FOR PROFESSIONAL SERVICES
This Splunk Agreement for Professional Services and its addenda (the “Agreement”) govern Splunk’s delivery of certain Services that Customer has requested. Such Services are delivered by Splunk in accordance with the Statement of Work, which will form a part of this Agreement, and will be subject to the terms and conditions contained herein.
- Definitions. Capitalized terms used but not otherwise defined in this Agreement have the meanings set forth in Exhibit A.
- Splunk Security, Compliance and Insurance.
2.1 Splunk Security Practices. Splunk shall comply with the policies, plans, and procedures set forth in Exhibit B, Information Security Addendum.
- 2.2 Background Checks. For U.S.-based projects, Splunk shall not assign an employee to perform Services under a Statement of Work unless Splunk has run the following background check on the employee: Criminal Felony & Misdemeanor; SSN Validation; Federal Criminal; SSN Trace; Employment Report – Three (3) Employers; Education Report – One (1) Institution; Global Sanctions & Enforcement; Prohibited Parties; Widescreen Plus National Criminal Search. Customer acknowledges that such background checks may not be permitted or customary outside the United States.
2.3 Security on Customer Premises. While on Customer’s premises, Splunk Personnel shall comply with all reasonable security practices and procedures generally prescribed by Customer; however, no Customer terms that conflict with the terms in Exhibit B or this Agreement shall apply, and such conflicting terms shall have no effect.
2.4 Insurance. During the term of this Agreement, Splunk shall maintain insurance policies in the types and amounts described below at its own expense.
- Commercial General Liability Insurance with a limit of not less than $1,000,000 per occurrence and a general aggregate limit of not less than $2,000,000.
- Business Auto Insurance with a limit of not less than $1,000,000 per accident. Such Insurance will cover liability arising out of “hired and non-owned” automobiles.
- Worker’s Compensation Insurance as required by workers’ compensation, occupational disease and occupational health and safety laws, statutes and regulations.
- Technology Errors & Omissions Insurance with a limit of not less than $3,000,000.
- Umbrella/Excess Insurance with a limit of not less than $3,000,000.
- Performance of Services by Splunk. Splunk will perform the Services in accordance with the terms of this Agreement and of the Statement of Work. Splunk reserves the right to subcontract any of the Services provided any such subcontractor meets the requirements and conditions of this Agreement and the Statement of Work. Splunk will be responsible for the compliance of subcontractor with the terms herein and the Statement of Work. Splunk may change or replace Personnel as required. Nothing in this Agreement restricts Splunk’s right to perform similar services for any other customer or to assign any Personnel to perform similar services for any other company, provided that Splunk complies with its obligations to protect Customer’s Confidential Information.
- Changes to Statements of Work. Customer may submit to Splunk written requests to change the scope of Services described in a Statement of Work (each such request, a “Change Order Request”). If Splunk elects to consider such a Change Order Request, then Splunk will promptly notify Customer if it believes that the Change Order Request requires an adjustment to the fees or to the schedule for the performance of the Services. In such event, the parties will negotiate in good faith a reasonable and equitable adjustment to the fees and/or schedule, as applicable. Splunk will continue to perform Services pursuant to the existing Statement of Work and will have no obligation to perform any Change Order Request unless and until the parties have agreed in writing to such an equitable adjustment.
- Customer Responsibilities.
5.1 Cooperation. Customer acknowledges that its timely provision of (and Splunk’s access to) its facilities, equipment, assistance, cooperation, data, information and materials from Customer’s officers, agents and employees (the “Cooperation”) is essential to Splunk’s performance of the Services. Splunk shall not be liable for any delay or deficiency in performing the Services if Customer does not provide the necessary Cooperation. As part of the Cooperation, Customer shall (1) designate a project manager or technical lead to liaise with Splunk while it performs the Services; (2) allocate and engage additional resources as may be required to assist Splunk in performing the Services; and (3) make available to Splunk any data, information and any other materials required by Splunk to perform the Services, including any data, information or materials specifically identified in the Statement of Work (collectively, “Customer Materials”). Customer will be responsible for ensuring that all such Customer Materials are accurate and complete.
5.2 Permissions for Access. In the event Customer requires any Personnel to sign any waivers, releases, or other documents as a condition for Splunk Personnel to gain access to Customer’s premises for performance of the Services (“Access Documents”), Customer agrees: (a) that Personnel who will be required to sign Access Documents will sign on behalf of Splunk, (b) that any additional or conflicting terms in Access Documents with this Agreement shall have no effect, and (c) Customer shall pursue any claims for breach of any terms in the Access Documents against Splunk and not the individual signing.
- Designated Contacts. Each party will designate in each Statement of Work a person who will be the primary point of contact between the parties for all matters relating to the Services. A party may change the primary contact by written notice to the other party.
- Relationship of the Parties. Splunk is performing the Services as an independent contractor. Splunk is not an employee, agent, joint venturer or partner of Customer. Neither party has the authority to bind or act on behalf of the other party in any capacity or circumstance whether by contract or otherwise. Splunk acknowledges and agrees that its Personnel are not eligible for or entitled to receive any compensation, benefits, or other incidents of employment that Customer makes available to its employees. Splunk is solely responsible for all taxes, expenses, withholdings, and other similar statutory obligations arising out of the relationship between Splunk and its Personnel and the performance of Services by such Personnel.
- Payment by Customer.
- 8.1 Fees for Services. Customer will pay Splunk the fees set forth in the applicable Statement of Work. All prepaid Education and Professional Services must be redeemed within twelve (12) months from the date of purchase/invoice. At the end of the twelve (12) month term, any remaining pre-paid unused Education or Professional Services will expire; no refunds will be provided for any remaining pre-paid unused Education or Professional Services. Unless otherwise specifically stated in a Statement of Work, Education is invoiced and payable in advance.
- 8.2 Splunk Expenses. Unless otherwise specified in the Statement of Work, Customer will reimburse Splunk for all reasonable expenses incurred by Splunk while performing the Services, including without limitation, transportation, lodging, meal and out-of-pocket expenses, and third party online and offline research services directly related to the provision of Services. Splunk will provide, upon request, documentation of all such expenses in excess of US $25 with each related invoice.
- 8.3 Payment Terms. Splunk will invoice Customer on a regular basis for all applicable fees and expenses incurred in connection with the performance of the Services and other payments due under this Agreement and any Statement of Work. Customer will pay each such invoice within thirty (30) days from the date of invoice. Any amounts under an invoice that remain unpaid after thirty (30) days shall accrue interest beginning on the date that is thirty (30) days after the Customer’s receipt thereof at the rate of one and one half percent (1.5%) per month or the maximum amount permitted by law, whichever is lower.
- 8.4 Taxes. All fees, expenses, and other amounts payable to Splunk hereunder do not include any sales, use, value added, excise, or other applicable taxes, tariffs or duties, payment of which will be the sole responsibility of Customer (excluding any taxes based on Splunk’s net income). Customer will promptly reimburse Splunk for any such amounts that Splunk pays on Customer’s behalf.
- 9.1. Customer. Customer will own all rights, title and interest in any work product specifically identified in a Statement of Work as Customer owned (“Work Product”), including all Intellectual Property Rights therein. Splunk hereby assigns to Customer all rights, title and interest in and to the Work Product (excluding all Splunk Materials incorporated into the Work Product or on which the Work Product is based), including all Intellectual Property Rights therein. At Customer’s request and expense, Splunk shall assist and cooperate with Customer in all reasonable respects and shall execute documents, and take such further acts reasonably requested by Customer to enable it to acquire, transfer, maintain, perfect and enforce its ownership rights in the Work Product.
- 9.2. Splunk. Subject to Customer’s rights in the Customer Materials and in the Work Product, Customer agrees that Splunk shall own (and Customer hereby assigns to Splunk) all materials, software, tools, utilities, technology, processes, inventions, devices, methodologies, specifications, documentation, data, inventions, works of authorship and other innovations of any kind, including, without limitation, any improvements or modifications to Splunk’s proprietary computer software programs and related materials, that Splunk, or Personnel working for or through Splunk, may make, conceive, develop or reduce to practice, alone or jointly with others, in the course of performing the Services or as a result of such Services (collectively, “Professional Services Materials”), including all Intellectual Property Rights therein.
Customer acknowledges that Splunk, in its sole discretion, shall have the right to license the Professional Services Materials or any portion thereof into products or services for use by other licensees or customers of Splunk. At Splunk’s request and expense, Customer shall assist and cooperate with Splunk in all reasonable respects and shall execute documents, give testimony and take such further acts reasonably requested by Splunk to enable Splunk to acquire, transfer, maintain, perfect and enforce Intellectual Property Rights and other legal protection for the Professional Services Materials.
- 9.3. License to Customer. Subject to the terms and conditions of this Agreement, Splunk grants to Customer a worldwide, non-exclusive, non-transferable, non-sub-licensable, revocable license to the Professional Services Materials solely for Customer’s internal business purpose. Customer shall not, without the written consent of Splunk, (a) use the Professional Services Materials except as expressly authorized in this Agreement; (b) copy the Professional Services Materials (except for reasonable backup purposes); (c) modify, adapt, or create derivative works of the Professional Services Materials; (d) rent, lease, loan, resell, transfer, sublicense (including but not limited to offering any of the functionality of the Professional Services Materials on a service provider, hosted or time sharing basis) or distribute the Professional Services Materials to any third party; (e) decompile, disassemble or reverse-engineer the Professional Services Materials or otherwise attempt to derive the Professional Services Materials source code; or (f) authorize any third parties to do any of the above. For the avoidance of doubt, Professional Services Materials shall not include any Splunk software (“Splunk Software”) and any Splunk Software shall be licensed pursuant to a Splunk Software License Agreement entered into between the parties.
- 10.1. Use and Disclosure of Confidential Information. The receiving party of Confidential Information (“Recipient”) agrees: (i) to maintain the Confidential Information of the party disclosing such information (the “Discloser”) in the strictest of confidence; (ii) not to disclose such Confidential Information to any third parties; and (iii) not to use any such Confidential Information for any purpose other than in furtherance of this Agreement and the activities described herein. Recipient will treat Confidential Information of the Discloser with the same degree of care as it accords to its own Confidential Information, but in no event with less than reasonable care. Recipient may disclose the Confidential Information of Discloser to its directors, officers, employees, consultants, and subcontractors (collectively, “Representatives”) who have a bona fide need to know such Confidential Information, but solely to the extent necessary to perform the Services and for no other purpose, provided that each such Representative first executes a written agreement (or is otherwise already bound by a written agreement) that contains use and nondisclosure restrictions at least as protective of the other party’s Confidential Information as those set forth in this Agreement. Recipient shall be responsible for any breach of these confidentiality obligations by its Representatives, which shall be considered a breach by Recipient. Any disclosure of Confidential Information to Recipient by (a) Discloser or any of its affiliates or (b) any unaffiliated third party at the request of Discloser shall be deemed to be a disclosure made by Discloser under this Agreement.
- 10.2. Exclusions. The obligations of Recipient under this Confidentiality section shall not apply to any Confidential Information that (a) is now or thereafter becomes generally known or available to the public, through no act or omission on the part of Recipient (or any of its Representatives, affiliates, or agents) or any third party subject to any use or disclosure restrictions with respect to such Confidential Information; (b) was known by or lawfully in the possession of Recipient, prior to receiving such information from Discloser, without restriction as to use or disclosure; (c) is rightfully acquired by Recipient from a third party who has the right to disclose it and who provides it without restriction as to use or disclosure; or (d) is independently developed by Recipient without access to any Confidential Information of Discloser.
- 10.3. Required Disclosures. The provisions of this Confidentiality section will not restrict Recipient from disclosing Discloser’s Confidential Information to the extent required by any law or regulation or compelled by a court or administrative agency of competent jurisdiction, provided that, to the extent permissible under law, Recipient uses reasonable efforts to give Discloser reasonable advance notice of such required disclosure in order to enable Discloser to prevent or limit disclosure. Recipient shall only disclose that portion of such Confidential Information that, in the opinion of its legal counsel, is reasonably required to be disclosed and shall exercise all commercially reasonable efforts to obtain assurance that confidential treatment will be accorded to the Confidential Information it discloses.
- 10.4. Independent Development. Recipient reserves the right to develop and market any technology, products or services or pursue business opportunities that compete with or are similar to those disclosed by Discloser under this Agreement without the use of the Discloser’s Confidential Information. Nothing contained in this Agreement shall prohibit or restrict Recipient from employing general ideas, concepts or techniques which may be retained in the unaided human memory by Recipient Personnel in the course of their review of the Confidential Information (but without any attempt to memorize such information). The foregoing sentence shall not, however, grant Recipient any rights under any patents or copyrights.
- 10.5. Return or Destruction of Confidential Information. Upon termination of this Agreement or an applicable Statement of Work, Recipient will promptly return to Discloser, or at Discloser’s option, destroy, all tangible items and embodiments containing or consisting of Discloser's Confidential Information and all copies thereof and provide written certification of such destruction or return by an authorized person.
- 10.6. Injunctive Relief. Each party acknowledges that the unauthorized use or disclosure of Discloser’s Confidential Information would cause Discloser to incur irreparable harm and significant damages, the degree of which may be difficult to ascertain. Accordingly, each party agrees that Discloser will have the right to obtain immediate equitable relief to enjoin any unauthorized use or disclosure of its Confidential Information, in addition to any other rights and remedies that it may have at law or otherwise.
- Splunk Warranty to Customer. Splunk warrants that the Services will be performed in a good and workmanlike manner consistent with applicable industry standards. This warranty will be in effect for a period of thirty (30) days from the completion of any Services. As Customer’s sole and exclusive remedy and Splunk’s entire liability for any breach of the foregoing warranty, Splunk will, at its sole option and expense, promptly re-perform any Services that fail to meet this limited warranty or refund to Customer the fees paid for the non-conforming Services.
THE EXPRESS WARRANTIES IN THIS SECTION ARE IN LIEU OF, AND SPLUNK DISCLAIMS, ALL OTHER WARRANTIES, REPRESENTATIONS OR CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, ACCURACY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT, INTEGRATION AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. BECAUSE THIS DISCLAIMER OF WARRANTY MAY NOT BE VALID IN SOME STATES OR JURISDICTIONS, THE ABOVE DISCLAIMER MAY NOT APPLY TO COMPANY. SPLUNK DOES NOT WARRANT THAT THE OPERATION OF THE SPLUNK MATERIALS OR ANY OF THE SERVICES PERFORMED PURSUANT TO ANY STATEMENT OF WORK WILL BE UNINTERRUPTED OR ERROR-FREE.
- Mutual Indemnity. Each party (an “Indemnifying Party”) will defend (or settle), indemnify and hold harmless at its expense, any action brought against the other party (an “Indemnified Party”) by a third party to the extent that it is based upon a claim for bodily injury, personal injury (including death) to any person, or damage to tangible property resulting from the negligent acts or willful misconduct of the Indemnifying Party or its Personnel hereunder, and will pay any reasonable, direct, out-of-pocket costs, damages and reasonable attorneys’ fees attributable to such claim that are awarded in final judgment against the Indemnified Party (or are payable in settlement by the Indemnified Party); provided that the Indemnified Party: (i) promptly notifies the Indemnifying Party in writing of the claim; (ii) grants the Indemnifying Party sole control of the defense and settlement of the claim; and (iii) provides the Indemnifying Party, at the Indemnifying Party’s expense, with all assistance, information and authority reasonably required for the defense and settlement of the claim. The Indemnifying Party will have no obligation under this Section to the extent any claim is based on the negligent acts or willful misconduct of the Indemnified Party or its employees or subcontractors.
- Mutual Limitation of Liability. NEITHER PARTY SHALL BE LIABLE TO THE OTHER OR TO ANY THIRD PARTY FOR ANY SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS OR, FOR CUSTOMER, COSTS OF PROCURING SUBSTITUTE SERVICES) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES OR ANY WORK PRODUCT, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF THE OTHER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SPLUNK’S TOTAL LIABILITY TO CUSTOMER, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID TO SPLUNK BY CUSTOMER UNDER THE STATEMENT OF WORK GIVING RISE TO ANY LIABILITY HEREUNDER.
- Agreement Term and Termination
- 14.1. Term. This Agreement will commence on the Effective Date and, unless terminated earlier in accordance with the terms of this Agreement, will remain in force and effect for as long as Splunk is performing Services pursuant to any Statement of Work.
- 14.2. Termination. Each party will have the right to terminate this Agreement or any Statement of Work if the other party breaches any material term of this Agreement or Statement of Work and fails to cure such breach within thirty (30) days after receipt of written notice thereof. Notice of termination of any Statement of Work shall not be considered notice of termination of this Agreement unless specifically stated in the notice; provided, however, any termination of this Agreement shall automatically terminate all Statement(s) of Work.
- 14.3. Effect of Termination. Upon the expiration or termination of this Agreement or of any Statement of Work: (i) each party will promptly return to the other party all Confidential Information of the other party in its possession or control; and (ii) Customer will, within thirty (30) days after receipt of Splunk’s invoice, pay all accrued and unpaid fees and expenses. Notwithstanding the foregoing, the Recipient may retain copies of project notes and work product for reference purposes, which the Recipient shall continue to treat as Confidential Information under this Agreement. For the avoidance of doubt, anything that is stored on routine back-up media solely for the purpose of disaster recovery shall be subject to destruction in due course, provided that, employees are precluded from accessing such information in the ordinary course of business prior to destruction.
- 14.4. Survival. Any terms of this Agreement that by their nature extend beyond the Agreement termination remain in effect until fulfilled, and apply to both parties’ respective successors and assigns.
- General Provisions
- 15.1. Assignment. Customer may not assign, delegate or transfer this Agreement, in whole or in part, by agreement, operation of law or otherwise without prior written approval by Splunk, which approval shall not be unreasonably withheld. Splunk may assign this Agreement in whole or in part to an Affiliate upon written notice to Customer (such notice to be delivered electronically or otherwise), or to a successor or acquirer, as the case may be, in connection with a merger or acquisition, or the sale of all or substantially all of Splunk’s assets or ownership rights or the sale of that portion of Splunk’s business to which this Agreement relates. Any attempt to assign this Agreement other than as permitted herein will be null and void. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties’ permitted successors and assigns.
- 15.2. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law rules of any jurisdiction, the application of which is expressly excluded. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in San Francisco, California and the parties hereby consent to personal jurisdiction and venue therein.
- 15.3. Compliance with Law. Each party shall comply with all laws, regulations and ordinances applicable to such party.
- 15.4. Notices. All notices required or permitted under this Agreement will be in writing and delivered in person, by confirmed facsimile transmission, by overnight delivery service, or by registered or certified mail, postage prepaid with return receipt requested, and in each instance will be deemed given upon receipt. All communications will be sent to the addresses set forth above or to such other address as may be specified by either party to the other party in accordance with this Section. Notice given by counsel to a party shall be considered notice given by a party. Any notice or demand shall be deemed to have been given upon actual delivery (or refusal of delivery).
- 15.5. Waiver. The failure by either party to enforce any provision of this Agreement will not constitute a waiver of any other right hereunder or of any subsequent enforcement of that or any other provision.
- 15.6. Entire Agreement. This Agreement, including all Statements of Work, and any confidentiality or nondisclosure agreement entered into between the parties constitute the complete and exclusive understanding and agreement between the parties and supersede any and all prior or contemporaneous agreements, communications and understandings, written or oral, relating to their subject matter. In the event of a conflict between the provisions of this Agreement and the provisions of a Statement of Work, the provisions of the Statement of Work will govern and control. Any waiver, modification or amendment of any provision of this Agreement or any Statement of Work will be effective only if in writing and signed by duly authorized representatives of both parties. Any pre-printed terms and conditions contained or referenced by either party in a quote, purchase order, acceptance, invoice or any similar document purporting to modify the terms and conditions contained in this Agreement shall be disregarded unless otherwise expressly agreed to in a separate written amendment to this Agreement signed by both parties. Any quote, purchase order, acceptance, invoice or any similar document purporting to modify the terms and conditions of this Agreement shall have no effect as amendments of, objections to, or modification of this Agreement.
- 15.7. Severability. All rights and remedies, whether conferred hereunder or by any other instrument or law, will be cumulative and may be exercised singularly or concurrently. If a court of competent jurisdiction holds any provision of this Agreement invalid or unenforceable, the remaining provisions of the Agreement will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law.
- 15.8. Force Majeure. Neither party will be responsible for any failure or delay in its performance under this Agreement (except for the payment obligations) due to causes beyond its reasonable control, including, but not limited to, labor disputes, strikes, lockouts, shortages of or inability to obtain labor, energy, raw materials or supplies, war, acts of terror, riot, acts of God or governmental action.
- 15.9. Counterparts. This Agreement may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. This Agreement may be executed by facsimile, electronic communication in portable document format (.pdf) or duplicate originals, and the parties agree that their electronically transmitted signatures shall have the same effect as manually transmitted signatures.
Affiliate – A corporation, partnership, or other legal entity controlling, controlled by or under common control with a party, but only so long as such control continues. “Control” as used here means direct or indirect ownership of greater than fifty percent (50%) of the voting or equivalent rights in such entity.
Confidential Information – Any technical or business information, ideas, materials, know-how or other subject matter that is disclosed by one party to the other party that: (1) if disclosed in writing, is marked “confidential” or “proprietary” at the time of such disclosure; (2) if disclosed orally, is identified as “confidential” or “proprietary” at the time of such disclosure, and is summarized in a writing sent by the disclosing party to the receiving party within thirty (30) days after any such disclosure; or (3) under the circumstances, a person exercising reasonable business judgment would understand to be confidential or proprietary. Such Confidential Information shall include, but is not limited to, research, products, software, services, database, business plans, development materials, inventions, processes, specifications, technology designs, drawings, diagrams, engineering materials, physical configuration of technology, marketing materials, techniques, mask works, documentation, customer information, pricing information, procedures, data concepts, financial information and employee files. Without limiting the foregoing, (a) Splunk Confidential Information includes the Professional Services Materials, (b) Customer Confidential Information includes Customer Materials and Work Product, and (c) Confidential Information of both parties includes the terms of this Agreement and any Statement of Work hereunder.
Customer – The company or other legal entity that has engaged Splunk to perform the Services outlined in the Statement of Work.
Effective Date – The date the agreement is signed by both parties.
Intellectual Property Rights – All rights in works of authorship, including copyrights, moral rights, mask works and copyright applications and registrations; all trademark and trade name rights and similar rights; all trade secret rights; all patent and industrial property rights and rights in patent applications, renewals, extensions, combinations, divisions and reissues.
Order – Any Splunk quote or ordering document accepted by Customer or Customer’s purchase order or other ordering document submitted to Splunk (directly or indirectly through an authorized partner) to order Splunk Software or Services that references the terms set forth in an applicable Splunk quote or ordering document.
Personnel – Any employee, consultant, contractor, or subcontractor of Splunk.
Services – The services outlined in the Statement of Work.
Splunk – Splunk Inc. and/or any of its Affiliates.
Statement of Work – The statements of work and/or any and all applicable Order(s) that describe the specific services to be performed by Splunk, including any work product to be delivered by Splunk, as executed by both Splunk and Customer.
INFORMATION SECURITY ADDENDUM
Splunk’s Information Security Program. Splunk’s information security program (“ISP”), the elements of which are described below, is designed to help: (i) protect the confidentiality, integrity, and availability of Customer data against any anticipated threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; accidental loss or destruction or damage; and (ii) safeguard information as set forth in any local, state or federal regulations applicable to any service provided by Splunk. Splunk’s ISP contains administrative, technical, and physical safeguards that are appropriate to: (i) the size, scope and type of Splunk’s business; (ii) the amount of resources available to Splunk; (iii) the type of information that Splunk stores; and (iv) the need for security and confidentiality of such information.
- Security Awareness Training. Security awareness training includes mandatory security training about the handling and securing of confidential information and sensitive information such as personally identifiable information, financial account information, and health information consistent with applicable law, and periodic security awareness communications and security courses that focus on end-user awareness.
- Security Policies and Procedures. Information Security, Use and Management Policies are designed to (i) educate employees and contractors regarding appropriate use, access to and storage of confidential and sensitive information; (ii) restrict access to confidential and sensitive information to members of Splunk’s workforce who have a “need to know” such information; (iii) prevent terminated employees from accessing Splunk information post-termination; and (iv) impose disciplinary measures for failure to abide by such policies. Splunk performs background checks of its employees at time of hire, as permitted by law.
- Physical and Environmental Access Controls. Splunk limits physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to its data centers is limited to authorized individuals. Splunk also has camera or video surveillance systems at critical internal and external entry points. Splunk applies air temperature and humidity controls for its data centers and protects against loss due to power failure.
- Vulnerability Management. Splunk regularly performs vulnerability scans and addresses detected vulnerabilities on a risk basis. Periodically, Splunk engages third parties to perform network vulnerability assessments and penetration testing.
- Cyber Incident Response Plan. Splunk has an incident response plan to manage and minimize the effects of unplanned cyber events that includes procedures to be followed in the event of an actual or potential security breach, including: an internal incident response team with a response leader; an investigation team performing a root cause analysis and identifying affected parties; internal reporting and notification processes; documentation of responsive actions and remediation plans; and a post-incident review of events.
- Risk Identification & Assessment. Splunk uses a risk assessment program to help it identify foreseeable internal and external risks to Splunk’s information resources and determine if its existing controls, policies, and procedures are adequate to address the identified risks.
- Vendors. Third-party vendors (collectively, “Vendors”) with access to Splunk confidential information are subject to risk assessments to gauge the sensitivity of Splunk information being shared. Vendors are expected to comply with any pertinent contract terms relating to the security of Splunk data, as well as any applicable Splunk policies or procedures. Periodically, Splunk may ask the Vendor to re-evaluate its security posture to aid compliance.