How We Protect Your Service Data (Enterprise Services)
The Buildworks Group is committed to providing a robust and comprehensive security program for Enterprise Services, including the security measures set forth in these Supplemental Terms (“Enterprise Security Measures”). During the Subscription Term, these Enterprise Security Measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as We deem reasonably necessary.
Enterprise Security Measures Utilized by Us
We will abide by these Enterprise Security Measures to protect Service Data as is reasonably necessary to provide the Enterprise Services:
1. Security Policies and Personnel. We have and will maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is and will be reviewed on a regular basis to provide for continued effectiveness and accuracy. We have, and will maintain, a full-time information security team responsible for monitoring and reviewing security infrastructure for Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
2. Data Transmission. We will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of Service Data. These safeguards include encryption of Service Data at rest and in transmission with Our user interfaces or APIs (using TLS or similar technologies) over the internet, except for any Non-Buildworks Service that does not support encryption, which You may link to through the Enterprise Services at Your election.
3. Audits and Certifications. Upon Subscriber’s request, and subject to the confidentiality obligations set forth in this Agreement, Buildworks shall make available to Subscriber that is not a competitor of Buildworks (or Subscriber’s independent, third-party auditor that is not a competitor of Buildworks) information regarding Buildworks’s compliance with the obligations set forth in this Agreement in the form of Buildworks’s ISO 27001 certification and/or SOC 2 (under appropriate non-disclosure protections), or SOC 3 reports.
4. Incident Response. We have an incident management process for security events that may affect the confidentiality, integrity, or availability of Our systems or data that includes a response time under which Buildworks will contact its subscribers upon verification of a security incident that affects Your Service Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes 24×7 centralized monitoring systems and on-call staffing to respond to service incidents. Unless ordered otherwise by law enforcement or government agency, You will be notified within seventy-two (72) hours of a Service Data Breach. “Service Data Breach” means an unauthorized access or improper disclosure that has been verified to have affected Your Service Data.
5. Access Control and Privilege Management. We restrict administrative access to production systems to approved personnel. We require such personnel to have unique IDs and associated cryptographic keys. These keys are used to authenticate and identify each person’s activities on Our systems, including access to Service Data. Upon hire, Our approved personnel are assigned unique keys. Upon termination of personnel, or where compromise of such key is suspected, these keys are revoked. Access rights and levels are based on Our employees’ job function and role, using the concepts of least privilege and need-to-know to match access privileges to defined responsibilities.
6. Network Management and Security. The Sub-Processors utilized by Us for hosting services maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. Our security team utilizes industry standard utilities to provide defense against known common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular external vulnerability scans and audits.
7. Data Center Environment and Physical Security. The Sub-Processors’ environments which are utilized by Us for hosting services in connection with Our provision of the Enterprise Services employ the following security measures:
A security organization responsible for physical security functions 24x7x365.
Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.
N+1 uninterruptible power supply and HVAC systems, backup power generator architecture and advanced fire suppression.
Technical and Organizational Enterprise Security Measures for Third-Party Service Providers Who Process Service Data
These terms were last updated on November 8, 2020.