Information Security & Controls Addendum
This Information Security & Controls Addendum between Ice Cream Social, Inc., a Delaware corporation (“Ice Cream Social”) and the User identified in the User Agreement to which this is an addendum (“User”), sets forth the terms and conditions relating to the security controls that Ice Cream Social has adopted when Processing User Data in association with the Services to be rendered by Ice Cream Social to User pursuant to the User Agreement (the “Agreement”). Information regarding the security controls used by Ice Cream Social’s Subprocessors is set out in section 4 below.
1. Definitions
“User Data” means any and all data and information including, but not limited to, User confidential information, Personal Data (as defined in the Agreement), financial data, and account data which is (i) disclosed at any time to Ice Cream Social or its Personnel by User in anticipation of, in connection with or incidental to the performance of Ice Cream Social’s services for or on behalf of User; (ii) Processed (as defined below) at any time by Ice Cream Social or its Personnel in connection with or incidental to the performance of Ice Cream Social’s services for or on behalf of User; or (iii) derived by Ice Cream Social or its Personnel from the information described in (i) and (ii) above.
“User Systems” means any User’s information systems, applications, databases, infrastructure (including without limitation, software and hardware), platforms, and networks.
“Ice Cream Social Systems” means Ice Cream Social’s information systems, applications, tools, software, hardware, databases, infrastructure, platforms, and networks used with respect to Processing User Data in any manner.
“High Privilege Account” means an account with system-level administrative or super-user access to information systems, applications or databases, with the ability to administer accounts and passwords on a system, or with the ability to override system or application controls.
“Personnel” means the individual employees, agents, consultants or contractors of Ice Cream Social or User (as applicable).
“Public Cloud” means a multi-tenant environment in which a service provider makes resources, such as applications, storage and computing infrastructure, available to the general public over the Internet.
“Process” or “Processed” or “Processing” means any operation or set of operations performed upon User Data, whether or not by automatic means, such as creating, collecting, procuring, obtaining, accessing, analyzing, recording, organizing, processing, adapting, storing, maintaining, altering, retrieving, transmitting, consulting, using, disclosing or destroying such data.
“Subprocessor” means any third party service provider appointed by Ice Cream Social (in accordance with the terms of the Agreement) to Process User Data.
2. Information Security Risk Management Requirements
Ice Cream Social shall maintain official written policies and procedures for the administration of information security throughout its organization to ensure the security, availability, integrity and confidentiality of Ice Cream Social Systems, User Systems and User Data.
- Ice Cream Social shall have an IT security function with clearly defined information protection roles, responsibilities and accountability.
- Ice Cream Social Personnel with access to User Data and/or User Systems shall participate in the information security awareness training provided by Ice Cream Social on a periodic basis (no less frequently than annually).
3. Information Security Requirements
1. Information Systems Audit
- Ice Cream Social shall perform internal vulnerability assessments on Ice Cream Social Systems used to provide the services to User. Furthermore, Ice Cream Social shall perform an external vulnerability assessment on all external internet facing Ice Cream Social Systems that impact User Data. Such assessments will be conducted not less frequently than semi-annually.
- Ice Cream Social shall use its best efforts to remediate any finding rated as high or critical (or a similar rating representing similar risk) in any assessment or audit of Ice Cream Social Systems within 30 days, and any finding rated as medium within 90 days. If a finding cannot be or is not remediated within the applicable period, Ice Cream Social must notify User immediately with a proposed action plan to remediate it.
- Upon reasonable request (with not less than ten (10) business days’ notice), Ice Cream Social shall provide formal reports for any assessments or audits performed on Ice Cream Social Systems used to provide the services to User, which shall include at a minimum the scope of the assessment or audit and every finding rated medium or above.
2. Operations Security
- Ice Cream Social shall implement and maintain security controls to detect and prevent unauthorized access, intrusions, computer viruses and malware on Ice Cream Social Systems in order to protect User Data, including:
- Ensuring that endpoint security software, including anti-virus and anti-malware protection, is configured to receive automatic signature updates as well as managed patches and updates;
- Installing critical security patches for operating systems and applications within 30 days of their release, and other patches and updates within 90 days;
- Ensuring that installed versions of operating systems, software and firmware on all systems are licensed and currently supported (i.e., still receiving security updates).
- Ice Cream Social shall implement and maintain a security event logging system that records all authorized and unauthorized access attempts to Ice Cream Social Systems, User Data and associated application services. Security event logs shall be retained for at least one year.
3. Access Control
- Ice Cream Social shall limit access to Ice Cream Social Systems, User Systems and/or User Data to those authorized Personnel and Subprocessors who require such access to perform their respective duties in support of the obligations set forth in the applicable Agreement with Ice Cream Social.
- Ice Cream Social shall assign a unique ID to all authorized Personnel prior to granting access to Ice Cream Social Systems and User Data.
- Ice Cream Social shall implement processes to support the secure creation, modification and deletion of accounts and High Privilege Accounts.
- Ice Cream Social shall terminate all physical and logical access of separating Ice Cream Social Personnel that may provide access to User Data and/or User Systems no later than the date of separation.
- Ice Cream Social shall ensure a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies (such as token devices), including the following password requirements at a minimum:
- Temporary passwords must be provided to Ice Cream Social Personnel by a secure method and must expire upon first use (the recipient must set a new password at first login).
- User account credentials (e.g. passwords) must not be shared, and must never be stored in clear text (stored passwords must be salted and hashed).
- Password complexity best practices must be enforced, including a minimum password length, account lockout after repeated failed login attempts, and a defined expiration period.
- Default credentials and accounts with empty or null passwords are prohibited.
- Information systems (including User Systems and Ice Cream Social Systems) must not be left in an authenticated state when unattended and must be locked and password protected when not in use.
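The password-handling and lockout requirements above, together with the logging of authorized and unauthorized access attempts required under Operations Security, as an added example in Python (not Ice Cream Social’s code). It uses only the standard library; the thresholds (12-character minimum, lockout after 5 failures, 90-day expiry), the PBKDF2 parameters, the account store and the JSON log format are assumptions chosen for illustration.

```python
"""Password policy, lockout and audit logging for an account store.

Added example (not Ice Cream Social's code): stdlib-only illustration of the
access-control clauses -- temporary passwords that expire on first use, no
clear-text credential storage, minimum length, lockout, expiry, and a log entry
for every authorized and unauthorized access attempt.  Thresholds and the log
format are assumptions.
"""
import hashlib
import hmac
import json
import os
import secrets
import time
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 12            # assumed policy value
MAX_FAILED_ATTEMPTS = 5             # assumed lockout threshold
PASSWORD_MAX_AGE = 90 * 24 * 3600   # assumed 90-day expiry, in seconds
PBKDF2_ITERATIONS = 100_000         # production code should prefer Argon2id or scrypt


def hash_password(password, salt):
    """Salted, iterated hash: the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


# Dummy credential so that a lookup of an unknown user costs the same as a real check
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    set_at: float            # when the current password was set
    temporary: bool = False  # issued by an administrator, must be changed at first login
    temp_used: bool = False  # a temporary password may authenticate exactly once
    failed_attempts: int = 0
    locked: bool = False


class AccountStore:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so expiry can be tested deterministically
        self.accounts = {}
        self.audit_log = []    # one JSON line per attempt; retain for at least one year

    def _log(self, username, outcome, **detail):
        record = {"ts": self.clock(), "event": "auth", "user": username, "outcome": outcome}
        record.update(detail)
        self.audit_log.append(json.dumps(record))   # never includes the password itself

    def create_account(self, username, password=None):
        """With no password given, issue a random temporary one that must be
        changed at first login; the caller delivers it out of band.  Empty or
        too-short permanent passwords are rejected."""
        temporary = password is None
        if temporary:
            password = secrets.token_urlsafe(16)
        elif len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt),
                                          self.clock(), temporary=temporary)
        return password

    def authenticate(self, username, password):
        """Return 'success', 'password_change_required', 'password_expired',
        'locked' or 'failure'.  Every call, whatever the result, is logged."""
        acct = self.accounts.get(username)
        if acct is None:
            hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_DIGEST)
            self._log(username, "failure", reason="unknown_user")
            return "failure"
        if acct.locked:
            self._log(username, "locked")
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self._log(username, "locked", reason="too_many_failures")
                return "locked"
            self._log(username, "failure", reason="bad_password", attempt=acct.failed_attempts)
            return "failure"
        acct.failed_attempts = 0
        if acct.temporary:
            if acct.temp_used:      # expired on first use
                self._log(username, "failure", reason="temporary_password_expired")
                return "failure"
            acct.temp_used = True
            self._log(username, "success", note="password_change_required")
            return "password_change_required"
        if self.clock() - acct.set_at > PASSWORD_MAX_AGE:
            self._log(username, "success", note="password_expired")
            return "password_expired"
        self._log(username, "success")
        return "success"

    def change_password(self, username, current, new):
        """Replace the password after re-verifying the current one and the policy."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked or len(new) < MIN_PASSWORD_LENGTH:
            return False
        if not hmac.compare_digest(hash_password(current, acct.salt), acct.digest):
            self._log(username, "failure", reason="bad_password_on_change")
            return False
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new, acct.salt)
        acct.set_at = self.clock()
        acct.temporary = acct.temp_used = False
        self._log(username, "success", note="password_changed")
        return True
```

A temporary password is returned once from create_account for out-of-band delivery and never appears in the log; a second login with the same temporary password fails, so it expires on first use as required. Retaining the audit_log lines for the one-year period is left to the log pipeline.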
4. Network & Data Transmission Security
- Ice Cream Social shall implement firewall protection, intrusion detection systems (IDS) and network security standards, designed on a risk basis, to maintain the integrity of User Data at all times and to restrict connections between untrusted networks and any system components in the environment.
- Ice Cream Social shall encrypt all records and files containing User Data when they are transmitted across public networks or wirelessly (for example, using TLS for network connections).
5. System & Storage Security
- Ice Cream Social shall implement and maintain physical and technical controls designed to:
- Guard against unauthorized access to, disruption of, alteration of, or removal of Ice Cream Social Systems, User Systems and User Data.
- Ensure that no User Data is physically or virtually commingled with any of Ice Cream Social’s (or any third party’s) other data unless the data is logically separated.
- Ice Cream Social shall ensure that all User Data will be Processed and maintained solely on designated target systems and that no User Data at any time will be Processed on or transferred to any portable computing device or any removable media (e.g. thumb drives or external hard drives) other than physically secured retention media solely used for the purpose of backup or data retention for business continuity planning/disaster recovery purposes, which shall be encrypted to industry standards.
- Ice Cream Social shall ensure that Ice Cream Social Personnel do not store any User Data on personally-owned devices (e.g. tablets and mobile devices).
- Ice Cream Social shall identify and implement risk based data loss prevention controls to protect User Data as required by regulatory compliance obligations.
6. Application Security
- Ice Cream Social shall have a documented software development lifecycle process which includes requirements gathering, system design, integration testing, user acceptance testing, and system acceptance.
- Ice Cream Social shall provide all developers with secure software development training and with information regarding vulnerabilities discovered, along with prevention and remediation measures for those vulnerabilities.
- Ice Cream Social shall design and develop all applications in accordance with the following core security principles:
- Least Privilege – Accounts, services and processes are granted only the minimum privileges required to perform their business functions.
- Minimize Attack Surface – Entry points that could be exploited by malicious users are reduced to those that are necessary.
- Separation of Duties – Sensitive functions are divided among different roles so that no single entity can complete a critical transaction alone.
- Fail Secure – When an error occurs, the system or application defaults to a secure (deny) state, and the amount of information exposed in error messages is limited.
- Defense in Depth – Layered security mechanisms are used so that the compromise of any single control does not compromise the system as a whole.
- Complete Mediation – Every access to every resource is checked against the authorization policy at the time of access, rather than relying on a previously cached decision.
- Avoid Single Points of Failure – Redundancy is added to critical systems so that no single component failure disrupts the service.
- Ice Cream Social shall develop all web applications based on secure coding practices such as the Open Web Application Security Project (OWASP) or NIST SP 800-95 guidelines for web services.
- Ice Cream Social shall use industry best practice quality control methods to ensure that software developed by Ice Cream Social or its contractors does not introduce security vulnerabilities to User’s computing or application environment. This includes identifying risks through threat and vulnerability analyses, including scanning for the Open Web Application Security Project (OWASP) Top 10 most critical web application security risks and remediating risks prior to delivery of systems or applications.
4. Subprocessor Compliance
Ice Cream Social’s Subprocessors and security details are set out below:
1. Amazon Web Services
- Ice Cream Social uses AWS-provided encryption for its applications and databases. Encryption operations occur on the servers that host EC2 instances, protecting both data at rest and data in transit between an instance and its attached storage.
- AWS WAF is enabled as an application-level firewall to help protect Ice Cream Social’s web applications and APIs against common web exploits and bots.
- Ice Cream Social uses AWS network access controls (such as security groups) to restrict direct connections to its servers to specific source IP addresses on specified ports. This controls which traffic, and which kinds of traffic, can reach Ice Cream Social Systems.
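The “specific IPs on specified ports” control described above can be verified rather than assumed, by auditing each security group’s ingress rules against a source-restriction policy. The following is an added example in Python (not Ice Cream Social’s or AWS’s code). The rule dictionaries follow the shape returned by boto3’s ec2.describe_security_groups() (SecurityGroups[].IpPermissions[]), but the sample data is constructed for the example, and the allowed public port (443) and trusted source ranges are assumptions.

```python
"""Audit of AWS security-group ingress rules against a source-restriction policy.

Added example (not Ice Cream Social's or AWS's code).  Rule dictionaries use the
IpPermissions shape returned by boto3's ec2.describe_security_groups(); the
sample data, allowed ports and trusted ranges below are constructed/assumed.
"""
import ipaddress

PUBLIC_ALLOWED_PORTS = {443}   # assumed: only HTTPS may be reachable from anywhere
TRUSTED_SOURCES = [            # assumed admin/office range (RFC 5737 documentation space)
    ipaddress.ip_network("203.0.113.0/24"),
]


def _is_world(cidr):
    """0.0.0.0/0 or ::/0: the rule admits every address on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _is_trusted(cidr):
    """True if the source CIDR lies entirely inside one of the trusted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def audit_ingress(group_id, permissions):
    """Return (group_id, severity, description) findings for one security group."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")          # "tcp", "udp", "icmp" or "-1" (all traffic)
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        single_port = lo is not None and lo == hi
        ports = "all" if proto == "-1" else (str(lo) if single_port else f"{lo}-{hi}")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if proto == "-1" and _is_world(src):
                findings.append((group_id, "critical", f"all traffic open to {src}"))
            elif _is_world(src):
                # World-reachable is tolerated only for a single explicitly allowed port
                if not (single_port and lo in PUBLIC_ALLOWED_PORTS):
                    findings.append((group_id, "high", f"{proto}/{ports} open to {src}"))
            elif not _is_trusted(src):
                findings.append((group_id, "medium",
                                 f"{proto}/{ports} open to untrusted source {src}"))
    return findings


def audit_all(groups):
    """groups: {group_id: IpPermissions list}; flatten findings across all groups."""
    return [f for gid, perms in groups.items() for f in audit_ingress(gid, perms)]


# Constructed sample input mirroring describe_security_groups() output
SAMPLE_GROUPS = {
    "sg-app": [  # public HTTPS plus SSH from one trusted admin host: compliant
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    ],
    "sg-db": [   # database port world-open, and all traffic from an unknown /24
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
}

if __name__ == "__main__":
    for gid, sev, desc in audit_all(SAMPLE_GROUPS):
        print(f"{sev:8} {gid}: {desc}")
```

Run against live data by passing the IpPermissions lists from describe_security_groups() in place of SAMPLE_GROUPS; the severities map onto the high/medium remediation windows in section 3.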
2. Conformance Cybersecurity
- Conformance Cybersecurity has been appointed to conduct penetration testing. It provides PCI Security Standards Council (PCI SSC) Qualified Security Assessor (QSA) services.
3. Sendgrid
- Sendgrid provides email-related services to Ice Cream Social. Details of how Sendgrid retains and deletes personal data when providing its services can be found here: [https://support.sendgrid.com/hc/en-us/articles/4410760485403-Data-Retention-and-Deletion-in-Twilio-Products].
- Sendgrid’s security policy (available at [https://sendgrid.com/policies/security/]) sets out that:
- Sendgrid’s data centers have SOC 2 Type II reports, and Sendgrid itself maintains a SOC 2 Type II attestation.
- Sendgrid regularly scans its applications for vulnerabilities using a combination of static source code analysis and dynamic testing. It offers two-factor authentication for customer accounts, encrypts all data in transit using TLS, and has an independent penetration test conducted annually.
- Access to Sendgrid’s systems and data is restricted to those who need it in order to provide the necessary support. Sendgrid carries out background checks on employees, has signed confidentiality agreements in place, and has termination/access-removal processes and acceptable use agreements in place.
- Sendgrid has redundant, geographically separate data centers allowing it to provide consistent service. If one data center becomes unavailable, it can recover quickly so that emails can still be sent.
4. TicketSocket, Inc.
- TicketSocket, Inc. is Ice Cream Social’s parent company. Ice Cream Social has appointed TicketSocket to provide services related to the operation of Ice Cream Social, including providing services and support to customers of Ice Cream Social. TicketSocket’s security processes are similar to Ice Cream Social’s, as set out in this Addendum.