Data Security Addendum



SERVICENOW LIGHTSTEP OBSERVABILITY SERVICE - DATA SECURITY ADDENDUM

All capitalized terms not defined in this Lightstep DSA have the meaning given to them in other parts of the Agreement as modified by the Lightstep Addendum (the “Lightstep Agreement”).

1. SECURITY PROGRAM

While providing the Lightstep Service, ServiceNow, will maintain a written information security program of policies, procedures and controls aligned to ISO27000 Series, or substantially equivalent standard, governing the processing, storage, transmission, and security of Customer Data (the “Security Program”). The Security Program includes industry-standard practices designed to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Security Program will be updated to address new and evolving security technologies, changes to industry standard practices, and changing security threats, although no such update will materially reduce the commitments, protections or overall level of service provided to Customer as described herein.

1.1. SECURITY ORGANIZATION. A Chief Information Security Officer will be designated as responsible for coordinating, managing, and monitoring the information security function, policies, and procedures.

1.2. RISK MANAGEMENT. Information security risk assessments will be performed as part of a risk governance program that is established with the objective to regularly test, assess, and evaluate the effectiveness of the Security Program. Such assessment shall be designed to recognize and assess the impact of risks and implement identified risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats.

2. CERTIFICATIONS AND AUDITS

2.1. CERTIFICATIONS AND ATTESTATIONS. Sufficient controls to meet certification and attestation for the objectives stated in SOC 2 Type 2 (or equivalent standards) shall be maintained for the Security Program supporting the Lightstep Service. At least once per calendar year, an assessment shall be obtained against such standards and audit methodologies by an independent third-party auditor will be obtained and reports made available to the Customer.

3. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

3.1. TECHNICAL SECURITY MEASURES.

3.1.1. DATA CENTER FACILITIES. The data center facilities include (1) either a SOC 1 attestations or ISO 27001 certificate; (2) physical access restrictions and monitoring that shall include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (e.g. fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (3) fire detection and fire suppression systems both localized and throughout the data center floor.

3.1.2. ACCESS ADMINISTRATION. Access to the Lightstep Service by employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to Lightstep Service. Individuals are assigned a unique user account. Individual user accounts shall not be shared. Access privileges are based on job requirements. Access to systems and data are limited to that required for the personnel to undertake their duties and are revoked upon termination of employment or consulting relationships. Access entitlements are reviewed by management quarterly. Infrastructure access includes appropriate user account and authentication controls.

3.1.3. LOGGING AND MONITORING. The production infrastructure log activities are secured in a manner designed to prevent tampering, and are monitored for anomalies by a trained security team.

3.1.4. FIREWALL SYSTEM. An industry-standard firewall is installed and managed to protect systems by residing on the network to inspect ingress connections routed to the Lightstep Service.

3.1.5. VULNERABILITY MANAGEMENT. vulnerability scans will be conducted to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, it will be applied within an appropriate timeframe in accordance with the then-current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in production systems.

3.1.6. ANTIVIRUS. Antivirus, anti-malware, and anti-spyware software are updated on regular intervals.

3.1.7. CHANGE CONTROL. Changes to applications supporting the Lightstep Service, and infrastructure, if infrastructure is owned by ServiceNow are evaluated to minimize risk and such changes are implemented following the then-current standard operating procedure.

3.1.8. DATA ENCRYPTION IN TRANSIT. Industry standard encryption to encrypt Customer Data in transit over public networks will be used.

3.1.9. DATA ENCRYPTION AT REST. To the extent available, the Lightstep Service will leverage the built-in data at rest encryption capability provided by the Infrastructure as a Service (IaaS) hosting provider.

3.2. ORGANIZATIONAL SECURITY MEASURES. 3.2.1. PERSONNEL SECURITY. Background screening will be performed on ServiceNow employees and contractors who have access to Customer Data in accordance with operating procedures and applicable Law.

3.2.2. SECURITY AWARENESS AND TRAINING. Security and privacy awareness training that includes appropriate training and education will be performed for ServiceNow employees and contractors who have access to Customer Data. Such training is conducted at time of hire and at least annually throughout employment.

4. SERVICE CONTINUITY

4.1. DATA BACKUP. Backups are performed in accordance with operating procedures.

4.2. DISASTER RECOVERY. ServiceNow shall (i) maintain a disaster recovery (“DR”) related plan that is consistent with industry standards for the Lightstep Service; (ii) test the DR plan at least once every year; and (iii) document any action plans within the summary test results to promptly address and resolve any deficiencies, concerns, or issues that prevented or may prevent the Lightstep Service from being recovered in accordance with the DR plan.

5. MONITORING AND INCIDENT MANAGEMENT

5.1. MONITORING, MANAGEMENT AND NOTIFICATION. 5.1.1. INCIDENT MONITORING AND MANAGEMENT. Infrastructure activity on the Lightstep Service will be (i) monitored and analyzed for security incidents; and (ii) responded to in a timely manner in accordance with the then current standard operating procedure. Response teams will be engaged as may be necessary to address a security incident.

5.1.2. BREACH NOTIFICATION. ServiceNow shall provide a report to Customer for any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a “Breach”) without undue delay following determination by ServiceNow that a Breach has occurred.

5.1.3. REPORT. The initial report will be made to Customer’s designated security contact(s) (or if no such contact(s) are designated, to the primary technical contact designated by Customer). As information is collected or otherwise becomes available, it will be provided without undue delay, including any further information regarding the nature and consequences of the Breach to allow Customer to notify relevant parties, including affected individuals, government agencies, and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information from whom additional information may be obtained.

5.1.4. CUSTOMER OBLIGATIONS. Customer will cooperate as necessary by providing any information that is reasonably requested to resolve any security incident, including any Breach, identify its root cause(s), and prevent a recurrence. Customer is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.

5.2. COOKIES. The Lightstep Service uses cookies to provide necessary functionality of the Lightstep Service.

6. PENETRATION TESTS

6.1. BY A THIRD-PARTY. Third-party vendors are contracted to perform a penetration test on the application annually to identify vulnerabilities and remediation options. Executive reports from the penetration testing will be available to Customer upon written request.

7. SHARING THE SECURITY RESPONSIBILITY

7.1. SERVICE CAPABILITIES. The Lightstep Service includes a variety of security settings that allow Customer to configure security for their own use. The Lightstep Service allows, among other things, Customer to: (a) authenticate users before accessing the Lightstep Service, and (b) encrypt passwords. Customer manages each user’s access to and use of the Lightstep Service by assigning to each user a credential and user role that controls the level of access to the Lightstep Service. Customer is responsible for protecting the confidentiality of each user’s login and password and managing each user’s access to the Lightstep Service. To the extent ServiceNow makes available to Customer documented best practices for securing Customer’s use of the Lightstep Service, Customer shall be responsible for implementing such best practices for securing its use of the Lightstep Service.

7.2. LIMITATIONS. Notwithstanding anything to the contrary in this Lightstep DSA or other parts of the Lightstep Agreement, ServiceNow’s obligations herein are only applicable to the Lightstep Service. This Lightstep DSA does not apply to: (a) information shared with ServiceNow that is not Customer Data; (b) data in Customer’s VPN or a third-party network; (c) any data processed by Customer or its users in violation of the Lightstep Agreement or this Lightstep DSA; or (d) ServiceNow offerings that are not the Lightstep Service.