logically separated to ensure the confidentiality of Customer Data. Procedures shall be in place for maintaining encrypted backups of Customer Data in secure area(s) and for securely disposing of or destroying Customer Data using techniques consistent with NIST SP 800-88, “Guidelines for Media Sanitization”, or other similar industry standards.
  8. Network and System Security. Cvent shall maintain reasonable controls to operate the Information Systems that maintain Customer Data. Controls include, but are not limited to: logical and/or physical network segmentation between Development and Production regions; network segregation between DMZs and systems hosting sensitive data; controlling and monitoring network access; network filtering devices, firewalls, intrusion detection systems, and anti-virus & anti-malware solutions; and logging capabilities to detect and respond to unauthorized or suspicious activity. Cvent shall actively monitor for known security events and anomalies that may pose a threat to Customer Data. Cvent shall also maintain a Change Management process to control significant planned and unplanned changes to Cvent’s Information Systems.
  9. Vulnerability Management. Cvent shall maintain processes to identify, evaluate and address vulnerabilities that may be present on Cvent Information Systems and SaaS applications. Cvent shall perform annual penetration testing and quarterly vulnerability scanning on all publicly addressable systems as well as on internal production and corporate systems. Cvent shall conduct PCI ASV scans for all publicly addressable systems within PCI scope and shall work with an industry-accredited third party to perform penetration testing on all Cvent PCI-scoped systems. Customers shall be provided with an Executive Summary of Cvent’s external scan report upon written request. Cvent uses the Common Vulnerability Scoring System (CVSS) 3.1 and internal risk assessment methodologies to prioritize vulnerabilities and address them within reasonable timeframes, to reduce the risk of exploitation that may lead to system compromise, loss of system availability, or unauthorized access to system(s) or Customer Data. Defined risk levels and corresponding remediation timeframes in accordance with the aforementioned standards are as follows: Critical (prioritized over other work until fixed, and in no case later than 7 days), High (30 days), Medium (90 days) and Low (at the discretion of Cvent). Cvent shall assess risk levels and remediation timelines in its sole discretion, based upon the business impact of the remediation and the underlying risk of the vulnerability. Any vulnerability that cannot be resolved within these timeframes is subject to a formal Risk Acceptance with appropriate documented justification, relevant compensating controls in place, and formal approval from C-Level Management.
  10. Secure Software Development. Cvent shall maintain processes to identify, evaluate and address risks in the development of its software solutions. Cvent shall maintain an independent test/development environment, separate from production computing resources, for any testing of new software and/or changes to existing software. Production data shall not be used for software testing and development purposes unless it has been sanitized and is deemed necessary for the intended testing; mock/test data shall be used wherever possible. Cvent maintains a change control process for application changes pushed to production computing environments. Changes shall require approvals and specific tasks to be performed, including: Development, Code Review, Testing, Approval of Changes, and Documentation of Changes. Cvent requires all software developers to undergo training on secure coding practices in line with OWASP Top 10 guidelines.
  11. Third Party/Supply Chain Security. Cvent shall maintain a process to identify, evaluate and manage risks associated with third-party vendors and/or service providers. Third parties that access, process, or store Customer Data shall undergo a Risk Assessment. Reassessments of critical third parties shall be performed on an annual basis. Risks identified through risk assessments shall be prioritized and documented by Cvent.
  12. Security Incident Management. Cvent shall maintain processes to identify, respond to, contain and minimize the impact of Information Security incidents affecting Customer Data. A “Security Incident” shall be defined as an event that results in the unauthorized disclosure of any personally identifiable or confidential Customer Data. In the event of a Security Incident involving Customer Data while maintained in Cvent systems, Cvent shall notify Customer no later than forty-eight (48) hours after the Security Incident has been confirmed. The notice shall include the approximate date and time of the Security Incident and a summary of relevant, then-known facts, including a description of the measures being taken to further investigate and address it.
  13. Business Continuity Management. Cvent shall maintain controls to recover Information Systems hosting Customer Data to reasonably acceptable levels in the event of an unplanned disruption whose root cause is attributed to an entity or force beyond Cvent’s reasonable ability to control. Controls shall include a Business Continuity or Disaster Recovery Plan, which includes, but may not be limited to: backup(s) of Customer Data; a process to test such backup(s) at regular intervals; a description of the resources and steps required to recover Information Systems to acceptable levels of performance; and testing of the Business Continuity or Disaster Recovery Plan(s) on an annual basis.
  14. Compliance and Audits. Cvent shall engage a qualified external audit firm to conduct an audit of Cvent’s product offerings and their supporting infrastructure and processes on an annual basis. The audits shall result in a valid certificate/report for an industry-acceptable framework such as SOC 1, SOC 2, PCI DSS, ISO 27001 and others as needed. Upon written request from the customer, Cvent shall share any relevant audit certificates or its SOC reports with that customer.