BrightMove Security Standards


This document describes security standards of BrightMove applicable to its Services.

Additional security features of the Services may be described in the Security Bulletin.

BrightMove’s privacy policy (which applies to the information collected about Customer’s employees and contractors) is separate from this Addendum and is available for reference.

BrightMove may update this Addendum from time to time to document changes in security policies for the Services, in accordance with “Change Management” below.

Definitions

“Customer Data” means what is defined in the applicable service agreement as “Customer Data” or “Your Data”, provided that such data is electronic data and information submitted by or for an authorized user to the Services.

“BrightMove Network” means the servers, networking equipment, and software systems that are within BrightMove’s control and are used to provide the Services.

Capitalized terms not otherwise defined in this document have the meanings assigned to them in the applicable service agreement or the Data Processing Addendum (“DPA”) to such agreement, as the case may be.

Information Security Program

In General

BrightMove maintains an information security program designed to:

  • enable Customer to secure Customer Data against accidental or unlawful or otherwise unauthorized loss, access, or disclosure,
  • identify reasonably foreseeable risks to the security and availability of the BrightMove Network, and
  • minimize physical and logical security risks to the data processed by and stored within the BrightMove Network, including through regular risk assessment and testing.

BrightMove has designated employees who are responsible for coordinating the information security program.

Specific Components

BrightMove’s information security program includes the following components:

Logical Security

Access Controls.

BrightMove Personnel/Contractors. BrightMove makes the BrightMove Network accessible only to authorized BrightMove employees and/or contractors, and only as necessary to maintain and provide the Services. BrightMove’s access controls are designed to:
  1. restrict unauthorized access to data, and
  2. segregate each customer’s data from data belonging to other customers.

BrightMove:
  1. restricts employee/contractor access to the BrightMove Network in accordance with least privilege principles based on personnel job functions;
  2. requires human review and approval prior to provisioning access to the BrightMove Network beyond least privilege principles, including administrator accounts;
  3. requires at least quarterly review of BrightMove Network access privileges; and
  4. revokes BrightMove Network access privileges in a timely manner when employees or contractors change roles or upon termination of their relationship with BrightMove.

Network Infrastructure. Access to the infrastructure that runs the BrightMove Network is managed through the use of firewalls or functionally equivalent technology as well as Service-specific authentication controls.

User Accounts. The Services contain features that allow users to manage access controls and to implement policies to manage authorizations for access to the Services. BrightMove shall not be responsible for unauthorized access to any customer data through any user account where access and provisioning of such user account is managed or controlled by the customer.

Vulnerability Assessments. BrightMove performs regular external vulnerability assessments and penetration testing of the BrightMove Network, investigates identified issues, and tracks them to resolution in a timely manner.

Application Security. Before publicly launching new Services or significant new features of Services, BrightMove performs an application security review designed to identify, mitigate and remediate security risks.

Change Management. BrightMove maintains controls designed to log, authorize, test, approve and document changes to existing BrightMove Network resources, and documents change details within its change management or deployment tools. BrightMove tests changes according to its change management standards prior to migration to production. BrightMove maintains processes designed to detect unauthorized changes to the BrightMove Network and track identified issues to a resolution.

Data Integrity. BrightMove maintains controls designed to provide data integrity during transmission, storage and processing within the BrightMove Network. BrightMove provides Customer the ability to delete Customer Data from the BrightMove Network.

Business Continuity and Disaster Recovery. BrightMove maintains a formal risk management program designed to support the continuity of its critical business functions (“Business Continuity Program”). The Business Continuity Program includes processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair BrightMove’s provision of the Services (a “BCP Event”). The Business Continuity Program includes a three-phased approach that BrightMove will follow to manage BCP Events, as follows:

Activation & Notification Phase. As BrightMove identifies issues likely to result in a BCP Event, BrightMove will escalate, validate and investigate those issues. During this phase, BrightMove will analyze the root cause of the BCP Event.

Recovery Phase. BrightMove assigns responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected Services.

Reconstitution Phase. BrightMove leadership reviews actions taken and confirms that the recovery effort is complete and the affected portions of the Services and BrightMove Network have been restored. Following such confirmation, BrightMove conducts a post-mortem analysis of the BCP Event.

Incident Management. BrightMove maintains corrective action plans and incident response plans to respond to potential security threats to the BrightMove Network. BrightMove’s incident response plans have defined processes to detect, mitigate, investigate, and report security incidents. The BrightMove incident response plans include incident verification, attack analysis, containment, data collection, and problem remediation. BrightMove will maintain a BrightMove Security Bulletin (as of the Effective Date, [url]) which publishes and communicates security-related information that may affect the Services and provides guidance to mitigate the risks identified.

Storage Media Decommissioning. BrightMove maintains a media decommissioning process that is conducted prior to final disposal of storage media used to store Customer Data. Prior to final disposal, storage media that was used to store Customer Data is degaussed, erased, purged, physically destroyed, or otherwise sanitized in accordance with industry standard practices designed to ensure that the Customer Data cannot be retrieved from the applicable type of storage media.

Physical Security

Access Controls.

BrightMove:
  1. has implemented and maintains physical safeguards designed to prevent unauthorized physical access, damage, or interference to the BrightMove Network,
  2. uses appropriate control devices to restrict physical access to the BrightMove Network to only authorized persons who have a legitimate business need for such access,
  3. monitors physical access to the BrightMove Network using intrusion detection systems designed to monitor, detect, and alert appropriate personnel of Security Incidents,
  4. logs and regularly audits physical access to the BrightMove Network, and
  5. performs periodic reviews to validate adherence with these standards.

Availability

BrightMove has:
  1. implemented redundant systems for the BrightMove Network designed to minimize the effect of a malfunction on the BrightMove Network,
  2. designed the BrightMove Network to anticipate and tolerate hardware failures, and
  3. implemented automated processes designed to move customer data traffic away from the affected area in the case of hardware failure.

BrightMove Employees

Employee Security Training. BrightMove maintains employee security training programs regarding BrightMove information security requirements. The security awareness training programs are reviewed and updated at least annually.

Background Checks. Where permitted by law, and to the extent available from applicable governmental authorities, BrightMove requires that each employee undergo a background investigation that is reasonable and appropriate for that employee’s position and level of access to the BrightMove Network.

Continued Evaluation. BrightMove conducts periodic reviews of the information security program for the BrightMove Network, and will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.