Technical and Organisational Measures

Description of the technical and organisational security measures implemented by data importer:

Data Importer maintains and enforces various policies, standards and processes designed to secure personal data and other data to which Data Importer employees are provided access, and updates such policies, standards and processes from time to time consistent with industry standards. Following is a description of some of the core technical and organisational security measures implemented by Data Importer as of the date of signature:

1. General Security Procedures

1.1 Data Importer shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and (v) ensure that all employees and subcontractors of Data Importer, if any, comply with all of the foregoing. Data Importer shall designate an individual to be responsible for the information security program. Such individual shall respond to Data Exporter inquiries regarding computer security and shall be responsible for notifying Data Exporter-designated contact(s) if a breach or an incident occurs, as further described herein.

1.2 Data Importer shall conduct formal privacy and security awareness training for all personnel and contractors as soon as reasonably practicable after the time of hiring and/or prior to their being appointed to work on Personal Data, with annual recertification thereafter. Documentation of security awareness training shall be retained by Data Importer, confirming that this training and the subsequent annual recertification process have been completed.

1.3 Data Exporter shall have the right to review an overview of Data Importer’s information security program prior to the commencement of Service and annually thereafter upon Data Exporter request.

1.4 In the event of any apparent or actual theft, unauthorized use or disclosure of any Personal Data, Data Importer shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within one (1) business day following confirmation of any such event, provide Data Exporter notice thereof, and such further information and assistance as may be reasonably requested. Upon Data Exporter request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Data Exporter.

1.5 Data Importer shall not transmit any unencrypted Personal Data over the internet or any unsecured network, and shall not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Data Importer shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.

2. Network and Communications Security

2.1 All Data Importer connectivity to Data Exporter computing systems and/or networks, and all attempts at same, shall be only through Data Exporter’s security gateways/firewalls and only through Data Exporter-approved security procedures.

2.2 Data Importer shall not access, and will not permit unauthorized persons or entities to access, Data Exporter computing systems and/or networks without Data Exporter’s express written authorization, and any such actual or attempted access shall be consistent with any such authorization.

2.3 Data Importer shall take appropriate measures to ensure that Data Importer’s systems connecting to Data Exporter’s systems, and anything provided to Data Exporter through such systems, do not contain any computer code, programs, mechanisms or programming devices designed to, or that would enable, the disruption, modification, deletion, damage, deactivation, disabling or harm of, or that would otherwise be an impediment, in any manner, to the operation of Data Exporter’s systems.

2.4 Data Importer shall maintain technical and organisational measures for data protection including: (i) firewalls and threat detection systems to identify malicious connection attempts and to block spam, viruses and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; and (iii) encryption of data in transit over public networks using industry standard protocols.

3. Personal Data Handling Procedures

3.1 Disposal of Personal Data on paper shall be done in a secure manner, using shredders or secure shredding bins within the Data Importer space from which Personal Data is handled or accessed (“Data Exporter Work Area”). Shredding must take place within the Data Exporter Work Area before disposal or transit outside of the Data Exporter Work Area, or be performed offsite by a reputable third party under contract with Data Importer.

3.2 Erasure of Information and Destruction of Electronic Storage Media. All electronic storage media containing Personal Data must be wiped or degaussed for physical destruction or disposal, in a manner meeting forensic industry standards such as the NIST SP 800-88 Guidelines for Media Sanitization, prior to departing Data Exporter Work Area(s), with the exception of encrypted Personal Data residing on portable media for the express purpose of providing service to the Data Exporter. Data Importer shall maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure-level resources. This evidence must be available for review at the request of Data Exporter.

3.3 Data Importer shall maintain authorization and authentication technologies and processes to ensure that only authorized persons access Personal Data, including: (i) granting access rights on the basis of the need-to-know principle; (ii) reviewing and maintaining records of employees who have been authorized, or who can grant, alter or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length and duration requirements; (iv) storing passwords in a manner that makes them undecipherable if used incorrectly or recovered in isolation; (v) encrypting, logging and auditing all access sessions to systems containing Personal Data; and (vi) instructing employees on safe administration methods for when computers may be unattended, such as the use of password-protected screen savers and session time limits.

3.4 Data Importer shall maintain logical controls to segregate Personal Data from other data, including the data of other customers.

3.5 Data Importer shall maintain measures to provide for separate processing of data for different purposes including: (i) provisioning Data Exporter within its own application-level security domain, which creates logical separation and isolation of security principals between customers; and (ii) isolating test or development environments from live or production environments.

4. Physical Security

4.1 Xactly Incent Enterprise, Xactly Objectives, Xactly Insights. The terms set forth in 4.1A, 4.1B, and 4.1C are applicable solely to the Xactly Incent Enterprise, Xactly Objectives and Xactly Insights product offerings:

A. All backup and archival media containing Personal Data must be contained in secure, environmentally-controlled storage areas owned, operated, or contracted for by Data Importer. All backup and archival media containing Personal Data must be encrypted.

B. Technical and organisational measures to control access to data center premises and facilities are in place and include: (i) staffed reception desks or security officers to restrict access to identified, authorized individuals; (ii) visitor screening on arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic door locking systems with access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital camera coverage, motion detecting alarm systems and detailed surveillance and audit logs; (v) intruder alarms present on all external emergency doors with one-way internal exit doors; and (vi) segregation of shipping and receiving areas with equipment checks upon arrival.

C. Data Importer shall maintain measures to protect against accidental destruction or loss of Personal Data including: (i) fire detection and suppression, including a multi-zoned, dry-pipe, double-interlock, pre-action fire suppression system and a Very Early Smoke Detection and Alarm (VESDA) system; (ii) redundant on-site electricity generators with an adequate supply of generator fuel and contracts with multiple fuel providers; (iii) heating, ventilation, and air conditioning (HVAC) systems that provide stable airflow, temperature and humidity, with minimum N+1 redundancy for all major equipment and N+2 redundancy for chillers and thermal energy storage; and (iv) physical systems used for the storage and transport of data utilizing fault tolerant designs with multiple levels of redundancy.

4.2 Xactly Incent Express. Customer acknowledges that the Xactly Incent Express product offering is hosted on Xactly’s subprocessor’s platform. The administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services are described in the Security, Privacy and Architecture Documentation applicable to Salesforce.com’s platform and accessible via http://help.salesforce.com or otherwise made reasonably available by Xactly.

4.3 Xactly AlignStar for SalesForce. Customer acknowledges that the Xactly AlignStar for SalesForce product offering is hosted on the Amazon Web Services and Salesforce.com platforms. The administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services are described in (a) the Security, Privacy and Architecture Documentation applicable to Salesforce.com’s platform and accessible via https://trust.salesforce.com/en/security/ or otherwise made reasonably available by Xactly and (b) the documentation applicable to Amazon Web Services and accessible via https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/ or otherwise made reasonably available by Xactly.

4.4 Xactly SimplyComp, Xactly Sales Planning. Customer acknowledges that the Xactly SimplyComp and Xactly Sales Planning product offerings are hosted on the Amazon Web Services platform. The administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services are described in the Security, Privacy and Architecture Documentation applicable to Amazon Web Services and accessible via https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/ or otherwise made reasonably available by Xactly.

4.5 Xactly Inspire. Customer acknowledges that the Xactly Inspire product offering is hosted by Saleshood. The administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services shall be made reasonably available by Xactly, upon request.

4.6 Xactly Commission Expense Accounting, Obero SPM, Xactly Advanced Quota Planning. Customer acknowledges that the Xactly Commission Expense Accounting, Obero SPM and Xactly Advanced Quota Planning product offerings are hosted on the Microsoft Azure platform. The administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services are described in the Security, Privacy and Architecture Documentation applicable to Microsoft Azure and accessible via https://www.microsoft.com/en-us/trustcenter or otherwise made reasonably available by Xactly.

5. Security Testing

During the performance of Services under the Agreement, Data Importer shall engage, at its own expense and at least one time per year, a third party vendor (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Data Importer’s systems containing and/or storing Personal Data. The foregoing shall not apply to the Xactly Inspire product offering which is hosted by Saleshood.

The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Data Importer systems containing and/or storing Personal Data, which could expose Data Exporter’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Data Importer systems containing and/or storing Personal Data that could be exploited by a malicious party.

Security Tests shall identify, at a minimum, the following security vulnerabilities: unvalidated or unsanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing.

Within a reasonable period after the Security Test has been performed, Data Importer shall notify Data Exporter in writing of any critical security issues that were revealed during such Security Test which have not been remediated. To the extent that critical security issues were revealed during a particular Security Test, Data Importer shall subsequently engage, at its own expense, the Testing Company to perform an additional Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Data Exporter upon request.

6. Security Audit

Data Importer and all subcontracted entities (as appropriate) shall conduct at least annually an SSAE 18 (or higher) audit covering all systems and/or facilities utilized to provide the Service (excluding any Service related to Xactly Inspire) to the Data Exporter, and will furnish to Data Exporter the results thereof promptly following Data Exporter’s written request. If, after reviewing such audit results, Data Exporter reasonably determines that security issues exist relating to the Service, Data Exporter will notify Data Importer in writing, and Data Importer will promptly discuss and, where commercially feasible, address the identified issues. Any remaining issues shall be documented, tracked and addressed at such time as agreed upon by both Data Importer and the Data Exporter.