STANDARD DATA SAFEGUARDS:

1. Organization of Information Security


1. Security Ownership. Avanade will appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures.


2. Security Roles and Responsibilities. Avanade’s personnel with access to Client Data will be subject to confidentiality obligations.


3. Risk Management Program. Avanade will have a risk management program in place to identify, assess and take appropriate actions with respect to risks related to the processing of the Client Data in connection with the applicable agreement between the Parties.


2. Asset Management


1. Asset Inventory. Avanade will maintain an asset inventory of its infrastructure, network, applications and cloud environments. Avanade will also maintain an inventory of its media on which Client Data is stored. Access to the inventories of such media will be restricted to personnel authorized in writing to have such access.


2. Data Handling. Avanade will
1. Classify Client Data to help identify such data and to allow for access to it to be appropriately restricted.
2. Limit printing of Client Data from its systems to what is minimally necessary to perform services and have procedures for disposing of printed materials that contain Client Data.
3. Require its personnel to obtain appropriate authorization prior to storing Client Data outside of contractually approved locations and systems, remotely accessing Client Data, or processing Client Data outside the Parties’ facilities.


3. Human Resources Security


1. Security Training. Avanade will
1. Inform its personnel about relevant security procedures and their respective roles.
2. Inform its personnel of possible consequences of breaching the security rules and procedures.
3. Only use anonymous data in its training environments.


4. Physical and Environmental Security


1. Physical Access to Facilities. Avanade will implement and maintain procedures to limit authorized access to its facilities where information systems that process Client Data are located.


2. Physical Access to Components. Avanade will maintain records of the incoming and outgoing media containing Client Data, including the kind of media, the authorized sender/recipients, date and time, the number of media, and the types of Client Data they contain.


3. Component Disposal. Avanade will use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) processes to delete Client Data when it is no longer needed.


5. Communications and Operations Management


1. Operational Policy. Avanade will maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Client Data.


2. Mobile Device Management (MDM)/Mobile Application Management (MAM). Avanade will maintain a policy for its mobile devices that:
1. Enforces device encryption.
2. Prohibit use of blacklisted apps.
3. Prohibits enrollment of mobile devices that have been “jail broken.”


3. Data Recovery Procedures. Avanade will
1. Have specific data recovery procedures with respect to its systems in place designed to enable the recovery of Client Data being maintained in its systems.
2. Review its data recovery procedures at least annually.
3. Log data restoration efforts with respect to its systems, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.


4. Malicious Software. Avanade will have anti-malware controls to help avoid malicious software gaining unauthorized access to Client Data, including malicious software originating from public networks.


5. Data Beyond Boundaries. Avanade will
1. Encrypt Client Data that it transmits over public networks.
2. Protect Client Data in media leaving its facilities (e.g., through encryption).
3. Implement automated tools where practicable to reduce the risks of misdirected email, letters, and / or faxes from its systems.


6. Event Logging.
1. For its systems containing Client Data, Avanade will log events consistent with its stated policies or standards.


6. Access Control


1. Access Policy. Avanade will maintain a record of security privileges of individuals having access to Client Data via its systems.


2. Access Authorization. Avanade will
1. Maintain and update a record of personnel authorized to access Client Data via its systems.
2. When responsible for access provisioning, promptly provision authentication credentials.
3. Deactivate authentication credentials where such credentials have not been used for a period of time (such period of non-use not to exceed 90 days).
4. Deactivate authentication credentials upon notification that access is no longer needed (e.g. employee termination, project reassignment, etc.) within two business days.
5. Identify those personnel who may grant, alter or cancel authorized access to data and resources.
6. Ensure that where more than one individual has access to its systems containing Client Data, the individuals have unique identifiers/log-ins (i.e., no shared ids).


3. Least Privilege. Avanade will
1. Only permit its technical support personnel to have access to Client Data when needed
2. Maintain controls that enable emergency access to productions systems via firefighter ids, temporary ids or ids managed by a Privileged Access Management (PAM) solution.
3. Restrict access to Client Data in its systems to only those individuals who require such access to perform their job function.
4. Limit access to Client Data in its systems to only that data minimally necessary to perform the services.
5. Support segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest (e.g., developer/ reviewer, developer/tester).


4. Integrity and Confidentiality. Avanade will instruct its personnel to disable administrative sessions when leaving premises or when computers are otherwise left unattended.


5. Authentication. Avanade will
1. Use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) practices to identify and authenticate users who attempt to access its information systems.
2. Where authentication mechanisms are based on passwords, require that the passwords are renewed regularly.
3. Where authentication mechanisms are based on passwords, require the password to contain at least eight characters and three of the following four types of characters: numeric (0-9), lowercase (a-z), uppercase (A-Z), special (e.g., !, *, &, etc.).
4. Ensure that de-activated or expired identifiers are not granted to other individuals.
5. Monitor repeated attempts to gain access to its information systems using an invalid password.
6. Maintain industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
7. Use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, as well as during storage.


6. Multi Factor Authentication. Avanade will implement Multi-Factor Authentication for internal access and remote access over virtual private network (VPN) to its systems.


7. Penetration Testing and Vulnerability Scanning of Avanade Systems.


1. At least annually, Avanade will perform penetration and vulnerability assessments on Avanade’s IT environments in accordance with Avanade’s internal security policies and standard practices.


2. Avanade agrees to share with Client summary level information related to such tests as conducted by Avanade to the extent applicable to the Services.


3. For clarity, as it relates to such penetration and vulnerability testing, Client will not be entitled to (i) data or information of other customers or clients of Avanade; (ii) test third party IT environments except to the extent Avanade has the right to allow such testing; (iii) any access to or testing of shared service infrastructure or environments, or (iv) any other Confidential Information of Avanade that is not directly relevant to such tests and the Services.


4. For any Avanade IT systems that are physically dedicated to Client, the Parties may agree to separate, written testing plans and such testing will not to exceed two tests per year.


8. Network and Application Design and Management. Avanade will


1. Have controls to avoid individuals gaining unauthorized access to Client Data in its systems.


2. Use email-based data loss prevention to monitor or restrict movement of sensitive data.


3. Use network-based web filtering to prevent access to unauthorized sites.


4. Use firefighter IDs or temporary user IDs for production access.


5. Use network intrusion detection and / or prevention in its systems.


6. Use secure coding standards.


7. Scan for and remediate OWASP vulnerabilities in its systems.


8. To the extent technically possible, expect that the Parties will work together to limit the ability of Avanade personnel to access non-Client and non-Avanade environments from the Client systems.


9. Maintain up to date server, network, infrastructure, application and cloud security configuration standards.


10. Scan its environments to ensure identified configuration vulnerabilities have been remediated.


9. Patch Management


1. Avanade will have a patch management procedure that deploys security patches for its systems used to process Client Data that includes:
1. Defined time allowed to implement patches (not to exceed 90 days for high or medium patches as defined by Avanade’s standard); and
2. Established process to handle emergency or critical patches as soon as practicable.


10. Workstations


1. Avanade will implement controls for workstations it provides that are used in connection with service delivery/receipt incorporating the following:
1. Software agent that manages overall compliance of workstation and reports at a minimum on a weekly basis to a central server
2. Encrypted hard drive
3. Patching process so that workstations are patched within the documented patching schedule
4. Ability to prevent blacklisted software from being installed
5. Antivirus with a minimum weekly scan
6. Firewalls installed


11. Information Security Breach Management


1. Security Breach Response Process. Avanade will maintain a record of its own security breaches in its systems with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the process for recovering data.


2. Service Monitoring. Avanade’s security personnel will review their own logs as part of their security breach response process to propose remediation efforts if necessary.


12. Business Continuity Management


1. Avanade will have processes and programs that are aligned to ISO 22301 to enable recovery from events that impact its ability to perform in accordance with the Agreement.

SUPPLEMENTARY MEASURES. In addition, in accordance with regulatory guidance following the European Court of Justice “Schrems II” decision, Avanade further commits to maintaining the following additional technical, organizational and legal/contractual measures with respect to Client Data, including personal data.

Technical Supplementary Measures:

1. The Client Data in transit between Avanade entities will be strongly encrypted with encryption that:
1. is state of the art,
2. secures the confidentiality for the required time period,
3. is implemented by properly maintained software,
4. is robust and provides protection against active and passive attacks by public authorities, including crypto analysis, and
5. does not contain back doors in hardware or software, unless otherwise agreed with the applicable Client.


2. The Client Data at rest and stored by any Avanade entities will be strongly encrypted with encryption that:
1. is state of the art,
2. secures the confidentiality for the required time period,
3. is implemented by properly maintained software,
4. is robust and provides protection against active and passive attacks by public authorities, including crypto analysis, and
5. does not contain back doors in hardware or software, unless otherwise agreed with the applicable Client.

Organizational Supplementary Measures:

1. The Client Data transfer between Avanade entities and the processing by any Avanade entities will be in accordance with:
1. Avanade’s internal policies and procedures to manage requests from public authorities to access personal data,
2. Avanade’s internal data access and confidentiality policies and procedures,
3. Avanade’s internal data minimization policies and procedures, and
4. Avanade’s internal data security and data privacy policies and procedures.


2. Avanade will maintain a documented log of requests for access to personal data received from public authorities and the response provided, along with the legal reasoning and the involved parties.


3. Avanade will regularly provide reports of public authority requests for personal data, if any, to Avanade’s Chief Compliance Officer.

Legal/Contractual Supplementary Measures:

1. Avanade will maintain regularly updated assessment reports with respect to the surveillance laws and privacy practices for the countries in which Avanade processes Client Data where such country is not formally recognized as providing a lever of protection essentially similar to EU countries and will provide copies of applicable reports to clients upon request.


2. The Avanade entity/s processing Client Data certify that, unless otherwise agreed with the applicable Client, (a) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data (b) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (c) to the best of Avanade’s knowledge, applicable national law or government policy does not require the Avanade entity to create or maintain back doors or to facilitate access to personal data or systems or for the Avanade entity to be in possession or to hand over the encryption key without a legally valid order and following an appropriate legal review.


3. To the extent permitted under applicable law the Avanade entity/s processing Client Data will inform the client of Government Requests relating to Personal Data that Avanade is processing on behalf of the client. If, under applicable law, Avanade is not permitted to inform the client of a Government Request, Avanade will take reasonable steps to either (i) obtain administrative or judicial leave to inform the client at the earliest possible time or (ii) request that the respective Government Authority directly informs the client. In any event, Avanade will take reasonable steps before the courts or in administrative proceedings to challenge Government Requests it deems unlawful.


4. Avanade will advise the applicable client of any change in applicable law that would affect Avanade’s ability to comply with the data transfer mechanism relied on.


5. The Avanade entity/s processing Client Data will allow the applicable client to verify if its personal data was disclosed to public authorities via agreed audit procedures as set out in the applicable client agreement.


6. The Avanade entity/s processing Client Data will not engage in any onward transfer of Client Data, or suspend ongoing transfers, without the client’s approval as required in the applicable client agreement or as otherwise required by law.


7. Nothing herein shall prejudice the rights of the data subject to recover damages from Avanade to the extent permitted by applicable law in the event Avanade discloses Client Data transferred in violation of its commitments contained under the chosen transfer tool.