Updated: February 2020
Professional Services Information Security Addendum
This Professional Services Information Security Addendum (“PS-ISA”) sets forth the administrative, technical and physical safeguards Splunk takes to protect Confidential Information when performing Professional Services. The PS-ISA is based on Splunk’s Information Security Program (“ISP”), which changes over time. Splunk may update this PS-ISA to reflect changes in its ISP, provided those changes do not materially diminish the level of security herein provided.
This PS-ISA is made a part of the Configuration and Implementation Services Exhibit to the Splunk General Terms (“Agreement”) and applies only to the Configuration and Implementation Services set forth in an applicable Statement of Work. Any capitalized terms used, but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this PS-ISA, the terms of this PS-ISA will apply.
- Splunk’s Information Security Program and Security Program Office
- Splunk’s ISP is reasonably designed to help protect the confidentiality, integrity, and availability of Confidential Information against any anticipated threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss, destruction or damage.
- Splunk’s ISP contains technical and organizational measures that are appropriate to: (i) the nature, size, and complexity of Splunk’s business; (ii) the resources available to Splunk; (iii) the type of information that Splunk stores; and (iv) the need for security and confidentiality of such information.
- Splunk’s Chief Information Security Officer leads Splunk’s ISP and develops, reviews and approves (together with other stakeholders, such as Product Security, Legal and Internal Audit) Splunk Security Policies (as defined below).
- Security Policies and Procedures
- Splunk maintains information security, use and management policies (collectively “Security Policies”) designed to educate employees and contractors regarding appropriate use, access to and storage of Confidential Information; restrict access to Confidential Information to members of Splunk’s workforce who have a “need to know” such information; prevent terminated employees from accessing Splunk information and information systems post-termination; and impose disciplinary measures for failure to abide by such policies. Splunk performs background checks of its employees at time of hire, as permitted by law. Where feasible and as applicable, Splunk endeavors to align its Security Policies to ISO 27001 level standards for information security.
- Splunk Security Policies are available to employees via the corporate intranet. Splunk reviews, updates and approves Security Policies once annually to maintain their continuing relevance and accuracy.
- Security Training and Awareness
New employees are required to complete security training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Security Policies, as well as other corporate policies, such as the Splunk Code of Conduct. This includes requiring Splunk employees to annually re-acknowledge the Code of Conduct and other Splunk policies as appropriate. Splunk conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
- Physical and Environmental Access Controls
Splunk limits physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to its data centers is limited to authorized individuals and employs camera or video surveillance systems at critical internal and external entry points. Splunk applies air temperature and humidity controls for its data centers and protects against loss due to power failure.
- Logical Access Controls
Splunk employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its networks and production systems. Splunk’s monitoring includes a review of changes affecting the systems that handle authentication, authorization, and auditing, and of privileged access to Splunk production systems. Splunk uses the principle of “least privilege” (meaning access is denied unless specifically granted) for access to customer data.
- Incident Response Plan and Breach Notification
- Splunk employs an incident response framework (the “Splunk Incident Response Framework” or “SIRF”) to manage and minimize the effects of unplanned security events. The SIRF includes procedures to be followed in the event of an actual or potential security breach, including: (i) an internal incident response team with a response leader; (ii) an investigation team performing a root cause analysis and identifying affected parties; (iii) internal reporting and notification processes; (iv) documentation of responsive actions and remediation plans; and (v) a post-incident review of events.
- For Services performed outside the US, Splunk provides notice without undue delay after becoming aware of a Data Breach. As used in this PS-ISA, Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data as defined under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) while being transmitted, stored or otherwise processed by Splunk. If Customer reasonably determines notification is required under GDPR, Splunk will provide reasonable assistance to the extent required, including assistance in notifying the relevant supervisory authority and providing a description of the Data Breach.
- For Services performed within the US, Splunk provides notice of a breach of Personal Information, as defined under the California Consumer Privacy Act of 2018 (“CCPA”), as required under California law.
- Storage and Transmission Security
- Secure Disposal
Splunk maintains policies and procedures regarding the disposal of tangible and intangible property containing Customer Confidential Information so that, wherever possible, Customer Confidential Information cannot practicably be read or reconstructed.
- Risk Identification and Assessment
Splunk employs a risk assessment program to help it reasonably identify foreseeable internal and external risks to Splunk’s information resources and determine if its existing controls, policies, and procedures are adequate to address the identified risks.
Third-party vendors (collectively, “Vendors”) with access to Confidential Information are subject to contractual obligations of confidentiality and risk assessments to gauge the sensitivity of information being shared. Vendors are expected to comply with any pertinent contract terms relating to the security of data, as well as any applicable Splunk policies or procedures. Periodically, Splunk may ask the Vendor to re-evaluate its security posture to help ensure compliance.