Updated: February 2020
This Professional Services Information Security Addendum (“PS-ISA”) sets forth the administrative, technical and physical safeguards Splunk takes to protect Confidential Information when performing Professional Services. The PS-ISA is based on Splunk’s Information Security Program (“ISP”), which changes over time. Splunk may update this PS-ISA to reflect changes in its ISP, provided those changes do not materially diminish the level of security herein provided.
This PS-ISA is made a part of the Configuration and Implementation Services Exhibit to the Splunk General Terms (“Agreement”) and applies only to the Configuration and Implementation Services set forth in an applicable Statement of Work. Any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this PS-ISA, the terms of this PS-ISA will apply.
During the Term of the Agreement, Splunk agrees to maintain an ISP in conformance with the requirements set forth below.
New employees are required to complete security training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Security Policies, as well as other corporate policies, such as the Splunk Code of Conduct. This includes requiring Splunk employees to annually re-acknowledge the Code of Conduct and other Splunk policies as appropriate. Splunk conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
Splunk limits physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to its data centers is limited to authorized individuals and employs camera or video surveillance systems at critical internal and external entry points. Splunk applies air temperature and humidity controls for its data centers and protects against loss due to power failure.
Splunk employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its networks and production systems. Splunk’s monitoring includes a review of changes affecting systems that handle authentication, authorization, and auditing, and of privileged access to Splunk production systems. Splunk uses the principle of “least privilege” (meaning access is denied unless specifically granted) for access to customer data.
Technical security measures to guard against unauthorized access to Customer data that is being transmitted over a public electronic communications network or stored electronically.
Policies and procedures regarding the disposal of tangible and intangible property containing Customer Confidential Information so that wherever possible, Customer Confidential Information cannot be practicably read or reconstructed.
Splunk employs a risk assessment program to help it reasonably identify foreseeable internal and external risks to Splunk’s information resources and determine if its existing controls, policies, and procedures are adequate to address the identified risks.
Third-party vendors (collectively, “Vendors”) with access to Confidential Information are subject to contractual obligations of confidentiality and risk assessments to gauge the sensitivity of information being shared. Vendors are expected to comply with any pertinent contract terms relating to the security of data, as well as any applicable Splunk policies or procedures. Periodically, Splunk may ask the Vendor to re-evaluate its security posture to help ensure compliance.
Splunk’s Information Security Program and Security Program Office
Security Policies and Procedures
Security Training and Awareness
Physical and Environmental Access Controls
Incident Response Plan and Breach Notification
Storage and Transmission Security
Risk Identification and Assessment