Updated: February 2020

Information Security Addendum

(For Use With On-Premises Products Only)

This Information Security Addendum (“ISA”) sets forth the administrative, technical and physical safeguards Splunk takes to protect Confidential Information as part of its Information Security Program (“ISP”). Splunk may update this ISA from time to time to reflect changes in Splunk’s ISP, provided such changes do not materially diminish the level of security herein provided.

This ISA is made a part of your Splunk General Terms (“Agreement”) with Splunk. Any capitalized terms used, but not defined herein, shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this ISA, the terms of this ISA will apply. This ISA does not apply to Third-Party Content purchased or acquired through Splunk.com, to any Evaluation or Free Software, or to any Extensions.

Splunk’s Hosted Services (including without limitation Splunk’s hybrid services, which are cloud enabled Offerings for On-Premise Products) include their own security provisions as applicable. Please reference the Specific Hosted Services Terms and Splunk Protects for security information regarding Hosted Services. This ISA does not apply to the security of Hosted Offerings.

During the Term of the Agreement, Splunk agrees to maintain an ISP in conformance with the requirements set forth below.

  1. Splunk’s Information Security Program and Security Program Office
    1. Splunk’s ISP is reasonably designed to help protect the confidentiality, integrity, and availability of Confidential Information against any anticipated threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss, destruction or damage.
    2. Splunk’s ISP contains technical and organizational measures that are appropriate to: (i) the nature, size, and complexity of Splunk’s business; (ii) the resources available to Splunk; (iii) the type of information that Splunk stores; and (iv) the need for security and confidentiality of such information.
    3. Splunk’s Chief Information Security Officer leads Splunk’s ISP and develops, reviews and approves (together with other stakeholders, such as Product Security, Legal and Internal Audit) Splunk Security Policies (as defined below).
  2. Security Policies and Procedures
    1. Splunk maintains information security, use and management policies (collectively “Security Policies”) designed to educate employees and contractors regarding appropriate use, access to and storage of Confidential Information; restrict access to Confidential Information to members of Splunk’s workforce who have a “need to know” such information; prevent terminated employees from accessing Splunk information and information systems post-termination; and imposing disciplinary measures for failure to abide by such policies. Splunk performs background checks of its employees at time of hire, as permitted by law. Where feasible and as applicable, Splunk endeavors to align its Security Policies to ISO 27001 level standards for information security.
    2. Splunk Security Policies are available to employees via the corporate intranet. Splunk reviews, updates and approves Security Policies once annually to maintain their continuing relevance and accuracy.
  3. Security Training and Awareness

    New employees are required to complete security training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Security Policies, as well as other corporate policies, such as the Splunk Code of Conduct. This includes requiring Splunk employees to annually re-acknowledge the Code of Conduct and other Splunk policies as appropriate. Splunk conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.

  4. Physical and Environmental Access Controls

    Splunk limits physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to its data centers is limited to authorized individuals and employs camera or video surveillance systems at critical internal and external entry points. Splunk applies air temperature and humidity controls for its data centers and protects against loss due to power failure.

  5. Logical Access Controls

    Splunk employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its networks and production systems. Splunk’s monitoring includes a review of changes affecting systems’ handling authentication, authorization, and auditing; and privileged access to Splunk production systems. Splunk uses the principle of “least privilege” (meaning access denied unless specifically granted) for access to customer data.

  6. Threat and Vulnerability Management
    1. As part of its threat and vulnerability management program (“TVM”), Splunk:
      1. monitors for vulnerabilities in supported versions of the Software that are acknowledged by vendors, reported by researchers or discovered internally;
      2. verifies vulnerabilities, rates them according to industry-standard ratings systems, and identifies them for mitigation or fixes based on severity level;
      3. issues mitigations or fixes in minor and major product releases, as part of its maintenance program, which may include cumulative fixes for certain vulnerabilities; and
      4. makes reasonable efforts to expedite maintenance releases for supported versions that may be affected in the case of critical risk and high impact vulnerabilities.
    2. The current version of Splunk Product Security Policy, which provides further detail on Splunk’s TVM, is available at: https://www.splunk.com/page/securityportal.
    3. Splunk regularly performs vulnerability scans and addresses detected vulnerabilities on a risk basis. Periodically, Splunk engages third-parties to perform network vulnerability assessments and penetration testing.
  7. Incident Response Plan and Breach Notification
    1. Splunk employs an incident response framework (the “Splunk Incident Response Framework” or “SIRF”) to manage and minimize the effects of unplanned security events. The SIRF includes procedures to be followed in the event of an actual or potential security breach, including: (i) an internal incident response team with a response leader; (ii) an investigation team performing a root cause analysis and identifying affected parties; (iii) internal reporting and notification processes; documenting responsive actions and remediation plans; and (iv) a post-incident review of events.
    2. For Customers located outside the US, Splunk provides notice without undue delay after becoming aware of a Data Breach. As used in this ISA, Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data as defined under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) while being transmitted, stored or otherwise processed by Splunk. If Customer reasonably determines notification is required under GDPR, Splunk will provide reasonable assistance to the extent required, including assistance in notifying the relevant supervisory authority and providing a description of the Data Breach.
    3. For Customers located within the US, Splunk provides notice of a breach of Personal Information, as defined under the California Consumer Privacy Act of 2018 (“CCPA”), as required under California law.
  8. Storage and Transmission Security

    Technical security measures to guard against unauthorized access to Customer data that is being transmitted over a public electronic communications network or stored electronically.

  9. Secure Disposal

    Policies and procedures regarding the disposal of tangible and intangible property containing Customer Confidential Information so that wherever possible, Customer Confidential Information cannot be practicably read or reconstructed.

  10.   Risk Identification and Assessment

    Splunk employs a risk assessment program to help it reasonably identify foreseeable internal and external risks to Splunk’s information resources and determine if its existing controls, policies, and procedures are adequate to address the identified risks.

  11.   Secure Development
    1. Splunk’s Software Development Life Cycle (“SDLC”) methodology governs the acquisition, development, implementation, configuration, maintenance, modification, and management of software components.
    2. For major product releases, Splunk uses a risk-based approach when applying its standard SDLC methodology, which may include such things as performing security architecture reviews, open source security scans, dynamic application security testing, network vulnerability scans and external penetration testing in the development environment. Splunk performs security code review for critical features if needed; and performs code review for all features in the development environment. Splunk scans packaged software to verify it’s free from trojans, viruses, malware and other malicious threats.
    3. Splunk utilizes a code versioning control system to maintain the integrity and security of application source code. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
    4. As noted above, this ISA, including its SDLC methodology, does not apply to any Extensions (Customer’s or Splunk’s) or to Third- Party Content, including any made available on splunkbase.com. For information on the inspection process for applications available on splunkbase.com, see AppInspect.
  12.   Vendors

    Third-party vendors (collectively, “Vendors”) with access to Confidential Information are subject to contractual obligations of confidentiality and risk assessments to gauge the sensitivity of information being shared. Vendors are expected to comply with any pertinent contract terms relating to the security of data, as well as any applicable Splunk policies or procedures. Periodically, Splunk may ask the Vendor to re-evaluate its security posture to help ensure compliance.