          Contentstack Security Addendum


          Last Updated: October 14, 2024

          This Contentstack Security Addendum (“Security Addendum”) is incorporated into, and forms part of, the Contentstack Master Agreement or other written or electronic agreement between Contentstack and the Customer (each such agreement, the “Agreement”) and applies to Contentstack’s corporate controls for safeguarding personal data/personal information ("Personal Data") that is processed by Contentstack and transferred amongst Contentstack affiliates. Capitalized words and expressions used in this Security Addendum which are not defined in this Security Addendum shall bear the meaning set out in the Agreement.

          1. Objectives and Exceptions

          Contentstack takes information security seriously. As such, Contentstack has implemented a security policy aligned with an industry-standard or standards (such as ISO27001 or SOC2) that is designed to take reasonable steps to protect:

          (a) the confidentiality, integrity, and availability of Personal Data that Contentstack processes; and

          (b) against accidental, unauthorized, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss, or destruction of Personal Data.

           

          This Security Addendum pertains only to those components and areas over which Contentstack has control and is responsible. It does not apply to any changes, modifications, configurations or other actions taken by Customer or Customer's clients with respect to other aspects of the Customer's solution.

           

          2. Security Measures - Overview

          Contentstack has reasonable and appropriate security measures and procedures to manage and control identified security risks commensurate with Contentstack's legal and contractual obligations. Such security measures and procedures include physical, technical and organizational safeguards that are:

          (a) appropriate in consideration of the sensitivity of the Personal Data involved and the significance of Contentstack processing to the protection of an individual’s rights with regard to their Personal Data and

          (b) no less rigorous than (i) those maintained by Contentstack's own systems and information of a similar nature and (ii) accepted industry standards for ensuring the confidentiality, integrity and availability of Personal Data.

           

          Further information on Contentstack security measures is set out in the sections below.

           

          3. Physical Security Measures

          (a) Physical Security and Access Control – Contentstack's security measures and procedures ensure that all systems hosting Personal Data are maintained in a physically secure environment that:

          • ensures barriers to unauthorized access and that access restrictions at physical locations containing Personal Data (such as buildings, computer facilities, and records storage facilities) are designed and implemented to permit access only to authorized individuals;
          • detect any unauthorized access that may occur, including 24 x 7 security personnel at all relevant locations;
          • have provisions or redundancy to protect against fire and natural disasters; and
          • provide redundant power, network, and cooling systems.

          (b) Physical Security for Media – Contentstack's security measures and procedures are designed to protect and prevent the unauthorized viewing, copying, alteration or removal of any media containing Personal Data.

          (c) Media Destruction – Contentstack's security measures and procedures are designed to destroy removable media containing Personal Data that is no longer used, or alternatively, to render Personal Data on such removable media unintelligible and not capable of reconstruction by any technical means before reuse of such removable media is allowed.

           

          4. Technical Security Measures

          (a) Customer Controls. In the event Customer implements single sign on capability, certain access controls on hosted Customer systems, such as User password length and character requirements, limits on lockout and password reuse are under the exclusive control and responsibility of the Customer.

          (b) Access Controls on Information Systems. Contentstack's security measures and procedures are intended to allow access to all systems hosting Personal Data to be protected through the use of access control systems that: (i) uniquely identify each member of Contentstack's staff requiring access; (ii) grant access only to authorized persons and are based on the principle of least privileges; (iii) prevent unauthorized persons from gaining access to Personal Data; (iv) appropriately limit and control the scope of access granted to any authorized person and (v) log all relevant access events. These security measures and procedures may include Contentstack implementing and maintaining:

           

          • Access Rights Policies – Contentstack's policies and procedures regarding the granting of access rights to Personal Data are designed to ensure that only authorized and trained members of Contentstack's staff have access. Contentstack has an accurate and up-to-date list of all staff who have access to the Personal Data, and Contentstack has the ability to promptly disable access by staff upon the termination of their employment.
          • Authorization Procedures for Persons Entitled to Access – Contentstack's security measures and procedures establish and configure authorization profiles in order to ensure that members of Contentstack's staff only have access to Personal Data and resources that they need to know to perform their duties and that they are only able to access Personal Data within the scope and to the extent covered by their access permission. The access will be allocated on the basis of segregation of duties, least privilege, and on a role basis.
          • Authentication Credentials and Procedures – Contentstack's security measures and procedures for authentication of authorized members of Contentstack staff include:
            • systems transmitting and storing Personal Data are designed to prevent access by unauthorized users;
            • when privileged access (e.g., root or superuser level access) is granted to systems that handle Personal Data, such access is logged; and
            • laptop encryption for all Contentstack staff who access Personal Data.
          • Access Control from outside the Secured Area – Contentstack's security measures and procedures are designed to prevent Contentstack's information systems or Personal Data from being accessed by unauthorized persons from outside the secure area.
          • Access Monitoring – Contentstack's security measures and procedures monitor access to Contentstack's information systems and Personal Data, and maintain records of system or applicable access attempts (both successful and failed).
          • Intrusion Detection – Contentstack's security measures and procedures are designed (i) to ensure that Personal Data and Contentstack's assets and/or information systems are protected against the risk of intrusion by an intrusion detection system (IDS) and (ii) to monitor each and every instance of access to Personal Data and/or Contentstack's assets and information systems to detect the same and to respond to the same promptly.
          • Network Security – Contentstack's security measures and procedures are designed to ensure that Contentstack's network is protected from external and internal threats using tools and infrastructure such as firewalls, ACLs, IDS/IPS, and other controls as reasonably necessary. Contentstack's network is scanned for vulnerabilities, and penetration testing is performed at least once a year. Event logging is in place to ensure that intrusion attempts into the Contentstack network are logged.
          • Mobile Technology Security - Contentstack's security measures and procedures are designed to ensure that any mobile or portal system and/or storage device that processes Personal Data has software that will encrypt Personal Data when the device is outside of the designated data processing facility and/or during transport. The encryption software used meets the requirements of generally available commercial software designed to provide disc/media encryption.

          (c) Data Management Controls

          • Data Monitoring Tools – this tool contains technical functionality that permits Customers to determine access rights. Customer is responsible for reviewing and monitoring Personal Data to ensure compliance with their legal and contractual obligations.
          • Data Destruction – Contentstack's security measures and procedures are designed to destroy Personal Data when appropriate and in accordance with Contentstack's legal and contractual obligations.
          • Data Availability Control – Contentstack's security measures and procedures are designed to ensure data availability, including procedures to ensure that Personal Data is protected from accidental destruction or loss and against data loss caused by a power shortage or interruptions in the power supply.
          • Software Patching – Contentstack's security measures and procedures are designed to ensure the updating and patching of all computer software and network device software to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches.
          • Infrastructure Management - Contentstack's security measures and procedures are designed to demonstrate infrastructure management with a change control process, including risk assessment based on industry standards, testing, and implementation of applicable security procedures as are present in this Data Management Controls section with respect to infrastructure under Contentstack control and responsibility.
          • Backup, Retention, and Recovery – Contentstack's backup and recovery security measures and procedures are designed to ensure data availability in the event of loss of Personal Data or Contentstack information systems from any cause. All Personal Data is encrypted when stored and backed up.
          • Hardening - Contentstack's security measures and procedures are designed to ensure that all servers, network devices and systems are hardened to ensure that default accounts are disabled and unused services are stopped.
          • Application Security - Contentstack's security measures and procedures are designed to ensure that the Contentstack application is reviewed regularly. Access to the Contentstack application may be accomplished through a 128-bit SSL channel. Contentstack's code audits will occur at least once per year based on applicable industry standards.

          5. Organizational Security Measures

          (a) Responsibility – Contentstack's security measures and procedures are designed to ensure that responsibility for information security management is assigned to appropriately skilled and senior staff. As permitted by applicable law, background checks are carried out on all Contentstack employees with access to Personal Data.

          (b) Qualification of Employees – Contentstack's security measures and procedures are designed to ensure the reliability, technical expertise and personal integrity of all Contentstack staff with access to Contentstack information systems and/or Personal Data.

          (c) Obligations of Contentstack Employees – Contentstack security measures and procedures are designed to verify that any employee, agent or contractor accessing the Personal Data knows their obligations and the consequences of any security breach.

          6. Training and Education

          Contentstack's training and education program is designed to ensure that Contentstack's staff are trained in and adequately aware of their responsibilities under this Security Addendum.

          7. Incident Management/Escalation

          Contentstack has an incident response plan for dealing with any security incidents, including escalation paths to senior management based on the incident classification or severity, incident contact lists, initial responses, investigation log, system recovery, issue and eradication and reporting, review and follow up procedures with appropriate reports to regulatory and law enforcement agencies.

          8. Customer

          The customer acknowledges that the measures set out in this security addendum are subject to technical progress and development and that Contentstack may update or modify such from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Software and Services during a Subscription Term.

           

          Copyright © 2024 Contentstack Inc. All rights reserved.
