Data Importer maintains and enforces various policies, standards and processes designed to secure personal data submitted by Data Exporter to the Services (hereinafter “Personal Data”) to which Data Importer employees are provided access, and updates such policies, standards and processes from time to time consistent with industry standards. Following is a description of some of the core technical and organizational security measures implemented by Data Importer as of the date of signature:


    1.1 Data Importer shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Data Importer, if any, comply with all of the foregoing. Data Importer shall designate an individual to be responsible for the information security program. Such individual shall respond to Data Exporter reasonable inquiries regarding computer security and to be responsible for notifying Data Exporter-designated contact(s) if a breach or an incident occurs, as further described herein.

    1.2 Data Importer shall conduct formal privacy and security awareness training for all personnel and required contractors as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Data Importer, confirming that this training and subsequent annual recertification process have been completed.

    1.3 In the event of any actual theft, unauthorized use or disclosure of any Personal Data, Data Importer shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof. Within 3 business day following confirmation of any such event, provide Data Exporter notice thereof, and such further information and assistance as may be reasonably requested. Upon Data Exporter request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Data Exporter.

    1.4 Data Importer shall not transmit any unencrypted Personal Data over the internet or any unsecured network, and shall not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Data Importer shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.

    All Personal data in transit between the Services and Data Exporter’s interface is encrypted using TLS 1.2 or better. Personal Data is also encrypted at rest.


    2.1 All Data Importer connectivity to Data Exporter computing systems and/or networks and all attempts at same shall be only through Data Exporter’s security gateways/firewalls and only through Data Exporter-approved security procedures.

    2.2 Data Importer shall maintain technical and organizational measures for data protection including: (i) firewalls and threat detections systems to identify malicious connection attempts, to block spam, viruses and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; and (iii) encrypted data in transit over public networks using industry standard protocols.


    3.1 Disposal of Personal Data on paper shall be done in a secure manner, to include shredders or secure shredding bins within Data Importer space from which Personal Data is handled or accessed (“Data Exporter Work Area”). Shredding must take place within the Data Exporter Work Area before disposal or transit outside of the Data Exporter Work Area or be performed offsite by a reputable third party under contract with Data Importer.

    3.2 Erasure of Information and Destruction of Electronic Storage Media. All electronic storage media containing Personal Data must be wiped or degaussed for physical destruction or disposal, in a manner meeting forensic industry standards such as the NIST SP800-88 Guidelines for Media Sanitization, prior to departing Data Exporter Work Area(s), with the exception of encrypted Personal Data residing on portable media for the express purpose of providing service to the Data Exporter. Data Importer shall maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure level resources. This evidence must be available for review at the request of Data Exporter.

    3.3 Data Importer shall maintain authorization and authentication technologies and processes to ensure that only authorized persons access Personal Data, including: (i) granting access rights on the basis of the need-to-know-principle; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length and duration requirements; (iv) storing passwords in a manner that makes them undecipherable if used incorrectly or recovered in isolation; (v) encrypting, logging and auditing all access sessions to systems containing Personal Data; and (vi) instructing employees on safe administration methods when computers may be unattended such as use of password protected screen savers and session time limits.

    3.4 Data Importer shall maintain logical controls to segregate Personal Data from other data, including the data of other customers.

    3.5 Data Importer shall maintain measures to provide for separate processing of Personal Data for different purposes including: (i) provisioning Data Exporter within its own application-level security domain, which creates logical separation and isolation of security principles between customers; and (ii) isolating test or development environments from live or production environments.


    4.1 Technical and organizational measures to control access to Data Importer’s premises and facilities are in place and include: (i) staffed reception desks or security officers to restrict access to identified, authorized individuals; (ii) visitor screening on arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic door locking systems with access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital camera coverage, motion detecting alarm systems and detailed surveillance and audit logs; (v) intruder alarms present on all external emergency doors with one-way internal exit doors; and (vi) segregation of shipping and receiving areas with equipment checks upon arrival.


    During the performance of Services under the Agreement, Data Importer shall engage, at its own expense and at least one time per year, a third-party vendor (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Data Importer’s systems containing and/or storing Personal Data.

    The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Data Importer systems containing and/or storing Personal Data, which could expose Data Exporter’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Data Importer systems containing and/or storing Personal Data that could be exploited by a malicious party.

    Security Tests shall identify, at a minimum, the following security vulnerabilities: invalidated or un- sanitized input; broken or excessive access controls; broken authentication and session management; cross- site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of TLS; proper use of encryption; and anti-virus reliability and testing.

    Within a reasonable period after the Security Test has been performed, Data Importer shall, upon Data Exporter’s request, notify Data Exporter in writing of any critical security issues that were revealed during such Security Test which have not been remediated. To the extent that critical security issues were revealed during a particular Security Test, Data Importer shall subsequently engage, at its own expense, the Testing Company to perform an additional Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Data Exporter through a screenshare upon request.


    Data Importer, and all subcontracted entities (as appropriate) shall conduct at least annually an SSAE 18 (or higher) audit covering all systems and/or facilities utilized to provide the Service to the Data Exporter, and will furnish to Data Exporter the results thereof promptly following Data Exporter’s written request. If, after reviewing such audit results, Data Exporter reasonably determines that security issues exist relating to the Service, Data Exporter will notify Data Importer, in writing, and Data Importer will promptly discuss and where commercially feasible, address the identified issues. Any remaining issues shall be documented, tracked and addressed at such time as agreed upon by both Data Importer and the Data Exporter.


    Data Importer will maintain an appropriate Business Continuity Program and IT Disaster Recovery/ Technical Resiliency Program(s) which are regularly reviewed or tested, and which meet or exceed industry best practices.


    During the term of Customer's Agreement with Xactly, Xactly may delete or otherwise destroy Customer Data that has been stored in the Service for more than seven (7) years on a rolling basis. Once deleted as set forth in the preceding sentence, Customer Data cannot be restored. It is otherwise Customer’s responsibility to back-up Customer Data.



Revised March 24, 2022