Professional Services Information Security Addendum

1. Splunk’s ISP is reasonably designed to help protect the confidentiality, integrity, and availability of Confidential Information against any anticipated threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss, destruction or damage.
2. Splunk’s ISP contains technical and organizational measures that are appropriate to: (i) the nature, size, and complexity of Splunk’s business; (ii) the resources available to Splunk; (iii) the type of information that Splunk stores; and (iv) the need for security and confidentiality of such information.
3. Splunk’s Chief Information Security Officer leads Splunk’s ISP and develops, reviews and approves (together with other stakeholders, such as Product Security, Legal and Internal Audit) Splunk Security Policies (as defined below).

1. Splunk maintains information security, use and management policies (collectively “Security Policies”) designed to educate employees and contractors regarding appropriate use, access to and storage of Confidential Information; restrict access to Confidential Information to members of Splunk’s workforce who have a “need to know” such information; prevent terminated employees from accessing Splunk information and information systems post-termination; and imposing disciplinary measures for failure to abide by such policies. Splunk performs background checks of its employees at time of hire, as permitted by law. Where feasible and as applicable, Splunk endeavors to align its Security Policies to ISO 27001 level standards for information security.
2. Splunk Security Policies are available to employees via the corporate intranet. Splunk reviews, updates and approves Security Policies once annually to maintain their continuing relevance and accuracy.

New employees are required to complete security training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Security Policies, as well as other corporate policies, such as the Splunk Code of Conduct. This includes requiring Splunk employees to annually re-acknowledge the Code of Conduct and other Splunk policies as appropriate. Splunk conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.

Splunk limits physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to its data centers is limited to authorized individuals and employs camera or video surveillance systems at critical internal and external entry points. Splunk applies air temperature and humidity controls for its data centers and protects against loss due to power failure.

Splunk employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its networks and production systems. Splunk’s monitoring includes a review of changes affecting systems’ handling authentication, authorization, and auditing; and privileged access to Splunk production systems. Splunk uses the principle of “least privilege” (meaning access denied unless specifically granted) for access to customer data.

1. Splunk employs an incident response framework (the “Splunk Incident Response Framework” or “SIRF”) to manage and minimize the effects of unplanned security events. The SIRF includes procedures to be followed in the event of an actual or potential security breach, including: (i) an internal incident response team with a response leader; (ii) an investigation team performing a root cause analysis and identifying affected parties; (iii) internal reporting and notification processes; documenting responsive actions and remediation plans; and (iv) a post-incident review of events.
2. For Services performed outside the US, Splunk provides notice without undue delay after becoming aware of a Data Breach. As used in this PS-ISA, Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data as defined under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) while being transmitted, stored or otherwise processed by Splunk. If Customer reasonably determines notification is required under GDPR, Splunk will provide reasonable assistance to the extent required, including assistance in notifying the relevant supervisory authority and providing a description of the Data Breach.
3. For Services performed within the US, Splunk provides notice of a breach of Personal Information, as defined under the California Consumer Privacy Act of 2018 (“CCPA”), as required under California law.

Technical security measures to guard against unauthorized access to Customer data that is being transmitted over a public electronic communications network or stored electronically.

Policies and procedures regarding the disposal of tangible and intangible property containing Customer Confidential Information so that wherever possible, Customer Confidential Information cannot be practicably read or reconstructed.

Splunk employs a risk assessment program to help it reasonably identify foreseeable internal and external risks to Splunk’s information resources and determine if its existing controls, policies, and procedures are adequate to address the identified risks.

Third-party vendors (collectively, “Vendors”) with access to Confidential Information are subject to contractual obligations of confidentiality and risk assessments to gauge the sensitivity of information being shared. Vendors are expected to comply with any pertinent contract terms relating to the security of data, as well as any applicable Splunk policies or procedures. Periodically, Splunk may ask the Vendor to re-evaluate its security posture to help ensure compliance.