Polar Security Data Security and Privacy Principles

1. Definitions

Capitalized terms used herein have the meanings given below or if not defined below, the meanings given in the applicable written contract between Polar Security and Customer for the Polar Security Services.
Customer – is the entity to which Polar Security is providing the Polar Security Services under an Polar Security Services Document.
Components – are the application, platform, or infrastructure elements of an Polar Security Service that Polar Security operates and manages.
Content – consists of all data, software, and information that Customer or its authorized users provide, authorize access to, or input to Polar Security Services.
DSP – is this Polar Security Data Security and Privacy Principles document.
Polar Security Cloud Services – are "as a service" Polar Security offerings that Polar Security makes available via a network, such as software as a service, platform as a service, or infrastructure as a service.
Polar Security Services Document – is a Transaction Document and any other document that is incorporated into a written contract between Polar Security and a Customer and that addresses details of a specific Polar Security Service.
Polar Security Services – are (a) Polar Security Cloud Services, (b) other Polar Security service offerings, including infrastructure or application service offerings that Polar Security delivers and dedicates to or customizes for a Customer, and (c) any other services, including consulting, maintenance, or support, that Polar Security provides to a Customer.
Security Incident – is an unauthorized access and unauthorized use of Content.
Transaction Document – is a document that details the specifics of transactions, such as charges and a description of and information about an Polar Security Cloud Service. Examples of Transaction Documents include statements of work, service descriptions, ordering documents and invoices for an Polar Security Cloud Service. There may be more than one Transaction Document applicable to a transaction.

2. Overview

The technical and organizational measures provided in this DSP apply to Polar Security Services (including any Components) only where Polar Security has expressly agreed to comply with the DSP in a written contract between Polar Security and Customer. For clarity, those measures do not apply where Customer is responsible for security and privacy or as specified below.
a. Customer is responsible for determining whether a Polar Security Service is suitable for Customer's use and implementing and managing security and privacy measures for components that Polar Security does not provide or manage within the Polar Security Services. Examples of Customer responsibilities for Polar Security Services include: (1) the security of systems and applications built or deployed by the Customer upon an infrastructure as a service or platform as a service offering or upon infrastructure, Components or software that Polar Security manages for a Customer, and (2) Customer end-user access control and application level security configuration for a software as a service offering that Polar Security manages for a Customer or an application service offering that Polar Security delivers to a Customer.
b. Customer acknowledges that Polar Security may modify this DSP from time to time at Polar Security's sole discretion and such modifications will replace prior versions as of the date that Polar Security publishes the modified version. Notwithstanding anything to the contrary in any written contract between Polar Security and Customer, the intent of any modification will be to: (1) improve or clarify existing commitments, (2) enable Polar Security to appropriately prioritize its security focus to address evolving data and cybersecurity threats and issues, (3) maintain alignment to current adopted standards and applicable laws, or (4) provide additional features and functionality. Modifications will not degrade the security or data protection features or functionality of Polar Security Services.
c. In the event of any conflict between this DSP and a Polar Security Services Document, the Polar Security Services Document will prevail and if the conflicting terms are in a Transaction Document, they will be identified as overriding the terms of this DSP and will only apply to the specific transaction.

3. Data Protection

a. Polar Security will treat all Content as confidential by not disclosing Content except to Polar Security employees, contractors, and suppliers (including subprocessors), and only to the extent necessary to deliver the Polar Security Services.
b. Security and privacy measures for each Polar Security Service are implemented in accordance with Polar Security's security and privacy by design practices to protect Content processed by an Polar Security Service, and to maintain the availability of such Content pursuant to the applicable written contract between Polar Security and Customer, including applicable Polar Security Services Documents.
c. Additional security and privacy information specific to an Polar Security Service may be available in the relevant Polar Security Services Document or other standard documentation to aid in Customer's initial and ongoing assessment of an Polar Security Service's suitability for Customer's use. Such information may include evidence of stated certifications and accreditations, information related to such certifications and accreditations, data sheets, FAQs, and other generally available documentation. Polar Security will direct Customer to available standard documentation if asked to complete Customer-preferred security or privacy questionnaires.

4. Security Policies

a. Polar Security will maintain and follow written IT security policies and practices that are integral to Polar Security's business and mandatory for all Polar Security employees. The Polar Security Chief Information Security Officer will maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement.
b. Polar Security will review its IT security policies at least annually and amend such policies as Polar Security deems reasonable to maintain protection of Polar Security Services and Content.
c. Polar Security will maintain and follow its standard mandatory employment verification requirements for all new hires and will extend such requirements to wholly-owned Polar Security subsidiaries. In accordance with Polar Security internal processes and procedures, these requirements will be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation, and additional checks as deemed necessary by Polar Security. Each Polar Security company is responsible for implementing these requirements in its hiring process as applicable and permitted under local law.
d. Polar Security employees will complete Polar Security's security and privacy education annually and certify each year that they will comply with Polar Security's ethical business conduct, confidentiality, and security policies, as set out in Polar Security's Business Conduct Guidelines. Additional training will be provided to any persons granted privileged access to Components that is specific to their role within Polar Security's operation and support of the Polar Security Services, and as required to maintain compliance and accreditations stated in any relevant Polar Security Services Document.

5. Compliance

a. For standard (non-custom) Polar Security Cloud Services, the measures implemented and maintained by Polar Security within each Polar Security Cloud Service will be subject to annual certification of compliance with ISO 27001 or SSAE SOC 2, or both, unless stated otherwise in a Polar Security Services Document.
b. Additionally, Polar Security will maintain compliance and accreditation for the Polar Security Services as defined in a Polar Security Services Document.
c. Upon request, Polar Security will provide evidence of the compliance and accreditation required by 5a. and 5b., such as certificates, attestations, or reports resulting from accredited independent third-party audits (accredited independent third-party audits will occur at the frequency required by the relevant standard).
d. Polar Security is responsible for these data security and privacy measures even if Polar Security uses a contractor or supplier (including subprocessors) in the delivery or support of a Polar Security Service.

6. Security Incidents

a. Polar Security will maintain and follow documented incident response policies consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines or equivalent industry standards for computer security incident handling and will comply with the data breach notification terms of the applicable written contract between Polar Security and Customer.
b. Polar Security will investigate Security Incidents of which Polar Security becomes aware, and, within the scope of the Polar Security Services, Polar Security will define and execute an appropriate response plan. Customer may notify Polar Security of a suspected vulnerability or incident by submitting a request through the incident reporting process specific to the Polar Security Service (as referenced in an Polar Security Services Document) or, in the absence of such process, by submitting a technical support request.
c. Polar Security will notify Customer without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by Polar Security to affect Customer. Polar Security will provide Customer with reasonably requested information about such Security Incident and the status of any Polar Security remediation and restoration activities.

7. Physical Security and Entry Control

a. Polar Security will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Polar Security managed facilities (data centers) used to host the Polar Security Services. Auxiliary entry points into such data centers, such as delivery areas and loading docks, will be controlled and isolated from computing resources.
b. Access to Polar Security-managed data centers and controlled areas within those data centers will be limited by job role and subject to authorized approval. Such access will be logged, and such logs will be retained for not less than one year. Polar Security will revoke access to Polar Security-managed data centers upon separation of an authorized employee. Polar Security will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.
c. Any person granted temporary permission to enter a Polar Security-managed data center facility or a controlled area within such a data center will be registered upon entering the premises, must provide proof of identity upon registration, and will be escorted by authorized personnel. Any temporary authorization to enter, including deliveries, will be scheduled in advance and require approval by authorized personnel.
d. Polar Security will take precautions to protect the physical infrastructure of Polar Security-managed data center facilities against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

8. Access, Intervention, Transfer and Separation Control

a. Polar Security will maintain a documented security architecture for Components. Polar Security will separately review such security architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense-in-depth standards prior to implementation.
b. Polar Security may use wireless networking technology in its maintenance and support of the Polar Security Services and associated Components. Such wireless networks, if any, will be encrypted and require secure authentication and will not provide direct access to Polar Security Cloud Services networks. Polar Security Cloud Services networks do not use wireless networking technology.
c. Polar Security will maintain measures for a Polar Security Service that are designed to logically separate and prevent Content from being exposed to or accessed by unauthorized persons. Polar Security will maintain appropriate isolation of its production and non-production environments, and, if Content is transferred to a non-production environment, for example to reproduce an error at Customer's request, security and privacy protections in the non-production environment will be equivalent to those in production.
d. Polar Security will encrypt Content not intended for public or unauthenticated viewing when transferring Content over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, or FTPS, for Customer's secure transfer of Content to and from the Polar Security Services over public networks.
e. Polar Security will encrypt Content at rest if and as specified in a Polar Security Services Document. If an Polar Security Service includes management of cryptographic keys, Polar Security will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.
f. If Polar Security requires access to Content to provide the Polar Security Services, and if such access is managed by Polar Security, Polar Security will restrict access to the minimum level required. Such access, including administrative access to any underlying Components (privileged access), will be individual, role-based, and subject to approval and regular validation by authorized Polar Security personnel following the principles of segregation of duties. Polar Security will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner's separation or upon the request of authorized Polar Security personnel, such as the account owner's manager.
g. Consistent with industry standard practices, and to the extent natively supported by each Component, Polar Security will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, password change frequency, and secure transfer and storage of such passwords and passphrases.
h. Polar Security will monitor use of privileged access and maintain security information and event management measures designed to: (1) identify unauthorized access and activity, (2) facilitate a timely and appropriate response, and (3) enable internal and independent third-party audits of compliance with documented Polar Security policy.
i. Logs in which privileged access and activity are recorded will be retained in compliance with Polar Security's worldwide records management plan. Polar Security will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.
j. To the extent supported by native device or operating system functionality, Polar Security will maintain computing protections for its end-user systems that include, but may not be limited to, endpoint firewalls, full disk encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.
k. Polar Security will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with NIST guidelines for media sanitization.

9. Service Integrity and Availability Control

a. Polar Security will: (1) perform security and privacy risk assessments of the Polar Security Services at least annually, (2) perform security testing and vulnerability assessments of the Polar Security Services before production release and at least annually thereafter, (3) enlist a qualified independent third party, IBM X-Force™ or, if specified in an Polar Security Services Document, another qualified testing service to perform penetration testing of the Polar Security Cloud Services, at least annually, (4) perform automated vulnerability scanning of underlying Components of the Polar Security Services against industry security configuration best practices, (5) remediate identified vulnerabilities from security testing and scanning, based on associated risk, exploitability, and impact, and (6) take reasonable steps to avoid disruption to the Polar Security Services when performing its tests, assessments, scans, and execution of remediation activities.
b. Polar Security will maintain measures designed to assess, test, and apply security advisory patches to the Polar Security Services and associated systems, networks, applications, and underlying Components within the scope of the Polar Security Services. Upon determining that a security advisory patch is applicable and appropriate, Polar Security will implement the patch pursuant to documented severity and risk assessment guidelines, based on Common Vulnerability Scoring System ratings of patches, when available. Implementation of security advisory patches will be subject to Polar Security change management policy.
c. Polar Security will maintain policies and procedures designed to manage risks associated with the application of changes to Polar Security Services. Prior to implementation, changes to a Polar Security Service, including its systems, networks, and underlying Components, will be documented in a registered change request that includes a description of and reason for the change, implementation details and schedule, a risk statement addressing impact to the Polar Security Service and its clients, expected outcome, rollback plan, and documented approval by authorized personnel.
d. Polar Security will maintain an inventory of all information technology assets used in its operation of Polar Security Services. Polar Security will continuously monitor and manage the health, including capacity, and availability of Polar Security Services and underlying Components.
e. Each Polar Security Service will be separately assessed for business continuity and disaster recovery requirements through appropriate business impact analysis and risk assessments intended to identify and prioritize critical business functions. Each Polar Security Service will have, to the extent warranted by such risk assessments, separately defined, documented, maintained, and annually validated business continuity and disaster recovery plans consistent with industry standard practices. Recovery point and time objectives for an Polar Security Service, if provided for in the relevant Polar Security Services Document, will be established with consideration given to the Polar Security Service's architecture and intended use. Physical media intended for off-site storage, if any, such as media containing backup files, will be encrypted prior to transport.