
ADDENDUM 1 TO EXHIBIT A

SUB-PROCESSING AGREEMENT

This Sub-Processing Agreement (“SPA”) forms part of Exhibit A of the Cybereason Alliance Agreement (“Agreement”) between Cybereason, Inc. (“Cybereason”), and its majority-owned subsidiaries, and _________________ (“PARTNER”). This SPA shall be effective as of the Effective Date of the Agreement.

This SPA applies to Cybereason’s Processing of Personal Data as a Sub-Processor (defined below) to PARTNER, in connection with the provision of the services under the Agreement (“Services”), as such Services relate to PARTNER’s provision of the MSSP services under its services agreement with its Customer (as defined below). This SPA applies, provided that PARTNER’s Processing of such PARTNER Personal Data on behalf of its Customer is subject to applicable European Data Protection Legislation or the CCPA (as defined below). This SPA is intended to address requirements of (i) European Data Protection Legislation, including Articles 28(3) and 28(4) of the GDPR (as defined below), and (ii) the CCPA for Service Providers. This SPA shall be effective for the term of the Agreement or until deletion or return of PARTNER Personal Data as instructed by PARTNER under this SPA, whichever is earlier.

1. Definitions

1.1. For the purposes of this SPA:

1.1.1. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations;

1.1.2. “Customer" means the customer of PARTNER and the Controller of PARTNER Personal Data;

1.1.3. “Data Security Incident” means any breach of security to Cybereason’s technical and organizational measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PARTNER Personal Data transmitted, stored or otherwise Processed by Cybereason. For clarity, Data Security Incident does not include security events detected through the Services;

1.1.4. “PARTNER Personal Data” means Personal Data submitted or made available by PARTNER to Cybereason, on behalf of PARTNER’s Customers, for the performance of Cybereason’s Services under the Agreement;

1.1.5. “Europe” means for the purposes of this SPA (i) the European Economic Area, consisting of the European Union (“EU”) Member States, Iceland, Liechtenstein and Norway; (ii) Switzerland; and (iii) the UK;

1.1.6. “European Data Protection Legislation” means all applicable legislation in Europe relating to data protection, privacy and security, including without limitation, (i) the GDPR, together with any national implementing laws in Europe; (ii) the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, together with any national implementing laws in Europe, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications; and (iii) all applicable laws in Europe relating to the interception or monitoring of communications, including emails and text messages, such as the UK Investigatory Powers Act 2016, as amended, repealed, consolidated or replaced from time to time;

1.1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

1.1.8. “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for monetary or other valuable consideration;

1.1.9. “Standard Contractual Clauses” means the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU;

1.1.10. “Sub-Processor” means the entity engaged by the Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Controller; and

1.1.11. “Controller”, “Data Subject”, “Personal Data”, “Processing”, “Processor”, “Sell” and “Service Provider” will each have the meaning given in the GDPR or CCPA. Personal Data shall also mean “Personal Information” as such term is defined in the CCPA.

1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2. Details of The Processing

2.1. Types of PARTNER Personal Data and Categories of Data Subjects. PARTNER Personal Data may relate to individuals about whom data is submitted or made available by Customer or any Customer end user through the Software Platform and Services, including IP addresses, machine names and other device identifiers, user names, location-related data, hardware and software characteristics and configurations, network traffic information, and information about device, application and online activities, the extent of which is determined by Customer (or any Customer end user) in its sole discretion.

2.2. Subject Matter, Nature and Purpose of the Processing. Cybereason may Process PARTNER Personal Data in connection with provisioning the Services to PARTNER. PARTNER Personal Data will be collected, analyzed and stored by Cybereason for purposes of providing the Services set forth in the Agreement, this SPA and any applicable Statement of Work.

2.3. Duration of the Processing. PARTNER Personal Data will be Processed for the duration of the Agreement until return or deletion, as instructed by PARTNER under Section 9 of this SPA.

3. Processing of PARTNER Personal Data

3.1. The parties acknowledge and agree that PARTNER’s Customers are the Controllers of PARTNER Personal Data, PARTNER is the Processor on behalf of the Controllers, and Cybereason is a Sub-Processor. Unless otherwise required by applicable law, Cybereason will only Process PARTNER Personal Data as a Sub-Processor on behalf of and in accordance with the Controllers’ written instructions (which are provided to Cybereason by PARTNER on behalf of the Controllers) as set out in this SPA, the Agreement, or by other written agreement of the parties. Cybereason is hereby instructed to Process PARTNER Personal Data to the extent necessary to enable Cybereason to provide the Services and performance of the Agreement, this SPA and any applicable Statement of Work, or as otherwise required by applicable law. As part of providing the Services, PARTNER agrees that Cybereason may (i) de-identify or aggregate PARTNER Personal Data and (ii) Process PARTNER Personal Data for purposes of identifying threats and malicious activity, mitigating fraud, financial loss or other harm; establishing, exercising or defending legal claims; and building, analyzing and improving Cybereason’s products, services and systems.

3.2. If Cybereason cannot Process PARTNER Personal Data in accordance with PARTNER’s instructions due to an applicable legal requirement, Cybereason will (i) promptly notify PARTNER of that legal requirement before the relevant Processing, to the extent permitted by applicable law.

3.3. PARTNER shall, in its use of the Services, Process PARTNER Personal Data in accordance with the requirements of applicable European Data Protection Legislation. PARTNER’s instructions to Cybereason for the Processing of PARTNER Personal Data shall comply with European Data Protection Legislation and the Controllers’ instructions.

3.4. In connection with the performance of this SPA and the Agreement, PARTNER authorizes Cybereason to transfer PARTNER Personal Data from Europe, if applicable, to any jurisdiction in which Cybereason or its Sub-Processors are located, including, but not limited to, the United States, Japan, Israel and to any other country that is recognized by the European Commission as providing an adequate level of protection for Personal Data. In the event the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) are replaced during the term of the DPA and Cybereason elects to certify to such replacement frameworks for the duration of this DPA, transfers of PARTNER Personal Data to the United States will be made pursuant to such replacement frameworks. For other transfers, PARTNER and Cybereason shall execute the Standard Contractual Clauses or adopt such other transfer mechanism approved under applicable European Data Protection Legislation. By signing this SPA, PARTNER hereby authorizes Cybereason to enter into the EU Standard Contractual Clauses for and on PARTNER’s or Controllers’ behalf (as exporters) with Cybereason’s own affiliates and Sub-Processors, in order to ensure an adequate level of protection to PARTNER Personal Data as required by European Data Protection Legislation. In case of any conflict between this SPA and such EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail to the extent necessary to comply with European Data Protection Legislation.

3.5. Where Cybereason receives PARTNER Personal Data as a data importer (as defined in the Standard Contractual Clauses) in a country outside Europe that is not subject to a European Commission adequacy decision, and the provision of the Services requires Cybereason to move such PARTNER Personal Data onwards to a Cybereason affiliate or Sub-Processor, Cybereason shall provide an adequate level of protection for such PARTNER Personal Data as required by European Data Protection Legislation, including by providing the same level of privacy protection for such PARTNER Personal Data as is required by an onward data transfer agreement based on Standard Contractual Clauses (or such other transfer mechanism approved under applicable European Data Protection Legislation) (“Onward Data Transfer Agreement”). By signing this DPA, PARTNER authorizes Cybereason to enter into an Onward Data Transfer Agreement, as may be required, in order to provide such level of protection as required by European Data Protection Legislation. In case of any conflict between this DPA and such Onward Data Transfer Agreement, the Onward Data Transfer Agreement shall prevail to the extent necessary to comply with European Data Protection Legislation.

3.6. For the purposes of Section 3.4 above (as applicable), the parties agree that Exhibit A and Exhibit B to this SPA shall be deemed to be Appendix 1 and 2 of the EU Standard Contractual Clauses.

3.7. Cybereason shall Process PARTNER Personal Data as a Service Provider and shall not (i) Sell PARTNER Personal Data, or (ii) retain, use or disclose PARTNER Personal Data for any purpose other than for the specific purpose of performing the services specified in the Agreement or this SPA, or as otherwise permitted by the CCPA.

4. Confidentiality

4.1. Cybereason will take reasonable steps to ensure that personnel whom Cybereason authorizes to Process PARTNER Personal Data on its behalf are subject to confidentiality obligations with respect to that PARTNER Personal Data.

5. Security Measures

5.1. Cybereason will implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to PARTNER Personal Data, including, as appropriate, the measures required by Article 32 of the GDPR. PARTNER agrees that Cybereason may implement adequate alternative security measures from time to time, provided the security level of the alternative measures is not materially decreased.

6. Sub-Processing

6.1. PARTNER hereby grants general written authorization to Cybereason to appoint Sub-Processors to perform specific Processing activities on its behalf. A list of Sub-Processors currently engaged by Cybereason in connection with the Services is attached hereto as Exhibit C (as may be updated by Cybereason from time to time in accordance with this SPA). Cybereason will inform PARTNER of any intended changes concerning the addition or replacement of its Sub-Processors and PARTNER will have an opportunity to object to such changes on objectively and reasonably justifiable grounds related to the inability of such Sub-Processors to protect PARTNER Personal Data in accordance with the relevant obligations of this SPA or European Data Protection Legislation, within fourteen (14) calendar days after being notified. If PARTNER objects, Cybereason will use reasonable efforts to find an alternative Sub-Processor to perform the specific Processing activities. If a suitable alternative Sub-Processor or other solution cannot be found, then Cybereason may terminate the relevant part of the Agreement to which the Sub-Processor’s services relate without liability to PARTNER.

6.2. Before engaging any Sub-Processor to Process PARTNER Personal Data, Cybereason will enter into a binding written agreement with the Sub-Processor that imposes on the Sub-Processor obligations that are no less protective than those imposed on Cybereason under this SPA. Where the Sub-Processor fails to fulfil its data protection obligations, Cybereason will remain fully liable to PARTNER for the performance of such Sub-Processor’s obligations.

7. Assistance

7.1. At PARTNER’s request, Cybereason shall provide PARTNER with reasonable assistance (including by appropriate technical and organizational measures) necessary for the fulfilment of PARTNER’s obligations to the Controllers with respect to:

7.1.1. responding to requests for the exercise of Data Subjects’ rights or requests;

7.1.2. keeping Personal Data secure; and

7.1.3. conducting data protection impact assessments and consultation with Data Protection Authorities by Controllers if the Controllers are required to do so under European Data Protection Legislation.

Cybereason will provide such assistance only to the extent that such assistance is strictly necessary for the fulfilment of PARTNER’s obligations to the Controllers and relates to Cybereason’s Processing of PARTNER Personal Data, taking into account the nature of the Processing and the information available to Cybereason.

7.2. PARTNER shall be responsible for any costs and expenses arising from provision by Cybereason of the assistance contemplated under this Section 7.

8. Data Security Incidents

8.1. Cybereason will notify PARTNER without undue delay after it becomes aware of any confirmed Data Security Incident. At PARTNER’s request, Cybereason will provide PARTNER with reasonable assistance necessary to enable PARTNER to comply with its data breach notification obligations under European Data Protection Legislation. PARTNER shall be responsible for any costs and expenses arising from provision by Cybereason of the assistance contemplated under this Section 8.1.

8.2. Cybereason will not assess the contents of PARTNER Personal Data in order to identify information subject to any specific legal requirements under European Data Protection Legislation or other applicable law. PARTNER and the Controllers shall be solely responsible for complying with any European Data Protection Legislation data breach notification requirements applicable to PARTNER and fulfilling any third-party notification obligations related to any Data Security Incident.

9. Deletion or Return of PARTNER Personal Data

9.1. Upon the expiration or earlier termination of the Agreement, Cybereason will delete or return, at PARTNER’s election, all PARTNER Personal Data in the possession or control of Cybereason, unless the continued retention of such PARTNER Personal Data is permitted by applicable law. PARTNER shall be responsible for all fees and expenses, charged at prevailing rates, associated with the return or deletion of PARTNER Personal Data.

9.2. Notwithstanding the foregoing, Cybereason may retain (i) PARTNER Personal Data as required by law or expressly agreed by PARTNER and (ii) PARTNER Personal Data, which is stored in accordance with regular computer back-up operations, in compliance with Cybereason’s disaster recovery and business continuity protocols. Cybereason shall not actively or intentionally Process such PARTNER Personal Data for any other purpose, unless required to do so by applicable law.

10. Information Requests

10.1. Cybereason will, at PARTNER’s request, reasonably cooperate with PARTNER to provide PARTNER with such information that is reasonably necessary to enable PARTNER to demonstrate compliance with the obligations set forth in this SPA and allow for and contribute to audits, including inspections, conducted by PARTNER or a qualified independent third-party assessor who is reasonably acceptable to Cybereason and bound by confidentiality obligations satisfactory to Cybereason, to the extent that such information is within Cybereason’s control and Cybereason is not precluded from disclosing it by applicable law, a duty of confidentiality, a legal privilege or protection, or any other obligation owed to a third party. Audits and inspections shall be conducted no more than once per year, during the term of the Agreement, during regular business hours, and shall be subject to (i) a written request submitted to Cybereason at least forty-five (45) days in advance of the proposed audit date; (ii) a detailed written audit plan, and scope reviewed and approved by Cybereason, which is only to involve information of relevance to PARTNER Personal Data; and (iii) Cybereason’s on-site security policies. Such audits will take place only in the presence of a designated representative of Cybereason. The audits shall not be performed by a competitor of Cybereason, or be permitted to disrupt Cybereason’s Processing activities or compromise the security and confidentiality of Personal Data pertaining to other Cybereason clients. Cybereason may charge PARTNER a reasonable fee for such audit.

10.2. Cybereason will inform PARTNER if, in its opinion, an instruction from PARTNER infringes European Data Protection Legislation. PARTNER acknowledges that Cybereason is under no obligation to perform a detailed legal examination with respect to the compliance of PARTNER’s instructions with European Data Protection Legislation.

11. Limitation of Liability

11.1. PARTNER acknowledges that Cybereason is reliant on PARTNER for direction as to the extent to which Cybereason is entitled to Process PARTNER Personal Data on behalf of PARTNER in performance of the Services. Consequently, Cybereason will not be liable under the Agreement or this SPA for any losses arising from a claim brought by a Data Subject, or other third party, arising from any action or omission by Cybereason, to the extent that such action or omission resulted from PARTNER’s (or any Controller’s) instructions or from PARTNER’s failure to comply with its obligations under European Data Protection Legislation or any agreement with the Controllers.

11.2. Notwithstanding any provisions to the contrary included in this SPA, each party’s liability towards the other party under or in connection with this SPA will be limited in accordance with the provisions of the Agreement.

Exhibit A - Appendix 1 to the Standard Contractual Clauses

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter is PARTNER’s customer, who is the Controller.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

The data importer is PARTNER as Processor and/or Cybereason (and its Sub-Processors) as sub-processors.

Data subjects

The Personal Data transferred concern the following categories of data subjects:

Data subjects are defined in the SPA (see Section 2).

Categories of data

The personal data transferred concern the following categories of data:

Categories of Personal Data are defined in the SPA (see Section 2).

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

None.

Processing operations

The Processing activities defined in the SPA (see Section 2) and in the Agreement.

Exhibit B - Appendix 2 to the Standard Contractual Clauses / Onward Data Transfer Agreement

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Contents

1. Introduction
2. Cybereason Security Processes and Policies
   2.1 Risk Management
   2.2 Access Management
   2.3 Change Management
   2.4 DR
   2.5 Audit and Compliance
3. Cybereason Infrastructure Security
   3.1 Production Environment
   3.2 Corporate Environment
4. Cybereason Application Security
   4.1 SDLC
   4.2 Application Penetration Tests
5. Cybereason Security Monitoring
   5.1 Events Management
   5.2 Vulnerability Management
   5.3 Incident Response
6. Physical Security
   6.1 Production Environment
   6.2 Corporate Environment

1. Introduction

Cybereason is a cyber-security SaaS company. As such, the security of its assets and of its customers is of the highest importance. Cybereason conducts a continuous risk assessment process, which is the basis for all security-related decisions and work plans.

This document describes Cybereason’s security posture in its various aspects. It is a high-level description and does not go into technical details. It covers the security aspects of Cybereason’s technical architecture and the processes around it; other aspects of security are not described in this document.

2. Cybereason Security Processes and Policies

2.1 Risk Management

Cybereason’s security domain is managed by the VP of Information Security. The security posture is constantly being assessed and reviewed according to a risk assessment process, examining the threats and exposures resulting from business conditions and technical changes.

Cybereason has a security policy structure based on the ISO-27001 structure. The policies are communicated to employees regularly.

2.2 Access Management

Access configuration in Cybereason follows a role-based approach, where access is granted to roles and positions rather than to individuals. Onboarding or offboarding an employee to or from a role immediately triggers an access change process. Access changes for departing employees are completed within 24 hours of notification. Access rights are reviewed at least annually.

The access management flow requires proper authorization and a business justification, and is documented.

Access is granted on a need-to-know basis and according to the principle of least privilege.

Access management uses unique named accounts; shared accounts are avoided.

Password policy and lockout policy are enforced on each system.

Administrative access and remote access always require two-factor authentication.

2.3 Change Management

Change management in Cybereason is done according to a documented and strict process, where every change is reviewed and assessed from various aspects. If approved, a plan is formed that includes impact analysis, rollback plan, and a maintenance window.

2.4 DR

Cybereason has a DR process based on AWS features. The process allows an RTO of at most 4 hours and an RPO of 0 (that is, no data loss).

2.5 Audit and Compliance

Cybereason is audited by external auditors to comply with ISO-27001 security standard.

Cybereason is also audited regularly in a SOC-2 audit process by Ernst and Young.

3. Cybereason Infrastructure Security

3.1 Production Environment

Cybereason’s production environment is hosted on AWS cloud. The environment is built within a virtual private cloud (VPC).

The network within the VPC is segmented. Each customer has its own segment, hosting its dedicated servers.

Traffic between segments and to/from the internet is filtered by AWS Security Groups. The rules are managed strictly according to an Access Management flow, and are reviewed regularly.

Connectivity into the VPC is done over a site-to-site VPN.

Cybereason uses AWS Shield for DDoS protection on sensitive components.

[Diagram: the production environment and its network security controls. The image is not reproduced in this text.]

All servers within the production environment are hardened according to CIS hardening standards.

The servers are patched regularly. Critical and High severity security patches are deployed as soon as possible; all other patches are placed on the maintenance schedule. Patches are tested before being deployed to production.

A Cybereason sensor is installed on each server. The sensor reports to an internal instance of Cybereason, monitored by the internal security team.

Cybereason’s configuration management tools regularly confirm and enforce the configuration setup on the servers, overriding any local change that may have been made on them.

All communication between Cybereason components is encrypted and is based on authentication.

Data at rest is encrypted per customer request, using AWS volume encryption features.

Key management is done according to Cybereason’s policies.

3.2 Corporate Environment

Cybereason’s corporate environment is built by the same standards as the production environment.

The corporate network is segmented, separating user groups and server groups according to level of sensitivity and access needs.

Workstations and servers within the corporate environment are patched regularly and are configured according to Cybereason’s security flows.

Security measures that include a Cybereason sensor, AV, personal firewall and HIPS are installed on each of the workstations and servers, and are managed centrally.

4. Cybereason Application Security

4.1 SDLC

Cybereason’s SDLC process includes the security team as a stakeholder.

The security team is involved in all R&D plans, across the phases of the SDLC: setting requirements, design, review of coding procedures, and testing.

The guidelines followed at Cybereason are based on OWASP guides.

Code review is done as a peer-review and is part of the development process, and a mandatory requirement for uploading code to the code repository.

4.2 Application Penetration Tests

Cybereason performs an independent application penetration test at least annually. Its findings are remediated according to severity where High and Critical findings are remediated immediately.

Cybereason performs internal testing on an ongoing basis on relevant features and scenarios.

5. Cybereason Security Monitoring

5.1 Events Management

Cybereason uses a SIEM system for security monitoring. All security-related audit logs are sent to, or pulled by, the SIEM system on an ongoing basis. The SIEM is configured to trigger alerts and create reports based on defined scenarios and suspicious indications.

5.2 Vulnerability Management

Cybereason runs regular vulnerability scans on its network ranges. The findings are analyzed and put into a remediation plan.

5.3 Incident Response

Cybereason has an Incident Response process in place. The process includes remediation of the incident, investigation of the root cause and mitigating its exposure, and a structured communication model for incident handling.

6. Physical Security

6.1 Production Environment

Cybereason’s production environment is hosted on AWS cloud. AWS data centers are managed according to physical security best practices and are audited to comply with most common security standards (e.g. PCI DSS, HIPAA, ISO 27001 etc.).

6.2 Corporate Environment

Cybereason’s offices are managed according to physical security best practices. Access to the office requires a named badge. Outside business hours, a personal code is also required in addition to the badge.

A CCTV setup covers all sensitive areas and provides full traceability within the office space.

An alarm system alerts on any movement or unauthorized entrance to the office outside business hours.

Cybereason offices are located in secure buildings with a guard stationed 24/7 at the building entrance.

Exhibit C - List of Sub-Processors

Sub-Processor | Type of Processing
Amazon Web Services (AWS) | Cloud infrastructure provider
Google LLC (Google Cloud) | Cloud infrastructure provider
Wandera, Inc. | Mobile security system solution provider (to the extent purchased by Customer)