Sprig Information Security Addendum
Sprig Technologies, Inc. (“Sprig”) implements and maintains a commercially reasonable information security program that includes technical and organizational measures designed to ensure an appropriate level of security for Company Data (as defined in the Agreement) taking into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Company Data, and the nature of the Company Data to be protected having regard to the state of the art and the cost of implementation. This Sprig Information Security Addendum (“Addendum”) details the security program applicable to the provision of Sprig’s Services (“Services”), and forms part of and is subject to the terms and conditions of the Sprig Services Agreement or other agreement mutually signed by Company and Sprig that governs Company’s use of the Services (“Agreement”). Capitalized terms used and not defined herein have the same meaning as in the Agreement.
- Security Program.
  - SOC 2 Type 2 Certified. Sprig shall maintain a risk-based security program to systematically manage and protect the organization’s business information and the information of its customers and partners. With respect to the Services, Sprig has completed a SOC 2 Type 2 audit, and will complete a SOC 2 Type 2 audit annually throughout the term of the Agreement or until such time as Sprig receives any industry certification applicable to the Services which replaces such certification. Upon written request from Company, Sprig will provide a copy of such then-current certifications and audit reports subject to confidentiality terms.
  - Security Governance Committee. Sprig shall maintain a security committee composed of leaders across business units that oversees the company’s security program. This committee shall meet regularly to review the operational status of the company’s security program (including risks, threats, remediation actions, and other security-related issues) and drive continuous security improvement throughout the business.
  - Security Incident Response Policy. Sprig shall maintain policies and procedures to (1) investigate and respond to security incidents, including procedures to assess the threat of relevant vulnerabilities or security incidents using defined incident classifications and categorizations and (2) establish remediation and mitigation actions for events, including artifact and evidence collection procedures and defined remediation steps.
  - Policy Maintenance. All security and privacy related policies shall be documented, reviewed, updated, and approved by management at least annually.
  - Communication and Commitment. Security and privacy policies and procedures shall be published and communicated to all relevant and applicable personnel and subcontractors. Security shall be addressed at the highest levels of the company with executive management regularly discussing security issues and leading company-wide security initiatives.
  - Data Breach Notification and Response. Sprig will comply with the Data Breach-related obligations directly applicable to it under Data Protection Laws. Taking into account the nature of processing and the information available to Sprig, Sprig will assist Company by notifying it of a confirmed Data Breach without undue delay or within the time period required under Data Protection Laws, and in any event no later than seventy-two (72) hours following such confirmation. To the extent available, this notification will include Sprig’s then-current assessment of the following: (a) the nature of the Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) the likely consequences of the Data Breach; and (c) measures taken or proposed to be taken by Sprig to address the Data Breach, including, where applicable, measures to mitigate its possible adverse effects. Sprig will provide timely and periodic updates to Company as additional information regarding the Data Breach becomes available. Company acknowledges that any updates may be based on incomplete information. Sprig will not assess the contents of Company Data for the purpose of determining if such Company Data is subject to any requirements under Data Protection Laws. Nothing in this InfoSec Addendum will be construed to require Sprig to violate, or delay compliance with, any legal obligation it may have with respect to a Data Breach or other security incidents generally. “Company Data” means any data, content or materials including End-User Data that Company (including its Users) submits to its Services accounts, including from Third-Party Platforms. “Company Personal Data” means Personal Data that Company uploads or otherwise inputs into the Services and which is processed in connection with the provision of the Services under the Agreement by Sprig on behalf of Company. “Data Breach” means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data processed by Sprig and/or its subprocessors in connection with the provision of the Services. “Data Protection Laws” means any applicable law or regulation relating to the processing of Personal Data, including, but not limited to the Directive 95/46/EC (Data Protection Directive) or the GDPR.
- Personnel Security.
  - Background Screening. Personnel who have access to Company Data shall be subject to background screening (as allowed by local laws) that shall include verification of identity and a check of criminal records.
  - Confidentiality Obligations. Personnel who have access to Company Data shall be subject to a binding contractual obligation with Sprig to keep the Company Data confidential.
  - Security Awareness Training. Personnel shall receive training upon hire and at least annually thereafter covering security practices and privacy principles.
  - Code of Conduct. Sprig shall maintain a code of conduct and business ethics policy requiring ethical behavior and compliance with applicable laws and regulations.
- Third-Party Security.
  - Screening. Sprig shall maintain policies and procedures designed to ensure that all new sub-processors, SaaS applications, IT software, and IT service solutions are subject to reasonable due diligence to confirm their ability to meet corporate security and compliance requirements as well as business objectives.
  - Contractual Obligations. Sprig shall maintain controls designed to ensure that contractual agreements with sub-processors include confidentiality and privacy provisions as appropriate to protect Sprig’s interests and to ensure Sprig can meet its security and privacy obligations to customers, partners, employees, regulators, and other stakeholders.
  - Monitoring and Review. As practicable, Sprig shall periodically review existing third-party sub-processors in a manner designed to ensure the sub-processor’s compliance with contractual terms, including any security and availability requirements. This review program shall review sub-processors at least annually (regardless of length of contractual term) to determine whether the sub-processor/solution is still meeting the company’s objectives and the sub-processor’s performance, security, and compliance postures are still appropriate given the type of access and classification of data being accessed, controls necessary to protect data, and applicable legal and regulatory requirements.
- Physical Security.
  - Corporate Data Security. Sprig’s systems used to process Company Data shall be protected by measures designed to control logical or physical access; equipment used to process Company Data cannot be upgraded or reconfigured without appropriate authorization and protection of the information; and Company Data shall be disposed of in a manner that would prevent its reconstruction.
  - Data Center Security. Sprig leverages Amazon Web Services (AWS) data centers for hosting the Services. AWS follows industry best practices and complies with numerous standards. Details on AWS data center physical security are available at https://aws.amazon.com/compliance/data-center/controls/.
- Solution Security.
  - Software Development Life Cycle (SDLC). Sprig shall maintain a software development life cycle policy that defines the process by which personnel create secure products and services and the activities that personnel must perform at various stages of development (requirements, design, implementation, verification, documentation and delivery).
  - Secure Development. Product management, development, test and deployment teams are required to follow secure application development policies and procedures that are aligned to industry-standard practices, such as OWASP Top 10.
  - Vulnerability Assessment. Sprig shall conduct risk assessments, vulnerability scans and audits (including third-party penetration testing of a representative instance of the Services at least annually). Identified product solution issues shall be scored using the Common Vulnerability Scoring System (CVSS) risk-scoring methodology based on risk impact level and the likelihood and potential consequences of an issue occurring. Vulnerabilities are remediated on the basis of assessed risk. Upon the written request of Company, Sprig shall provide an executive summary of the most recent third-party penetration test to Company.
- Operational Security.
  - Access Controls. Sprig shall maintain policies, procedures, and logical controls to establish access authorizations for employees and third parties. Such controls shall include:
    - requiring unique user IDs to identify any user who accesses systems or Company Data;
    - managing privileged access credentials in a privileged account management system;
    - requiring that user passwords are (a) of sufficient length; (b) stored in an encrypted format; (c) subject to reuse limitations; and
    - automatically locking out users’ IDs when a number of erroneous passwords have been entered.
  - Least Privilege. Personnel shall only be permitted access to systems and data as required for the performance of their roles; only authorized personnel are permitted physical access to infrastructure and equipment; authorized access to production resources for the Services is restricted to employees requiring access; and access rights are reviewed and certified at least annually.
  - Malware. Sprig shall utilize measures intended to detect and remediate malware, viruses, ransomware, spyware, and other intentionally harmful programs that may be used to gain unauthorized access to information or systems.
  - Encryption. Sprig shall use Internet industry-standard encryption methods to protect data in transit and at rest as appropriate to the sensitivity of the data and the risks associated with loss; all laptops and other removable media, including backups, on which Company Data is stored shall be encrypted.
  - Business Continuity and Disaster Recovery (BCDR). Sprig shall maintain formal BCDR plans designed to ensure Sprig’s systems and services remain resilient in the event of a failure, including natural disasters or system failures, and such plans shall be reviewed, updated, and approved by management at least annually.
  - Data Backups. Sprig shall backup data and systems using alternative site storage available for restore in case of failure of the primary system. All backups shall use Internet industry-standard encryption methods to protect backups in transit and at rest.
  - Change Management. Sprig shall maintain change management policies and procedures to plan, test, schedule, communicate, and execute changes to the infrastructure, systems, networks, and applications applicable to the Services.
  - Network Security. Sprig shall implement industry-standard technologies and controls designed to protect network security, including firewalls, intrusion detection systems, monitoring, and network segmentation. Networks shall be designed and configured to restrict connections between trusted and untrusted networks, and network designs and controls shall be reviewed at least annually.
  - Data Segregation. Sprig shall implement logical controls, including logical separation, access controls and encryption, to segregate Company Personal Data from data of other Sprig customers in the Services. Sprig shall additionally ensure that production and non-production data and systems are separated.