Information Security Addendum
Last modified on March 28, 2025
This Information Security Addendum (the “Addendum”) sets forth the technical and organizational measures for the protection of Content processed by the HyperDX Service (if applicable) or data (if any) provided by Customer to DeploySentinel in connection with the delivery of Support Services (if applicable) (collectively “Customer Information”). Capitalized terms not defined in this Addendum shall have the meanings set forth in the applicable agreement between Customer and DeploySentinel for the delivery of the HyperDX Service and/or Support Services (the “Agreement”).
DeploySentinel shall maintain an information security program that is designed to protect the security, confidentiality, and integrity of Customer Information (the "DeploySentinel Information Security Program"). The DeploySentinel Information Security Program will be implemented on an organization-wide basis. The DeploySentinel Information Security Program will be designed to ensure DeploySentinel’s compliance with data protection laws and regulations applicable to DeploySentinel’s performance under the applicable Agreement (including any Data Processing Addendum), and shall include the safeguards set forth below (the “DeploySentinel Information Security Controls”).
SHARED RESPONSIBILITY
- Shared Responsibility Model. For the HyperDX Service, DeploySentinel maintains specific security responsibilities, while customers are responsible for managing their data and access. Further delineation is described throughout this Addendum.
CONTENT STORAGE LOCATION
- Content Storage Location. DeploySentinel will make the HyperDX Service available for customers to upload their Content, in cloud providers and regions that are chosen and managed by DeploySentinel.
ORGANIZATIONAL CONTROLS
- Governance. DeploySentinel assigns to an individual or a group of individuals appropriate roles for developing, coordinating, implementing, and managing DeploySentinel’s administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Customer Information.
- Security Personnel. DeploySentinel uses data security personnel that are sufficiently trained, qualified, and experienced to be able to fulfill their information security-related functions.
- Information Security Policies. DeploySentinel creates information security policies, approved by management, published and acknowledged by all employees.
- Information Security Policy Review. DeploySentinel reviews and updates policies at planned intervals to maintain their continuing suitability, adequacy, and effectiveness.
- Data Classification. DeploySentinel maintains a data classification standard based on sensitivity.
- Data Retention and Destruction. DeploySentinel maintains policies establishing data retention and secure destruction requirements.
- Asset Ownership. DeploySentinel implements procedures to clearly identify assets and assign ownership of those assets.
- Compliance. DeploySentinel establishes procedures designed to ensure all applicable statutory, regulatory, and contractual requirements are adhered to across the organization.
PEOPLE CONTROLS
- Information Security Policy Acknowledgement. DeploySentinel creates information security policies, approved by management, published and acknowledged by all employees.
- Information Security Awareness Training. DeploySentinel requires all employees to undergo security awareness training on an annual basis.
- Personnel Agreements. DeploySentinel requires personnel to sign confidentiality agreements and acknowledge DeploySentinel’s information security policy, which includes acknowledging responsibilities for reporting security incidents involving Customer Information.
PHYSICAL SECURITY
- Cloud Service Providers. For the HyperDX Service, DeploySentinel uses Hosting Service Providers that have:
  - Physical Security. Implemented controls designed to restrict unauthorized physical access to areas containing equipment used to provide the HyperDX Service.
  - Environmental Security. Maintain equipment used to host the HyperDX Service in physical locations that are designed to be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heating or cooling, and power failures or outages.
TECHNOLOGICAL CONTROLS
- Logical Access Control. DeploySentinel maintains technical, logical, and administrative controls designed to limit access to Customer Information. Unique usernames and passwords are required for authentication.
- Privileged Access Restriction. DeploySentinel restricts privileged access to the Content to authorized users with a business need.
- Access Revocation. DeploySentinel maintains policies requiring termination of access to Customer Information within 24 hours of employee termination.
- Multi-Factor Authentication. DeploySentinel implements access controls designed to authenticate users and limit access to Customer Information, including multi-factor authentication.
- Cryptographic Key Management. DeploySentinel implements encryption key management procedures.
- Encryption in Transit. DeploySentinel encrypts Customer Information in transit using a minimum of SSL with SHA 256 or TLS 1.2 with strong ciphers.
- Encryption at Rest. DeploySentinel encrypts Customer Information at rest using a minimum of AES-256 with strong ciphers.
- Encryption Key Rotation. DeploySentinel utilizes Hosting Service Provider managed keys that are rotated at least annually.
- Vulnerability Testing. DeploySentinel performs periodic network, infrastructure, and application vulnerability testing.
- Penetration Testing. DeploySentinel performs network and application penetration testing at least annually.
- Technical Vulnerability Management. DeploySentinel implements procedures to document and address vulnerabilities discovered during vulnerability and penetration tests.
- Workstation Security. DeploySentinel centrally manages workstations via endpoint security solutions for deployment and management of end-point protections.
- Local Separation of Customer Environments. Customer environments are logically separated.
- Change Management. DeploySentinel assigns responsibility for security, changes and maintenance for all information systems processing Customer Information.
- Change Authorization. For the HyperDX Service, DeploySentinel tests, evaluates and authorizes major information system components prior to implementation.
- Secure Development. DeploySentinel maintains and follows a secure development lifecycle for the development of the software that is hosted and made available via the HyperDX Service.
- System Monitoring. DeploySentinel monitors the access, availability, capacity and performance of the HyperDX Service and Support Services systems, and related system logs and network traffic using various monitoring software and services.
- Security Incident Response Procedures. DeploySentinel maintains incident response procedures for identifying, reporting, and acting on Security Breaches.
- Security Incident Reporting. If DeploySentinel becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Information, DeploySentinel shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 48 hours after becoming aware and in accordance with Section 7 of the Data Processing Addendum.
- Security Incident Response Tabletop. DeploySentinel exercises the incident response process on a periodic basis.
- Security Incident Response Improvement. DeploySentinel implements plans to address gaps discovered during incident response exercises.
- Incident Response Team. DeploySentinel establishes a cross-disciplinary security incident response team.