BugSplat, LLC (“BugSplat”) maintains an Information Security Program (“ISP”) in conformance with the requirements set forth below, which may be incorporated by reference into a Customer License Agreement (the “Agreement”). In the event of a conflict between the terms of this document and the terms of the Agreement, the terms of the Agreement will apply.
Security Standards. The ISP is designed to: (a) protect the confidentiality, integrity, and availability of information and data, including personal data, that is provided or made available to BugSplat under the Agreement (“Customer Data”) against any anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; accidental loss or destruction or damage; and (b) safeguard the Customer Data as required by any local, state or federal regulations applicable to any Service provided by BugSplat under the Agreement. The ISP contains administrative, technical, and physical safeguards appropriate to: (a) the size, scope and type of BugSplat’s business and the Service it provides; (b) the type of information that BugSplat stores; and (c) the need for security and confidentiality of such information.
Security Policies and Procedures
BugSplat will maintain and implement security policies and procedures that are reasonably designed to cause all employees, Infrastructure Operator, and any subcontractors to process Customer Data in accordance with the Information Security Program. “Infrastructure Operator” means the vendor who hosts BugSplat’s physical servers. Amazon Web Services (AWS) is the current Infrastructure Operator.
BugSplat will implement disciplinary measures against employees and contractors who fail to abide by its security policies and procedures
BugSplat will use commercially reasonable efforts ensure that its security infrastructure is consistent with industry standards for firewalls, intrusion prevention, and intrusion detection.
BugSplat development workstations will include endpoint protection software which is consistent with industry standards.
Security Awareness Training
BugSplat will maintain up-to-date security awareness training for employees and contractors with access to Customer Data consistent with applicable law.
Security awareness training includes:
The handling and securing of Customer Data
Response plans for potential security events
Details about the company’s enforcement of security policies and procedures
Physical Environment, Access Control and Monitoring
Infrastructure Operator establishes physical controls for access to network and servers that access Customer Data.
Infrastructure Operator establishes camera monitoring at hosting environment entrance and exit points.
Infrastructure Operator has implemented and maintains appropriate temperature and humidity controls and monitoring for the server environment.
Logical Access Controls
BugSplat has established controls designed to prevent network access to Customer Data without proper authentication
BugSplat ensures that authentication includes account passwords that are unique to each employee or contractor, and two-factor or multi-factor authentication or other mechanism appropriate to protect against brute force account attacks.
BugSplat will ensure that its employee and contractor accounts provide access to Customer Data to only those employees who require access to provide services to Customer.
BugSplat will ensure that all access to Customer Data is logged by BugSplat and that a process is in place for monitoring these logs and notifying BugSplat of unusual activity.
At a minimum, BugSplat will review account access and activity on a quarterly basis.
BugSplat has an internal review mechanism for any change which may affect authentication, authorization, or auditing mechanisms.
BugSplat will immediately terminate an employee’s access to Customer Data when such employee is terminated or contractor service is suspended or discontinued.
BugSplat maintains remote backups of production servers on an appropriate schedule.
BugSplat tests data recovery from backups at least quarterly.
BugSplat maintains a formal disaster recovery plan that supports any documented service level agreement.
BugSplat provides backup and recovery services for all Customer Data.
BugSplat and Infrastructure Operator maintain business continuity and incident response plans to minimize the impact of unplanned events, including cyber security, physical, or natural disaster.
BugSplat incident response plans support the goal of resuming service within 48 hours of an incident that disables any service.
BugSplat’s incident response plans include providing Customer with notification and details about the cause and remediation of any incident.
Storage and Transmission Security
Customer Data is logically segregated from any third-party data.
Transport Layer Security with a key strength of at least 256 bits and industry standard ciphers are used for movement of Customer Data.
Customer Data is encrypted at rest with a key strength of at least 256 bits using industry standard ciphers.
BugSplat uses industry standard measures to protect Customer Data by strong access controls.
BugSplat will conduct regular internal security audits.
BugSplat will contract with a third party to do external security assessment and penetration tests, tests are performed on at least an annual basis.
BugSplat will securely destroy, or at Customer’s request, return through a secure method, any Customer Data that is no longer needed to fulfill obligations to Customer, or on termination or expiration of the Agreement with Customer
BugSplat will periodically review internal and external threats to the service and use industry standard methods to confirm that existing controls, policies, and procedures provide sufficient mitigation.
BugSplat will conduct a risk assessment on the security practices of any of its third-party contractors or vendors prior to providing access to Customer Data. Any BugSplat third-party supplier with access to Customer Data must adhere to terms substantially similar to those in the BugSplat ISP.
BugSplat will verify that its risk assessment is sufficient to satisfy compliance with this ISP.
The data sub-processors used by BugSplat are:
Change and Configuration Management
BugSplat policies and procedures ensure at least one additional engineer reviews and signs off on any changes to production systems, applications, or databases that may have an impact on security or service availability.
BugSplat has processes that support identifying and applying necessary security patches from all software, libraries, or hardware firmware in use.
Change of Compliance
BugSplat will notify Customer within thirty days if it is no longer possible to satisfy the security policies and procedures outlined in this document. At its option, Customer may terminate services upon such notification and receive a pro-rata refund of any fees already paid for the period following such termination.