INFORMATION SECURITY ADDENDUM

This Information Security Addendum (“ISA”) is incorporated into and forms part of the agreement from which it was linked (“Agreement”) between Customer and Nautilus (in each case, as defined in the Agreement). In the event of a conflict between the terms of this ISA and the Agreement with respect to the subject matter of this ISA, the terms of this ISA will control.    

1. Definitions. Capitalized terms used but not defined in this Exhibit will have the meanings given to them in the Agreement. As used in this ISA, the following terms will have the following meanings:

1.1. “Data Protection Law” means any law or regulation regarding privacy, data protection, or data security applicable to the processing of Personal Information by Nautilus to provide the Services to Customer.

1.2. “Covered Systems” means any system that is owned or controlled by Nautilus or its agents, vendors, contractors, processors, or any other party authorized by Nautilus that stores or processes Customer Data, as that term is defined below.

1.3. “Customer Data” means data being processed by Nautilus on behalf of Customer as part of the Services, as that term is defined in the applicable Agreement.

1.4. “Security Incident” means any actual or reasonably suspected unauthorized or impermissible acquisition, use, access, destruction or accidental loss, alteration, or disclosure of Customer Data. The term Security Incident shall not include a loss of information that is immaterial, such as through file compression, metadata redaction, or deduplication/threading.

2. Security Measures. Nautilus will employ commercially reasonable security measures to protect the confidentiality, integrity, and availability of Customer Data through an information security program that applies to all Covered Systems and includes administrative, physical, and technical safeguards (“Measures”) consistent with industry-standard practices for:

2.1. Account management of user accounts and their credentials, including administrator accounts and service accounts.

2.2. Access controls, including minimum password complexity, multi-factor authentication, and application of the principle of least privilege.

2.3. Data security controls, including policies for encrypting Customer Data, both in transit and at rest.

2.4. Network security controls such as anti-virus and anti-malware controls, firewall protection and intrusion detection systems, and vulnerability management processes, including patch management processes, that are designed to identify, assess, track, and remediate security vulnerabilities.

2.5. Maintaining and monitoring operating system and application user-level audit logs, including by ensuring that logs are retained for an adequate period of time.

2.6. Data loss prevention controls such as website restrictions, email monitoring, and restriction or secure management of removable media containing Customer Data.

2.7. Third-party risk management to identify and mitigate risks related to suppliers, vendors, and others capable of introducing security risks to Covered Systems.

2.8. Physical security measures to protect areas where Customer Data may be accessed, including restricting physical access and storing records containing Customer Data in locked facilities, areas, or containers.

2.9. Secure disposal or destruction of Customer Data, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.

2.10. Business continuity and disaster recovery processes designed to prevent or circumvent an interruption in services and to restore operations in the event of one.

2.11. Training for employees and other personnel who may be granted access to Covered Systems or Customer Data.

3. Information Security Incident Management. Nautilus will establish and maintain a Security Incident Response Program which requires Nautilus’s employees, agents, and independent contractors to report promptly to Nautilus any Security Incident, and which includes processes to respond to any Security Incident.

3.1. The Security Incident Response Program will include actions to identify, assess, investigate, mitigate, and contain any Security Incident affecting Covered Systems, including actions to remedy or mitigate the circumstances that permit any Security Incident, to prevent, mitigate, or halt any disclosure of Customer Data, and to safely restore operations.

3.2. Nautilus will notify Customer about any Security Incident within 72 hours. Nautilus will cooperate with Customer as reasonably necessary to facilitate Customer’s compliance with any applicable Data Protection Laws.

4. Partial or Full Delegations of Responsibility. Nothing in this Exhibit shall modify the parties’ ability to subcontract or assign some or all of the rights or obligations arising under the Agreement. To the extent that either party opts to delegate, subcontract, or assign any of its rights or responsibilities under the Agreement, the delegating party shall (i) be responsible for ensuring that its subprocessors, subcontractors, agents, delegates, and assignees implement measures at least as protective as those set forth in this Exhibit; and (ii) fully indemnify the other party for any damages it may incur (including reasonable costs and attorneys’ fees) arising out of an actual or suspected breach of this Exhibit by either party or its subprocessors, subcontractors, agents, delegates, or assignees.