This Annex II forms part of the Agreement and sets out the minimum technical and organizational measures that Vendor will implement to protect RingCentral Data.
2. Information Security Management. Vendor will maintain appropriate cybersecurity measures to safeguard the security of RingCentral Data. In no event shall Vendor take precautions any less stringent than those it employs to protect its own proprietary and confidential information. In addition, Vendor agrees to develop and maintain any additional cybersecurity measures as may be required by applicable Privacy Laws. Vendor will maintain a cybersecurity and risk management program based on commercial best practices to preserve the confidentiality, integrity and availability of RingCentral Data, with comprehensive administrative, technical, procedural and physical measures conforming to generally recognized industry standards and best practices that include the following:
i. Cybersecurity Program. Vendor must keep RingCentral Data secure from accidental, unauthorized or unlawful access, use, disclosure, alteration, destruction and/or loss by using administrative, technical, procedural, and physical safeguards that are reasonable and appropriate to the circumstances, taking into account the nature of RingCentral Data and the scope, context and purposes of the processing (individually, a “Safeguard”; all Safeguards collectively, the “Cybersecurity Program”).
ii. Documentation. Vendor will maintain documentation that describes in detail its Cybersecurity Program and the specific Safeguards it employs (“Written Security Policy, Procedure, and Standards, Technical implementation details”).
iii. Changes. Vendor will refrain from making any changes to its Cybersecurity Program or specific Safeguards that reduce the level of security provided to RingCentral Data.
iv. Network Security. Vendor agrees to maintain network security that includes industry standard firewall protection and periodic vulnerability scans for the relevant Computing Systems.
v. Server and Endpoint Security. Vendor agrees to ensure that its Computing Systems are patched and up to date with all appropriate security updates as designated by the relevant manufacturer or authority (e.g. Microsoft security notifications) and are free of known viruses, worms, spyware, adware, malware, and other malicious and unwanted software and programs.
vii. Independent security assessments. Vendor agrees to use independent third parties to perform annual penetration tests and security audits covering the systems, environments and networks where RingCentral Data is stored, processed and accessed. Vendor agrees to remediate all medium and higher severity findings and observations from such assessments.
viii. Strong Authentication. Vendor will enforce Strong Authentication for any remote access to RingCentral Data and any remote use of Nonpublic Information Resources. Additionally, Vendor will enforce Strong Authentication for any administrative and/or management access to Vendor security infrastructure and Vendor log data including but not limited to firewalls, Identity and Access Management systems, security monitoring infrastructure, and computing logs such as firewall logs, server logs, DNS logs, etc.
ix. Physical and Environmental Security. Vendor will have in place physical premises security and environmental protections for its Computing Systems, meeting ISO 27001/27002 standards.
x. Data Security and Data Transparency. Upon request from RingCentral, Vendor agrees to provide RingCentral with an inventory or data map of RingCentral Data that is in Vendor’s possession or control, including the locations of such data and the control measures that are in place for the protection of RingCentral Data.
xi. Personnel Confidentiality. Vendor will ensure that any person that Vendor authorizes to process RingCentral Data (including Vendor’s staff, agents and subcontractors) is subject to a strict duty of confidentiality (whether contractual or statutory).
xii. Cybersecurity Awareness and Training. Vendor will have a cybersecurity awareness and training program in place that covers how to implement and comply with the Cybersecurity Program, and will promote a culture of security awareness through periodic communications from the organization’s senior leadership.
xiii. Contingency Planning: Vendor will have policies and procedures for responding to emergencies, cybersecurity incidents and other events (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage or remove access to RingCentral Data.
xiv. Storage and Transmission Security: Vendor will have security measures to guard against unauthorized access to RingCentral Data that is being transmitted over a public electronic communications network or stored electronically. Such measures include requiring encryption of any RingCentral Data stored on desktops, laptops, smartphones, tablets and other mobile devices and removable storage media.
xv. Secure Disposal: Vendor will have policies and procedures regarding the secure disposal of tangible property containing RingCentral Data, considering available technology, so that RingCentral Data cannot be practicably read or reconstructed.
xvi. Monitoring and Logging. Vendor will have intrusion detection systems, full audit trail logging, and security event detection and monitoring in place for networks, servers, and applications where RingCentral Data is stored, processed, or transmitted. Vendor will log and maintain for 12 months all physical and logical access to RingCentral Data, including command history logging of all logical access. Vendor will also log and store all security events for 12 months, including but not limited to ACL logs, IDS logs, and SIM/SIEM events.
xvii. Passwords: When passwords are used to access RingCentral Data, Vendor will enforce Strong Authentication in all instances. Where practicable, Vendor will use a second authentication factor before granting access to RingCentral Data with a password.
a) Passwords must be complex and meet the following password construction requirements:
1. Be a minimum of eight (8) characters in length.
2. Include characters from at least two (2) of these groupings: alpha, numeric, and special characters.
3. Not be the same as the UserID with which they are associated.
b) Non-random PINs must meet the following:
1. Be a minimum of four (4) numbers; and
2. Not contain more than two (2) sequential numbers.
c) Require password and PIN expiration at regular intervals not to exceed ninety (90) calendar days.
d) When providing users with a new or reset password, or other authentication credentials, use a secure method to provide this information and maintain a written policy requiring reset at first login whenever a temporary credential is used.
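The construction rules in item xvii a) through c) are concrete enough to be checked mechanically. The following Python is an added example, not part of the Annex or of any RingCentral or Vendor code: it encodes the stated thresholds as policy checks that return the list of rules a candidate credential breaks. Two points the Annex leaves open are treated as assumptions and labelled as such in the code: “sequential numbers” in a PIN is read as a run of three or more consecutive ascending or descending digits (so “12” is allowed, “123” and “321” are not), and the UserID comparison is case-insensitive.

```python
"""Policy checks for the password and PIN construction rules in item xvii.

Added example, not part of the Annex.  Thresholds come from the rule text:
  passwords: at least 8 characters, at least two of {alpha, numeric, special},
             not the same as the UserID
  non-random PINs: at least 4 digits, no more than two sequential numbers
  expiry: passwords and PINs expire within 90 calendar days
"""
from datetime import date, timedelta

MIN_PASSWORD_LEN = 8          # item xvii a)1
MIN_PIN_LEN = 4               # item xvii b)1
MAX_CREDENTIAL_AGE_DAYS = 90  # item xvii c)
DIGITS = "0123456789"


def _char_groups(password: str) -> set:
    """Return which of the three Annex character groupings the password uses."""
    groups = set()
    for ch in password:
        if ch.isalpha():
            groups.add("alpha")
        elif ch.isdigit():
            groups.add("numeric")
        else:
            groups.add("special")  # punctuation, symbols, whitespace
    return groups


def password_violations(password: str, user_id: str) -> list:
    """List the rules in item xvii a) that the password breaks; empty means compliant."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if len(_char_groups(password)) < 2:
        problems.append("fewer than two character groupings (alpha/numeric/special)")
    # Assumption: "Alice" and "alice" count as the same UserID (conservative reading).
    if password.casefold() == user_id.casefold():
        problems.append("identical to the UserID")
    return problems


def longest_sequential_run(digits: str) -> int:
    """Length of the longest run of consecutive ascending or descending digits.

    "1234" -> 4, "1232" -> 3 (the "123" part), "2468" -> 1, "" -> 0.
    Wrap-around ("90", "09") is not treated as sequential (assumption).
    """
    longest = 1 if digits else 0
    run, direction = 1, 0
    for prev, cur in zip(digits, digits[1:]):
        step = int(cur) - int(prev)
        if step not in (1, -1):
            run, direction = 1, 0          # not adjacent: run is broken
        elif step == direction:
            run += 1                       # continues in the same direction
        else:
            run, direction = 2, step       # new run starting with this pair
        longest = max(longest, run)
    return longest


def pin_violations(pin: str) -> list:
    """List the rules in item xvii b) that a non-random PIN breaks."""
    problems = []
    numeric = pin != "" and all(ch in DIGITS for ch in pin)
    if not numeric:
        problems.append("contains non-numeric characters")
    if len(pin) < MIN_PIN_LEN:
        problems.append(f"shorter than {MIN_PIN_LEN} digits")
    # Assumption: "more than two sequential numbers" means a run of 3 or more.
    if numeric and longest_sequential_run(pin) > 2:
        problems.append("contains more than two sequential numbers")
    return problems


def credential_expired(issued_on: date, today: date) -> bool:
    """True once a password or PIN has reached the 90-day cap in item xvii c).

    Expiring on day 90 itself is the conservative reading of "not to exceed".
    """
    return today - issued_on >= timedelta(days=MAX_CREDENTIAL_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(password_violations("Tr0ub4dor&3", "alice"))   # []
    print(password_violations("abcdefgh", "alice"))      # one grouping only
    print(pin_violations("1234"))                        # sequential run of 4
    print(credential_expired(date(2024, 1, 1), date(2024, 3, 31)))  # True
```

The checks return every broken rule rather than stopping at the first, which is what a compliance review needs when it reports why a credential was rejected. Whichever reading of “sequential numbers” is adopted should be written into the documented Cybersecurity Program (item ii) so that an auditor under section 2 can test the same rule the code enforces.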
xviii. Encryption. Vendor agrees to use Strong Encryption, with minimum key lengths of 256 bits for symmetric encryption and 2048 bits for asymmetric encryption, to protect RingCentral Data:
a) when transmitted over any network;
b) when stored (at rest); or
c) whenever authentication credentials are stored.
xix. Least Privilege. Vendor agrees to enforce the principle of least privilege by requiring application, database, network and system administrators to restrict user access to only the commands, data and Information Resources necessary for users to perform their authorized functions.
xx. Access Management. Vendor agrees to have formal processes in place to grant, prevent and terminate access to RingCentral Data. Access shall be limited to users who require it to perform their job responsibilities. Vendor agrees to have documented Access Management procedures in place.
2. Adequate Security Measures and Procedures. Upon RingCentral’s request, and following all necessary confidentiality undertakings, Vendor will provide RingCentral, at Vendor’s expense, a third-party certification, third-party audit report, or written statement of a Vendor officer certifying that Vendor and its affiliates, agents, contractors, consultants, joint ventures and other Third Parties having access to or control of RingCentral Data have complied with all of the requirements of this Security Attachment (the “Certification”). The assessment underlying such Certification must have been conducted within the twelve (12) months preceding the request. If RingCentral believes that the internal controls and cybersecurity measures described in this documentation are inadequate to safeguard RingCentral Data, RingCentral may require the adoption of additional reasonable controls, security measures, and procedures. If Vendor fails to do so within a reasonable time, such failure shall be deemed a material breach of the Agreement, and RingCentral shall be permitted to terminate the Agreement immediately.
3. Definitions. For the purposes of this Security Attachment:
a) “Computing Systems” means networks, servers, computers (inclusive of smartphones and tablet computers), applications, and other technology infrastructure that Vendor uses to deliver services in fulfillment of its obligations under the Agreement.
b) “Nonpublic Information Resources” means those Information Resources used under the Agreement to which access is restricted and cannot be gained without proper authorization and identification.
c) “Sensitive Authentication Data” means the most current PCI Security Standards Council definition, as updated or amended from time to time. In determining whether a breach of this Security Attachment has occurred, “Sensitive Authentication Data” shall mean the definition of the PCI Security Standards Council in effect at the time of the breach.
d) “Strong Authentication” means the use of authentication mechanisms and authentication methodologies stronger than the passwords required by the applicable requirements herein. Examples of Strong Authentication mechanisms and methodologies include digital certificates, two-factor authentication, and one-time passwords.