Information Security Addendum

Effective July 27, 2022

This Information Security Addendum (“ISA”) applies whenever it is incorporated by reference into the Master Services Agreement between you and CrashPlan (“Agreement”). Capitalized terms used but not defined in this ISA have the meanings ascribed in the Agreement.

1. Purpose

1.1. This ISA describes the minimum information security standards that CrashPlan maintains to protect your Customer Data. Requirements in this ISA are in addition to any requirements in the Agreement.

1.2. CrashPlan follows AICPA guidelines and regularly reviews controls as described in CrashPlan’s SOC2 independent auditor report (“SOC2 Report”). For your convenience, CrashPlan references some of the applicable SOC2 controls in this ISA. See the SOC2 Report for exact language. CrashPlan will provide you with a copy of the SOC2 Report upon request.

1.3. The CrashPlan for Small Business Offering is not SOC2 certified, and the references to specific SOC2 controls (e.g. SOC: A-4) are not applicable.

2. Encryption and key management

2.1. CrashPlan uses industry-standard encryption techniques to encrypt Customer Data at rest and in transit (SOC: C-10).

2.2. The CrashPlan system is configured by default to encrypt your files at the source using AES 256-bit encryption (SOC: C-8). All connections are authenticated and encrypted using industry standard encryption technology (SOC: C-11).

2.3. Transmitted Customer Data is check-summed at the destination during the collection process. (SOC: C-9)

3. Support and maintenance

CrashPlan deploys changes to the Cloud Services during scheduled maintenance windows, details of which are posted to the CrashPlan website prior to the scheduled period. In the event of a service interruption, CrashPlan posts a notification to the website describing the affected services. CrashPlan provides status updates, high level information regarding upgrades, new release availability, and minimum release version requirements via the CrashPlan website (SOC: CM-11).

4. Incident response and notification

4.1. “Incident” means a security event that compromises the confidentiality, integrity or availability of a CrashPlan information asset. “Breach” means an Incident that results in the confirmed disclosure, not just potential exposure, of Customer Data to an unauthorized party.

4.2. CrashPlan has an incident response plan, including a breach notification process, to assess, escalate, and respond to identified physical and cyber security Incidents that impact the organization, customers, or result in data loss. Discovered intrusions and vulnerabilities are resolved in accordance with established procedures. The incident response plan is reviewed and updated annually and more frequently as needed (SOC: OPS-4).

4.3. If there is a Breach involving your Customer Data, CrashPlan will (A) notify you within 24 hours of discovery of the Breach, (B) reasonably cooperate with you with respect to such Breach, and (C) take appropriate corrective action to mitigate any risks or damages involved with the Breach to protect your Customer Data from further compromise. CrashPlan will take any other actions that may be required by applicable law as a result of the Breach.

5. CrashPlan security program

5.1. Scope and Contents. CrashPlan maintains a written security program that (A) complies with applicable global industry recognized information security frameworks, (B) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data and (C) is appropriate to the nature, size and complexity of CrashPlan’s business operations.

5.2. Security Program Changes. CrashPlan policies (including the CrashPlan Code of Conduct), standards, and operating procedures related to security, confidentiality, integrity and availability are made available to all CrashPlan personnel via the corporate intranet. Security policies are reviewed, updated (as needed), and approved at least annually to maintain their continuing relevance and accuracy. CrashPlan personnel are required to review and acknowledge Security policies during on-boarding and annually thereafter (SOC: ORG-2).

5.3. Security Officer. The CrashPlan Chief Information Security Officer and security governance group develop, maintain, review and approve CrashPlan Security Policies.

5.4. Security Training & Awareness. All CrashPlan personnel are required to complete security awareness training at least annually (SOC: ORG-8). CrashPlan conducts periodic security awareness education to give personnel direction for creating and maintaining a secure workplace (SOC: COM-11).

6. Risk management

6.1. CrashPlan has a security risk assessment and management process to identify and remediate potential threats to CrashPlan. Risk ratings are assigned to all identified risks, and remediation is managed by security personnel (SOC: RM-1). Executive management is kept apprised of the risk posture of the organization.

6.2. CrashPlan has an established insider threat risk management program to monitor, alert and investigate threats posed by both non-malicious and malicious actors inside the organization on an on-going basis. Identified issues are reviewed and investigated as appropriate (SOC: RM-2).

7. Access control program

7.1. CrashPlan assigns application and data rights based on security groups and roles, which are created based on the principle of least privilege. Security access requests are approved by the designated individual prior to provisioning access (SOC: LA-1).

7.2. CrashPlan classifies informational assets in accordance with the CrashPlan data classification guideline (SOC: C-5).

8. User access management

8.1. Access to CrashPlan systems and networks is disabled promptly upon notification of termination. (SOC: LA-7).

8.2. CrashPlan reviews administrator access to confidential and restricted systems, including corporate and cloud networks, on a semiannual basis. CrashPlan reviews administrator access to the cloud production environment and to select corporate systems that provide broad privileged access on a quarterly basis. Any inappropriate access is removed promptly (SOC: LA-8).

8.3. CrashPlan uses separate administrative accounts to perform privileged functions, and accounts are restricted to authorized personnel (SOC: LA-9).

9. Password management and authentication controls

Authentication mechanisms require users to identify and authenticate to the corporate network with their unique user ID and password. CrashPlan requires minimum password parameters for the corporate network via a directory service system (SOC: LA-2).

10. Remote access and cloud access

Remote access to the corporate network is secured through a virtual private network (VPN) solution with two-factor authentication (SOC: LA-3). Access to the cloud network requires two authentication steps; authorized users must log on to the corporate network and then authenticate using separate credentials through a jump box server (SOC: LA-4).

11. Asset configuration and security

Endpoint detection and response (EDR) technology is installed and activated on all CrashPlan endpoints to monitor for virus and malware infections. Endpoint devices are scanned in real-time. Monitoring is in place to indicate when an anti-virus agent does not check in for prolonged periods of time. Issues are investigated and remediated as appropriate. Virus definition updates are automatically pushed out to endpoint devices from the EDR technology as they become available. (SOC: LA-11). CrashPlan uses full-disk encryption on endpoint devices. Endpoint devices are monitored and encrypted using industry recognized tools. CrashPlan has tools to identify and alert IT administrators of discrepancies between CrashPlan security policies and a user’s endpoint settings (SOC: LA-12). CrashPlan maintains and regularly updates an inventory of corporate and cloud infrastructure assets and systematically reconciles the asset inventory annually (SOC: OPS-5).

12. Threat and vulnerability management and security testing

CrashPlan’s Threat and Vulnerability Management (TVM) program monitors for vulnerabilities on an on-going basis (SOC: RM-3). CrashPlan conducts monthly internal and external vulnerability scans using industry-recognized vulnerability scanning tools. Identified vulnerabilities are evaluated, documented and remediated to address the associated risk(s). (SOC: RM-6). External penetration tests are conducted annually by an independent third party. Significant findings from these tests are evaluated, documented and remediated (SOC: RM-7).

13. Logging and monitoring

CrashPlan continuously monitors application, infrastructure, network, data storage space and system performance (SOC: OPS-1). CrashPlan utilizes a security information event monitoring (SIEM) system. The SIEM pulls real-time security log information from servers, firewalls, routers, intrusion detection system (IDS) devices, end users and administrator activity. The SIEM is configured for alerts and is monitored on an ongoing basis. Logs contain details on the date, time, source, and type of events. CrashPlan reviews this information and works events worthy of real-time review. SOC: OPS-2).

14. Change management

CrashPlan has change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes. All changes receive a risk score based on risk and impact criteria. Low risk changes generate automated change tickets and have various levels of approval based on risk score. High risk changes require manual change tickets to be created and are reviewed by approvers based on change type. Planned changes to the corporate or cloud production environments are reviewed regularly. Change documentation and approvals are maintained in a ticketing system (SOC: CM-1). Product development changes undergo various levels of review and testing based on change type, including security and code reviews, regression and user acceptance testing prior to approval for deployment (SOC: CM-2). Following the successful completion of testing, changes are reviewed and approved by appropriate managers prior to implementation to production (SOC: CM-3). CrashPlan uses dedicated environments separate from production for development and testing activities. Access to move code into production is limited and restricted to authorized personnel. (SOC: CM-9).

15. Secure development

CrashPlan has a software development life cycle (SDLC) process, consistent with CrashPlan security policies, that governs the acquisition, development, implementation, configuration, maintenance, modification and management of CrashPlan infrastructure and software components (SOC: CM-4). Prior to the final release of a new CrashPlan system version to the production cloud environment, code is pushed through lower tier environments for testing and certification (SOC: CM-6). CrashPlan follows secure coding guidelines based on leading industry standards. These guidelines are updated as needed and available to personnel via the corporate intranet. CrashPlan developers receive annual secure coding training (SOC: CM-7). CrashPlan utilizes a code versioning control system to maintain the integrity and security of the application source code (SOC: CM-8).

16. Network security

CrashPlan uses network perimeter defense solutions, including an IDS and firewalls, to monitor, detect and prevent malicious network activity. Security personnel monitor items detected and take appropriate action (SOC: LA-15). Firewall rule changes (that meet the corporate change management criteria) follow the change management process and require approval (SOC: LA-16). CrashPlan’s corporate and cloud networks are logically segmented by virtual local area networks (VLANs) and firewalls monitor traffic to restrict access to authorized users, systems and services (SOC: LA-17).

17. Third party security

CrashPlan assesses and manages the risks associated with existing and new third-party vendors. CrashPlan employs a risk-based scoring model for each third party (SOC: MON-2). CrashPlan requires third parties enter into contractual commitments that contain security, availability, processing integrity and confidentiality requirements and operational responsibilities as necessary (SOC: COM-9). CrashPlan evaluates the physical security controls and assurance reports for data centers on an annual basis. CrashPlan assesses the impact of any issues identified and tracks any remediation efforts (SOC: MON-3).

18. Physical security

CrashPlan grants access to data centers and CrashPlan offices by job responsibility, and access is removed as part of the CrashPlan separation or internal job transfer process when access is no longer required ( SOC: LA-21; SOC: LA-22). Access to CrashPlan offices is managed by a badging system that logs access, and any unauthorized attempts are logged and denied. CrashPlan personnel and visitors are required to display identity badges at all times within CrashPlan offices. CrashPlan maintains visitor logs and requires visitors to be escorted by CrashPlan personnel (SOC: LA-23).

19. Oversight & audit

Internal audits are aligned to CrashPlan’s information security program and compliance requirements. CrashPlan conducts internal control assessments to validate that controls are operating effectively. Issues identified from assessments are documented, tracked and remediated (SOC: MON-1). Internal controls related to security, availability, processing integrity and confidentiality are audited by an external independent auditor at least annually and in accordance with applicable regulatory and industry standards.

20. Business continuity plan

CrashPlan maintains a Business Continuity Plan and a Disaster Recovery Plan to manage significant disruptions to CrashPlan operations and infrastructure. These plans are reviewed and updated periodically and approved annually by the Chief Information Security Officer (SOC: A-5). CrashPlan conducts business continuity exercises to evaluate CrashPlan tools, processes and subject matter expertise in response to specific incidents. Results of these exercises are documented and issues identified are tracked to remediation (SOC: A-6).

21. Human resources security

CrashPlan has procedures in place to guide the hiring process. Background verification checks are completed for CrashPlan personnel in accordance with relevant laws and regulations (SOC: ORG-5). CrashPlan requires personnel to sign a confidentiality agreement as a condition of employment (SOC: C-2). CrashPlan maintains a disciplinary process to take action against personnel that do not comply with company policies, including CrashPlan security policies. (SOC: ORG-3).

End of document