Security Services Addendum
The Security Services offering by PDQ Digital Media provides Clients with a scalable information security solution capable of detecting and notifying on potential security threats against a Client’s environment. This proprietary set of systems and processes utilizes state-of-the-art hardware, software, and security industry professionals to observe and monitor Client network(s), endpoint(s), and other related events in order to detect anomalous actions and security threats.
PDQ will examine the Client’s current computer networking platform, its hosting, and its data security requirements, to the extent Client has provided PDQ access, and will confirm that the agreed upon Service(s) can interact and operate with the Client’s platform and provide a secure environment in accordance with the specifications and with the industry standards set forth in the agreed upon Statement of Work (SOW).
If the agreement between PDQ and the Client is terminated or expires, Client shall have the option to either renew the agreement or replace the PDQ Security Services with a third-party provider of its choosing. Upon request, PDQ shall undertake commercially reasonable efforts to transition Client to the new provider as quickly, economically and efficiently as possible and if possible, will do so in a way that provides the most seamless and secure transition with minimal business interruptions to Client.
4. SERVICES AND FEATURES
Threat Management Platform
This product offering utilizes Client provided security event logs from different sources (such as firewalls, switches, and servers) and correlates those logs with threat signatures and behavioral analytics to identify activity that may signal a potential threat event to the operators. These threat behavior patterns are gathered from, and updated based on, subscribed industry threat intelligence feeds, proprietary threat intelligence, or other data provided by the Client.
Patch Management
This offering uses an automated tool to regularly scan systems against a known list of available operating system patches, hotfixes, and/or updates to determine whether these should be applied on those systems. If the scans determine that patches are needed, the Patch Management Solution will identify the patch and will schedule the patch installation through a change control process. This product is limited in scope to operating systems currently supported by PDQ.
Critical Environment Recovery
The Critical Environment Recovery component of the service will make use of the same disaster recovery services already provided by PDQ through its other service offerings. Critical Environment Recovery will be a required component of all security service offerings and packages but will be limited in scope to client servers defined in the agreed upon Statement of Work (SOW).
Firewall Switch Management
Many organizations do not have the skills and/or expertise in industry best practices to appropriately manage their firewalls and switches. Especially for companies using more advanced layer 7 firewalls, internal personnel may not have the necessary training or resources to effectively maintain and monitor these devices as designed. Additionally, when internal administrators do make changes to their firewalls and switches, they frequently do so without keeping an adequate history of the changes, and therefore lack the documentation required for compliance purposes. PDQ’s Firewall/Switch Management offering will include both the appropriate management of the firewalls and switches and the necessary documentation, including managing and tracking the authentication of users making changes, as well as tracking prior configurations to allow for the roll-back of changes if needed.
Vulnerability Assessment
The Vulnerability Assessment offering scans Client approved internal and external networks using automated tools that utilize known threat vectors to test for vulnerabilities. In cases where a Certified Scanning Vendor’s services are necessary, PDQ will engage one of its partners to perform these services on its behalf, at a pre-negotiated frequency as agreed to with the Client and their compliance requirements.
Performance Monitoring
Performance Monitoring includes reporting on performance trends, proactive monitoring of alerts, and conducting analyses on performance metrics, such as up/down frequency, bandwidth usage, and processor, memory, and storage utilization. Reporting method and frequency will be defined in the associated Statement of Work (SOW).
End Point Security
The End Point Security Service manages the security of server and end-user devices, such as PC workstations and laptops, by using anti-malware software. This service offering will monitor, maintain, and manage the endpoint agents, ensuring they are up-to-date and functional.
5. BEST PRACTICES
PDQ shall implement the following best practices with regard to development and deployment of the Products and Services. PDQ shall maintain appropriate systems security for PDQ’s Service in accordance with commercially reasonable industry standards and practices designed to protect all data and information provided by or on behalf of Client that is input into, displayed on or processed by PDQ’s Service and all output therefrom (“Client Data”) from theft, unauthorized disclosure and unauthorized access. Such systems security includes, among other things: (1) implementation of application vulnerability tests and mitigation processes; (2) direction of all PDQ-Client electronic communications via a secure web portal, a secure file share, or encrypted email; and (3) the following safeguards:
- All access is authenticated, communication secured using industry best practices, and logged.
- System identity is tied to an individual user by the use of credentials and by a second-factor authentication mechanism.
- Reasonable authentication controls that conform to industry recognized standards are provided.
- Ensure that authorized users are only allowed to perform actions within their privilege level.
- Control access to protected resources based upon role or privilege level.
- Mitigate and defend against privilege escalation attacks as feasible, to available technology standards and best practices.
- Passwords conform to best practices, including:
  - Encrypting passwords using “hashing” and “salting” techniques.
  - Enforcing password complexity.
  - Limiting failed attempts before account lockout.
  - Not allowing storage and transmittal of passwords in clear text.
  - Password reset does not send credentials.
- Where appropriate, PDQ shall securely log (with time and date) commands requiring additional privileges to enable a complete audit trail of activities.
- Data at Rest
  - Client Data is encrypted using industry best practices.
  - Backups of Client Data have the same controls as production data.
- Data in Transit
  - Client Data in transit to or from Client will be encrypted (e.g., SSL, VPN, SFTP, certificate-based authentication).
  - Client Data sent over browser should use SSLv3 or better.
- In a multi-tenant environment, PDQ shall provide appropriate security controls and robust cryptographic methods to protect and isolate Client Data from other tenants.
- Applying Principle of Least Privilege: Proper controls should be in place to ensure that access is limited to personnel who must see Client Data in order to fulfill their job functions.
- Where possible, confidential data should be masked with one-way hashing algorithms.
- Client Data should not be replicated to non-production environments.
- Intrusion Detection
PDQ shall implement and maintain an intrusion detection monitoring process at the network and host level to protect PDQ Services and to detect unwanted or hostile network traffic. PDQ shall update its intrusion detection software continuously, on a scheduled basis following the availability of updates from the chosen software provider. PDQ shall implement measures to ensure that PDQ is alerted when the system or service detects unusual or malicious activity. PDQ shall notify Client within twenty-four (24) hours of any significant intrusion that involves a breach of customer’s data.
- Penetration Tests
PDQ shall conduct penetration tests at least once per year on its Client-wide computing environment through a third-party Qualified Security Assessor (QSA), and appropriately dispose of the risks identified. Due to the high-risk nature of these reports, the reports and findings will not be publicly disclosed or made available for client inspection. PDQ will, however, make available upon request a letter from the QSA confirming satisfactory disposition of identified threat concerns. Clients will not be authorized to conduct vulnerability scans, assessments, or penetration tests against the PDQ service infrastructure.
- Infrastructure Security
PDQ shall configure the infrastructure (e.g., servers and network devices) and platforms (e.g., OS and web servers) to be secure following these best practices:
- Audit Logging: Client authorizes PDQ to collect, use, store, transfer, monitor and otherwise process logs from all systems subscribed to PDQ’s Service. These log types include, but are not limited to, security logs, web server logs, application logs, system logs and network event logs. PDQ monitors its networks 24/7 using the latest SIEM and behavioral analytics technologies. The Client acknowledges that these logs can contain source and destination IP addresses, user accounts used, bad passwords attempted, click and screen entries, and other personally identifiable data elements.
- Duplicate copies of these logs will be maintained, and an offsite archival copy will reduce risk of loss due to tampering.
- Network Security
- PDQ shall comply with industry standards, separating perimeter networks from endpoints hosted in the private network using industry standard firewalls or micro-segmentation techniques based on Software Defined Networking technologies. PDQ shall update and maintain its infrastructure using an industry standard maintenance and change control methodology.
- PDQ shall monitor and test its perimeter devices on a regular basis, and, if deficiencies are discovered, PDQ shall promptly troubleshoot and remediate these deficiencies.
- Vulnerability Management
In addition to the third-party vulnerability assessments described above, PDQ shall implement commercially reasonable processes designed to protect Client Data from system vulnerabilities, including:
- Perimeter Scanning: PDQ shall perform perimeter scanning through the use of embedded sensors within PDQ’s infrastructure providing information to our centralized SIEM tool.
- Internal Infrastructure Scanning: PDQ shall perform internal infrastructure scanning through the use of embedded sensors within PDQ’s infrastructure providing information to our centralized SIEM tool.
- Malware Scanning: Where possible, PDQ utilizes an advanced behavior- and signature-based anti-virus/anti-malware (APT) tool, along with application whitelisting techniques, to protect its infrastructure from the threat of unauthorized malicious software.
- Secure Configuration
PDQ utilizes an industry standard methodology for platform hardening and secure configuration, in order to reduce attack scope and surface. Through the use of micro-segmentation techniques, lateral communication is further restricted to known communication pairs and patterns.
- Security Procedures
- Incident Response
PDQ shall maintain security incident management policies and procedures, including detailed security incident escalation procedures. In the event of a breach of PDQ’s security or confidentiality obligations impacting a Client’s environment or data, PDQ agrees to notify affected Client(s) by telephone and email of such an event within twenty-four (24) hours of discovery. PDQ will also promptly perform an investigation into the breach, take appropriate remedial measures, and assign a Single-Point-of-Contact (SPoC). This SPoC, or their designee, will be available for security questions or concerns twenty-four (24) hours per day, seven (7) days per week, for the duration of PDQ’s investigation.
- Patch Management
PDQ shall use a patch management process and tool set to keep all servers up to date with appropriate security and feature patches.
- Documented Remediation Process
PDQ shall use a documented remediation process designed to timely address all identified threats and vulnerabilities with respect to the PDQ Service.
- Employee Termination Procedures
- PDQ shall promptly terminate all credentials and access to privileged password facilities, such as Identity and Access Management Systems, upon termination of employment.
- Security Policy
PDQ shall maintain a written information security policy that is approved annually by PDQ and published and communicated to all PDQ employees and relevant third parties. PDQ shall maintain a dedicated security and compliance function to design, maintain and operate security in support of its “trust platform” in line with industry standards. This function shall focus on system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment, statements of applicability, and PDQ management.
- Security Training
PDQ shall ensure, at no expense to Client, that all PDQ employees and Clients complete relevant training required to operationalize the procedures and practices outlined herein, including security awareness training, on at least an annual basis.
- Security Reviews
PDQ and Client may meet at least once annually to discuss: (1) the effectiveness of PDQ’s security platform; and (2) any updates, patches, fixes, innovations or other improvements made to electronic data security by other commercial providers or for other customers of PDQ that PDQ or Client believe will improve the effectiveness of PDQ’s security platform for Client.
- Third-Party Audits and Compliance Standards
- PDQ shall provide Client with a copy of SOC2 or similar audit results no more than thirty (30) days after PDQ receives the results or reports. Client has the right to, or to engage a third party on its behalf to, visit PDQ’s offices up to four (4) times per calendar year in order to conduct due diligence and auditing procedures on PDQ’s business operations related to PDQ’s Service in terms of technical infrastructure, system interaction, organization, quality, quality control, personnel involved with services for Client, and general resources in terms of skills and personnel.
- PDQ will furnish evidence of a successful SSAE No. 18 audit upon Client request to the extent permitted by law and subject to applicable regulatory restrictions and confidentiality obligations. PDQ must verify that the audit certifies all infrastructure and applications that support and deliver services to Client Data.
- PCI-DSS Compliance
PDQ shall maintain policies, practices and procedures sufficient to comply with the Payment Card Industry Data Security Standard, as the same may be amended from time to time, with respect to PDQ’s Service.
- Vulnerability Assessments
PDQ shall conduct application vulnerability assessments at least annually. These assessments will be conducted with a third-party Qualified Security Assessor (QSA). Due to the high-risk nature of these reports, the reports and findings will not be publicly disclosed or made available for client inspection. PDQ will, however, make available upon request a letter from the QSA confirming satisfactory disposition of identified threat concerns. Clients will not be authorized to conduct vulnerability scans, assessments, or penetration tests against the PDQ application platforms.
- Physical Security
PDQ shall limit access to its facilities utilized in performing PDQ’s Service to employees and authorized visitors using commercially reasonable industry standard physical security methods. At a minimum, such methods shall include visitor sign-ins, restricted access key cards and locks for employees; limited access to server rooms and archival backups; and burglar/intrusion alarm systems.
- Business Continuity
PDQ shall have a business continuity plan in place for the restoration of critical processes and operations of PDQ’s Service at the location(s) from which PDQ’s Service is provided. PDQ shall also have an annually tested plan in place to assist PDQ in reacting to a disaster in a planned and tested manner. PDQ shall provide Client with a copy of its then-current plan promptly following Client’s written request for same.
- PDQ Internal Systems Backup Management
- PDQ shall perform full backups of internal systems and database(s) containing Client Data no less than once per day without interruption of the PDQ Service. PDQ shall also provide off-site archival storage on no less than a weekly basis of all backups of the internal systems and database(s) containing Client Data on secure server(s) or other commercially acceptable secure media. Such data backups will be encrypted, sent off-site to a secure location each business day and stored/retained for seven (7) years.
- In order to recover from a Datacenter failure Incident, the required backed-up data will be replicated over at least two (2) geographically dispersed data centers at any point in time. Backup snapshots may be periodically sent to another data center. Data retention for an in-datacenter failure Incident will utilize twenty-four (24) hourly snapshots, fourteen (14) daily backups and three (3) monthly backups. This backup policy is designed to support either a partial or a full recovery of the system expediently.
Client has the right to, or to engage a third party on its behalf to, at its own expense, visit PDQ’s offices once per calendar year in order to conduct due diligence and auditing procedures on PDQ’s business operations related to PDQ’s Service in terms of technical infrastructure, systems interaction, organization, quality, quality control, personnel involved with services for customers, and general resources in terms of skills and personnel. Understanding the proprietary and intellectual property nature of this access, Client agrees to execute and abide by a Non-Disclosure Agreement, and to limit the documentation or removal of this information from PDQ’s premises.
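As an added illustration (not part of the Addendum and not PDQ’s tooling), the retention schedule above written as a selection rule over a constructed list of hourly snapshot timestamps, together with a check a Client could run against a snapshot listing to confirm the 24-hourly / 14-daily / 3-monthly commitment is still met. Bucket boundaries (calendar hour, day and month) are an assumption.

```python
"""Retention selection and verification for a 24 hourly / 14 daily / 3 monthly
backup schedule. Added example; timestamps are constructed, not real."""
from datetime import datetime, timedelta

HOURLY, DAILY, MONTHLY = 24, 14, 3  # the counts stated in the Addendum


def _bucket_keys(ts):
    """Calendar buckets a snapshot falls into: (hour, day, month)."""
    return ((ts.year, ts.month, ts.day, ts.hour),
            (ts.year, ts.month, ts.day),
            (ts.year, ts.month))


def select_retained(snapshots, hourly=HOURLY, daily=DAILY, monthly=MONTHLY):
    """Return the sorted subset of snapshot timestamps the policy keeps.

    For each tier the newest snapshot in a bucket represents that bucket and
    the newest `limit` buckets are kept; a snapshot kept by any tier is kept.
    """
    keep = set()
    ordered = sorted(set(snapshots), reverse=True)  # newest first
    for tier, limit in enumerate((hourly, daily, monthly)):
        seen = []
        for ts in ordered:
            key = _bucket_keys(ts)[tier]
            if key in seen:
                continue  # a newer snapshot already represents this bucket
            seen.append(key)
            if len(seen) > limit:
                break
            keep.add(ts)
    return sorted(keep)


def prune_candidates(snapshots, retained):
    """Snapshots that fall outside the policy and may be expired."""
    return sorted(set(snapshots) - set(retained))


def policy_gaps(retained, now, hourly=HOURLY, daily=DAILY, monthly=MONTHLY):
    """Verify a retained set from the other side: list the hour, day and
    month buckets inside each window that have no retained snapshot."""
    present = [set(), set(), set()]
    for ts in retained:
        for i, key in enumerate(_bucket_keys(ts)):
            present[i].add(key)
    gaps = []
    for n in range(hourly):
        t = now - timedelta(hours=n)
        if (t.year, t.month, t.day, t.hour) not in present[0]:
            gaps.append(("hour", t.strftime("%Y-%m-%d %H:00")))
    for n in range(daily):
        t = now - timedelta(days=n)
        if (t.year, t.month, t.day) not in present[1]:
            gaps.append(("day", t.strftime("%Y-%m-%d")))
    y, m = now.year, now.month
    for _ in range(monthly):
        if (y, m) not in present[2]:
            gaps.append(("month", f"{y:04d}-{m:02d}"))
        m -= 1
        if m == 0:
            y, m = y - 1, 12
    return gaps


def hourly_snapshots(start, end):
    """Constructed sample: one snapshot per hour from start to end inclusive."""
    out, t = [], start
    while t <= end:
        out.append(t)
        t += timedelta(hours=1)
    return out


# Constructed listing: hourly snapshots for the first 3.5 months of 2020.
SAMPLE = hourly_snapshots(datetime(2020, 1, 1, 0), datetime(2020, 4, 17, 18))

if __name__ == "__main__":
    kept = select_retained(SAMPLE)
    print(f"{len(SAMPLE)} snapshots, {len(kept)} retained, "
          f"{len(prune_candidates(SAMPLE, kept))} prunable")
    print("oldest restore point:", kept[0])
    print("gaps against policy:", policy_gaps(kept, SAMPLE[-1]))
```

The retained set for the sample is 24 hourly points plus the end-of-day snapshot for each of the 12 earlier days in the 14-day window and the end-of-month snapshot for March and February; dropping the February point makes `policy_gaps` report the missing month.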
6. CLIENT RESPONSIBILITIES
Client shall document and promptly report all errors or malfunctions of a system covered under this agreement to PDQ. PDQ shall provide all necessary spare parts and/or other hardware to maintain equipment owned by it necessary to the fulfillment of any service under this Schedule.
Client shall not use anything whether tangible or intangible which is appurtenant to and/or provided by this agreement for any unlawful purpose or for any purpose which is prohibited by PDQ’s Network Abuse Policy and/or Acceptable Use Policy as is posted on its website.
Customer acknowledges that PDQ performance and delivery of the Services are contingent upon: (A) Customer providing safe and hazard-free access to its personnel, facilities, equipment, hardware, network and information, and (B) Customer’s timely decision-making and provision of timely, accurate and complete information and reasonable assistance, including, granting of approvals or permissions, as (A) and (B) are deemed reasonably necessary and reasonably requested for PDQ to perform, deliver and/or implement the Services. Customer will promptly obtain and provide to PDQ any required licenses, approvals or consents necessary for PDQ’s performance of the Services. PDQ will be excused from its failure to perform its obligations under this Addendum to the extent such failure is caused solely by Customer’s delay in performing or failure to perform its responsibilities under this MSA and/or the Service Order/SOW.
7. STATEMENT OF WORK; RESPONSIBILITY MATRIX
A Statement of Work (“SOW”) and Responsibility Matrix (“RM”) shall be used to specify the duties, scope, locations, deliverables, standards, activities, and general requirements for any Information Security Service offered by PDQ to a Client.
- No Product Warranty
PDQ makes no express or implied warranties of product merchantability or fitness for any particular purpose. While all services are designed to be resilient, it is up to the Client to plan for disasters and it is always recommended to keep an off-site backup of critical data in event of critical failure or disaster.
- Disclaimer of Warranty
PDQ WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DISTRIBUTED DENIAL-OF-SERVICE ATTACK, VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA NETWORK OR OTHER PROPRIETARY MATERIAL RESULTING FROM YOUR USE OF THE SERVICES, PDQ DIGITAL MEDIA’S WEBSITE OR THE SERVICE OR ITEMS PURCHASED OR OBTAINED THROUGH THE WEBSITE OR THE SERVICE OR TO YOUR DOWNLOADING OF ANY MATERIAL POSTED ON IT, OR ON ANY WEBSITE LINKED TO IT. NEITHER PDQ DIGITAL MEDIA NOR ANY PERSON ASSOCIATED WITH PDQ MAKES ANY WARRANTY OR REPRESENTATION TO ANY USER WITH RESPECT TO THE COMPLETENESS, SECURITY, RELIABILITY, QUALITY, FUNCTIONALITY OR AVAILABILITY OF THE SERVICES. WITHOUT LIMITING THE FOREGOING, NEITHER PDQ DIGITAL MEDIA NOR ANYONE ASSOCIATED WITH PDQ REPRESENTS OR WARRANTS THAT THE SERVICE WILL BE RELIABLE, ERROR-FREE, INTRUSION PROOF OR UNINTERRUPTED, THAT DEFECTS WILL BE CORRECTED, FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS OR THAT THE SERVICES WILL OTHERWISE MEET THE NEEDS OR EXPECTATIONS OF CLIENT OR ANY USER. EXCEPT FOR THE WARRANTY SET FORTH ABOVE, PDQ PROVIDES THE SERVICE, AND ALL ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES. PDQ DIGITAL MEDIA HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR PARTICULAR PURPOSE.
PDQ DIGITAL MEDIA’S AGGREGATE LIABILITY (WHETHER IN CONTRACT, TORT OR OTHERWISE) FOR ALL CLAIMS OF LIABILITY ARISING OUT OF, OR IN CONNECTION WITH, THE AGREEMENT SHALL NOT EXCEED THE AMOUNTS PAID BY CLIENT FOR THE SERVICES GIVING RISE TO A CLAIM FOR LIABILITY. THE FOREGOING DOES NOT AFFECT ANY WARRANTIES WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW. THIS SECTION SHALL SURVIVE ANY EXPIRATION OR TERMINATION OF THE AGREEMENT.
IN NO EVENT WILL PDQ DIGITAL MEDIA, ITS AFFILIATES OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE SERVICES OR ANY WEBSITES ASSOCIATED WITH IT, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE. THE FOREGOING DOES NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
- Limitation on Time to File Claims
- Notice of Loss
PDQ is not liable for any loss or corruption of data. Clients are always encouraged to retain a copy of data. In the event of loss or destruction of or damage to Client data, PDQ will provide notification to Client via e-mail to an address provided by the Client. Client must ensure that the e-mail address is valid.
By entering this Agreement and by using the Services, Client consents to, and hereby agrees that PDQ Digital Media may access Client’s networks and computer systems including the access to and use, disclosure, interception, transmission, receipt, analysis, processing, copying, editing, encryption, decryption, and storage of Client information and that of its employees, agents and those it authorizes to use the Services, whether encrypted or in clear text (“Client’s Information”) for the purpose of providing the Services, including, without limitation, analyzing Client’s network traffic, and for storage and retention of Client’s Information for future reference and analysis. Client represents and warrants that it complies with all applicable data collection and transfer laws and regulations of the countries in which it operates and that it has duly obtained all consents, permits or licenses, in writing or electronically that may be necessary under applicable laws from its employees, agents, and those it authorizes to use the Services in order to enable PDQ Digital Media to provide the Services under the Agreement. Prior to using the Services, or at any other time reasonably determined by PDQ Digital Media, Client will provide PDQ Digital Media true and correct copies of such consents.
Client shall defend, indemnify and hold harmless the PDQ Digital Media Indemnified Parties from and against any damages, orders, decrees, judgments, liabilities, claims, actions, lawsuits, costs and expenses (including, without limitation, costs of litigation and attorneys’ fees) (“Claims”) incurred by the PDQ Digital Media Indemnified Parties or finally adjudicated against the PDQ Digital Media Indemnified Parties arising out of or resulting from: (i) infringement of intellectual property rights, including, without limitation, copyright, trademark, trade secret, patent, and common law rights in connection with Client’s Information, networks, or computer systems; (ii) violation of applicable laws or policies by Client, including, without limitation in connection with Client Information, networks, or computer systems; (iii) failure by Client to secure all necessary consents, permits, and licenses, including without limitation, in connection with Customer’s Information, networks, or computer systems; (iv) breach of warranty by Client; (v) breach of this Agreement by Client; (vi) use of Services by Client or Client Affiliates; (vii) negligence, intentional misconduct or other wrongful acts or omissions by Customer; and (viii) Claims alleging that PDQ Digital Media was not authorized to provide Services requested by Customer.
This Section states each party’s exclusive remedies for any third-party claim or action, and nothing in this Agreement or elsewhere will obligate either party to provide any greater indemnity to the other.
PDQ Digital Media may assign, subcontract or delegate in whole or in part this Agreement, or any rights, duties, obligations or liabilities under this Agreement, by operation of law or otherwise, provided that PDQ Digital Media shall remain responsible for the performance of Services under this Agreement. Otherwise, neither party may assign this Agreement without the permission of the other party, which permission shall not be unreasonably withheld, conditioned or delayed.
The subsections of this section define the recurring and non-recurring charges and fees pursuant to this schedule.
- MONTHLY RECURRING FEES
The Initial Monthly Recurring Charges are the initial monthly fees charged for this Schedule. This fee may be modified by mutual agreement of Client and Provider based on changes to the initial configurations, covered devices, or other similar environment variables.
- NON-RECURRING SERVICE FEES
The non-recurring services and fees associated with this Schedule include but are not limited to any Out-of-Scope fees and/or the fees for any associated labor and other services provided under a Statement of Work or for the migration/installation/implementation of Client’s production environment from its current state to Provider’s Cloud/Hosting environment or for other purposes agreed to by Provider and Client, including, but not limited to, those defined in a Statement of Work as one time or non-recurring fees or services whether created at the time of or subsequent to the execution of this agreement.
- INITIAL SETUP FEES
The initial setup fees and charges for this Schedule are the one-time non-recurring fees associated with the initial setup of Client’s services. This fee may be modified by mutual agreement of Client and Provider based on changes to the initial configurations, scope, covered devices or other similar environment variables. Initial Setup Fees do not include the charges for Data Migration. Data Migration Fees will be specified and covered under a separate Statement of Work or Project.
Last Update: 04/17/2020 - 18:27pm