Accruent's Security Addendum
This Security Addendum (“Addendum”) is entered into by and between Accruent and its applicable client (on behalf of itself and its Affiliates, “Client”) and is incorporated by reference into, and forms a part of, the governing terms and conditions or other written or electronic agreement between Accruent and Client (the “Agreement”) for the provision of Accruent’s Services (as defined in the Agreement) to reflect the parties’ agreement regarding information security. Except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. In the event of a conflict between this Addendum and the Agreement, this Addendum will govern. Terms used but not defined herein shall have their respective meanings as set forth in the Agreement.
- SECURITY
Accruent shall use reasonable methods and safeguards designed to protect the Client Data, including from any unauthorized collection, access, use, storage, disposal, and disclosure, by its employees, agents, or subcontractors. To fulfill its obligations under this Section, Accruent shall have in place, at a minimum, physical, technical, administrative, and organizational safeguards that provide for and are designed to ensure: (a) protection of business facilities, computing equipment, equipment with information storage capability, and backup systems containing Client Data; (b) network, application (including databases) and platform security; (c) business systems are designed to optimize security and proper disposal of Client Data according to the terms of this Addendum and the Agreement; (d) secure transmission and storage of Client Data (including encryption that meets or exceeds current industry standards, as detailed in Section 7.2, below); (e) authentication and access control mechanisms over Client Data, operating systems and equipment; (f) personnel security, including background checks consistent with applicable law; (g) annual training to Accruent’s employees on physical, technical, and administrative information security safeguards and confidentiality; (h) that Client Data is stored in data centers that have industry standard security controls, and (i) restrictions to ensure that Client Data files are not placed on any notebook hard drive or removable media, such as compact disc or flash drives, unless encrypted.
- DATA BREACH
2.1 In the event Accruent experiences a Data Breach, Accruent will notify Client of the Data Breach as soon as practicable, but in no case later than seventy-two (72) hours after the event, with relevant information including the nature of the Data Breach, the nature of the Client Data affected, the categories and number of users concerned, the number of Client Data records concerned, and the measures taken to address the Data Breach. "Data Breach" means any improper, unauthorized or unlawful access to, use of, or disclosure of data subject personal information directly caused by Accruent's breach of this Addendum.
2.2 Accruent shall take prompt steps to remedy the Data Breach where reasonably practicable in accordance with Applicable Law. Client is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities in relation to any Data Breach.
- VULNERABILITY MANAGEMENT
3.1 Accruent shall maintain policies designed to ensure that Accruent assets, systems and software used to store, process, transmit or maintain Client Data are protected from known or reported vulnerabilities to external threats to functionalities or security by installing applicable and necessary security patches within a reasonable timeframe. Accruent will provide application penetration test executive summary reports upon written request.
3.2 Accruent shall evaluate security alerts, advisories, and directives from relevant external sources to determine: (a) exposure to such vulnerabilities, and (b) appropriate measures to address the associated risk.
- DISASTER RECOVERY
4.1 Accruent shall maintain a documented and appropriate disaster recovery policy designed to enable it to continue or resume providing Services in a timely manner after a disruptive event (“Disaster Recovery Plan”). In the event a disaster is declared, Accruent will initiate the Disaster Recovery Plan and shall use commercially reasonable efforts to resume access to Client’s Services at Accruent’s back-up data center facility in accordance with Accruent’s recovery time objectives.
4.2 Accruent shall annually test and monitor the effectiveness of its Disaster Recovery Plan, including its safeguards, controls, systems, and procedures, and shall evaluate and modify the Disaster Recovery Plan as needed to address newly identified internal and external risks to the security, confidentiality, and integrity of the Client Data.
- RECORDS, INFORMATION AND AUDIT
5.1 Client may, no more than once annually and with thirty (30) days' advance written notice, request a SOC 1 or SOC 2 report, or a bridge letter, by contacting audit.compliance@accruent.com. Client must include information on the Accruent product(s), the type of audit report requested, and contact information in the request.
5.2 Client may, no more than once annually and with thirty (30) days’ advance written notice, submit an industry-standard security questionnaire for Accruent to complete.
- DATA LOCATION AND ENCRYPTION
6.1 Accruent will work with reputable hosting providers for its SaaS Services that have industry-standard security precautions for the type of information maintained, which shall include, but not be limited to, procedures and measures designed to prevent unauthorized access to the SaaS Services and unauthorized use and/or modification of Client Data.
6.2 Client Data may be encrypted at rest, in motion, or both during transport, in accordance with the table below.