This NetSpring Subscription Service Security Guide (“Security Guide”) applies to NetSpring’s written information security program of policies, procedures, and controls governing the processing, storage, transmission, and security of Customer Data (“Security Program”) for the NetSpring Cloud software-as-a-service offering (“NetSpring Cloud”) purchased by Customer directly from NetSpring or any NetSpring authorized reseller.
NetSpring Cloud is made available by NetSpring under the terms of this Security Guide as incorporated into the NetSpring Cloud Subscription Agreement or other Agreement that grants the right to access and use the NetSpring Cloud, together with its incorporated or referenced order forms, purchase orders, addenda, and other documents (collectively, the “Agreement,” without regard to the name of the underlying Agreement, how it refers to its parties, or how it identifies NetSpring’s products). This Guide constitutes the complete and exclusive Agreement between Customer and NetSpring relating to its subject matter. It supersedes all prior oral and written agreements, understandings, representations, warranties, and communications regarding its subject matter. In the event of any conflict between the terms and conditions of this Guide and the Agreement, the Agreement will govern to the extent of such conflict. As used herein, NetSpring Data, Inc. or its affiliate that entered into the Agreement with Customer is “NetSpring”; the other entity that is a party to the Agreement is the “Customer,” and each is referred to herein as a “party” and collectively as the “parties.” NetSpring’s online portal for support information and requests, available at https://www.netspring.io/support, and related and successor websites are collectively the “Support Portal.” This Guide may be updated from time to time upon posting the new version to the Support Portal.
NetSpring has put into place an information security program and organization supported by leadership and proactively manages cybersecurity and privacy risk. Through a secure-by-design approach, NetSpring builds security into its services throughout the development lifecycle and layers security throughout its architecture to protect its assets, Software, and customer-facing services.
NetSpring’s Head of Security has established this document to provide a general overview of the policies, standards, practices, and procedural and technical controls used to protect its data, systems, applications, infrastructure, facilities, and personnel.
In addition to internal programs and controls, NetSpring intends to undergo regular independent audits that assess and verify the effectiveness of NetSpring’s security controls. Customers and potential customers may also request a copy of the most recent independent auditor’s report or certificate under a non-disclosure agreement.
NetSpring maintains an information security and privacy program designed to protect NetSpring Resources from internal and external security threats, loss, and unauthorized disclosure. NetSpring’s Head of Security is responsible for managing information security throughout the company, including corporate security, product security, and the security of NetSpring’s XaaS-based customer environments. The Security Program treats risk management as a continuous cycle: building and maintaining effective security controls, quickly detecting and responding to incidents, and constantly testing the effectiveness of those controls to maintain a healthy operating risk posture for NetSpring, its customers, and its stakeholders.
Head of Security – NetSpring’s Head of Security reports to executive management on information security and is accountable for establishing people, process, and technology controls and for managing and communicating the overall state of NetSpring’s security posture to the whole company. The Head of Security is responsible for NetSpring’s information security policies, standards, and processes and for ensuring their effectiveness.
NetSpring’s Security Program is designed to protect against accidental or unauthorized damage to, loss of, or access to any Customer Data. NetSpring has implemented administrative, technical, and physical safeguards designed to ensure the confidentiality and integrity of Customer Data. In addition to the controls implemented by NetSpring, NetSpring leverages industry-leading XaaS providers that implement industry best practices for the protection of data.
Access to Customer Data – NetSpring limits access to Customer Data in the production environment to those NetSpring Personnel who need to access the Information Systems in support of the Software or Services. Such personnel are required to sign agreements with confidentiality protections as part of their employment.
Data Classification – NetSpring treats all Customer Data as the Customer’s confidential information. Due to the nature of NetSpring’s products and of a SaaS product and its supporting environment, NetSpring does not apply customer-specific data classification schemes to Customer Data; instead, NetSpring classifies all Customer Data at its highest level of data classification.
Data Destruction – NetSpring securely erases or destroys all media that contains Customer Data prior to reuse outside of the production environment using industry standard procedures.
Encryption at Rest – All Customer Data, including backups of Customer Data, is encrypted at rest using algorithms that meet or exceed industry standards.
NetSpring implements people, process, and technical controls designed to manage cybersecurity risks as part of the Security Program. These controls may be physical, technical, and/or administrative in their operation, and their intent may be detective, corrective, deterrent, or recovery-focused. These controls are reviewed no less than annually to ensure continued appropriateness and effectiveness.
Policies – NetSpring maintains internal policies, including policies focused on information security and privacy, that are approved by NetSpring’s senior management. Policies are reviewed no less than annually to ensure continued effectiveness and appropriateness with respect to changes in NetSpring’s risk tolerance, architectural changes in the Information Systems, Software, and Services, changes to relevant industry standards such as those of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), and changes to applicable law.
NetSpring uses industry-standard techniques designed to restrict access to and to prevent unauthorized use of its Information Systems.
Accounts – NetSpring requires the use of individual user accounts to maintain the integrity of audit trails.
Access Approval – Access to Information Systems by NetSpring Personnel is subject to management approval. Access to sensitive systems, including all systems that process or store Customer Data, is reviewed regularly.
Multi-factor Authentication – NetSpring leverages multi-factor authentication for NetSpring Personnel access to Information Systems.
Role-Based Access – NetSpring follows the principle of least privilege. System owners maintain access control policies, procedures, and documentation for each system, including the privileges assigned to users and groups.
Single Sign-On – Where possible, user and group management is centralized using single sign-on systems.
NetSpring uses infrastructure-as-a-service cloud providers as further described in the Agreement or Documentation (a “Cloud Provider”). Each Cloud Provider shall have a SOC 2 Type II annual audit and ISO 27001 certification or industry-recognized equivalent frameworks. Such controls will include, but are not limited to, the following: (a) physical access to the facilities is controlled at building ingress points; (b) visitors are required to present ID and are signed in; (c) physical access to servers is managed by access control devices; (d) physical access privileges are reviewed regularly; (e) use of CCTV; (f) fire detection and protection systems; (g) backup and redundancy systems; and (h) climate control systems.
All changes to Information Systems by NetSpring Personnel in production environments, including network and other infrastructure, are authorized, tracked, tested, and monitored.
Code Review – All changes to the Software undergo peer code review and quality assurance testing prior to being released.
Configuration Management – Where possible, the configuration of XaaS is done through configuration management and infrastructure-as-code.
System Baselines – NetSpring has established configuration baselines for the Information Systems based on industry standards such as Center for Internet Security and NIST hardening standards for systems and applications.
NetSpring Access Limitations – NetSpring employees will not, without Customer’s prior consent or unless as part of the functionality of the NetSpring Cloud initiated by or for Customer (e.g., data integrations or data transferability between instances): access Customer Data; move Customer Data outside Customer’s tenant (except as performed by Customer or for Customer by a third party); or screen-capture, copy, or record Customer Data in video or other formats.
Cloud Provider Review – NetSpring performs routine reviews of Cloud Providers to confirm that the Cloud Providers continue to maintain appropriate security controls necessary to comply with the Security Program.
Personnel Security – NetSpring performs background screening on all employees and, as applicable, all contractors who have access to Customer Data in accordance with NetSpring’s then-current applicable standard operating procedure and subject to applicable laws.
Security Awareness Training – NetSpring maintains a security and privacy awareness program that includes appropriate training and education of NetSpring personnel, including, as applicable, any contractors that may access Customer Data. Such training is conducted at the time of hire and at least annually throughout employment at NetSpring.
Vendor Risk Management – NetSpring maintains a vendor risk management program that assesses vendors that access, store, process, or transmit Customer Data for appropriate security and privacy controls and business disciplines.
Software and Asset Inventory – NetSpring shall maintain an inventory of all software components (including, but not limited to, open-source Software) used in the NetSpring Cloud.
Data Management; Data Backup – NetSpring will host the purchased instances of the NetSpring Cloud in Cloud Providers that have attained SSAE 18 / SOC 1 and SOC 2 Type 2 attestations or have ISO 27001 certifications (or equivalent or successor attestations or certifications), acting in an active/active capacity for the Subscription Term. NetSpring backs up all Customer tenant metadata and NetSpring’s service state in accordance with NetSpring’s standard operating procedure, a description of the applicable portions of which is available to the Customer upon request.
Disaster Recovery – NetSpring shall: (a) maintain a disaster recovery (“DR”) plan that is consistent with industry standards for the NetSpring Cloud; (b) test the DR plan at least once every year; (c) make available summary test results which will include the actual recovery point and recovery times; and (d) document any action plans within the summary test results to promptly address and resolve any deficiencies, concerns, or issues that prevented or may prevent the NetSpring Cloud from being recovered in accordance with the DR plan.
Business Continuity – NetSpring shall maintain a business continuity plan (“BCP”) to minimize the impact of an event on its provision and support of the NetSpring Cloud. The BCP shall: (a) include processes for protecting personnel and assets and restoring functionality in accordance with the time frames outlined therein; and (b) be tested annually and updated based on any deficiencies identified during such tests.
Personnel – In the event of an emergency that renders the Support telephone system unavailable, all calls are routed to an answering service that will transfer to a NetSpring telephone support representative, geographically distributed to ensure business continuity for support operations.
NetSpring employs a defense-in-depth strategy for network security, including the use of perimeter, host-based, and web-application firewalls, physical segregation of development and production environments, and network access control lists between subnets. Firewall configurations are maintained under change management and are reviewed regularly.
Web-Application Firewall – NetSpring leverages industry-standard web-application firewalls to protect the Information Systems against malicious attacks.
Distributed Denial of Service – NetSpring’s XaaS providers provide Distributed Denial-of-Service protection that protects the Service and Information Systems.
Encryption in Transit – NetSpring Software leverages encryption by default to protect Customer Data while in transit from Customer Resources to the Service.
Incident Monitoring and Management – NetSpring will monitor, analyze, and respond to security incidents in a timely manner in accordance with NetSpring’s standard operating procedure. NetSpring’s security group will escalate and engage response teams as may be necessary to address a security incident.
Breach Notification – NetSpring will report to Customer any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a “Breach”) without undue delay following the determination by NetSpring that a Breach has occurred.
Report – The initial report will be made to Customer security contact(s) designated by Customer to NetSpring (or if no such contact(s) are designated, then to the primary Technical Contact designated by Customer). As information is collected or otherwise becomes available, NetSpring shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow the Customer to notify relevant parties, including affected individuals, government agencies, and data protection authorities, in accordance with all applicable data protection and privacy laws regulating the processing of Personal Data, including where applicable, Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (the General Data Protection Regulation, or GDPR), and repealing Directive 95/46/EC. As used herein, “Personal Data” means any information relating to an identified or identifiable natural person uploaded to the NetSpring Cloud as Customer Data by or for Customer or Customer’s agents, employees, or contractors; and “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The report will include the name and contact information of the NetSpring contact from whom additional information may be obtained. NetSpring shall inform the Customer of the measures that NetSpring will adopt to mitigate the cause of the Breach and to prevent future Breaches.
Customer Obligations – Customers will cooperate with NetSpring by providing any information that is reasonably requested by NetSpring to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. The Customer is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted data subjects (identified or identifiable natural persons) and for providing such notice.
By a Third Party – NetSpring contracts with third-party vendors to perform a penetration test on the NetSpring application code at least four times per year to identify risks and remediation options that help increase security. NetSpring shall make executive summary reports from the penetration testing available to Customer on demand.
By Customer – The Customer shall not perform a penetration test on the NetSpring Cloud without NetSpring’s express written authorization.
NetSpring has established an information security risk management program aligned with industry standards such as the ISO 31000-series and NIST SP 800-37 risk management frameworks and the ISO 27000-series and NIST SP 800-53 information security control frameworks.
Risk Assessment – NetSpring performs ongoing risk identification and risk assessments of its people, processes, data, and technologies to identify confidentiality, availability, and/or integrity risks; their operational, business interruption, financial, reputational, legal, and/or regulatory impacts; and the likelihood of their occurrence.
Risk Lifecycle – Risks identified throughout the risk management process are documented and tracked, from identification to remediation. NetSpring categorizes and prioritizes risks by asset class. All risks require identification of a risk owner and validation of the risk, calibration to the organizational risk model, and a documented plan for remediation.
Governance – NetSpring’s Head of Security reports regularly to NetSpring’s executive leadership on the risks identified by NetSpring’s information security risk management program. This information is funneled to the NetSpring Board of Directors as part of NetSpring’s overarching risk management program.
NetSpring follows a risk-based methodology leveraging relevant industry standards, such as CVSS, to prioritize security issues based on their impact severity and the likelihood of exploitation. NetSpring aims to release patches or remediate an issue in a reasonable period of time commensurate with the risk assessment results. Generally, higher-impact issues will be prioritized and fixed sooner than lower-impact issues. However, the exact amount of time required to fix a vulnerability is unique to each finding. It depends on a set of factors, including the complexity of the issue, the number of components impacted, and any third-party dependencies.
Responsible Disclosure – NetSpring follows a responsible disclosure model for reporting vulnerabilities in the Software and infrastructure. Reporters may submit any issues or concerns to [email protected].
Product Vulnerabilities – NetSpring intends to discover and remediate vulnerabilities in its Software before release. To accomplish this, NetSpring utilizes industry-standard techniques as part of its software development life cycle. Such methods include peer code review before merging, malware scans of build artifacts, and scans of third-party libraries and dependencies for known vulnerabilities against the NIST National Vulnerability Database (https://nvd.nist.gov).
Infrastructure Vulnerabilities – NetSpring’s vulnerability management program is designed to detect vulnerabilities at all layers of the Information Systems using industry standard tools and to track identified vulnerabilities until remediation. NetSpring subscribes to notification channels for its vendors as well as industry feeds for vulnerabilities.
Customer Notification – Once a fix is available, NetSpring provides notification to affected customers based on the risk of the vulnerability. Depending on the severity, notifications to customers may be issued through multiple channels, including email or product release notes.
Third-Party Assessments – NetSpring regularly engages qualified third parties to perform independent assessments of NetSpring’s products and infrastructure.
NetSpring procures appropriate confidentiality and security commitments from the vendors and third parties it engages to support its business.
Vendor and Third-Party Due Diligence – Before engaging with any third party that accesses the Information Systems or processes Customer Data, NetSpring performs appropriate due diligence to ensure that the third party’s information security program is reasonable and consistent with NetSpring’s obligations, the scope of the engagement, and the types of data under the control of or accessible to the third party.
Contractual Controls – NetSpring requires appropriate contracts to be in place before engaging any third party that accesses the Information Systems, processes Customer Data, or otherwise supports the delivery of NetSpring’s Software or Services. Such contracts include provisions appropriate to the engagement of the relevant third party, including confidentiality, security, privacy, SLAs, and quality control provisions.
Subprocessors – NetSpring engages third-party service providers and subprocessors to support the availability of its products and related services and its data processing activities. NetSpring maintains information about subprocessors at https://www.netspring.io/legal/subprocessors/.
Product Capabilities – The NetSpring Cloud allows Customer to (a) authenticate users before they access the Customer’s instance; (b) integrate with SAML solutions; (c) allow users to manage passwords; (d) prevent access by users with an inactive account; and (e) select fields for exclusion from indexing. The Customer is solely responsible for managing each user’s access to and use of the NetSpring Cloud by assigning to each user a credential and role that controls the level of access to the NetSpring Cloud. Customer is solely responsible for: (i) its decision to index Customer Data containing sensitive data, including any information relating to a natural person governed by data protection laws, and NetSpring will have no liability to the extent that damages would have been mitigated by the Customer’s decision not to index such Customer Data; (ii) protecting the confidentiality of each user’s login and password, managing roles and rights, maintaining a separate user login for each individual person, and granting each user access to the NetSpring Cloud; and (iii) reviewing NetSpring’s Security Program and making an independent determination as to whether it meets Customer’s requirements, taking into account the type and sensitivity of Customer Data that Customer processes within the NetSpring Cloud.
Security Contact – In accordance with this Guide, the Customer agrees to identify and maintain appropriate security contact(s) for all information security incidents and information security-related communication within the Support Portal.
Limitations – Notwithstanding anything to the contrary in this Guide or other parts of the Agreement, NetSpring’s obligations herein are only applicable to the NetSpring Cloud. This Guide does not apply to (a) information shared with NetSpring that is not Customer Data; (b) data in Customer’s VPN or a third-party network; and (c) any data processed by Customer or its users in violation of the Agreement or this Guide.