Effective Date: May 2021
This Splunk Observability Cloud Security Addendum (CSA) sets forth the administrative, technical and physical safeguards Splunk takes to protect Confidential Information, including Customer Content (Security Program). Splunk may update this CSA from time to time to reflect changes in Splunk’s security posture, provided such changes do not materially diminish the level of security herein provided.
This CSA is made a part of your Splunk General Terms (Agreement) with Splunk and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement or Documentation, as applicable. In the event of any conflict between the terms of the Agreement and this CSA, this CSA will control. This CSA does not apply to Splunk Observability Cloud subscriptions purchased or acquired through Splunk.com, including without limitation Trial, Evaluation, Beta or Free Licenses
This CSA describes the information security standards that Splunk maintains to protect Confidential Information, including Customer Content, in addition to any requirements set forth in the Agreement.
The CSA is designed to protect the confidentiality, integrity and availability of Confidential Information, including Customer Content, against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration or destruction; and accidental loss, destruction or damage in accordance with laws applicable to the provision of the Service.
Splunk Security Program
Scope and Content. Splunk Security Program: (a) complies with industry recognized information security standards; (b) includes administrative, technical and physical safeguards designed to protect the confidentiality, integrity and availability of Confidential Information, including Customer Content; and (c) is appropriate to the nature, size and complexity of Splunk’s business operations.
Security Policies, Standards and Methods. Splunk maintains security policies, standards and methods (collectively, Security Policies) designed to safeguard the processing of Confidential Information, including Customer Content, by employees and contractors in accordance with this CSA.
Security Program Office. Splunk’s Chief Information Security Officer (CISO) leads Splunk’s Security Program and the CISO Office develops, reviews and approves, together with appropriate stakeholders, Splunk’s Security Policies.
Security Program Updates. Splunk Security Program Policies are available to employees via the corporate intranet. Splunk reviews, updates and approves Security Policies annually to maintain their continuing relevance and accuracy. Employees receive information and education about Splunk’s Security Policies during onboarding and annually thereafter.
Security Training and Awareness. New employees are required to complete security training as part of the new hire process and receive ongoing annual and targeted training (as needed and appropriate to their role) to help maintain compliance with Splunk’s Security Policies, as well as other corporate policies, such as the Splunk Code of Conduct. This includes requiring Splunk employees to annually re-acknowledge the Code of Conduct and other Splunk policies as appropriate. Splunk conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
Splunk manages cybersecurity risks in accordance with its Risk Assessment Method, which defines how Splunk identifies, prioritizes and manages risks to its information assets and the likelihood and impact of them occurring.
Splunk management reviews documented risks to understand their potential impact to the business, determine appropriate risk levels and treatment options. Mitigation plans are implemented to address material risks to business operations, including data protection.
Splunk deploys changes to the Services continuously. Splunk posts information regarding any disruption to the Service that results in downtime at https://status.signalfx.com/.
Splunk follows documented change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes.
Changes undergo appropriate levels of review and testing, including security and code reviews, regression testing and user acceptance prior to approval for implementation.
Software development and testing environments are maintained and logically separated from the production environment.
Incident Response and Breach Notification
Splunk has an incident response plan (the Splunk Incident Response Framework or SIRF) and team to assess, respond, contain and remediate (as appropriate) identified security issues, regardless of their nature (e.g., physical, cyber, product). Splunk reviews and updates the SIRF annually to reflect emerging risks and “lessons learned.”
Splunk notifies Customers without undue delay after becoming aware of a Data Breach. As used herein, Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Content under the applicable Agreement, including Personal Data as defined under the General Data Protection Regulation (EU) 2016/679 (GDPR), while being transmitted, stored or otherwise processed by Splunk.
In the event of a Data Breach involving Personal Data, if a customer reasonably determines notification is required by law, Splunk will provide reasonable assistance to the extent required for the Customer to comply with applicable data breach notification laws, including assistance in notifying the relevant supervisory authority and providing a description of the Data Breach.
In the event of a conflict between the breach notification provisions in this CSA and those set forth in an applicable Business Associate Agreement (BAA) with Splunk, the BAA breach notification terms will apply.
Governance and Audit
For Hosted Services provisioned on AWS provided IaaS, third party Splunk conducts internal control assessments on an ongoing basis to validate that controls are designed and operating effectively. Issues identified from assessments are documented, tracked and remediated as appropriate.
Third party audits are performed as part of our certification process (further below) to validate the ongoing governance of control operations and their effectiveness. Issues identified are documented, tracked, and remediated as appropriate.
Access and User Management
Splunk implements reasonable controls to manage user authentication for employees or contractors with access to Customer Content, including without limitation, assigning each employee or contractor with unique and/or time limited user authorization credentials for access to any system on which Customer Content is accessed and prohibiting employees or contractors from sharing their user authorization credentials.
Splunk allocates system privileges and permissions to users or groups on a “least privilege” principle and reviews user access lists and permissions to critical systems on a quarterly basis, at minimum.
New users must be pre-approved before Splunk grants access to Splunk corporate and cloud networks and systems. Pre-approval is also required before changing existing user access rights.
Splunk promptly disables application, platform and network access for terminated users upon notification of termination.
Password Management and Authentication Controls
Authorized users must identify and authenticate to the network, applications, and platforms using their user ID and password. Splunk’s enterprise password management system requires minimum password parameters.
Authorized users are required to change passwords at pre-defined intervals consistent with industry standards.
SSH key authentication and enterprise password management applications are utilized to manage access to the production environment.
Two-factor authentication (2FA) is required for remote access and privileged account access for Customer Content production systems.
Encryption and Key Management
Splunk uses industry-standard encryption techniques to encrypt Customer Content in transit. The Splunk Service is configured by default to encrypt user data files using transport layer security (currently, TLS 1.2+) encryption for web communication sessions.
Splunk relies on policy controls to help ensure sensitive information is not transmitted over the Internet or other public communications unless it is encrypted in transit.
Splunk encrypts at rest Customer credentials to third-party systems integrated with the Service using a minimum encryption protocol of Advanced Encryption Standard (AES) 256-bit encryption.
Splunk uses encryption key management processes to help ensure the secure generation, storage, distribution and destruction of encryption keys.
Threat and Vulnerability Management
Splunk has a Threat and Vulnerability Management (TVM) program to continuously monitor for vulnerabilities that are discovered internally through vulnerability scans, offensive exercises (red team), and employees; or externally reported by vendors, researchers or others.
Splunk documents vulnerabilities and ranks them based on severity level as determined by the likelihood and impact ratings assigned by TVM. Splunk assigns appropriate team(s) to conduct remediation and track progress to resolution as needed.
An external vendor conducts annual security penetration tests on the Service and on Splunk’s corporate environment to detect network and application security vulnerabilities. Findings from these tests are evaluated, documented and assigned to the appropriate teams for remediation based on severity level. In addition, Splunk conducts quarterly internal penetration tests on the Service and remediates findings as appropriate.
Logging and Monitoring
Monitoring tools and services are used to monitor systems across Splunk (e.g. application, infrastructure, network and storage) for performance and utilization.
Event data is aggregated and stored using appropriate security measures. Logs are stored in accordance with Splunk’s data retention policy.
The Splunk Security Team continuously reviews alerts and follows up on suspicious events as appropriate.
Splunk’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, implementation, configuration, maintenance, modification, and management of software components.
For major and minor product releases, Splunk uses a risk-based approach when applying its standard SDLC methodology, which includes such things as performing security architecture reviews, open source security scans, code review, dynamic application security testing, network vulnerability scans and external penetration testing. Splunk performs security code review for critical features if needed; and performs code review for all features in the development environment. Splunk scans packaged software to ensure it’s free from trojans, viruses, malware and other malicious threats.
Splunk utilizes a code versioning control system to maintain the integrity and security of application source code. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
The SDLC methodology does not apply to free Applications developed by Splunk or to Third Party Content, including any made available on splunkbase.com. For information on the inspection process for applications available on splunkbase.com, see AppInspect.
Splunk uses industry standard technologies to prevent unauthorized access or compromise of Splunk’s network, servers or applications, which include such things as logical and physical controls to segment data, systems and networks according to risk. Splunk monitors demarcation points used to restrict access such as firewalls and security group enforcement points.
Users must authenticate with two-factor authentication prior to accessing Splunk networks containing Customer Content.
Splunk conducts security due diligence and risk assessments of its vendors prior to onboarding and thereafter manages vendor security through its risk management program.
Splunk management reviews the documented risks associated with vendors to understand the potential impact to the business. Mitigation plans are implemented to address material risks to business operations, including data protection.
Splunk’s agreements with vendors that impose security obligations on them which are necessary for Splunk to maintain its security posture as set forth in this Addendum. Confidential Information is shared only with those who are subject to appropriate confidentiality terms with Splunk.
Splunk uses a risk-based approach to monitor vendor security practices and compliance with their agreements with Splunk.
Splunk grants physical access to Splunk facilities (including Splunk-operated data centers where applicable) based on role. Splunk removes physical access when access is no longer required, including upon termination.
Employees and visitors must visibly display and wear, identity badges when in Splunk facilities. Visitors must always be accompanied. Splunk logs visitor access to Splunk facilities.
Splunk reviews data center physical access, including remote access, on a quarterly basis to confirm that access is restricted to authorized personnel.
Splunk employs additional measures to protect its employees and assets, including video surveillance systems, onsite security personnel and such other technologies deemed industry best practice.
Disaster Recovery Plan
Splunk has a written Disaster Recovery Plan to manage significant disruptions to the Service. Splunk management updates and approves the Plan annually.
Splunk personnel perform annual disaster recovery tests. Test results are documented and corrective actions are noted.
Data backup, replication, and recovery systems/technologies are deployed to support resilience and protection of Customer Content.
Backup systems are configured to encrypt backup media.
Asset Management and Disposal
Splunk maintains and regularly updates an inventory of Service infrastructure assets and reconciles the asset list monthly.
Documented, standard build procedures are utilized for installation and maintenance of production servers.
Documented data disposal policies are in place to guide personnel on the procedure for disposal of Confidential Information, including Customer Content.
Upon expiration or termination of the Agreement, Splunk will return or delete Customer Content in accordance with the terms of the Agreement. If deletion is required, Customer Content will be securely deleted, except that Customer Content stored electronically in Splunk’s backup or email systems may be deleted over time in accordance with Splunk’s records management practices.
Splunk retains Customer Content stored in its cloud computing services for at least thirty (30) days after the expiration or termination of the Agreement.
Human Resources Security
Splunk personnel sign confidentiality agreements and acknowledge Splunk’s Acceptable Use Policy during the new employee onboarding process.
Splunk conducts background verification checks for potential Splunk personnel with access to Confidential Information, including Customer Content in accordance with relevant laws and regulations. The background checks are commensurate to an individual's job duties.
CSA Proof of Compliance
Splunk Observability Cloud Standard: Security Audits. At least once a year, Splunk Observability Cloud undergoes a SOC 2, Type II security audit* by an independent third party that attests to the effectiveness of the controls Splunk has in place to safeguard the systems and operations where Customer Content is processed, stored or transmitted. At a minimum, the audit covers the Security, Confidentiality, and Availability control criteria developed by the American Institute of Certified Public Accountants (AICPA). *Splunk Observability Cloud SOC 2, Type II security audit is currently limited to Services provisioned on AWS provisioned IaaS. Upon request, Splunk will supply Customer with a summary copy of Splunk’s annual audit reports, which will be deemed Confidential Information under the Agreement.