Introduction. As further described in this StreamSets Security Policy (“Security Policy”), StreamSets uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration, or disclosure of Configuration Data stored on systems under StreamSets’ control.When the Products are used as a Service, the Service operates on Amazon Web Services, Inc. or Google Cloud (the “Cloud Provider”) and is protected by Cloud Provider’s security and environmental controls. Detailed information about Cloud Provider’s security is available at either www.aws.amazon.com/security/ and www.aws.amazon.com/compliance/shared-responsibility-model or www.cloud.google.com/security/. For clarity, only Configuration Data—and not Pipeline Data—is accessible by the Service. When the Products are used as Software, the Software is installed on Customer’s infrastructure and StreamSets does not have access to Configuration Data or Pipeline Data.Technical Measures.Access Controls.Access to the Service—which is hosted by Cloud Provider—is controlled by Customer via user IDs and passwords.StreamSets limits access to the Service to those employees and contractors needed to perform authorized tasks (“StreamSets Personnel”).StreamSets has implemented a role-based program to limit StreamSets Personnel access to Configuration Data:Access is granted on a least privilege necessary basis. If such access is granted, StreamSets Personnel are prohibited from storing Configuration Data on local desktops, laptops, mobile devices, shared drives, removable media such as USB drives, or on public facing systems that do not fall under the administrative control or compliance monitoring processes of StreamSets.StreamSets maintains and monitors logs to review access to Configuration Data.Upon termination of StreamSets Personnel, any access to Configuration Data, the Service, and StreamSets’ facilities is also terminated.Encryption.Configuration Data is always encrypted in transit to and from Cloud Provider’s systems via Secure Socket Layer / Transport Layer Security 1.2.Network Security / Intrusion Protection.Cloud Provider’s systems are ISO 27001 certified. For information about Cloud Provider’s SOC certification, please see www.aws.amazon.com/compliance/soc-faqs or www.cloud.google.com/security/compliance/. Further, these systems deploy 24x7x365 monitoring, anomaly detection algorithms, and rule-based exception alert mechanisms.StreamSets’ own network (the “StreamSets Network”) is set behind a firewall and designed to detect and thwart inappropriate access. The StreamSets Network is segmented with security groups defining access control lists on an as-needed basis.For enhanced security within the StreamSets Network, StreamSets imposes Network Address Translation to non-published addresses.On the StreamSets Network, StreamSets employs a centralized multi-factor authentication access management system to control StreamSets Personnel access to StreamSets’ servers.Asset Management.StreamSets’ assets—including StreamSets Personnel laptops—are tagged and tracked.StreamSets requires all StreamSets Personnel to report any lost assets, immediately. Once a loss is reported, StreamSets will attempt to remotely wipe the asset.Managed antivirus is deployed on all StreamSets Personnel laptops and workstations to monitor for malware, viruses, and other malicious exploits.Audit Logs.All logs for the Service are reviewed on a regular basis.Any exception reporting—such as intrusion or breach detection—immediately triggers a review of access logs.Physical and Environmental Controls.The Service and Configuration Data are hosted with the Cloud Provider and all physical security controls are managed by the Cloud Provider. StreamSets reviews the Cloud Provider’s SOC 2 Type 2 report annually to ensure appropriate physical security controls.Physical access to StreamSets’ facilities is controlled via computer chip enabled key cards.24x7x365 cameras are deployed at key StreamSets’ facilities to monitor entry points.Vulnerability Scans.Cloud Provider conducts regular vulnerability scans of its systems. Cloud Provider also enables Customer to conduct its own vulnerability testing of Cloud Provider’s systems.StreamSets conducts security vulnerability scans of the StreamSets Network on a regular basis. At least annually, a third party conducts similar scans. A copy of the results of such third-party scans will be provided to Customer upon reasonable request, no more than once annually, and such report will be deemed the Confidential Information of StreamSets without any further marking or designation.Security Incident Response.A “Security Incident” is (a) the unauthorized access to or disclosure of Configuration Data, or (b) the unauthorized access to the systems within the Service that transmit or analyze Configuration Data.StreamSets will notify Customer in writing or email within seventy-two (72) hours of a confirmed Security Incident.StreamSets will take appropriate actions to contain, investigate, and mitigate the Security Incident.An incident report is created after the investigation is complete and communicated to Customer, and such report will be deemed the Confidential Information of StreamSets without any further marking or designation.Business Continuity Plan.StreamSets maintains a Business Continuity Plan (“BCP“). As part of this BCP:StreamSets has facilities and StreamSets Personnel in multiple geographic zones, worldwide.The BCP is tested annually.Organizational Measures.Background Checks.StreamSets performs background screening as part of the StreamSets hiring process, to the extent legally permissible. The scope of this screening includes:Criminal records.Verification reports including identity, previous employment, education, and social security number.Reference checks.Security Training.StreamSets maintains a security awareness program for StreamSets Personnel that provides initial education to all StreamSets Personnel.Ongoing training in security and secure computing is provided to StreamSets Personnel who are engaged in the development and operations of the Products.Additional security trainings are made available on an ad-hoc basis.StreamSets Personnel Management.StreamSets Personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding business ethics, appropriate usage, and professional standards.As a condition of employment, StreamSets Personnel are required to execute a confidentiality agreement.