Last updated

Data Processing Addendum

This data processing addendum and its Annexes ("DPA") forms part of the Subscription Agreement or other written or electronic agreement between Redocly and Customer for the purchase of the Redocly Products ("Agreement") to reflect the parties agreement with regard to the Processing of Personal Data. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below). For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Controller Affiliates.

In the course of providing the Products to Customer pursuant to the Agreement, Redocly may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data. This DPA shall replace any comparable or additional rights relating to the Processing of Customer Data contained in the Agreement (including any existing data processing addendum to the Agreement).

The parties agree as follows:

1. Definitions

"Affiliate" means any entity under the control of a party where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity.

"Controller" means an entity that determines the purposes and means of the processing of Personal Data.

“Customer Data” means any and all Personal Data that Redocly processes as a Processor on behalf of the Customer in course of providing the Products under the Agreement.

"Controller Affiliates" means any of Customer's Affiliate(s): (a) (i) that are subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (ii) permitted to use the Products pursuant to the Agreement between Customer and Redocly, but have not signed their own Sales Order and are not a “Customer” as defined under the Agreement, (b) if and to the extent Redocly processes Customer Data for which such Affiliate(s) qualify as the Controller.

"Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Customer Data under the Agreement, including, where applicable, EU Data Protection Law and the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

"EU Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (ii) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”);and (iii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; (iv) the UK Privacy and Electronic Communications (EC Directive) Regulations 2003, and their applicable national implementations (in each case, as may be amended, superseded or replaced).

"EU Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector, and applicable national implementations of (i) and (ii) (in each case, as may be amended, superseded or replaced).

“EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time

"Group" means any and all Affiliates that are part of an entity's corporate group.

"Personal Data" means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.

"Processor" means an entity that processes Personal Data on behalf of the Controller.

"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Redocly and/or its Sub-processor's in connection with the provision of the Products.

"Sub-processor" means any Processor engaged by Redocly or its Affiliates to assist in fulfilling its obligations with respect to providing the Products pursuant to the Agreement or this DPA. Sub-processors may include third parties or members of the Redocly Group but shall exclude any Redocly employee or consultant.

“UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office, in force as of 21 March 2022.

2. Scope and Applicability of this DPA

2.1 Scope. This DPA applies where and only to the extent that Redocly processes Customer Data as a Processor on behalf of the Customer in the course of providing the Products and such Customer Data is subject to Data Protection Laws.

2.2 Role of the Parties. As between Redocly and Customer, Customer is the Controller of Customer Data, and Redocly shall process Customer Data only as a Processor on behalf of Customer. Nothing in the Agreement or this DPA shall prevent Redocly from using or sharing any data that Redocly would otherwise collect and process independently of Customer's use of the Products. Any processing of Personal Data under the Agreement shall be performed in accordance with applicable Data Protection Laws. Redocly shall inform Customer if it can no longer comply with its obligations under applicable Data Protection Laws. However, Redocly is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to Redocly as a service provider.

2.3 Customer Obligations. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Redocly; and (ii) it has provided notice and obtained (or shall obtain) all consents (where required) and rights necessary under Data Protection Laws for Redocly to process Customer Data and provide the Products pursuant to the Agreement and this DPA.

2.4 Redocly Processing of Customer Data. As a Processor, Redocly shall process Customer Data only for the following purposes: (i) processing to provide the Products in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; (iii) processing initiated by Users in their use of the Products; and (iv) processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of this Agreement (individually and collectively, the "Purpose") and only in accordance with Customer’s documented lawful instructions. Except as permitted by Data Protection Laws or this DPA, Redocly shall not process Customer Data outside of the direct business relationship between Redocly and Customer; or combine Customer Data received from or on behalf of Customer with Personal Data received from or on behalf of any third party, or collected from Redocly’s own interaction with data subjects. Redocly shall not sell or share for cross-context behavioral advertising purposes any Customer Data. The parties agree that the Agreement (including this DPA) set out the Customer’s complete and final instructions to Redocly in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Redocly.

2.5 Details of Data Processing. The subject matter of the processing of Customer Data by Redocly is the Purpose. Unless otherwise agreed in writing between the parties, the duration of processing, the nature and purpose of the processing, the types of Customer Data and the categories of data subjects processed under the Agreement are further specified in Annex A (Description of the Processing Activities) to this DPA.

3. Subprocessing

3.1 Authorized Sub-processors. Customer agrees that Redocly may engage Sub-processors to process Customer Data on Customer's behalf. The Sub-processors currently engaged by Redocly and authorized by Customer are listed here https://www.redocly.com/sub-processors. Redocly shall notify Customer if it adds or removes Sub-processors at least 10 days prior to any such changes.

3.2 Sub-processor Obligations. Redocly shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Redocly to breach any of its obligations under this DPA.

3.3 Objection to Sub-processors. Customer may object in writing to Redocly’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g. if making Customer Data available to the Sub-processor may violate applicable Data Protection Law or weaken the protections for such Customer Data) by notifying Redocly promptly in writing within five (5) calendar days of receipt of Redocly's notice in accordance with Section 3.1. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution.

4. Security and Audits

4.1 Security Measures. Redocly shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data. Such measures shall, at a minimum, include the measures identified in Annex B ("Security Measures"). Redocly shall ensure that any person who is authorized by Redocly to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.2 Security Incident Response. Upon becoming aware of a Security Incident, Redocly shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

4.3 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Redocly may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Products purchased by the Customer.

4.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Products, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Products and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Products.

4.5 Security Reports and Audits. Redocly audits its compliance against recognised data protection and information security standards on a regular basis. Such audits are conducted by independent, experienced personnel, and may include Redocly's internal audit team and/or third party auditors engaged by Redocly. Upon request, Redocly shall supply (on a confidential basis) a summary copy of its then-current audit report(s) ("Report") to Customer, so that Customer can verify Redocly's compliance with this DPA, including to confirm that Redocly processes Customer Data in a manner consistent with Customer’s obligations under Data Protection Laws. Redocly shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Data, including responses to information security and audit questionnaires that are necessary to confirm Redocly's compliance with this DPA, and allow for and contribute to audits at a mutually agreeable time following reasonable written notice, provided that Customer shall not exercise this right more than once per year, except that this right may also be exercised in the event Customer is expressly requested or required to provide this information to a data protection authority, or Redocly has experienced a Security Incident, or other reasonably similar basis. Customer shall have the right upon notice to Redocly to take reasonable and appropriate steps to remediate Redocly’s use of Customer Data in violation of this DPA.

5. International Transfers

5.1 Processing Locations. Redocly may transfer and process Customer Data to and in the United States and anywhere else in the world where Redocly, its Affiliates or its Sub-processors maintain data processing operations. Redocly shall at all times ensure appropriate safeguards to protect the Customer Data processed, in accordance with the requirements of Data Protection Laws.

5.2 With respect to Customer Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Customer to Redocly, the parties agree to comply with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference.

5.3. For purposes of the EU SCCs the parties agree that:

5.3.1. Customer shall act and comply with the obligations, and shall have the rights, of the “data exporter” under the EU SCCs, and Redocly shall act and comply with the obligations of the “data importer” under the EU SCCs;

5.3.2. In Clause 7, the optional docking clause will not apply;

5.3.3. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 3.1 of this DPA;

5.3.4. In Clause 11, the optional language will not apply;

5.3.5. For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;

5.3.6. For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;

5.3.7. For the purposes of Annex I, Section A (List of Parties), (i) Customer’s and Redocly’s contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller and Redocly is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Products pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;

5.3.8. For the purposes of Annex I, Section B (Description of Transfer): (i) Annex A to this DPA describes Redocly’s Processing of Customer Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Products); (iii) Customer Data will be retained in accordance with Clause 8.5 of the EU SCCs, and this DPA; (iv) Redocly uses Sub-processors to support the provision of the Products. A list of Sub-processors and the nature of the Processing activities can be found at https://redocly.com/sub-processors/.

5.3.9. For the purposes of Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Redocly. If Customer does not communicate a competent supervisory authority to Redocly, the competent supervisory authority shall be the Irish Data Protection Commission.

5.3.10. For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Data as described at Annex B.

5.4. If the transfer of Customer Data is subject to the Swiss Federal Act on Data Protection, the following provisions apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Data is subject to the Swiss Federal Act on Data Protection.

5.5. With respect to transfers from Customer to Redocly of Customer Data originating from the United Kingdom (“UK”), the parties agree to comply with the EU SCCs, complemented by the UK Addendum, which is incorporated herein by reference. The parties agree that, for the purposes of the UK Addendum: the start date is the date of this DPA, the exporter is the Customer and the importer is Redocly, the table is deemed to be completed with the information set out in Section 5.3.7 of this DPA, and by signing this DPA, parties are deemed to have signed the UK Addendum. The “Approved EU SCCs” which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 5.3 of this DPA. The information requested in Annex 1 and 2 of the EU SCCs is provided in Section 5.3.7 – 5.3.10 of this DPA and the list of Sub-processors is available at https://redocly.com/sub-processors/. The importer may end the UK Addendum as set out in section 19 of the UK Addendum.

5.6 Alternative Transfer Mechanism. The parties agree that the data export solution identified in this Section 5 shall not apply if and to the extent that Redocly adopts an alternative data export solution for the lawful transfer of Customer Data (as recognized under applicable Data Protection Law) outside of the EEA, Switzerland or the UK (“Alternative Transfer Mechanism”), in which event, the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism extends to the territories to which Customer Data is transferred).

6 . Return or Deletion of Data

6.1 Upon termination or expiration of the Agreement, Redocly shall (at Customer's election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Redocly is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Redocly shall securely isolate and protect from any further processing, except to the extent required by applicable law.

7. Rights of Data Subjects and Cooperation

7.1 Data Subject Request. To the extent that Customer is unable to independently access the relevant Customer Data within the Products, Redocly shall (at Customer's expense) taking into account the nature of the processing, provide reasonable cooperation to assist Customer by appropriate technical and organisational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request is made directly to Redocly, Redocly shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Redocly is required to respond to such a request, Redocly shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

7.2 Subpoenas and Court Orders. If a law enforcement agency sends Redocly a demand for Customer Data (for example, through a subpoena or court order), Redocly shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Redocly is legally prohibited from doing so.

7.3 Data Protection Impact Assessment. To the extent Redocly is required under EU Data Protection Law, Redocly shall (at Customer's expense) provide reasonably requested information regarding Redocly's processing of Customer Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

8. Controller Affiliates

8.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates, thereby establishing a separate DPA between Redocly and each such Controller Affiliate subject to the provisions of the Agreement and this Section 8 and Section 9. Each Controller Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, a Controller Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Products by Controller Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by a Controller Affiliate shall be deemed a violation by Customer.

8.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Redocly under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.

8.3 Rights of Controller Affiliates. If a Controller Affiliate becomes a party to the DPA with Redocly, it shall, to the extent required under applicable Data Protection Laws, also be entitled to exercise the rights and seek remedies under this DPA, provided that except where applicable Data Protection Laws require the Controller Affiliate to exercise a right or seek any remedy under this DPA against Redocly directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Controller Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Controller Affiliate individually but in a combined manner for all of its Controller Affiliates together.

9. Limitation of Liability

9.1 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses), and all DPAs between Controller Affiliates and Redocly, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability in the Agreement, and any reference in provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

9.2 For the avoidance of doubt, Redocly and its Affiliates’ total liability for all claims from the Customer and all of its Controller Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Controller Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Controller Affiliate that is a contractual party to any such DPA.

10. Miscellaneous

10.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

10.2 With effect from the effective date of this DPA, this DPA shall be deemed a part of and incorporated into the Agreement so that references in the Agreement to "Agreement" shall be interpreted to include this DPA.

10.3 In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.

10.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Annex A

Details of Processing

(a) Duration. The duration of the processing under this DPA is determined by the Agreement.

(b) Categories of data subjects.

  • Users – Customer's employees, personnel and other staff that are authorized to use the Products under the Customer's account.
  • Documentation Readers - any end users/customers/clients of the Customer whose data is processed through the Products.

(c) Categories of data: Identification and contact data (name, address, e-mail address, telephone number, company name); order information; IT related data (IP addresses, unique device level identifiers, cookies data, online navigation data (including access date and times), location data, browser data language); and any other Personal Data Customer configures the Products to collect. Customer data fields may also be configured as part of the implementation of the Products or as otherwise permitted within the scope of the Products.

(d) Special categories of data (if appropriate). Redocly and/or its Sub-processors contractors do not intentionally collect or process any special categories of data in connection with the provision of the Products under the Agreements.

(e) Purposes of Processing: For the Purposes (as defined in this DPA).

(f) Processing operations: The Customer Data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities:

  • storage and other processing necessary to provide, maintain and improve the Products provided to Customer
  • to provide Customer and technical support to the Customer; and
  • disclosures in accordance with the Agreement and as compelled by law.

Annex B

Security Measures

Redocly will implement and maintain technical and administrative safeguards to protect Customer Data against Security Incidents, including by taking the following security measures:

Network protection

  • Have in place a current network diagram with all connections to personal data, including any wireless networks.
  • Access to web administration interfaces must be encrypted or disabled. All administrative access made on a non-console must be encrypted.
  • Configuration files must be secure and synchronized.
  • The firewalls must be configured to not be alterable by its users, including on mobile and employee-owned devices. The firewall, regardless of its installed location, must be enabled at all time.
  • DNS Filtering to block access to malicious websites, phishing sites, and prevent malware from communicating with its command and control servers.
  • Zero Trust Architecture, an IT security model that requires all users, even those inside the organization's network, to be authenticated and authorized.
  • Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered being insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
  • Create a firewall configuration that restricts connections between approved networks and all the components of the system in the environment of personal data. Need to examine the rules of firewalls and routers at least every six months. A rule "blocks all" must still apply in the end. Firewalls must be used at least at every endpoint connecting to the Internet, including mobile and employee-owned devices.
  • Prohibit direct public access between Internet and any component of the system in the environment of personal data. Disable all services and protocols not required (services and protocols not directly needed to perform the specified function of the device).
  • Encrypt all administrative access with the use of technologies such as SSH, VPN, or SSL/TLS for Web-based management and other administrative access.
  • Validation of secure communications.
  • Restrict physical access to publicly accessible network jacks.
  • Restrict physical access to the gateways, mobile handheld devices and wireless access points.
  • Use intrusion detection systems and/or intrusion prevention systems to monitor all traffic in the data environment and report to staff all suspicions relating to potential alterations. Keep all detection and intrusion prevention engines updated.
  • When you access personal data through remote access technologies, prohibit copying, moving and storing of personal data on local hard drives and removable electronic media.
  • Network architecture and its segmentation approach must be setup to permit: isolation, control, supervision and optimization of information flow and control. Those zones must consider internal and external users, privilege levels, business partners, service providers, customers and the general public.
  • The firewall and antivirus logs should be reviewed daily.
  • All firewall rules must be reviewed at least every six months.
  • When necessary, ACLs can be implemented in routers, but firewalls must be given priority at all times (for ACL).
  • Account passwords should be configured using the 'Secret' command replacing the "Password" command (if equipment allows).
  • When configuring a service that doesn’t offer encrypted and strong authentication, the use of a "high port" is mandatory.
  • Mandatory strong (double) authentication for establishing remote connection over the network.
  • Secure communications must be validated / tested before being put into production.
  • Implement physical security measures for all facilities and data centers.

Trainings

Have in place security and privacy awareness training, inclusive of acknowledgment and agreement to abide by organizational security policies, for all personnel upon hire and annually thereafter.

Access Control

  • Limit access to system components and Customer data to only those individuals whose job requires such access.
  • Assignment of privileges is based on individual personnel’s job classification and function.
  • Requirement for a documented approval by authorized parties specifying required privileges.
  • Implementation of an automated access control system.
  • Defining a system of access control for the components of systems with multiple users that restricts access to only users that need access to data and which is set to 'deny all access' unless they are explicitly allowed.
  • Assign all users a unique ID before allowing them to access system components.
  • In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: password or two-factor authentication.
  • Integrate authentication with two factors for all, including remote, access (access to the network from outside the network level) for employees, administrators, and third parties to the network.
  • Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
  • Ensure that proper management of passwords and user authentication is implemented for non-consumer users and administrators.
  • Control the addition, removal, and modification of user IDs, credentials and other objects identifier.
  • Set initial passwords unique to each user and change immediately after the first use.
  • Immediately revoke access for any user who no longer works for the company.
  • Remove or disable inactive user accounts at least every 90 days.
  • Do not use group, shared, or generic accounts and passwords, or other authentication methods.
  • Requiring passwords with at least twelve characters.
  • Define passwords with alphanumeric characters.
  • Prohibit a user to submit a new password identical to previous passwords.
  • Limit repeated access attempts by locking out the user ID after six attempts.
  • Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID
  • If a session is inactive for more than 15 minutes, require the user to re-enter his password to re-activate the terminal.
  • Authenticate all access to any database containing personal data. This includes access by applications, administrators, and all other users. Restrict user direct access or queries to databases to database administrators.
  • Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
  • All actions taken by any individual with root or administrative privileges
  • Automatic disconnect of sessions of remote access technologies after a specific idle period.
  • Implement the principle of least privilege (PoLP), which means giving a user account or process only those privileges which are essential to perform its intended function.
  • Implement quarterly review of access rights. The access rights of employees should be updated as they change roles within the organization to prevent privilege creep.

Data Retention

  • Keep data storage to a minimum.
  • Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
  • Once data retention periods have expired, data is securely deleted so it cannot be recovered.

Secure Application Development

  • Validation of all input to prevent XSS (Cross-Site Scripting) attacks, attacks by injection, the execution of malicious files, etc.
  • Validation of proper error handling.
  • Validation of secure cryptographic storage.
  • Separate development/test and production environments.
  • Separate obligations between development/test and production environments.
  • Deleting data and the test accounts before production systems become active.
  • Deletion of custom application accounts and the names of user and password before enabling applications or making them available to customers.
  • In order to identify any potential coding vulnerability, review of custom code prior to placing it into production or made available to clients.
  • Operational functionality testing.
  • Develop all Web applications (internal and external, including Web administrative access) on the basis of secure coding best practices such as those described in the OWASP (Open Web Application Security Project). Prevent common coding vulnerabilities in software development processes.
  • Implement secure software development lifecycle processes to integrate security at every phase of software development.
  • Regular penetration testing of applications to discover vulnerabilities.

System Monitoring

  • Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
  • Ensure that all anti-virus mechanisms are current, running and capable of generating audit logs.
  • Install critical security patches within one week of release.
  • Define a process for the identification of new security vulnerabilities.
  • For public-oriented Web applications, address new threats and vulnerabilities on a regular basis.
  • Access to all audit trails.
  • Invalid logical access attempts.
  • Use of identification and authentication mechanisms.
  • Initialization of the audit logs.
  • Creation and deletion of system-level objects.
  • Record at least the following audit trail entries for all system components for each event
  • Synchronize all critical system clocks and hours.
  • Protect audit logs so that they cannot be changed.
  • Integration of threat intelligence to stay updated with the latest security threats.

Change Management Policy

  • Formal approval process and test all network connections and changes to the configurations of firewalls and routers.
  • Check that the network diagram is updated.
  • Test all security patches, as well as any system or software configuration changes before deployment.
  • Documentation of impact.
  • Validation of the management by the appropriate parties.
  • Removal procedures.

Incident Response

Implement an incident response plan. Be prepared to respond immediately to a system breach or availability issue.

Secure Disposal of IT Equipment and Information

Render data on electronic media unrecoverable so that data cannot be reconstructed.

Crypto Measures Standard

  • Protect encryption keys used for encryption of sensitive data against disclosure and misuse.
  • Restrict access to cryptographic keys to the smallest possible number of operators.
  • Store cryptographic keys securely in as few locations and forms as possible.
  • Verify the existence of management procedures for keys used for encryption of personal data.
  • Generation of strong cryptographic keys.
  • Secure the distribution of cryptographic keys.
  • Secure storage of cryptographic keys.
  • Periodic change of cryptographic keys as deemed necessary and recommended by the associated application.
  • Retirement or replacement of obsolete cryptographic keys or suspected to have been compromised.
  • Prevent the substitution of cryptographic keys.
  • Verify the use of encryption (TLS 1.2+) whenever data is transmitted or received over any networks.
  • Encrypt data at rest with AES-256.
  • Consider the future need for encryption algorithms that can resist attacks from quantum computers.

Business continuity and disaster recovery

  • Implement regular backups of essential data and systems.
  • Develop a robust disaster recovery plan to ensure business continuity in case of major incidents.
  • Practice disaster recovery at least annually.

Audit

  • Ensure that Redocly is compliant with any applicable regulations such as GDPR, CCPA, or other privacy regulations.
  • External audit for SOC 2 Type 2 annually.
  • Initiate regular ISO 27001 audit by Dec 1, 2023.