These measures supplement the Archer Security and Privacy Terms. Archer requires Suppliers who handle Archer Data to adhere to certain minimum organizational and technical security measures.
Supplier must develop, maintain and/or implement a comprehensive written information security program that adheres to these measures. Supplier’s information security program shall include administrative, technical and physical safeguards to protect Archer Data that are no less rigorous than accepted industry practices (including, without limitation, the International Organization for Standardization’s standards: ISO/IEC 27001:2013 – Information Security Management Systems – Requirements and ISO-IEC 27002:2013 – Code of Practice for Information Security Controls, or American Institute of CPAs (AICPA) Service Organization Control (SOC) 2 standard) and other security measures designed to: (i) ensure the security and confidentiality of Archer Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Archer Data; and (iii) protect against any actual or suspected unauthorized processing, loss, use, disclosure or acquisition of or access to any Archer Data. Without limiting the generality of the foregoing, such measures shall include, at a minimum:
- Secure user authentication protocols. Use a multifactor authentication login solution to govern user access to Supplier information technology environment, including, without limitation, in connection with access to: (a) any VPN connections into Supplier’s corporate information technology environment (including Supplier’s e-mail system if it can be accessed from the Internet); (b) any connections into Supplier’s production information technology environment; and (c) any other software or services Supplier may use in its performance under the Applicable Agreements that may transmit, process or store Archer Data.
- Secure access control measures. To the extent that Supplier provides a SaaS solution to Archer, it must integrate with a Archer approved Single Sign On (SSO) solution, via SAML.
- Handling Archer Data. Maintain a boundary between Supplier’s corporate and production information technology environments, including, without limitation, maintaining controls gating access into the production boundary and limiting access to the production information technology environment to those individuals whose roles require such access. Supplier must provide for segregation between Archer Data and Supplier’s other customers’ data located in Supplier’s production information technology environment. Supplier must not move Archer Data out from Supplier’s corporate or production information technology environment unless Supplier receives Archer’s prior written consent. Specifically, Archer Data must not be downloaded to phones, tablets, laptops, or desktops, and must not be shared with third parties outside of Supplier’s corporate or production information technology environments.
- Secure transmission. If Supplier’s handling of Archer Data involves the transmission of Archer Data over a network, Supplier shall ensure a level of security appropriate to the risks associated with transmission and the nature of the Archer Data (e.g., personal data) including, without limitation, the use of secure, actively supported, versions of Transport Layer Security (TLS) for transport encryption.
- At-rest encryption. Encryption of Archer Data stored at rest utilizing industry standard encryption algorithms (e.g., AES).
- Secure configuration. Implementation of network, device, application, database and platform security controls consistent with industry standards (e.g., SANS Information Security Policy Templates, DSIA STIGs).
- Ongoing monitoring and response. Implementation and maintenance of continuous end-point detection and response tools and an updated anti-malware capability. Proactively monitor, detect, and alert suspicious or malicious activity within Supplier’s corporate and production information technology environments, as applicable. Supplier must also maintain an incident response program capable of responding and remediating to security incidents upon discovery.
- Software development lifecycle and change management. Implement and maintain secure software development lifecycle capability taking into account the Open Web Application Security Project best practices and formal change management procedures that consider the security impact of changes before they are made.
- Vulnerability management. A security vulnerability management program that includes regular detection and remediation of vulnerabilities in systems that transmit, process or store Archer Data. The program must include procedures to assess and mitigate vulnerabilities based upon criticality and validate remediation work.
- Vulnerability remediation. Promptly fix high and critical severity findings, including applying security patches as required, to Supplier’s corporate and production information technology environment, including, without limitation, Supplier’s servers, endpoints, and endpoint management systems. Any vulnerabilities rated ‘critical’ and ‘high’ severity not addressed within sixty (60) days of Supplier becoming aware of the vulnerability must be reported to Archer, including identifying any risks to Archer Data arising from Supplier’s inability to fix the vulnerability.
- Application and network penetration testing. At least once per year, have an independent third-party perform tests with the intent of testing Supplier’s application and network security. These tests must be performed upon: (i) any SaaS solutions Supplier is providing to Archer; (ii) all aspects of the Internet-facing perimeter of Supplier’s network infrastructure; and (iii) Supplier’s corporate and production information technology environment. Upon request, Supplier must provide Archer with information summarizing which third party performed such tests and the related scope and summary of results.
- Personnel security. Supplier must implement and maintain reasonable personnel security and integrity procedures and practices, including, without limitation, conducting background checks in accordance with applicable laws.
Security awareness. A security training and awareness program that is delivered in connection with new hire onboarding and annually thereafter.
Furthermore, to the extent that as part of performing under the Applicable Agreements, Supplier transmits, stores or processes cardholder data (as such term is defined in the Payment Card Industry Data Security Standard (“PCI DSS”)) on behalf of Archer, then, in connection therewith, Supplier must comply with the PCI DSS. Furthermore, Supplier shall perform any and all tasks, assessments, reviews, penetration tests, scans and other activities required (including any compliance guidance issued by the PCI Security Standards Council) or otherwise to validate Supplier’s compliance with the PCI DSS as it relates to the system elements and portions of the cardholder data environment (as such terms are defined in the PCI DSS) for which Supplier responsible. Upon Archer’s request, Supplier shall deliver to Archer a copy of its annual PCI Attestation of Compliance to verify such compliance.
In support hereof, from time to time, upon Archer’s reasonable request, Supplier shall promptly complete a certificate representing and warranting to Archer its ongoing compliance with the foregoing measures, as well as to furnish to Archer any information Archer reasonably determines is necessary for it to ascertain that Supplier is performing in compliance herewith.