This Security Exhibit outlines essential confidentiality, privacy, and data security practices (“Practices”) pertaining to the Customer Data provided to F12.net Inc. (F12.net) in order for F12.net to fulfill its obligations under the Agreement. These Practices incorporate the actions necessary to adhere to F12.net’s policies and procedures defined by its Information Technology Security Policies and Procedures (“Security Program”).
F12.net may update or modify these Practices from time to time provided such updates and modifications will not result in a degradation of the overall security of the Products and/or Support Services during the term of the Agreement. These Practices will not apply to Beta Versions.
Capitalized terms have the meaning defined herein or in the Agreement, and certain capitalized terms are defined at the end of this Exhibit.
Security Attestation and Risk Management
Security Attestation. F12.net will maintain SOC 2 Type II and CyberSecure Canada certifications or their equivalents during the Term of the Agreement. F12.net engages an independent third party to conduct annual security testing of its corporate IT network, datacenters, and F12 Connect.
Upon Customer’s reasonable written request at any time during the Term of the Agreement, F12.net will promptly provide Customer with information related to F12.net’s Practices, which may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant third party audits, reviews, tests, or certifications of F12.net’s systems or processes, including an annual SOC 2 report; (iii) a summary of F12.net’s operational practices related to data protection and security; and (iv) making F12.net’s Personnel reasonably available for security-related discussions with Customer.
Risk Management. F12.net maintains a documented risk management program that includes a quarterly risk assessment approved by senior management.
Policies, Standards, and Procedures
Policies and Standards. F12.net maintains policies or standards addressing the following areas:
Security Response. F12.net monitors for actual or reasonably suspected (a) unauthorized or unlawful access to or disclosure, loss, exposure or use of any Customer Data within F12.net corporate systems, or (b) unauthorized access to any facility, computer network or system within F12.net containing any Customer Data (collectively, “Security Incidents”).
Backup & Availability. Customer Data and the Products are replicated to hosted datacenters within the same geographic region. Backups are performed on a periodic basis, encrypted, and remotely stored.
Business Continuity Program. F12.net maintains a program designed to ensure that the necessary steps will be taken to develop and maintain viable recovery strategies and business continuity plans. F12.net will perform testing, conduct annual exercises, and provide training and enhancements to its business continuity program designed to ensure the continuity of F12.net’s services in the event of a disaster.
Data Handling and Protection
Data Regionalization. Upon subscribing to one or more of F12.net’s Services, Customer may select the data center region(s) in which Customer Data is stored. Customer Data may be transferred to and/or allowed to be accessed by Personnel located in the regions set forth at https://f12.net/data-supplement for Service operations and Support Services. Operational log files and files submitted for analysis by F12.net Support Services are stored in Canada.
Customer Data in Transit. Interactions between F12.net Personnel and any connections containing Customer Data are to be protected using a standard cryptographic protocol such as Transport Layer Security (“TLS”).
Customer Data at Rest. Customer Data stored within F12.net’s datacentres are encrypted at minimum with AES 256 bit encryption.
Encryption Algorithms. F12.net will utilize standard production ciphers capable of a minimum of AES256-SHA2 with 2048 bit key strength or equivalent.
Multi-tenancy and Data Segregation. F12.net will create, implement and maintain no less than industry standard logical data segregation in a multi-tenant environment designed to ensure Customer Data is not viewable by unauthorized users. F12.net logically isolates Customer Data, and the Customer controls the specific Customer Data stored in the Service.
Data Return and Deletion. F12.net provides its customers a mechanism that can be used to delete their user data. Customer Data may be deleted upon request, except for backups and monitoring data which will be deleted within 90 days.
Customer Data Handling. F12.net maintains appropriate data security controls addressing the following areas:
- Logical access controls including user sign-on identification and multi-factor authentication
- Data access controls (e.g., complex and hashed password protection)
- Multiple authentication failures that result in the temporary lockout of accounts
Inactivity timeout that logs the user out and require re-authentication to access the Service
- Security awareness program for all F12 employees
Personnel are prohibited from copying Customer Data to removable media without written permission from the Customer.
All production servers are hardened, monitored, and updated as per industry practices (NIST SP 800-123).
Secure Application Development
Least Privilege. Only authorized Personnel with a specific business purpose shall be allowed access to production and development resources and all access shall be appropriately approved.
Manual Code Review. To prevent malicious code insertion, F12.net requires code review by a second peer F12 application developer or by an F12 application development manager for all F12.net’s internally developed software.
Automated testing. F12.net Personnel are required to test each build of software prior to deployment to the production environment.
Management of Vulnerabilities. F12.net conducts a software vulnerability scan on all internally developed software. To the extent that scan identifies any critical or high-risk vulnerabilities as determined by F12.net, F12.net will remediate those vulnerabilities.
Change Management. All changes must contain documentation and relevant rollback plans. Each change is reviewed, approved, and tested prior to deployment or software release.
F12 Cloud Infrastructure Protection
Data Centers. The F12 Cloud is provided through secure data centers. F12.net maintains industry standard physical and environmental controls that are designed to protect the availability, confidentiality, and availability of the Product.
Data Center Controls. All data centers are SOC 2 or equivalent compliant facilities that provide redundant power, backup generators, and redundant cooling systems. Network connectivity is provided through multiple Tier 1 providers. Physical access to all data center floor space is secured according to industry standards, which measures may include security cameras, proximity cards, biometric scanners, and complete access logging, or equivalent measures.
F12.net conducts security assessments of its sub-processors that process Customer Data (“Sub-processors”). F12.net reviews Sub-processors’ security practices periodically to ensure effectiveness of their security operational practices.
Change of Sub-processors. F12.net’s current Sub-processors are listed at https://f12.net/data-supplement. In the event of the addition of a new Sub-processor, F12.net will provide notice to Customer (which notice may be provided through email, updates to https://f12.net/data-supplement, or such other reasonable means and updating that information at the foregoing link shall, upon Customer’s continued use of its Services thereafter, be deemed to constitute Customer’s receipt of that notice).
“Agreement” means the Master F12 Subscription and Services Agreement, incorporating the Services Schedules and any other exhibits, addenda, or attachments hereto, and any fully executed Order Form(s).
“Authorized Parties” means Customer’s or an Affiliate’s Employees and third-party providers who are authorized by Customer in writing to access and use the Services including the Customer Data.
“Beta Versions” mean beta, preview or other pre-release Products or features.
“Customer” means the customer of F12.net that has entered into the Agreement with F12.net and to which these Practices apply.
“Customer Data” means electronic data or information submitted to the Services by Customer or Authorized Parties, which may include Personal Information.
“F12 Connect” means F12’s service enablement application that provides ticket creation and management, user identity management, product ordering, licensing management, and reporting within the Customer’s environment.
“Personnel” means an employee of F12, or contractors engaged by F12 (excluding Sub-processors).