- Security of Data Processing.
Panther has implemented and will maintain technical and organizational measures inclusive of administrative, technical and physical safeguards to ensure a level of security appropriate to the risk of the data processing for the Panther Services as described in this Panther Security Annex (collectively, the “Security Measures”). The Security Measures may be changed by Panther from time to time during the Term of the Agreement (as defined below) in order to take into account advancements in available security technologies. However, Panther will not materially decrease the overall security of the Services during the Term of the Agreement.
The Security Measures include, but will not be limited to, the following measures for ensuring the ongoing confidentiality, integrity, and availability of Customer Data in order to prevent unauthorized access, use, modification or disclosure of Customer Data:
- Performance of background checks on all personnel, as well as signature of non-disclosure commitments and business ethics prior to employment;
- Security and privacy awareness training, inclusive of acknowledgment and agreement to abide by organizational security policies, for all personnel upon hire and annually thereafter;
- Pseudonymization or encryption of Customer Data in transit and at rest utilizing industry-standard mechanisms for certain Panther Services;
- The ability to restore the availability and access to Customer Data in a timely manner in the event of an incident impacting the availability of Customer Data by maintaining a backup solution for disaster recovery purposes;
- Logging and monitoring of security logs via a Security Incident Event Management (“SIEM”) system and alerting upon the detection of suspicious system and/or user behaviors; processes and tooling for regularly identifying, assessing and triaging vulnerabilities based on industry-standard guidelines;
- Maintenance of a comprehensive set of security and privacy policies, procedures and plans that are reviewed on at least an annual basis and provide guidance to the organization regarding security and privacy practices; processes for evaluating prospective and existing subprocessors to ensure that they have the ability and commit to appropriate technical and organizational measures to ensure the ongoing confidentiality, integrity and availability of Customer Data;
- A process for regularly testing, assessing and evaluating the effectiveness of administrative, technical, and physical safeguards for ensuring the security of the processing, transmission or storage of Customer Data through external and internal audits as further described in Section 3 below; and
- Preventing access, use, modification or disclosure of Customer Data except by authorized Panther personnel (1) to provide the Subscription Services and prevent or address service or technical problems, (2) as compelled by law, or (3) as Customer expressly permits in writing.
- Panther Shared Responsibility Model
Panther is responsible for the confidentiality, integrity and availability (the “security”) of the Services and internal Panther information technology systems. In addition to those measures detailed in “Security of Data Processing” above, Security Measures include, but are not limited to, server-level patching, vulnerability management, penetration testing, security event logging & monitoring, incident management, operational monitoring, and ensuring customer site availability in accordance with SLAs entered into between the parties.
Panther uses Subprocessors for the Services and to support Panther as a Processor of Customer data, all as more fully set forth on the website https://runpanther.io/subprocessors. As these Subprocessors are Authorized Contractors as defined in the Agreement, Panther shall remain fully liable for their acts and omissions relating to the performance of the respective Services, subject to the limitation of liability set forth in the Agreement, and shall be responsible for ensuring that their obligations are carried out in accordance with this Security Annex and the Agreement.
The Customer is responsible for the security of the software used in conjunction with the Services. This includes, but is not limited to, Customer user access management, password configurations, and/or implementing multi-factor authentication. In addition, Customers are also responsible for the secure management of their users that they manage and provision for the purpose of granting access to Panther’s Services and abiding by the Agreement in using Panther’s Services.
- Third-Party Audits, Certifications
The Security Measures for Panther’s platform are subject to periodic testing by independent third-party audit organizations, inclusive of the following audits and certifications:
- SOC 2
Panther will provide copies of current published audit reports for the Services to Customers upon written request and under NDA. Such audit reports, and the information they contain, are Panther Confidential Information and must be handled by Customer accordingly. Such reports may be used solely by Customer to evaluate the design and operating effectiveness of defined controls applicable to the Services and are provided without any warranty.
- Customer Audits
Panther offers its Services in the cloud using AWS. AWS does not allow for physical audits of the AWS data centers but instead provides third-party audits and certifications. Panther’s security program consists of the audits, certifications and available documentation detailed in “Third Party Audits, Certifications” above as part of balancing transparency regarding the security and privacy safeguards that Panther has implemented, while also satisfying security and privacy requirements as part of security and privacy obligations to Panther Customers, and its Subprocessors, including AWS.
Therefore, Customer agrees to exercise its right to conduct an audit or inspection of Panther’s processing of personal data within Customer Data by instructing Panther to carry out the audits as described above in the section “Third Party Audits, Certification” using its current processes and timing. If Customer wishes to change this instruction regarding the audit or inspection, then Customer shall send such request by written notice to Panther and the parties agree to jointly discuss how to implement the changed instruction.