Effective July 7, 2020
This Information Security Addendum (“ISA”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”). Capitalized terms used but not defined in this Addendum have the meanings ascribed in the Agreement.
1.1 This ISA describes the minimum information security standards that Code42 maintains to protect your Customer Data. Requirements in this ISA are in addition to any requirements in the Agreement.
1.2 Code42 follows AICPA guidelines and regularly reviews controls as described in Code42’s SOC2 audit report. For your convenience, Code42 references some of the applicable SOC2 controls in this ISA. See the SOC2 report for exact language. Code42 will provide you with a copy of the SOC2 independent auditor report upon request.
1.3 The CrashPlan for Small Business offering is not SOC2 certified, and the references to specific SOC2 controls (e.g. SOC: A-4) are not applicable.
2. Data storage
Code42 is a global enterprise, and Customers have the ability to select geographically specific Code42 data centers in which to preserve Customer file data to adhere to local or corporate policies.
3. Encryption and key management
3.1 Code42 uses industry-standard encryption techniques to encrypt Customer file data at rest and in transit (SOC: C-10).
3.2 The Code42 system is configured by default to encrypt Customer file data at the source using AES 256-bit encryption. Customer file data remains encrypted in transit and at rest, and decryption is controlled by the Customer (SOC: C-8). A copy of the archive encryption key is held in escrow in the Code42 managed keystore (SOC: C-11). Customers manage Code42 access via the administration console. If you are on a legacy implementation that enables you to disable encryption and you have done so, this section (3.2) does not apply. Encryption keys are generated using a cryptographically strong random number that complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules (SOC: C-12).
3.3 Transmitted Customer file data is MD5 checksummed at multiple points during the backup process, including after encryption at the source, to give destinations the ability to detect tampering or corruption without having the encryption keys for the original data (SOC: C-9).
4. Support and maintenance
Code42 deploys changes to the Cloud Services during scheduled maintenance windows, details of which are posted to the Code42 website prior to the scheduled period. In the event of a service interruption, Code42 posts a notification to the website describing the affected services. Code42 provides status updates, high-level information regarding upgrades, information regarding new releases, and minimum release version requirements via the Code42 website (SOC: CM-11).
5. Incident response and notification
5.1 “Incident” means a security event that compromises the confidentiality, integrity or availability of an information asset. “Breach” means an Incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party.
5.2 Code42 has an incident response plan, including a breach notification process, to assess, escalate, and respond to identified physical and cyber security incidents that impact the organization, Customers, or result in data loss. Discovered intrusions and vulnerabilities are resolved in accordance with established procedures. The incident response plan is reviewed and updated annually and more frequently as needed (SOC: OPS-4).
5.3 If there is a Breach involving your Customer Data, Code42 will (A) notify you within 24 hours of discovery of the Breach, (B) reasonably cooperate with you with respect to such Breach, and (C) take appropriate corrective action to mitigate any risks or damages involved with the Breach to protect your Customer Data from further compromise. Code42 will take any other actions that may be required by applicable law as a result of the Breach.
6. Code42 security program
6.1 Scope and Contents. Code42 maintains a written security program that (A) complies with applicable global industry recognized information security frameworks, (B) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of data and (C) is appropriate to the nature, size and complexity of Code42’s business operations.
6.2 Security Program Changes. Code42 policies, standards, and operating procedures related to confidentiality, integrity and availability are made available to personnel via the corporate intranet. Security policies and procedures are reviewed, updated (as needed), and approved at least annually to maintain their continuing relevance and accuracy. Personnel are required to review and acknowledge these policies and procedures during on-boarding and annually thereafter (SOC: ORG-2). Code42’s Code of Conduct, Diversity, Anti-harassment & Anti-discrimination Policy, and Employee Handbook are made available to personnel via the corporate intranet. They are reviewed, updated (as needed), and approved at least annually to maintain their continuing relevance and accuracy. Personnel are required to review and acknowledge these during on-boarding and annually thereafter (SOC: ORG-7).
6.3 Security Officer. The Code42 Chief Information Security Officer and security governance group develop, maintain, review, and approve Code42’s security standards and policies.
6.4 Security Training & Awareness. All Code42 personnel are required to complete security awareness training at least annually (SOC: ORG-8). Code42 conducts periodic security awareness education and communications regarding creating and maintaining a secure workplace (SOC: COM-11).
7. Risk management
7.1 A security risk assessment and management process is in place to identify and remediate potential threats to Code42. Risk ratings are assigned to all identified risks, and remediation is managed by security personnel. Executive management is kept apprised of the risk posture of the organization (SOC: RM-1).
7.2 Code42 has an insider threat risk management program to monitor, alert on and investigate threats posed by both non-malicious and malicious actors inside the organization on an ongoing basis. Identified issues are reviewed and investigated as appropriate (SOC: RM-2).
8. Access control program
8.1 Code42 assigns application and data rights based on Active Directory user security groups and roles. Security access requests are approved by the designated individual prior to provisioning (SOC: LA-1). Security groups and roles are created based on the principle of least privilege.
8.2 Code42 classifies informational assets in accordance with its data classification guideline (SOC: C-5).
9. User access management
9.1 Code42 promptly disables application, platform and network access for terminated users upon notification of termination (SOC: LA-7).
9.2 Administrator access to confidential and restricted systems, including corporate and cloud networks, is reviewed on a semiannual basis for appropriateness. Additionally, Cloud production environment administrator access, and corporate systems administrator access to select systems that provide broad privileged access, is reviewed quarterly. Any inappropriate access is removed promptly (SOC: LA-8).
9.3 Code42 uses separate administrative accounts to perform privileged functions, and accounts are restricted to authorized individuals (SOC: LA-9).
10. Password management and authentication controls
Authentication mechanisms are in place that require users to identify and authenticate to the network with their unique user ID and password. Code42 has established minimum password parameters for the corporate network via the Active Directory system (SOC: LA-2).
11. Remote access and cloud access
Remote access to the corporate network is secured through a virtual private network (VPN) solution with two-factor authentication (SOC: LA-3). Access to the cloud network requires two authentication steps; authorized users must log on to the corporate network and then authenticate using separate credentials through a secure shell (SSH) jump box server (SOC: LA-4).
12. Asset configuration and security
Endpoint Detection and Response (EDR) technology is installed and activated on all Code42 workstations to monitor for virus and malware infections. Endpoint devices are scanned in real time. Monitoring is in place to indicate when an anti-virus agent does not check in for a prolonged period of time. Issues are investigated and remediated as appropriate. Virus definition updates are pushed out to endpoint devices automatically from the EDR technology as they become available (SOC: LA-11). Code42 uses full-disk encryption on Code42 endpoints. Endpoint devices are monitored and encrypted using industry-recognized tools. IT administrators are alerted to discrepancies in security policies and settings identified by the tools (SOC: LA-12). Code42 maintains and regularly updates an inventory of corporate and cloud infrastructure assets, and systematically reconciles the asset list annually (SOC: OPS-5).
13. Threat and vulnerability management and security testing
Code42 has established a Threat and Vulnerability Management (TVM) program to monitor for vulnerabilities on an ongoing basis (SOC: RM-3). Monthly internal and external vulnerability scans are conducted using industry-recognized vulnerability scanning tools. Identified vulnerabilities are evaluated, documented in a Jira ticket, and remediated to address the associated risk(s) (SOC: RM-6). External penetration tests are conducted by an independent third party on an annual basis to detect application security vulnerabilities. Critical findings from these tests are evaluated, documented, and remediated (SOC: RM-7).
14. Logging and monitoring
Code42 continuously monitors application, infrastructure, network, data storage space and system performance (SOC: OPS-1). Code42 utilizes a security information and event management (SIEM) system. The SIEM pulls real-time security log information from servers, firewalls, routers, intrusion detection system (IDS) devices, and end-user and administrator activity. The SIEM is configured for alerts and is monitored on an ongoing basis. Logs contain details on the date, time, source, and type of events. Information and events worthy of real-time review are reviewed (SOC: OPS-2).
15. Change management
Code42 change management policies and procedures are established for requesting, testing, and approving application, infrastructure, and product-related changes. All changes receive a risk score based on risk and impact criteria. Lower-risk release changes generate automated change tickets and have various levels of approval based on risk score. High-risk-rated changes require manual change tickets to be created and are reviewed by approvers based on change type. Planned changes to the corporate and/or cloud production environments are reviewed regularly. Change documentation and approvals are maintained in a ticketing system (SOC: CM-1). Product development changes undergo various levels of review and testing based on change type, including security and code reviews, regression testing, and user acceptance testing prior to approval for deployment (SOC: CM-2). Following the successful completion of testing, changes are reviewed and approved by appropriate managers prior to implementation in production (SOC: CM-3). Dedicated environments separate from production exist for development and testing activities (SOC: CM-9).
16. Secure development
Code42 has established a Software Development Life Cycle (SDLC) methodology that governs the acquisition, development, implementation, configuration, maintenance, modification, and management of infrastructure and software components. The SDLC methodology is consistent with Code42 security, availability, processing integrity and confidentiality policies (SOC: CM-4). Prior to the final release of a new version to the production cloud environment, code is pushed through lower-tier environments for testing and certification (SOC: CM-6). Secure coding guidelines are established based on leading industry standards, updated as needed, and made available to personnel via the intranet. Developers receive secure coding training (SOC: CM-7). Code42 utilizes a version control system to maintain the integrity and security of the application source code (SOC: CM-8).
17. Network security
Network perimeter defense solutions, including an IDS and firewalls, are in place to monitor, detect, and prevent malicious network activity. Security operations personnel monitor detected items and take appropriate action (SOC: LA-15). Firewall rule changes that meet the corporate change management criteria follow the change management process and require approval by the appropriate approvers (SOC: LA-16). Code42’s corporate and Cloud networks are logically segmented by Virtual Local Area Networks (VLANs), and firewalls monitor traffic to restrict access to authorized users, systems, and services (SOC: LA-17).
18. Third party security
Code42 assesses and manages the risks associated with existing and new vendors. Code42 employs a risk-based scoring model for each vendor (SOC: MON-2). Code42 communicates security and confidentiality requirements and operational responsibilities to third parties through contractual agreements as necessary (e.g., Master Service Agreement, Non-Disclosure Agreement, Information Security Addendum, Data Processing Addendum) (SOC: COM-9). Physical security controls and assurance reports are evaluated on an annual basis for data centers. The impact of any issues identified is assessed and remediation, if necessary, is tracked (SOC: MON-3).
19. Physical security
Physical access to Code42 offices is granted based on job responsibilities and work location. Access to offices can only be approved by appropriate personnel. Physical access is removed when access is no longer required and as a component of the employee termination process (SOC: LA-22). Personnel and visitors are required to display identity badges at all times within Code42 offices. Visitor logs are maintained for personnel visiting the offices, and visitors are required to be escorted by Code42 personnel (SOC: LA-23). Badge readers control access to restricted areas within Code42 offices and data center locations. Unauthorized badge access attempts are denied and logged. Tailgating is prohibited by Code42 policy (SOC: LA-21).
20. Oversight and audit
Internal audits are aligned to Code42’s information security program and compliance requirements. Code42 conducts internal control assessments to validate that controls are operating effectively. Issues identified from assessments are documented, tracked and remediated as appropriate (SOC: MON-1). Internal controls related to security, availability, processing integrity and confidentiality are audited by an external independent auditor at least annually and in accordance with applicable regulatory and industry standards.
21. Business continuity plan
Code42 has a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) in place to manage significant disruptions to operations and infrastructure. These plans are reviewed and updated periodically and approved on an annual basis by the Chief Information Security Officer (SOC: A-5). Business continuity exercises are conducted to evaluate the tools, processes and subject matter expertise of Code42 in response to a specific incident. Summaries of the results of the exercises are documented and issues identified are tracked and followed up on for remediation (SOC: A-6).
22. Human resources security
Code42 requires personnel to sign a confidentiality agreement as a condition of employment (SOC: C-2). Code42 has a new employee hiring procedure in place to guide the hiring process, and background verification checks are completed for prospective Code42 personnel in accordance with relevant laws and regulations (SOC: ORG-5). Code42 maintains a disciplinary process to take action against personnel who do not comply with company policies, including but not limited to those put in place to meet its security, confidentiality, and availability commitments and requirements (SOC: ORG-3).