Vendor Information Security Terms between the Registrant and Flextronics Telecom Systems Ltd. dated July 30, 2021
VENDOR INFORMATION SECURITY TERMS
These Information Security Terms (“Terms”) are made and entered into as of the later date of execution (“Effective Date”) by and between:
Flextronics Telecom Systems Ltd. (“Vendor”)
Suite 402, St. James Court, St. Dennis Street, Port Louis Mauritius
If Company is located in the Americas:
Palo Alto Networks, Inc.,
3000 Tannery Way, Santa Clara
California 95054, United States
If Company is located in any other country:
Palo Alto Networks (Netherlands) B.V.
De Entrée 99-197, Oval Tower, 5th Floor
1101 HE Amsterdam, the Netherlands
(collectively, "Palo Alto Networks")
Palo Alto Networks and Company may also be referred to herein individually as a “Party” or collectively as the “Parties” throughout this Agreement.
IN WITNESS WHEREOF, Parties hereto have caused their respective authorized representatives to execute this Agreement as of the Effective Date.
| Palo Alto Networks (to be completed by Palo Alto Networks) | Company |
|---|---|
| ☒ Palo Alto Networks, Inc. / □ Palo Alto Networks (Netherlands) B.V. | Flextronics Telecom Systems Ltd |
| Signed: /s/ Vonnie French | Signed: /s/ B. Vijayandran A/L S. Balasingam |
| Print Name: Vonnie French | Print Name: B. Vijayandran A/L S. Balasingam |
| Title: SVP, Worldwide Operations | Title: DIRECTOR |
| Date: 2021-07-23 | Date: June 30, 2021 |
Vendor Information Security Terms – 2019MAR211111 page 1 of 7
a.“Agreement(s)” shall mean the commercial agreement between Palo Alto Networks and the Vendor that outlines the commercial terms applicable to the services pursuant to which the Protected Information shall be processed. This could be, amongst others, a Professional Services Agreement or a Software-as-a-Service Agreement.
b.“Data Protection Law(s)” shall mean all applicable privacy and security laws, including but not limited to (i) domestic and international data privacy and data protection legislation; (ii) security and breach notification laws; (iii) generally accepted privacy and security industry standards; and (iv) the European Union General Data Protection Regulation (“GDPR”).
c.“Encryption” means encryption that is based on industry-tested, accepted and uncompromised algorithms that meet at least the NIST standards for encryption algorithms, as updated.
d.“Personal Data” shall mean any information related to any identified or identifiable natural person, such as Palo Alto Networks personnel, customers, subcontractors, partners or any other third party (including third parties’ personnel) (“Individuals”), that Vendor has received or collected for processing pursuant to the Agreement(s). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such information includes, without limit, names, contact information, e-mail addresses, and other categories of information as agreed upon for each service.
e.“Protected Information” shall mean information that Palo Alto Networks provides to Vendor during the course of the Agreement, including Personal Information, Confidential Information as defined in the Agreement, and other material data, financial affairs, customer information, product information, intellectual property, trade secrets or proprietary information.
f. “Security Incident” shall mean: (i) the loss, misuse or breach, by any means, of Protected Information; (ii) the inadvertent, unauthorized, and/or unlawful Processing of any Protected Information that compromises its security, confidentiality, or integrity.
a.Vendor must maintain a written information security program that:
i.is managed by a senior employee responsible for overseeing and implementing the program;
ii.includes appropriate technical and organizational security measures reasonably designed to protect Protected Information against unauthorized or unlawful processing and against accidental loss or destruction, or damage; and
iii.is appropriate to the nature, size, and complexity of Vendor’s business operations.
b.Vendor must only process Protected Information in accordance with the Agreement for the purpose of meeting its obligations under the Agreement.
c.Vendor must, at all times, have in place appropriate technical and organizational security measures so that Protected Information is protected against unauthorized or unlawful processing and against accidental loss or destruction, or damage.
d.Vendor shall conduct a risk assessment periodically, and will promptly implement, at its sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the assessment or of any scanning, vulnerability or penetration testing. Vendor shall perform at least:
i.quarterly vulnerability scans
ii.annual penetration tests.
a.Vendor must take reasonable steps to ensure the reliability of any of its employees who process Protected Information.
b.Vendor must ensure that all of its employees are informed of the confidential nature of Protected Information and are aware both of the Vendor’s obligations and their personal duties and obligations under the Agreement and under applicable laws.
c.Vendor must inform employees that failure to meet their responsibilities for processing Protected Information may result in disciplinary action.
d.Vendor shall remain legally responsible for obligations which are performed by employees and for the acts or omissions of employees as if they were acts or omissions of the Vendor.
a.Vendor may engage agents or sub-contractors to provide the services or any material part of the services or to process any Protected Information with written notification to the Palo Alto Networks Contact identified above.
b.Vendor must ensure all agents or sub-contractors provide sufficient guarantees in respect of technical and organizational measures governing the processing of Protected Information and must take reasonable steps to ensure agents or sub-contractors comply with those measures.
c.Vendor must ensure any written contract it has with an agent or sub-contractor requires them to act on its instructions only and imposes obligations upon them to observe the confidentiality and security of Protected Information they may be required to process.
d.Vendor must ensure that all agents or sub-contractors meet, as a minimum, all requirements detailed in this document.
e.Vendor will remain responsible for obligations which are performed by agents or sub-contractors and for the acts or omissions of agents and sub-contractors as if they were acts or omissions of the Vendor.
5.Controlling Access to Data
a.Vendor must ensure that only its employees who may be required by the Vendor to assist it in meeting its obligations under the Agreement will have access to Protected Information.
b.Vendor must enforce the principle of least privilege (i.e. each individual is only given the minimum access capabilities necessary to meet business requirements) when providing employees with access to systems containing Protected Information.
c.Vendor must ensure only its system administrators have privileges to create access accounts to systems containing Protected Information.
d.Access to systems containing Protected Information must be controlled by a secure log-on procedure. Users must not share names, accounts or passwords.
e.Vendor must ensure that each user accessing systems containing Protected Information is uniquely identifiable.
f.Vendor must ensure that employees accessing Protected Information remotely are authenticated using two-factor authentication mechanisms via a secure connection.
g.Access to Protected Information, including user accounts and passwords, must be revoked immediately when no longer required.
h.Vendor must maintain reasonable information details of all employees with access to Protected Information. Vendor must perform regular reviews of user access to Protected Information (e.g. at least every 6 months and promptly after any changes such as promotion, demotion or termination of employment).
i.Vendor must keep security event logs on systems storing, processing or transmitting Protected Information to permit tracking of system activity (e.g. date, who, where). Security event logs must be retained for a minimum period of 365 days and reviewed regularly for unauthorized or unlawful activity.
j.Vendor must ensure that appropriate physical access controls are in place where Protected Information is stored.
k.Access shall not be granted in public areas and output such as printouts shall be to areas where only those organization staff who are authorized to access the Protected Information can reach it.
6.Storing Protected Information
a.Vendor must ensure Protected Information in its information systems is logically segregated from other clients’ data using appropriate access control mechanisms.
b.Electronic and paper records containing Protected Information must be stored in a locked room or area where access is controlled.
i.Personal Information should not be stored on external hard drives or removable media (e.g. USB thumb drives, CDs or DVDs) without providing notification to the Palo Alto Networks Contact. Backups may be taken if this provides no more access than when the information is within the computer system. Backup media must be subject to secure storage. Additional controls such as Encryption shall be used.
c.Protected Information stored by Vendor must be secured using Encryption.
d.Vendor must ensure appropriate anti-virus/anti-malware detection software is implemented across all information systems processing Protected Information in its organization. Vendor must also ensure the anti-virus/anti-malware software is up-to-date using the most recent virus and malware signatures and definitions.
7.Transferring Protected Information
a.Vendor must not disclose Protected Information to a third party in any circumstances other than as specified in the Agreement or at the specific written request of the Palo Alto Networks Contact.
b.Subject to Vendor’s disaster recovery and business continuity obligation under 1.10 (Backup and Disaster Recovery), Vendor must not under any circumstances transfer, use or process Personal Information to the extent it is subject to GDPR, outside the European Economic Area unless authorized in writing to do so by the Palo Alto Networks Contact.
c.In relation to transfers of Protected Information to and from Palo Alto Networks and any agent or sub-contractor:
i.All electronic transfers of Protected Information must be secured using Encryption. Protected Information shall not be sent in the clear over unencrypted connections.
ii.When transferring Protected Information on paper, the document must be labelled Palo Alto Networks Confidential and sent by secure mail courier using double-wrapped envelopes, sealed in a way that tampering with the seal is immediately evident.
iii.When transferring Protected Information using removable media (e.g. CD, memory stick, external hard drives) all media must be labelled ‘Palo Alto Networks Confidential’, must be secured using appropriate Encryption and sent using double-wrapped envelopes, sealed in a way that tampering with the seal is immediately evident.
iv.If Vendor uses a secure mail courier for transferring Protected Information it must ensure the courier only delivers the envelope to a specified contact after examination of an original and valid photographic identity document (e.g. Palo Alto Networks issued pass, driving license or passport). Following delivery, a signature must be obtained as confirmation of receipt. If the specified recipient is not available, then delivery must be delayed or if delivery cannot be completed then the envelope must be returned unopened.
v.Vendor must always seek the Palo Alto Networks Contact’s written permission before transferring Protected Information that does not meet the above criteria.
vi.The chain of custody for Palo Alto Networks Information shall be clearly defined and tracked via formal handovers including signatures for acceptance.
vii.Vendor must maintain, for the duration of the Agreement and then for as long as is required by law, complete and accurate records of all transfers of Personal Information in connection with the Agreement.
8.Deletion or Return of Protected Information
a.Upon termination or expiration of the Agreement or at any time per Palo Alto Networks’ written request, Vendor shall: (i) return to Palo Alto Networks all data, including but not limited to, all paper and electronic files, materials, documentation, notes, plans, drawings, and all copies thereof, and ensure that all electronic copies of such Protected Information are deleted from Vendor’s (and where applicable, its subcontractors’) systems; or (ii) if requested by Palo Alto Networks in writing, destroy, delete and render unrecoverable (in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization) from Vendor’s systems (and where applicable, its subcontractors’) all Protected Information. Where possible, secure destruction shall be verified by a second authorized individual. Vendor shall certify in writing within thirty (30) days of Palo Alto Networks’ request for destruction that these actions have been completed.
a.Vendor must ensure incident management procedures are in place throughout its organization and they are communicated to all staff, and incidents are logged.
b.Any Security Incident where Palo Alto Networks Protected Information has been compromised shall be reported to Vendor’s management immediately and flagged as a Security Incident. Such incidents will be recorded and investigated in accordance with Vendor’s security incident management procedures.
c.Vendor must notify without undue delay the Palo Alto Networks Contact of any confirmed Security Incident. Vendor must provide Palo Alto Networks with all reasonable information, data and documentation relating to the Security Incident. Vendor shall immediately take all commercially reasonable measures to mitigate the harmful effects of the Security Incident and/or to prevent such Security Incident from reoccurring.
d.Vendor must immediately notify the Palo Alto Networks Contact of:
i.Any request for disclosure of Protected Information by a law enforcement authority or any notice or communication from any supervisory or government body which relates directly or indirectly to the processing of Protected Information received by the Vendor;
ii.Any complaint, notice or communication which relates directly or indirectly to the processing of Protected Information or to either party’s compliance with any Data Protection Laws; and/or
iii.Any subject access request by an individual concerning his or her Personal Data and must provide Palo Alto Networks with full co-operation and assistance in relation to any such request, complaint, notice or communication and shall not respond unless Palo Alto Networks has instructed the Vendor to do so or as provided in the Agreement.
10.Backup and Disaster Recovery
a.Vendor must maintain a disaster recovery and business continuity plan defining how Protected Information will be recovered from backup tapes and offsite information systems, and how the business will continue operating during the recovery period.
b.Vendor must perform regular encrypted backups of Protected Information processed on its information systems. The regularity of backup will depend on the type, volume and frequency of change of Protected Information processed by Vendor and agreed with the Palo Alto Networks Contact.
a.Vendor must maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Protected Information. Vendor must employ documented secure programming guidelines, standards, and protocols in the development of applications that process or store any Protected Information.
b.Vendor must have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all applications that store or process Protected Information.
c.Vendor must use a threat model methodology to identify the key risks to the important assets and functions provided by all applications that store or process Protected Information, conduct an analysis of the most common programming errors, and document in writing that they have been mitigated.
d.Vendor will patch all workstations and servers with all current operating system, database and application patches deployed in Vendor’s computing environment according to a schedule predicated on the criticality of the patch. Vendor must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched.
e.Vendor will employ an effective, documented change management program with respect to the Services as an integral part of its security profile. This includes logically or physically separate environments from production for all development and testing. Vendor shall not use Protected Information in development or testing environments, unless the Protected Information has been sufficiently sanitized such that it does not pose a risk of a Security Incident.
f.Vendor must notify the Palo Alto Networks contact upon system changes that result in a material reduction of security and work with Vendor in good faith to resolve such gaps.
a.Vendor must ensure that all of its employees who process Protected Information are trained in Data Protection Laws and in the manner of dealing with Protected Information.
b.Vendor will conduct information security awareness training for all employees involved in the delivery of service. This should ensure that everyone involved is aware of the need to protect Palo Alto Networks information assets and the associated policies and procedures. Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses.
a.Vendor will perform annual audits at Vendor’s chosen locations in line with Vendor’s existing corporate IT and data security policy. Upon request from Palo Alto Networks, Vendor will select an independent qualified third-party auditor to conduct, at Vendor’s expense, at least annual audits of the security of its data centers, its computers, and its computing environments used to process Protected Information.
b.Each audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or security framework (e.g. SOC 2). Audit reports generated by such audits will be Vendor’s confidential information and will contain material findings by the auditor. At Palo Alto Networks’ request and under non-disclosure agreement, Vendor will provide the audit report so that Palo Alto Networks can verify Vendor’s compliance with the adopted security framework.
c.Upon request from Palo Alto Networks, but not more than once during each 12-month period unless preceded by a Security Incident, Vendor shall complete a Palo Alto Networks provided information security program questionnaire (“Security Review”). Vendor agrees to fully cooperate with such Security Review and implement all commercially reasonable changes to its information security program, that as a result of the Security Review, are required to ensure Vendor’s compliance with this Exhibit, at Vendor’s sole cost and expense.
d.Vendor acknowledges and agrees that Palo Alto Networks or a Palo Alto Networks-appointed third party (collectively, “Monitor”) has the right, for the purposes of verifying compliance with the requirements of these Terms, to review the terms, records and/or facilities of Vendor and Vendor’s subcontractors or affiliates that provide goods and/or services related to or involving the processing, transport or storage of Palo Alto Networks Information. Palo Alto Networks will announce its intent to review Vendor in accordance with these Terms by providing at least five (5) business days’ notice to Vendor. Vendor will provide Monitor with access to its site, systems and records as reasonably necessary to assess compliance with the requirements of these Terms. At Palo Alto Networks’ reasonable request, Vendor will provide Monitor with a personal site guide while on-site. Vendor will make available to Monitor, for in-person or phone interviews, any Vendor employees and/or contractors for provision of information and cooperation related to the verification hereunder. Such verification will be at Palo Alto Networks’ expense, unless it reveals material non-compliance with the requirements of these Terms, in which case it will be borne by Vendor.
14.Termination and Survival
a.These Terms shall be effective as of their Effective Date and continue until terminated by Palo Alto Networks.
b.Vendor shall cease to process Protected Information upon the termination or expiration of the Agreement.
c.The provisions in these Terms relating to the protection of Protected Information shall survive termination of the Agreement or these Terms and remain in effect for as long as Vendor has Protected Information.