Vendor Information Security Addendum
This Vendor Information Security Addendum (“InfoSec Addendum”) forms a part of, and is subject to, the agreement(s) between Vendor and Flock Group Inc (“Flock”) for Vendor’s services (the “Agreement”). All capitalized terms used but not defined herein will have the meaning ascribed to them in the Agreement. To the extent of any conflict between this InfoSec Addendum and any other agreement between Vendor and Flock, this InfoSec Addendum shall control.
1. General Applicability and Compliance Requirements
1.1. Vendor shall comply with the terms of this Addendum, which sets out the minimum cybersecurity requirements applicable to any products or services provided to Flock by Vendor.
1.2. Vendor is responsible for taking all necessary measures and steps to comply with the requirements in this Addendum.
2. Definitions
2.1. “Vendor Systems” means all applications, electronic systems, databases, and associated technology that Vendor uses in order to perform its obligations under the Agreement.
2.2. “Sensitive Information” means any Confidential Information, Personal Information, or Protected Health Information Vendor may access under the Agreement.
2.3. “Network” means communication infrastructure, including but not limited to wifi, LTE, ethernet, routers, and switches.
2.4. “Flock Data” means any data, content, or information made available by or on behalf of Flock, or collected by Vendor, in connection with Vendor’s performance of the services provided to Flock under the Agreement.
2.5. “Information System” means a discrete set of resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, including but not limited to servers, computers, laptops, cell phones, and tablets.
3. Device Security. Vendor shall:
3.1. deploy multiple layers of defense on Vendor Systems to protect Sensitive Information against accidental or unlawful destruction or alteration, and unauthorized or improper disclosure or access, including firewalls, Network intrusion detection, endpoint detection and response, and host-based intrusion detection systems. All security monitoring systems, including firewalls and intrusion detection systems, must be monitored 24 hours per day, 365 days per year;
3.2. employ the latest industry-standard anti-Malware, antivirus, and malicious code detection and protection products on all Vendor Systems, including Networks, workstations and servers used to provide any products or services to Flock; and
3.3. implement Data Loss Prevention (DLP) controls (e.g., DLP software, disabling USB ports, and URL/web filtering) to detect and prevent compromise or unauthorized removal of Flock Data and Sensitive Information from Vendor Systems and Networks. Ports and services on Vendor Systems that are not used shall be disabled.
4. Cloud Security. Vendor shall:
4.1. deploy multiple layers of defense on Vendor Systems to protect Sensitive Information against accidental or unlawful destruction or alteration, and unauthorized or improper disclosure or access, including firewalls, Network intrusion detection, endpoint detection and response, and host-based intrusion detection systems. All security monitoring systems, including firewalls and intrusion detection systems, must be monitored 24 hours per day, 365 days per year;
4.2. employ a web application firewall; and
4.3. encrypt all data at rest and in transit, regardless of data store type.
5. Logging. Vendor shall:
5.1. maintain audit logs from Vendor Systems, as well as Network devices and applications, for a minimum period of 12 months from the time of event or logging;
5.2. store log files on a centralized logging server with sufficient details in order to assist in the identification of the source of an issue and enable a sequence of events to be recreated; and
5.3. ensure that:
5.3.1. logs record date and time, user or service account, and IP address/hostname for all access and authentication attempts;
5.3.2. log data captures, at a minimum, Information System, Network device, and application security related event information, alerts, failures, and errors;
5.3.3. integrity of log files is maintained and protected from tampering by restricting access to systems that store log files; and
5.3.4. logs are continually monitored, reviewed, and analyzed for suspicious and unauthorized activity and to verify the integrity of the logging process.
6. Authentication. Vendor shall:
6.1. employ multi-factor authentication (MFA) on all user accounts;
6.2. implement the principle of Least Privilege, granting users only the minimum access rights necessary to perform their job functions;
6.3. ensure a formal, documented process for user provisioning (adding), modification (changing permissions), and de-provisioning (removing) access immediately upon termination or change of role;
6.4. ensure all passwords and other authentication secrets are stored securely using industry-standard cryptographic hashing and salting techniques.
7. Auditing.
7.1. Vendor shall:
7.1.1. comply with and maintain in good standing a SOC 2 Type II report, ISO 27001 certification, or an equivalent; and
7.1.2. if processing, accessing, or storing CJIS data, remain compliant with the latest version of CJIS Security Policy.
7.2. Subject to the terms of this Section 7, Vendor shall make available to Flock reasonable information necessary to demonstrate compliance with the Agreement and this InfoSec Addendum and shall permit an annual audit by Flock or a mutually agreed to third-party auditor (“Auditor”) in relation to the controls required under this InfoSec Addendum.
7.3. Flock or Auditor may, in accordance with applicable law, at Flock’s expense and no more than annually, perform an audit of Vendor’s data protection and information security practices with written notice provided reasonably, but at least thirty (30) business days in advance. The audit shall take place over not more than one day, unless Vendor permits otherwise, during Vendor’s normal business hours on a mutually agreed schedule that will minimize the audit’s impact on Vendor’s operations. Flock or Auditor shall comply with Vendor’s security requirements related to the performance of the audit.
7.4. Upon Flock’s reasonable written request and no more than once per year, Vendor shall complete Flock’s reasonable data protection and information security questionnaire.
7.5. If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type II report or a similar, current, qualified third-party audit report or certificate, Flock agrees to accept such report in lieu of conducting an audit.
7.6. All information provided to Flock by Vendor under this Section 7 is considered Vendor Confidential Information.
8. Security Incident Notification. Vendor shall:
8.1. notify Flock in the event of a suspected data breach within 72 hours by emailing security@flocksafety.com; and
8.2. upon request from Flock, supply a detailed report of any such incident.
9. Sub-processors. Vendor shall:
9.1. ensure all sub-processors and critical suppliers comply with this InfoSec Addendum;
9.2. promptly notify Flock of any changes to existing or new sub-processors; and
9.3. allow Flock to opt out of any existing or new sub-processors that do not meet the standards set forth in this Addendum.
10. Data. Vendor shall return or securely destroy, at Flock’s discretion, all Flock Data in Vendor’s possession within 30 days of (i) a request from Flock, or (ii) termination of the Agreement, and will provide written certification to Flock of such return or destruction.
11. Patching. Vendor shall patch vulnerabilities within the following time frames based on the CVE’s severity rating as published in the NVD (CVSS):
11.1. Critical - 7 days
11.2. High - 14 days
11.3. Medium - 30 days
11.4. Low - 90 days
11.5. Informational - 120 days
12. Encryption. Vendor shall encrypt all Flock Data at rest, in transit, and in use, according to the following standards: