General Contentsquare Security Requirements
Supplier must implement the below Security Requirements in its systems, processes and policies, and ensure the applicability of these Security Requirements upon any of its third party providers.
All capitalized terms not defined in the Definitions provision below, shall have the meanings set forth in the Statement of Compliance or the Agreement.
1. Organization of information security
Supplier shall appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures. Such officers shall have the knowledge, experience, and authority to serve as the owner(s), with responsibility and accountability for information security within the organization.
Supplier shall ensure that all information security responsibilities are defined and allocated in accordance with Supplier’s approved policies for information security. Such policies shall be published and communicated to employees and relevant external parties.
Supplier shall have a risk management framework and conduct a yearly risk assessment of its environment and Systems to understand its risks and apply appropriate controls to manage and mitigate risks before offering its services.
2. Human resources security
Supplier shall inform its personnel about relevant security procedures and their roles and ensure that personnel with access to any Systems and/or Scoped Data are subject to written confidentiality obligations.
Supplier shall further inform its personnel of possible consequences of breaching Supplier’s security policies, procedures and these Security Requirements, which must include disciplinary action and the ability to terminate the contract with such employee or third party provider upon such breach.
Supplier personnel with access to any Systems and/or Scoped Data shall receive annual training covering these Security Requirements, any additional privacy and security procedures applicable to the services provided, prevention of unauthorized use or disclosure of Scoped Data, response to Information Security Incidents, data classification, data confidentiality and the types of data processed by Supplier.
Supplier shall perform relevant and appropriate background checks (identity, education, previous jobs, etc.) on any of its personnel and third party providers with access to any Systems and/or Scoped Data, all in compliance with Applicable Laws and Regulations.
3. Asset Management
Assets associated with any Systems and/or Scoped Data, including Supplier’s information processing facilities shall be identified, and an inventory of these assets shall be maintained. Such inventory shall be provided to Supplier upon request.
Supplier shall classify, categorize, and/or tag Scoped Data to help identify it and to allow for access to it to be appropriately restricted.
4. Access control
Based on the principle of least privilege, Supplier shall restrict access to Scoped Data and Systems at all times solely to those individual personnel and third party providers whose access is essential to the Performance under the Agreement. Wherever possible, Multi-Factor Authentication (MFA) should be implemented.
Supplier shall immediately suspend or terminate the access rights to Scoped Data and Systems for any Supplier’s personnel or third party providers suspected of breaching any of the provisions of these Security Requirements or any Applicable Laws; and Supplier shall remove access rights of all employees or any third party providers immediately upon suspension or termination of their employment, contract, or agreement.
Supplier shall have user account creation and deletion procedures, with appropriate approvals, for granting and revoking access to Scoped Data and/or Systems. These actions must be logged in order to be traceable. Supplier shall use an enterprise access control system that requires the access of its personnel and third party providers to be revalidated by managers at regular intervals, based on the principle of least privilege and on need-to-know criteria derived from job role.
Supplier shall maintain and update a record of personnel and third party providers authorized to access the Systems or any Scoped Data and Supplier shall review users’ access rights at least every 6 months.
5. Physical and Environmental Security
Supplier shall limit access to offices, where Scoped Data is processed, to authorized individuals and use a variety of industry standard systems to protect against loss of data.
Access to physical equipment containing Contentsquare data must be logged.
6. Operations security
Supplier shall maintain written policies describing its security measures and the relevant procedures and responsibilities of its personnel who have access to any Systems and/or Scoped Data and to its systems and networks. Supplier shall ensure the policies are communicated to all its personnel and third party providers involved in the processing of, or having access to, any System or Scoped Data.
The standards and procedures shall meet or exceed industry best practices and applicable regulations and laws, and include, without limitation: security controls; identification and patching of security vulnerabilities; change control process and procedures; problem management; and incident and crisis detection and management.
Supplier shall maintain logs of administrator and operator activity and data recovery events.
7. Communication security and data transfer
Supplier shall, at a minimum, use the following controls to secure its networks which store or process Scoped Data:
Network traffic shall pass through firewalls, which are monitored at all times. Supplier must implement intrusion prevention systems that allow traffic flowing through the firewalls and LAN to be logged and protected at all times.
Access to network devices for administration must use industry standard encryption with a minimum key length of 256 bits.
Network, application, and server authentication passwords are required to meet minimum complexity guidelines (at least 12 characters, upper case, lower case, numeral, special character).
Initial user passwords are required to be changed during the first log-on. Supplier shall have a policy prohibiting the sharing of user IDs and passwords.
Firewalls must be deployed to protect the perimeter of the network in which Scoped Data is stored or processed.
When remote connectivity is required for processing of Scoped Data, Supplier shall use VPN servers for the remote access with the following or similar capabilities:
Connections must be encrypted using a minimum key size of 256 bits.
The use of multi-factor authentication is required.
Supplier shall have formal transfer policies in place to protect the transfer of information through the use of all types of communication facilities that adhere to these Security Requirements. Such policies shall be designed to protect transferred information from interception, copying, modification, corruption, mis-routing and destruction.
8. System Acquisition, Development, and Maintenance
Supplier shall adopt security requirements for the purchase, use, or development of information systems, including for application services delivered through public networks.
Supplier will perform an annual penetration test on its Internet-facing perimeter network. A summary or the first pages of this report can be shared with Contentsquare upon request.
Supplier shall respond promptly to all reasonable security audit, scanning, discovery, and testing reports requested by Contentsquare, or by regulators (to the extent required by law), and shall cooperate with and assist those regulators as required by law.
If any audit or penetration testing exercise referred to above reveals any deficiencies, weaknesses or areas of non-compliance, Supplier shall promptly take such steps as may be required to remedy those deficiencies, weaknesses, and areas of non-compliance as soon as may be practicable in the circumstances. These steps involve the creation of an action plan including an owner and a remediation schedule.
Supplier shall keep Contentsquare informed of the status of any remedial action that is required to be carried out, including the estimated timetable for completing the same, and shall certify to Contentsquare as soon as may be practicable in the circumstances that all remedial actions have been completed.
9. Management of Information Security Incidents and Improvements
Supplier shall establish procedures to ensure a quick, effective, and orderly response to Information Security Incidents.
Supplier shall implement procedures for Information Security Incidents to be reported through appropriate management channels as quickly as possible. All Supplier employees and third party providers should be made aware of their responsibility to report Information Security Incidents as quickly as possible.
Supplier shall maintain a record of Information Security Incidents with a description of the incident, the consequences of the incident, the name of the reporter and to whom the incident was reported, the procedure for rectifying the incident, and the remedial action taken to correct future security incidents.
Supplier shall maintain cybersecurity insurance covering response, investigation and notification costs in case of major incidents.
10. Information Security Aspects of Business Continuity Management
Supplier shall maintain emergency and contingency plans for the facilities in which Supplier information systems that process Scoped Data are located. To ensure that they are valid and effective during adverse situations, Supplier shall verify the established and implemented information security continuity controls at regular intervals.
Supplier’s redundant storage and its procedures for recovering data shall be designed to reconstruct Scoped Data in its original state from before the time it was lost or destroyed.
Supplier shall test its Disaster Recovery Plan annually, and the resulting RTO/RPO shall be compared with the contractual objectives.
11. Notification and Communication Obligations
Supplier shall immediately (i.e., within 48 hours) notify Contentsquare’s security team (security@contentsquare.com) if any of the following events occur:
any Information Security Incident or compromise of any System or Scoped Data;
an Information Security Incident that negatively impacts the confidentiality, integrity, and availability of information that is processed, stored and transmitted using a computer in connection with Scoped Data;
failure or inability to maintain compliance with these Security Requirements or Applicable Laws.
12. Audit clause
Contentsquare may perform yearly audits, or an audit at any other time in case of a suspected Information Security Incident, to ensure that Supplier follows these Security Requirements, providing 30 days’ notice unless the audit is due to a suspected Information Security Incident.
13. Definitions
Information Security Incident | Means a suspected, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, theft, loss, corruption, or destruction of Scoped Data or of Contentsquare Systems; interference with information technology operations; interference with system operations; or breach by Supplier of Applicable Laws which impacts the privacy or security of Scoped Data, Contentsquare Systems or Supplier systems.
Performance | Means any acts by the Supplier in the course of completing obligations contemplated under the Agreement, including the performance of services, providing deliverables and work product, access to Scoped Data, or providing Software as a Service (“SaaS”), cloud platforms or hosted services.
Scoped Data | Means all Contentsquare Data and any information and data provided or made available to Supplier, including customer information and data, any manipulation of that data and any data or information Supplier collects, generates, or otherwise obtains in connection with its Performance under the Agreement.
Supplier | Means the person or legal entity, regardless of the form of organization, that has entered into an Agreement with Contentsquare.
Contentsquare Software Security Requirements
Supplier must implement the below Security Requirements in its systems, processes and policies, and ensure the applicability of these Security Requirements upon any of its third party providers.
All capitalized terms not defined in the Definitions provision below, shall have the meanings set forth in the Statement of Compliance or the Agreement.
1. Certification
Supplier will, on an annual basis, obtain a formal review of its security controls conducted by an unaffiliated third party, and will thereafter provide Contentsquare with the written results of the audit and proof of Supplier’s compliance with the audit requirements and/or Supplier’s remediation plan. The specific third party audit type may be set forth in the Agreement. If not specified in the Agreement, Supplier will obtain one of the audits provided as relevant examples below, which will be consistent with the services and/or products provided by the Supplier.
Prior to Processing Scoped Data, and upon any request by Contentsquare thereafter, Supplier will provide Contentsquare with copies of such certifications it maintains (along with relevant supporting documentation) that apply to the systems, policies, and procedures that govern the Processing of Scoped Data. Supplier will promptly notify Contentsquare if Supplier has failed or no longer intends to adhere to such certifications or successor frameworks.
Examples of potentially relevant certifications include: SSAE 16/18 – SOC 1 & SOC 2; ISO 27001:2022; ISO 27701:2019; ISO 27017:2015; ISO 27018:2019; Payment Card Industry Data Security Standards (PCI-DSS); and Federal Information Security Management Act (FISMA) Compliance Certification.
2. Access control
Supplier shall provide Contentsquare, upon request, with the list of users whose email addresses are located in a Contentsquare domain (contentsquare.com and contentsquare-ext.com).
3. Authentication for users
Where authentication mechanisms are based on passwords, Supplier shall require the password to conform to very strong password control parameters. The following password complexity rules must be implemented:
Minimum of twelve characters
Include lower-case letters
Include upper-case letters
Include numbers
Include special characters
Password breaches must be monitored.
Users must be able to change their own password at any time (e.g., there is to be no minimum validity period) and administrators must be able to force a password change. In particular, this must be performed in case of breach or suspected leakage.
To limit the possibility of leakage, it must be ensured that passwords never appear in plain text when entered. Moreover, to prevent a malicious individual from guessing the password by trial and error, access is to be suspended after 5 incorrect attempts.
Supplier shall use industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage (e.g., passwords shall not be stored or shared in plain text). Such practices shall be designed to ensure strong, confidential passwords.
Multi-factor authentication shall be used where supported.
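The following added example (not code from the original document or from Contentsquare) shows how the Section 3 password rules fit together in one credential store: the complexity check, a per-account random salt with a SHA-256-based key derivation (so passwords are never stored in plain text), suspension after 5 incorrect attempts, and an administrator-triggered forced password change. The PBKDF2 iteration count is an assumption; the page sets no value.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12            # Section 3: minimum of twelve characters
MAX_FAILED_ATTEMPTS = 5    # Section 3: suspend access after 5 incorrect attempts
PBKDF2_ITERATIONS = 200_000  # assumed value; the requirements fix no iteration count


def password_policy_violations(password: str) -> list:
    """Return the Section 3 complexity rules the password fails (empty list = compliant)."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than twelve characters"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [reason for ok, reason in checks if not ok]


class Account:
    """Credential record: salted PBKDF2-HMAC-SHA256 digest plus lockout state."""

    def __init__(self, password: str) -> None:
        self.failed_attempts = 0
        self.suspended = False
        self.must_change = False   # set by an administrator to force a password change
        self.salt = b""
        self.digest = b""
        self.change_password(password)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def change_password(self, new_password: str) -> None:
        """Users may change their password at any time; the policy is enforced here."""
        violations = password_policy_violations(new_password)
        if violations:
            raise ValueError("password policy violation: " + ", ".join(violations))
        self.salt = os.urandom(16)            # fresh random salt per password
        self.digest = self._derive(new_password, self.salt)
        self.must_change = False

    def authenticate(self, attempt: str) -> bool:
        if self.suspended:
            return False                      # locked until an administrator resets it
        if hmac.compare_digest(self._derive(attempt, self.salt), self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.suspended = True
        return False

    def force_password_change(self) -> None:
        """Administrator action, e.g. after a breach or suspected leakage."""
        self.must_change = True

    def admin_reset_lockout(self) -> None:
        """Administrator action to lift a suspension after review."""
        self.failed_attempts = 0
        self.suspended = False
```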
4. Cryptography
Supplier shall have a policy on the use of cryptographic controls based on assessed risks.
Supplier shall assess and manage the lifecycle of cryptographic algorithms, hashing algorithms, etc., and shall deprecate and disallow the use of weak cipher suites and of mathematically insufficient block lengths and bit lengths. The following minimum levels must be followed:
Symmetric algorithm to be used is AES with a key length of at least 256 bits
Asymmetric algorithm to be used is RSA (at least 2048 bits) or elliptic curves of equivalent strength
Hash functions to be used are at least SHA-256. A salt must also be used for password hashing.
TLSv1.2 or better for encryption in transit (SSL and TLS < 1.2 must be rejected)
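As an added example (not code from the original document or from Contentsquare), the checker below evaluates a TLS endpoint configuration against the minimum levels listed above: protocol version, the AES key length and hash encoded in the negotiated cipher-suite name, and the certificate key size. The sample records are constructed; the 256-bit curve size taken as equivalent to RSA-2048 is an assumption, since the page only says "same level".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_TLS = (1, 2)       # TLSv1.2 or better; SSL and TLS < 1.2 rejected
MIN_AES_BITS = 256     # AES with a key of at least 256 bits
MIN_RSA_BITS = 2048    # RSA of at least 2048 bits
MIN_EC_BITS = 256      # assumed equivalent of RSA-2048 (e.g. P-256); page says "same level"
MIN_HASH_BITS = 256    # hash functions of at least SHA-256


@dataclass
class TlsConfig:
    protocol: str      # e.g. "TLSv1.2", "TLSv1.3", "SSLv3"
    cipher: str        # OpenSSL-style or IANA-style cipher-suite name
    key_type: str      # "RSA" or "EC"
    key_bits: int      # certificate public-key size


def protocol_version(name: str) -> Optional[Tuple[int, int]]:
    """Parse 'TLSv1.2' into (1, 2); SSLv2/SSLv3 or unknown names return None."""
    m = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def cipher_violations(cipher: str) -> List[str]:
    """Check the symmetric cipher and hash encoded in a cipher-suite name."""
    problems = []
    aes = re.search(r"AES[_-]?(\d{3})", cipher)
    if not aes:
        problems.append(f"{cipher}: symmetric cipher is not AES")   # the policy names AES only
    elif int(aes.group(1)) < MIN_AES_BITS:
        problems.append(f"{cipher}: AES key shorter than {MIN_AES_BITS} bits")
    sha = re.search(r"SHA(\d{3})?$", cipher)
    # a bare trailing "SHA" means SHA-1 (160 bits); no SHA suffix (e.g. MD5) scores 0
    hash_bits = int(sha.group(1)) if sha and sha.group(1) else (160 if sha else 0)
    if hash_bits < MIN_HASH_BITS:
        problems.append(f"{cipher}: hash weaker than SHA-{MIN_HASH_BITS}")
    return problems


def config_violations(cfg: TlsConfig) -> List[str]:
    """Return every way the configuration falls below the Section 4 minimum levels."""
    problems = []
    ver = protocol_version(cfg.protocol)
    if ver is None or ver < MIN_TLS:
        problems.append(f"protocol {cfg.protocol} below TLSv1.2")
    problems += cipher_violations(cfg.cipher)
    min_bits = {"RSA": MIN_RSA_BITS, "EC": MIN_EC_BITS}.get(cfg.key_type)
    if min_bits is None:
        problems.append(f"unsupported key type {cfg.key_type}")
    elif cfg.key_bits < min_bits:
        problems.append(f"{cfg.key_type} key of {cfg.key_bits} bits below {min_bits}")
    return problems


# Constructed sample records: a legacy configuration beside a compliant one
WEAK = TlsConfig("TLSv1.0", "ECDHE-RSA-AES128-SHA", "RSA", 1024)
COMPLIANT = TlsConfig("TLSv1.3", "TLS_AES_256_GCM_SHA384", "EC", 256)

if __name__ == "__main__":
    for cfg in (WEAK, COMPLIANT):
        print(cfg.protocol, cfg.cipher, config_violations(cfg) or "compliant")
```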
Supplier’s cryptographic controls/policy shall address appropriate algorithm selections, key management and other core features of cryptographic implementations.
Supplier shall have procedures for distributing, storing, archiving, and changing/updating keys; recovering, revoking/destroying, and dealing with compromised keys; and logging all transactions associated with such keys.
Supplier shall encrypt Contentsquare data in transit and at rest at all times.
5. Physical and Environmental Security
Supplier shall limit access to facilities where systems that process Scoped Data are located to authorized individuals, and shall use a variety of industry standard systems to protect against loss of data due to power supply failure, line interference or other environment-related failures:
24*7 security guard, alarms and CCTV
Log of all physical access with 90 days minimum log retention
Access review every 6 months
Fire protection: Air sampling and automatic fire extinguishing system designed not to damage electronic equipment, 1 year maintenance frequency
Temperature protection: Redundant air conditioning maintaining the appropriate temperature (18–27 °C), 1 year maintenance frequency
Water protection: Water leak protection
Humidity protection
Power failure protection: Redundant UPS and redundant power generator, 1 year maintenance frequency
6. Operations security
Supplier shall have a documented security program and policies that provide guidance to its personnel and third party providers to ensure the security, confidentiality, integrity, and availability of the Scoped Data and Systems maintained or processed by Supplier, and that provides express instructions regarding the steps to take in the event of a compromise or any Information Security Incident.
7. Communication security and data transfer
Supplier shall, at a minimum, use the following controls to secure its networks which store or process Scoped Data:
Network traffic shall pass through firewalls, which are monitored at all times. Supplier must implement intrusion prevention systems that allow traffic flowing through the firewalls and LAN to be logged and protected at all times.
Access to network devices for administration must use industry standard encryption with a minimum key length of 256 bits.
Network, application, and server authentication passwords are required to meet minimum complexity guidelines (at least 12 characters, upper case, lower case, numeral, special character).
Initial user passwords are required to be changed during the first log-on. Supplier shall have a policy prohibiting the sharing of user IDs and passwords.
Firewalls must be deployed to protect the perimeter of the network in which Scoped Data is stored or processed.
When remote connectivity is required for processing of Scoped Data, Supplier shall use VPN servers for the remote access with the following or similar capabilities:
Connections must be encrypted using a minimum key size of 256 bits.
The use of multi-factor authentication is required.
Supplier shall have formal transfer policies in place to protect the transfer of information through the use of all types of communication facilities that adhere to these Security Requirements. Such policies shall be designed to protect transferred information from interception, copying, modification, corruption, mis-routing and destruction.
8. System Acquisition, Development, and Maintenance
Supplier shall have policies for secure development, system engineering, and support. Supplier shall conduct appropriate tests for system security as part of its acceptance testing processes. Supplier shall supervise and monitor the activity of outsourced system development.
Before deployment, new developments shall be qualified, reviewed and automatically tested in terms of functionality, performance and security. Development, testing, staging and production environments shall be segregated. No Contentsquare data shall be used in development and testing environments.
9. Definitions
Information Security Incident | Means a suspected, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, theft, loss, corruption, or destruction of Scoped Data or of Contentsquare Systems; interference with information technology operations; interference with system operations; or breach by Supplier of Applicable Laws which impacts the privacy or security of Scoped Data, Contentsquare Systems or Supplier systems.
Performance | Means any acts by the Supplier in the course of completing obligations contemplated under the Agreement, including the performance of services, providing deliverables and work product, access to Scoped Data, or providing Software as a Service (“SaaS”), cloud platforms or hosted services.
Scoped Data | Means all Contentsquare Data and any information and data provided or made available to Supplier, including customer information and data, any manipulation of that data and any data or information Supplier collects, generates, or otherwise obtains in connection with its Performance under the Agreement.
Supplier | Means the person or legal entity, regardless of the form of organization, that has entered into an Agreement with Contentsquare.