Security Exhibits

Service Security Exhibit

1. Security Policy Overview.

1.1. Ping Identity’s Commitment to Security. Ping Identity is committed to achieving and preserving the trust of our Customers by providing a comprehensive security program that carefully considers data protection matters across our suite of products and services, including any Customer Data submitted by Customers to the Service.

1.2. Covered Services. This documentation describes the certifications held by Ping Identity, and the administrative, technical, and physical controls applicable to the Service. This exhibit does not apply to free trial services and beta versions made available by Ping Identity.

1.3. Ping Identity may update or modify these security practices from time to time provided such updates and modifications will not result in a material degradation of the overall security of the Service.

2. Default Security Controls and Information Security Management Program.

2.1. Default Security Controls. The Service includes a variety of configurable security controls that allow Ping Identity Customers to tailor the security of the Service for their own use. Ping Identity personnel will not set a defined password for a user. Each Customer’s users are provided with a token that they can use to set their own password in accordance with the applicable Customer’s password policy. Ping Identity strongly encourages all customers, where applicable in their configuration of the Service’s security settings, to use the multi-factor authentication features made available by Ping Identity.

2.2. Information Security Management Program. Ping Identity maintains a comprehensive Information Security Management System (“ISMS”) that contains administrative, technical, and physical safeguards that are appropriate to (i) the size, scope and type of Ping Identity’s business; (ii) the amount of resources available to Ping Identity; (iii) the type of information that Ping Identity will store and process; and (iv) the need for security and protection from unauthorized disclosure of such Customer Data. The ISMS is documented and updated based on changes in legal and regulatory requirements related to privacy and data security practices and industry standards applicable to the Service and reviewed at least annually. Ping Identity’s ISMS is designed to:

(a) Protect the integrity, availability, and confidentiality of Customer Data in Ping Identity’s possession or control;

(b) Protect against reasonably anticipated threats or hazards to the integrity and availability of Customer Data, and against unauthorized disclosure of Customer Data by Ping Identity or its agents;

(c) Protect against unauthorized access, use, alteration, or destruction of Customer Data;

(d) Protect against accidental loss or destruction of, or damage to, Customer Data; and

(e) Safeguard information as set forth in any local, state or federal regulations by which Ping Identity may be regulated.

2.3. Security Standards. Ping Identity’s ISMS includes adherence to and regular testing by internal and independent external audit of the key controls, systems and procedures of its ISMS to validate that they are properly implemented and effective in addressing the threats and risks identified. Ping Identity engages an independent third party to conduct annual security testing of its controls. Ping Identity will maintain SOC 2 and ISO 27001 certifications or their equivalents during the term of the Agreement.

2.4. Policies and Standards. Ping Identity maintains policies or standards addressing the following areas which include but are not limited to: risk management, information security, acceptable use, access control, software development lifecycle, change control, vulnerability management, data classification, encryption, data retention, incident response, backup and recovery, and business continuity.

2.5. Risk Management. Ping Identity maintains a documented risk management program that includes a risk assessment at least annually approved by senior management.

2.6. Assigned Security Responsibility. Ping Identity assigns responsibility for the development, implementation, and maintenance of its ISMS, including:

(a) Designating a security executive with overall responsibility; and

(b) Defining security roles and responsibilities for individuals with security responsibilities within Ping Identity.

3. Relationship with Sub-processors. Ping Identity conducts reasonable due diligence and security assessments of sub-processors engaged by Ping Identity in the storing and/or processing of Customer Data (“Sub-processors”) and enters into agreements with Sub-processors that contain provisions similar to or more stringent than those provided for in this security documentation.

4. Disciplinary Policy and Process. Ping Identity maintains a disciplinary policy and process in the event Ping Identity personnel violate security policies.

5. Access Controls.

5.1. Access Control Policies and Procedures. Ping Identity has policies, procedures, and logical controls that are designed:

(a) To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;

(b) To prevent personnel and others who should not have access from obtaining access; and

(c) To remove access in a timely basis in the event of a change in job responsibilities or job status.

Additionally, Ping Identity institutes:

(d) Controls to ensure that only those Ping Identity personnel with an actual need-to-know will have access to any Customer Data;

(e) Controls to ensure that any access to Customer Data granted to Ping Identity personnel is based on least-privilege principles;

(f) Controls to require that user identifiers (User IDs) be unique and readily identify the Ping Identity person to whom each is assigned, and that no shared or group User IDs be used for Ping Identity personnel access to any Customer Data; and

(g) Customer User Authentication. Password and other strong authentication controls are made available to Ping Identity customers, so that Customer can configure the Service to be in compliance with NIST guidance addressing lockout, uniqueness, reset, expiration, termination after a period of inactivity, password reuse limitations, length, and the number of invalid login requests before a user is locked out. Customers are responsible for the configuration and management of the authentication requirements for their end users.

5.2. Physical and Environmental Security. Data center physical and environmental security controls are managed by approved third parties who operate tier 4 and 5 data centers.

5.3. Privileged Access by Ping Identity. If Ping Identity determines, in its reasonable discretion, that a Customer environment is impacting the availability or performance of the Services due to Customer’s misconfiguration or a security incident, Ping Identity may use restricted privileged access accounts to access the relevant Customer production environments. In the event Ping Identity needs to enter a Customer environment, Ping Identity shall use reasonable efforts to contact the Customer prior to any action being taken. Ping Identity reserves the right to effect access without Customer consent when contact attempts fail and action is required to preserve service for one or more customers. In the event of Special Access to a Customer environment, the Customer will receive a report stating: (i) when access took place; (ii) what actions were taken, including any contact with or exposure of Customer Data; and (iii) a post-event review summarizing impact on the environment and root cause analysis of the incident.

6. Data Encryption.

6.1. Encryption of Transmitted Data. Ping Identity uses industry-standard encryption methods designed to protect communications between the Service and its Users. Transmitted Customer Data is encrypted using the latest supported industry-standard cryptographic protocols, such as Transport Layer Security (“TLS”).

6.2. Encryption of At-Rest Data. Customer Data in the Service is encrypted at rest using industry standard encryption algorithms.

6.3. Encryption of Backups. All backups are encrypted. Ping Identity uses disk storage that is encrypted at rest.

6.4. Global Configuration Data: All configuration data is secured and encrypted.

6.5. Services Encryption: Where applicable, each account is configured with its own unique key, preventing assertions issued for other accounts from being processed. Audit logs track all Users who log in and which applications they access.
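The per-account key in this clause is what keeps one account's assertions from being accepted in another account's context. The Go program below is an added example written for this page, not Ping Identity code and not the Service's actual assertion format: it assumes an in-memory registry holding one Ed25519 verification key per account and a constructed JSON assertion layout (acct, sub, exp) standing in for SAML or OIDC. Account names and the subject are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the payload an account's signer produces. The "acct" field binds
// it to the issuing account (constructed layout, not a real SAML/OIDC format).
type Assertion struct {
	Account string `json:"acct"`
	Subject string `json:"sub"`
	Expires int64  `json:"exp"`
}

// ErrWrongAccount: the signature does not validate under the key of the account
// the assertion is being presented for, or the assertion names a different account.
var ErrWrongAccount = errors.New("assertion not signed with this account's key")

// Registry holds exactly one verification key per account. Because the key is
// unique per account, a signature produced for account A never validates under
// account B's key, which is the isolation property the clause above describes.
type Registry struct {
	keys map[string]ed25519.PublicKey
}

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Enroll generates a fresh key pair for an account and stores only the public half;
// the private half goes back to the account's signer and is never held by the verifier.
func (r *Registry) Enroll(account string) (ed25519.PrivateKey, error) {
	if _, exists := r.keys[account]; exists {
		return nil, errors.New("account already enrolled")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[account] = pub
	return priv, nil
}

// Sign serializes the assertion and signs the exact bytes that will later be verified.
func Sign(priv ed25519.PrivateKey, a Assertion) (msg, sig []byte, err error) {
	if msg, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Verify checks the signature only against the key registered for the account being
// processed, and only then parses the payload, which must name that same account.
// The first check rejects a foreign key; the second rejects key/issuer confusion.
func (r *Registry) Verify(account string, msg, sig []byte, now time.Time) (*Assertion, error) {
	pub, ok := r.keys[account]
	if !ok {
		return nil, errors.New("unknown account")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return nil, ErrWrongAccount
	}
	var a Assertion
	if err := json.Unmarshal(msg, &a); err != nil {
		return nil, err
	}
	if a.Account != account {
		return nil, ErrWrongAccount
	}
	if now.Unix() >= a.Expires {
		return nil, errors.New("assertion expired")
	}
	return &a, nil
}

func main() {
	reg := NewRegistry()
	privA, err := reg.Enroll("acct-A")
	if err != nil {
		panic(err)
	}
	if _, err := reg.Enroll("acct-B"); err != nil {
		panic(err)
	}
	now := time.Now()
	msg, sig, err := Sign(privA, Assertion{Account: "acct-A", Subject: "alice", Expires: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		panic(err)
	}
	_, errA := reg.Verify("acct-A", msg, sig, now)
	_, errB := reg.Verify("acct-B", msg, sig, now)
	// presented to acct-A: <nil> | presented to acct-B: assertion not signed with this account's key
	fmt.Println("presented to acct-A:", errA, "| presented to acct-B:", errB)
}
```

The verifier never searches for "any key that matches"; it looks up the one key bound to the account it is serving, so an assertion minted for another account fails closed even if that other account is also a legitimate tenant of the same Service. Parsing happens after the signature check so that no unauthenticated input is interpreted.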

6.6. Ping Identity Personnel Equipment. Personnel endpoints provisioned by Ping Identity shall have the following:

(a) Whole disk encryption

(b) Anti-malware and endpoint protection solutions

(c) Strong password enforcement

(d) Mobile device management

7. Business Continuity and Disaster Recovery. Ping Identity maintains policies and procedures for responding to an emergency or a force majeure event that could damage Customer Data or production systems that contain such Customer Data. Such procedures include:

(a) Data Backups: A policy for performing periodic backups of production file systems and databases to meet the Recovery Point Objective described below;

(b) Disaster Recovery: A disaster recovery plan for the production environment designed to minimize disruption to the Service, which includes requirements for the disaster plan to be tested on a regular basis, at least annually;

(c) RPO / RTO applies as below:

(i.) For PingOne, PingOne for Enterprise/PingID and PingOne Advanced Services:

  • Recovery Point Objective (“RPO”) is twenty-four (24) hours and Recovery Time Objective (“RTO”) is eight (8) hours;

(ii.) For PingOne Advanced Identity Cloud only:

  • RPO / RTO: Recovery Point Objective is no more than two (2) hours and Recovery Time Objective is no more than one (1) hour;

(d) Business Continuity Plan: A process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.

8. Secure Development Practices. Ping Identity adheres to the following development controls:

(a) Development Policies: Ping Identity follows secure application development policies, procedures, and standards that are aligned to industry-standard practices, such as the OWASP Top 10 and SANS Top 20 Critical Security Controls;

(b) Least Privilege: Only authorized Personnel with a specific business purpose shall be allowed access to production and development resources, and all access shall be appropriately approved;

(c) Manual Code Review: Ping Identity requires a code review and peer review for all Services;

(d) Automated testing: Ping Identity engineers are required to test each build prior to deployment to the production environment; and

(e) Training: Ping Identity provides employees responsible for secure application design, development, configuration, testing, and deployment appropriate (based on role) training regarding secure application development practices.

9. Data Integrity and Management. Ping Identity maintains policies that ensure the following:

(a) Segregation of Data: The Service includes logical controls, including encryption, to segregate Customer Data from that of other customers;

(b) Back Up/Archival: Ping Identity performs regular backups of the database(s) containing Customer Data on a periodic basis, at least daily. Backups are stored in an encrypted state.

(c) Data Centers: The Service is provided through geographically distributed, redundant, and secure data centers (see clause 5.2 above) operated by third parties. Ping Identity relies on security controls of such parties and reviews their controls to confirm adequate controls are in place and designed to protect the confidentiality, integrity and availability of the Service.

(d) All production servers are hardened, monitored, or have anti-malware protection software installed and updated periodically.

(e) Customer Data Handling. Ping Identity maintains appropriate data security controls addressing the following areas which include but are not limited to:

  • Data classification;
  • Data leakage protection;
  • Technical controls to prevent the use of removable media;
  • Secure and integrity-checked data storage and transmission at rest and in-transit; and
  • Access, usage, and capacity monitoring and control.

10. Vulnerability Management. Ping Identity maintains security measures to monitor the network, production systems, and error logs on servers. Such measures include:

(a) Infrastructure Scans: Ping Identity performs regular vulnerability scans. Vulnerabilities are remediated on a risk basis. Ping Identity installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible;

(b) Application Scans: Ping Identity performs regular (as well as after making any major feature change or architectural modification to the Service) application vulnerability scans. Vulnerabilities are remediated on a risk basis;

(c) Application Vulnerability Assessment: Ping Identity engages third parties to perform network and application vulnerability assessments, and penetration testing on at least an annual basis (“Vulnerability Assessment”). Executive reports from Ping Identity’s then-current external assessment, together with any applicable remediation plans, will be made available to customers on written request.

11. Penetration Testing.

11.1 Third Party Penetration Test: Ping Identity performs at least annual third-party penetration testing of the Services. An executive summary of the latest penetration test shall be made available upon Customer’s written request.

11.2 Customer Testing: Customers are prohibited from performing penetration, load, or performance testing against the Services without Ping Identity’s written approval. Customers may submit a written request for such testing and may be required to review applicable policy and provide written details, such as detailed test case, dates and times of testing, tester details, and other industry standard information.

11.3 PingOne Advanced Identity Cloud: Notwithstanding the above, penetration and load testing can only be performed on PingOne Advanced Identity Cloud. Customer may perform load testing that is representative of expected production volumes in the staging environment. Customer may perform penetration testing of their own environment in line with the requirements of the Ping Identity Cloud Penetration & Load Testing Policy located on the Ping Identity Customer Portal.

12. Change and Configuration Management. Ping Identity maintains policies and procedures for managing changes to production systems, applications, and databases for the Service. All changes must contain documentation and relevant rollback plans. Each change is reviewed, approved, and tested prior to Service deployment or software release.

13. Secure Deletion. Ping Identity maintains policies and procedures regarding the deletion of Customer Data in compliance with applicable NIST guidance and data protection laws, taking into account available technology so that Customer Data cannot be practicably read or reconstructed. Customer Data is deleted from data centers using secure deletion methods, including digital shredding of encryption keys and hardware destruction, in accordance with NIST SP 800-88 guidelines.
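The "digital shredding of encryption keys" half of this clause can be shown concretely. The Go code below is an added example written for this page; it is not Ping Identity code and does not describe how the Service implements deletion. It assumes envelope encryption with one AES-256-GCM data-encryption key (DEK) per customer, held only wrapped under a key-encryption key (KEK); the KEK is an in-memory byte slice standing in for an HSM or KMS, and the customer identifiers and records are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrNoKey = errors.New("no data-encryption key for customer") // shredded or never provisioned

// Store models envelope encryption: one data-encryption key (DEK) per customer,
// held only wrapped under a key-encryption key (KEK). The KEK would live in an
// HSM/KMS in production; an in-memory byte slice stands in for it here.
type Store struct {
	kek        []byte
	wrappedDEK map[string][]byte   // customer -> DEK sealed under the KEK
	records    map[string][][]byte // customer -> records sealed under the DEK
}

func NewStore() *Store {
	return &Store{kek: randomBytes(32), wrappedDEK: map[string][]byte{}, records: map[string][][]byte{}}
}

// must turns an error from an internal call that cannot legitimately fail into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts with AES-256-GCM, prefixing the random nonce to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag check fails on any key or AAD mismatch.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// dek unwraps the customer's DEK; after Shred there is nothing left to unwrap.
func (s *Store) dek(customer string) ([]byte, error) {
	w, ok := s.wrappedDEK[customer]
	if !ok {
		return nil, ErrNoKey
	}
	return open(s.kek, w, []byte(customer))
}

// Put seals a record under the customer's DEK, provisioning a DEK on first use;
// a customer whose key was shredded while ciphertext remains gets no new key.
func (s *Store) Put(customer string, record []byte) error {
	dek, err := s.dek(customer)
	if errors.Is(err, ErrNoKey) && len(s.records[customer]) == 0 {
		dek = randomBytes(32)
		s.wrappedDEK[customer] = seal(s.kek, dek, []byte(customer))
	} else if err != nil {
		return err
	}
	s.records[customer] = append(s.records[customer], seal(dek, record, []byte(customer)))
	return nil
}

// Get unseals every stored record for the customer.
func (s *Store) Get(customer string) ([][]byte, error) {
	dek, err := s.dek(customer)
	if err != nil {
		return nil, err
	}
	var out [][]byte
	for _, ct := range s.records[customer] {
		pt, err := open(dek, ct, []byte(customer))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Shred is the "digital shredding of encryption keys" step: the wrapped DEK is
// dropped and the sealed records stay behind as unrecoverable ciphertext.
func (s *Store) Shred(customer string) { delete(s.wrappedDEK, customer) }
```

Driving it from a test or a small main (Put a few records, Get them, Shred, Get again) shows the point: after Shred the records are still physically present, yet Get fails with ErrNoKey, and because the KEK never touches records directly, every copy sealed under that DEK, including copies in encrypted backups (clause 6.3), becomes unrecoverable at once without locating and overwriting each one. Hardware destruction under SP 800-88 is the complementary step for the media that held the keys. The guard in Put matters too: once a customer has been shredded, the store refuses to mint a fresh key while residue is present, so the deleted state cannot be reversed by an ordinary write.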

14. Intrusion Detection. Ping Identity monitors the Service generally for unauthorized intrusions using traffic and activity-based monitoring systems. Ping Identity may analyze data collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to help customers detect fraudulent authentications, and to ensure that the Service functions properly.

15. Incident Management. Ping Identity has a security incident response plan that includes procedures to be followed in the event of unauthorized or unlawful access to or disclosure, loss, exposure or use of any Customer Data of which Ping Identity becomes aware (such unauthorized disclosure defined herein as a “Security Breach”). The procedures in Ping Identity’s security incident response plan include:

(a) Roles and responsibilities: formation of an internal incident response team with a response leader;

(b) Triage: assessment of the risk and criticality of the incident to ensure correct prioritization and allocation of resources;

(c) Analysis: analysis of each incident shall take place to determine the scope, spread, cause, mitigation and remediation of the incident;

(d) Notification: internal and external stakeholders and customers who experience a Security Breach with material impact on their data or environment shall be notified without undue delay upon Ping Identity becoming aware of the Security Breach;

(e) Containment: appropriate steps shall be taken to stop the incident and limit the damage or risk caused by the incident;

(f) Eradication: appropriate steps shall be taken to eliminate any remaining elements of the cause of the incident;

(g) Recovery: appropriate steps shall be taken to restore any and all affected systems to a functionally optimal state;

(h) Documentation: all material actions taken during the incident response process shall be documented for internal analysis and communication to internal and external stakeholders and customers who experience a Security Breach with material impact on their data or environment; and

(i) Retrospective analysis: internal analysis of actions taken during the incident response process shall be reviewed by relevant stakeholders to determine the efficacy of the response process and document any further actions that may improve the operation of the incident response process if invoked in the future.

Ping Identity publishes system status information on the Ping Identity website. For PingOne Advanced Services and PingOne Advanced Identity Cloud only, Ping Identity typically notifies customers of significant system incidents by email to the listed admin contact, and for availability incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident and Ping Identity’s response.

16. Security Breach Management.

(a) Notification. In the event of a Security Breach, Ping Identity notifies impacted customers of such Security Breach without undue delay and, where required, within time limits defined by law. Ping Identity shall cooperate with the Customer’s reasonable request for information regarding such Security Breach, and Ping Identity provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.

(b) No Acknowledgement of Fault by Ping Identity. Ping Identity’s notification of or response to a Security Breach shall not be construed as an acknowledgement by Ping Identity of any fault or liability with respect to the Security Breach.

(c) Remediation. In the event of a Security Breach, Ping Identity, at its own expense shall:

(i) investigate the actual or suspected Security Breach;

(ii) where a breach impacts a Customer, provide the affected Customer with a remediation plan to address the Security Breach, to mitigate the incident, and to reasonably prevent any further incidents;

(iii) remediate the effects of the Security Breach within Ping Identity’s scope of control; and

(iv) reasonably cooperate with Customer and any law enforcement or regulatory official investigating such Security Breach.

17. Logs. Ping Identity provides procedural mechanisms that record and examine activity in the Service, including appropriate logs and reports. Ping Identity: (i) backs up logs, (ii) implements commercially reasonable measures to protect such logs from unauthorized modification or erasure, and (iii) retains such logs in compliance with Ping Identity’s data retention policy.

18. Human Resources Security

18.1 Employee Selection. To the extent reasonable, and permissible under applicable law, Ping Identity shall, where appropriate, conduct, have conducted, or otherwise require background checks proportionate to the role for Ping Identity personnel performing services under the Agreement, including professional references and criminal background checks.

18.2 Ping Identity Personnel Security Management.

(a) Ping Identity shall maintain an acceptable use policy governing the use of computing resources including, without limitation, all Ping Identity Systems, that is communicated to appropriate Ping Identity Personnel.

(b) Ping Identity shall require Ping Identity personnel performing services under the Agreement to maintain valid non-disclosure obligations or other confidentiality agreements as deemed reasonably necessary by Ping Identity.

18.3 Ping Identity Personnel Termination and Separation. Ping Identity shall maintain personnel offboarding procedures that include revoking access promptly and a process that governs the secure return of Ping Identity assets and Customer Confidential Information for separated Ping Identity personnel.

18.4 Training and Awareness. Ping Identity shall require that all Ping Identity personnel complete upon hire and, at least annually thereafter, Ping Identity’s security awareness training including awareness of Ping Identity’s related policies and maintain records of such training completion.

19. Security Audit Report and Assessment. This clause 19 is applicable during the Subscription Term and any information shared under this clause is Confidential Information subject to the confidentiality terms in the Agreement. This clause 19 is strictly limited to Customer’s reasonable verification of Ping Identity’s compliance with its obligations under this Service Security Exhibit.

19.1 Ping Identity provides its Customers, upon their request, with a summary of Ping Identity’s then-current external audit report, such as the ISO 27001 Statement of Applicability or SOC 2 Report, including information as to whether the security audit revealed any material non-conformities in the Ping Identity Service. Ping Identity shall provide annually, or upon written request, evidence of third-party assessment and security reviews of its sub-contractors and sub-processors involved in providing the Service to Customer (collectively “Third Party Audits”). Ping Identity shall promptly inform Customer of any material issues identified as part of any Third-Party Audit which materially impact (or have the potential to materially impact) Customer. Ping Identity shall subsequently inform Customer of the actions it intends to take to remedy the relevant issues and the timeframe in which such remedial actions will be taken. Ping Identity shall consider any of Customer’s reasonable observations in respect of the same and shall keep Customer regularly updated.

19.2 Ping Identity shall maintain records (as indicated in 19.1 above) relating to Ping Identity’s obligations under this Service Security Exhibit as required under law applicable to Ping Identity’s provision of the Service (including any electronic form) (the “Records”), and shall allow Customer to access and inspect Ping Identity’s records as necessary to demonstrate Ping Identity’s compliance with the obligations imposed under this Service Security Exhibit. This assessment may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) the latest SOC 2 Type II audit report; (iii) the latest ISO 27001 certificate and ISO 27001 Statement of Applicability; (iv) an executive summary of the most recent penetration test of the Service and the status of findings not resolved during the test; (v) an executive summary of the most recent disaster recovery test of the Service; (vi) a summary of Ping Identity’s operational practices related to data protection and security that Ping Identity normally shares with its other customers, which may include a table of contents of key policies and procedures; and (vii) making Ping Identity’s relevant personnel reasonably available for security-related discussions (subject to reasonable place, manner, and scope, during normal business hours, and not to exceed one (1) business day). The foregoing is strictly limited as follows: no more than once per year and contingent on advance written notice of twenty (20) business days of any such request.

19.3 Provided Customer has exhausted its rights above in sections 19.1 and 19.2, and upon reasonable cause and no more than once annually during the term of the Agreement, Customer may have access to Ping Identity’s premises, information, data and relevant records, including any records it has retained in respect of this Service Security Exhibit, to conduct a reasonable security assessment of whether the controls protecting Customer Data conform with Ping Identity’s obligations under this Service Security Exhibit. Customer will work with Ping Identity to avoid impact on Ping Identity’s systems or business processes, and such audit shall be scheduled in advance subject to Ping Identity being provided at least sixty (60) business days advance written notice of the Customer’s intention to audit, the audit being conducted during normal business hours, and in a timeframe mutually agreed in reasonable place, manner, and scope and not to exceed two (2) business days, in order to enable Customer to:

(a) undertake verification that the Service is being provided in accordance with this Service Security Exhibit; and

(b) assess and verify Ping Identity’s continued ability to comply with the obligations of this Service Security Exhibit (including, in respect of any operational resilience (except for penetration testing where relevant information shall be provided to the Customer in accordance with clause 10(c) above) and business continuity requirements in respect of the Service).

19.4 Additional Audits. To the extent that Customer seeks an audit of Ping Identity’s compliance with this Service Security Exhibit in addition to what is provided in 19.3 above, the parties agree to meet and confer in good faith on the understanding that the audit shall have the same scope as that provided in 19.3 above, is at entirely Customer’s own cost and subject to Ping Identity charging a fee for time and services at a commercially reasonable rate (to be confirmed in writing with Customer).

Software Security Exhibit

This Ping Identity Software Information Security Exhibit (“Exhibit”) is incorporated into the agreement between Ping Identity and the entity identified in the applicable Order Form (“Customer”) that governs Customer’s use of the Ping Identity Software (the “Agreement”). To the extent the terms and conditions of this Exhibit conflict with the terms or conditions in the Agreement, the terms of this Exhibit shall control unless expressly stated otherwise. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them in the Agreement.

1 Defined Terms

1.1 Definitions

1.1.1 As used in this Exhibit, “Applicable Law” means all legal, regulatory or industry requirements applicable to performance under the Agreement or Order Form including the data protection or privacy laws of any applicable jurisdiction.

1.1.2 “Commercially Reasonable Efforts” means, in addition to the implied duty of good faith and fair dealing, at least those diligent measures that people experienced in the relevant subject area would generally regard as sufficient to constitute reasonable diligence for regulated financial institutions in relevant circumstances. In no circumstance shall techniques, tools or protocols publicly known to be deprecated or otherwise compromised be considered reasonable or secure under this definition.

1.1.3 “Disaster” means any sudden, unplanned catastrophic event that compromises Ping Identity’s ability to provide the Services including, without limitation, any other critical functions, processes, or services for some unacceptable period of time causing Ping Identity’s management to invoke their recovery plans.

1.1.4 “Disaster Recovery” means the collection of resources and activities to re-establish the delivery of the Services and the recovery and restoration of data lost by reason of the Disaster.

1.1.5 “Ping Identity System” means any physical or electronic system including, without limitation, applications, information stores, and infrastructure systems, used for storing, processing, or transmitting Customer Confidential Information.

1.1.6 “Intrusion Detection System” or “IDS” means any Ping Identity System that monitors a network or systems in real time for malicious activity or policy violations with such malicious activity or violations being reported either to an administrator or collected centrally using a security information and event management (SIEM) system that combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

1.1.7 “Malware” means software programs designed to damage or perform other unwanted actions to or within any Ping Identity Systems. Such examples may include viruses, worms, Trojan horses, keystroke loggers and spyware.

1.1.8 “Multi-Factor Authentication” or “MFA” means authentication through verification of at least two of the following types of authentication factors: (i) knowledge factors, such as a username/password; (ii) possession factors, such as a token or a text message on a mobile device; or (iii) inherence factors, such as a biometric characteristic.

1.1.9 “Recovery Point Objective” or “RPO”, also referred to as the “Maximum Data Loss”, means the targeted point in time from which it is necessary to recover Customer data in Ping Identity’s infrastructure and systems, and quantifies the permissible amount of such data loss following an interruption caused by a Disaster, measured in hours.

1.1.10 “Recovery Time Objective” or “RTO” means the targeted elapsed time between the point of the interruption of the Services caused by a Disaster up to the point where the Services must be acceptably functional to Customer, measured in hours.

1.1.11 “Risk-Based Authentication” or “RBA” means any non-static authentication system which detects anomalies or changes in the normal use patterns of an individual and requires additional verification of the individual’s identity when such deviations are detected, such as using challenge questions.

1.1.12 “Security Incident” means any actual or reasonably suspected misuse, compromise, or unauthorized, accidental or unlawful acquisition, destruction, loss, alteration, disclosure, or access to Customer Confidential Information under the possession, custody, or control of Ping Identity Personnel including any circumstance pursuant to which Applicable Law requires either notification to be given to affected parties or other activity in response to such circumstance.

1.1.13 “Site” means any physical premise or Ping Identity Systems utilized by Ping Identity Personnel in performance of Services under the Agreement.

1.1.14 “Site Visit” means the physical or other access to Sites by Customer personnel, each a “Site Visitor”.

1.1.15 “Customer Confidential Information” means any data that is stored by Ping Identity on behalf of a customer within Ping Identity Systems during the fulfillment of a contract.

2 Information Management and Risk Management

2.1 Information Security Program

2.1.1 Ping Identity shall have and maintain a holistic information risk management program that complies with Applicable Law, incorporates reasonable and appropriate administrative, operational, technical, physical and organizational measures that are designed to preserve and protect the confidentiality, integrity and availability of Confidential Information. This program shall identify the organization’s critical information, the threats associated with such information and maintain documented controls designed to mitigate anticipated risks for the same.

3 Access Control

3.1 Ping Identity Management of Access Control to Ping Identity Systems

3.1.1 For user accounts managed by Ping Identity that grant access to Ping Identity Systems that require material changes to such access, Ping Identity shall effect such changes in a timely manner.

3.1.2 For user accounts managed by Customer and utilized by Ping Identity Personnel that grant access to Customer Ping Identity Systems, Ping Identity shall notify the appropriate Customer security and access administration personnel of material changes to such access in a timely manner.

3.2 Encryption of Customer Confidential Information

3.2.1 Ping Identity shall use Commercially Reasonable Efforts to ensure that Customer Confidential Information is encrypted at rest and in transit.

3.3 Multi-Factor Authentication

3.3.1 For access to cloud-based or hosted Ping Identity Systems containing Customer Confidential Data, Ping Identity Systems shall, where possible, support Multi-Factor Authentication as a requirement for logon.

4 Incident Response Policy and Management

4.1 Response and Reporting

4.1.1 Ping Identity shall maintain an incident response plan and an incident response team with defined roles and responsibilities that are each periodically reviewed and authorized by appropriate management.

4.1.2 Ping Identity shall use Commercially Reasonable Efforts to anticipate, detect, evaluate, and respond to a Security Incident in a timely manner.

4.2 Incident Management and Forensics

4.2.1 Ping Identity shall use Commercially Reasonable Efforts to maintain relevant documentation related to Security Incidents including issues, outcomes, and remediation activities.

4.2.2 Ping Identity shall use Commercially Reasonable Efforts to maintain the integrity and chain of custody of relevant information related to Security Incidents and ensure that such information is preserved in a manner consistent with Applicable Law.

5 Secure Operations

5.1 Operational Management

5.1.1 Ping Identity shall use Commercially Reasonable Efforts to physically or logically segregate Customer Confidential Information from other non-Customer data within Ping Identity Systems.

5.1.2 Ping Identity shall use Commercially Reasonable Efforts to physically or logically segregate production, test and development Systems for which Ping Identity is responsible unless agreed to otherwise in writing by the parties prior to such use.

5.1.3 Ping Identity Systems used in the provision of Support Services shall be securely configured, maintained, and retired from use using Commercially Reasonable Efforts and incorporating, to the extent applicable, any legal, regulatory, and compliance requirements deemed necessary by Ping Identity in Ping Identity’s reasonable judgment.

5.2 Anti-Malware

5.2.1 Ping Identity shall have an anti-Malware policy that requires Malware-detection software to be installed and enabled on Ping Identity Systems that interact with Customer Confidential Information and prohibits disabling such anti-Malware controls without appropriate authorization.

5.2.2 Ping Identity Systems shall be configured to automatically check for and automatically implement new anti-Malware signatures on a reasonable frequency.

5.3 Vulnerability and Patch Management

5.3.1 Ping Identity shall use Commercially Reasonable Efforts to maintain effective vulnerability and patch management processes for Ping Identity Systems.

5.3.2 Ping Identity shall use Commercially Reasonable Efforts to evaluate and effect appropriate remediation activities including the timely application of patches to impacted Ping Identity Systems in a risk-prioritized manner informed by such vulnerability detection processes.

5.4 Logging and Monitoring

5.4.1 Ping Identity shall use Commercially Reasonable Efforts to log user actions related to Ping Identity Systems with the following requirements: (i) user and administrative actions, (ii) account privilege changes, (iii) all access attempts, (iv) configuration changes, (v) access to Customer Confidential Information, and (vi) changes to firewall and network access control systems.

5.4.2 Such logs shall be retained for an appropriate length of time and at least for the minimum retention period under Applicable Law and readily available for review by appropriate Ping Identity Personnel.

5.5 Intrusion Detection Systems (IDS)

5.5.1 Using Commercially Reasonable Efforts, for Ping Identity networks through which Customer Confidential Information passes, Ping Identity shall utilize Intrusion Detection Systems and regularly update IDS signatures based on new threats, which shall be applied in a timely risk-prioritized manner.

6 Remote Access to Internal Customer Ping Identity Systems

6.1 Administrative Requirements for Remote Access

6.1.1 Ping Identity shall require that remote users have valid non-disclosure obligations or other confidentiality agreements in force for such personnel prior to allowing such remote access.

6.1.2 Ping Identity shall maintain reasonable oversight of Ping Identity Personnel’s use of such access.

6.1.3 Upon reasonable request, Ping Identity shall make available to Customer a complete list of Ping Identity Personnel accounts that have remote access privileges to Customer Systems.

6.1.4 Upon request by Customer, Ping Identity Personnel that have remote access to Customer Systems shall have confidentiality obligations which shall be acknowledged by signature.

6.1.5 Privacy training and information security training shall be completed by Ping Identity Staff prior to performance of Services and as required thereafter.

6.2 Technical Requirements for Remote Access

6.2.1 Ping Identity shall establish such connections through a mutually agreed facility between Parties and shall originate from Ping Identity’s approved IP addresses and only through the use of Ping Identity’s appropriately managed and approved devices.

6.2.2 Ping Identity shall utilize Commercially Reasonable Efforts to maintain the security of its Ping Identity Systems establishing such remote connections by appropriately applying the latest applicable security patches in a timely and risk-prioritized manner.

7 Disposal, Return and Retention of Customer Confidential Information

7.1 Disposal Requirements for Customer Confidential Information

7.1.1 Except as otherwise specifically required by Applicable Law or permitted by this Agreement, upon termination or expiration of this Agreement and Customer’s written request, or upon the reasonable written request of Customer, Ping Identity shall sanitize in a manner designed to make forensically unrecoverable by standard forensic technologies, using Commercially Reasonable Efforts, all Customer Confidential Information from all Ping Identity Systems, data retentive devices or any other media containing such Customer Confidential Information.

7.1.2 If Ping Identity discards or otherwise discontinues its use of media utilized at any time for the storage or processing of Customer Confidential Information, such media shall be made forensically unrecoverable in accordance with the relevant terms of such obligations as such obligations are set forth in the Agreement including this Exhibit.

7.1.3 Upon written request by Customer, Ping Identity shall represent its performance of applicable secure disposal obligations (e.g., NIST 800-88 guidelines) by providing written attestation to appropriate Customer personnel in a timely manner. Notwithstanding any other provisions in the Agreement, Customer shall retain the right to assess, to its satisfaction, Ping Identity’s performance of Ping Identity’s secure data disposal obligations as such obligations are set forth in the Agreement and this Exhibit.

7.2 Return of Customer Confidential Information

7.2.1 Upon request by Customer, Ping Identity shall return copies of any Customer Confidential Information in its custody, including in printed or physical form, to Customer in a format deemed usable by Customer.

7.3 Retention of Customer Confidential Information

7.3.1 Each Party shall be entitled to retain copies of the other Party’s Confidential Information as may be required by the Party’s record retention policy, audit requirements, or otherwise required to comply with Applicable Law, court order, warrant, subpoena, or other valid request carrying the force and effect of law, provided that (a) further processing, use or disclosure of such Confidential Information is limited to the purpose described in this Section and for no other purpose, (b) during such retention each Party agrees to treat such Confidential Information in accordance with the terms of the Agreement, and (c) such Confidential Information shall be retained only for such period as required by the purpose for which such Confidential Information was retained, as set forth in this Section, and promptly returned, rendered permanently inaccessible, or destroyed in accordance with this provision upon the expiration of the retention requirement. In no event shall Ping Identity withhold any Customer Confidential Information as a means of resolving any dispute between the Parties.

8 Information Contingency

8.1 Backup and Recovery

8.1.1 Ping Identity shall have policies and procedures for governing backup media that contain Customer Confidential Information which provide that:

8.1.2 Customer Confidential Information shall be retained for such period stipulated in the Agreement or other governing written agreement between Parties;

8.1.3 Such backups and replicas of data stores shall be treated with the same care and control as the stores in which such original information resides;

8.1.4 Access to such backup media shall be restricted to formally authorized Ping Identity Personnel and its access logged.

8.2 Business Continuity and Disaster Recovery Planning

8.2.1 Ping Identity’s provision of Support Services shall be subject to an approved Business Continuity and Disaster Recovery (BC/DR) plan which is regularly reviewed by appropriate management.

8.2.2 To the extent applicable, such BC/DR plan(s) shall contain an appropriate strategy to meet the recovery objectives of Customer Confidential Information or the Services.

8.3 Business Continuity and Disaster Recovery Plan Requirements

8.3.1 The Business Continuity and Disaster Recovery (BC/DR) plan shall:

8.3.1.1 Include a mechanism designed to ensure the confidentiality, integrity, and availability of Customer Confidential Information during a Disaster;

8.3.1.2 For Support Services, meet the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) mutually agreed between Parties, but in no case longer than 48 hours for RTO and 12 hours for RPO unless otherwise specified in the Agreement or relevant Order Form;

8.3.1.3 Identify the technical and non-technical recovery actions and requirements that Ping Identity needs to perform when a Disaster is declared and when a recovery plan is executed; and

8.3.1.4 Identify the restoration procedure to switch production operations between primary and recovery sites and provide the corresponding validation process for such procedure.

8.3.2 Notwithstanding anything to the contrary in the Agreement, a force majeure event shall not excuse Ping Identity from its performance of its Disaster recovery obligations under Ping Identity’s BC/DR plan or as such obligations are set forth herein.

8.4 Testing Requirements

8.4.1 Ping Identity shall conduct appropriately scoped BC/DR tests at least annually and address findings related to its performance of the BC/DR plan as they relate to the recoverability of Customer Confidential Information to meet the specified recovery objectives.

8.4.2 Upon request from Customer, Ping Identity shall provide to Customer a report, in a mutually agreeable format, after such relevant recovery exercises, that identifies the findings related to the recoverability of Customer Confidential Information and Ping Identity’s actions, taken and planned, to address such findings.

8.4.3 Upon Customer’s reasonable request, Ping Identity shall reasonably cooperate with any continuity risk or business impact analysis conducted by Customer to the extent applicable.

8.4.4 In lieu of the provisions contained hitherto in this Exhibit, upon Customer’s reasonable request, Ping Identity shall furnish to Customer such relevant third-party reports that sufficiently demonstrate assurance of the design and effectiveness of such testing and recoverability provisions to Customer’s satisfaction.

9 Secure Development

9.1 Application Development Requirements

9.1.1 Ping Identity shall have and comply with a secure software development life cycle (SDLC) process that governs the development, testing, and maintenance of all applications used by Customer for storing, processing, or transmitting Customer Confidential Information or that comprise a component of the Service.

9.1.2 For such applications, threat modeling, including identification of threats during design, and application security testing, including code scanning and manual penetration testing, shall be conducted for each major code release.

9.1.3 Ping Identity’s application development and maintenance processes shall provide for continual testing of vulnerabilities within such applications with a commitment to provide patches on a schedule commensurate with the perceived risk associated with such corresponding vulnerabilities without adversely impacting the availability of related Ping Identity Systems.

9.1.4 To the extent Ping Identity utilizes open-source software on Ping Identity Systems or to deliver the Services, Ping Identity shall perform security due diligence activities using Commercially Reasonable Efforts with respect to the selection, acquisition, and maintenance of such open-source software to ensure appropriate risk mitigation practices including, without limitation, the application of timely security patching and vulnerability management oversight.

10 Human Resources Security

10.1 Employee Selection. To the extent reasonable, and permissible under Applicable Law, Ping Identity shall where appropriate, conduct, have conducted or otherwise require, background checks proportionate to the role for Ping Identity personnel performing Services under the Agreement including professional references and criminal background checks.

10.2 Ping Identity Personnel Security Management

10.2.1 Ping Identity shall maintain an acceptable use policy governing the use of computing resources including, without limitation, all Ping Identity Systems, that is communicated to appropriate Ping Identity Personnel.

10.2.2 Ping Identity shall require Ping Identity Personnel performing Services under the Agreement to maintain valid non-disclosure obligations or other confidentiality agreements as deemed reasonably necessary by Ping Identity.

10.3 Ping Identity Personnel Termination and Separation. Ping Identity shall have a process that governs the secure return of Ping Identity Systems and Customer Confidential Information for separated Ping Identity Personnel.

10.4 Training and Awareness. Ping Identity shall require that all Ping Identity Personnel complete upon hire and, at least annually thereafter, Ping Identity’s security awareness training including awareness of Ping Identity’s related policies and maintain records of such training completion.

11 Compliance and Reporting

11.1 Regulatory Compliance. Ping Identity shall use Commercially Reasonable Efforts to comply with Applicable Law. Such compliance efforts shall be designed, managed, and regularly evaluated for effectiveness by qualified Ping Identity Personnel.

11.2 External Information Security Assessment and Certifications

11.2.1 Using Commercially Reasonable Efforts, Ping Identity shall have a reputable third party conduct an information security assessment upon the introduction of a new product or service, and for every major change to an existing product or service.

11.2.2 Up to once annually upon Customer’s request, Ping Identity shall make available all information reasonably necessary to demonstrate compliance with its privacy, compliance, and information security obligations under the Agreement and this Exhibit. Such information may include Customer’s information security questionnaire, SOC 2 Type II, ISO 27001 or other relevant compliance reports or certifications, including high-level reports, in a mutually agreeable format, of external information security assessment findings to the extent such findings relate to Ping Identity Personnel’s ability to safeguard Customer Confidential Information applicable to Ping Identity’s performance of its obligations under the Agreement.

Ping Identity shall use Commercially Reasonable Efforts to correct any material control deficiencies identified through such examinations, as described in this Exhibit, in a timely risk-prioritized manner.