- Information Security Management Program. Cleo shall develop, implement, maintain, monitor, upgrade and comply with a reasonable and comprehensive Information Security Management Program (ISMP), which includes administrative, technical, and physical safeguards to ensure protection of assets and data (including without limitation Personal Data) from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The ISMP should address, but not be limited to, the following areas (insofar as they relate to the characteristics of Cleo’s business):
- Risk management;
- Security policy;
- Organization of information security;
- Asset management;
- Human resources security;
- Physical and environmental security;
- Communications and operations management;
- Access control; and
- Information systems acquisition, development, and maintenance.
As part of the ISMP, Cleo shall develop and maintain network and solution architecture diagrams that clearly identify (1) high-risk environments and data flows that may have regulatory compliance impacts, and (2) all points at which network encryption terminates. These architecture diagrams shall be made available to Customer upon request. Cleo shall establish policies and procedures for the labeling, handling, storage, transmission, retention/disposal, and security of Personal Data and objects that contain Personal Data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for Personal Data.
- Risk Assessments. Cleo shall perform independent reviews or formal risk assessments aligned with the enterprise-wide framework at least annually, to ensure the organization has identified and addressed foreseeable privacy and data security risks, and is compliant with policies, procedures, standards, processing agreements and applicable regulatory requirements (e.g., internal/external audits, certifications, vulnerability and penetration testing). The risk assessment or independent review shall determine the likelihood and impact of all identified risks, using qualitative and quantitative methods.
- Personnel Training. Cleo shall implement a security awareness training program for all contractors, third-party users, and employees of the organization. All individuals with access to organizational data shall receive appropriate awareness training and regular updates at least annually in organizational procedures, processes, and policies relating to their function relative to the organization.
- Disciplinary Measures. Cleo shall impose disciplinary measures on personnel for violations of Cleo’s policies and procedures and information security program.
- Access Controls. Cleo shall maintain logical access controls to limit access to Personal Data and relevant information systems only to authorized personnel and third parties (for example, granting access on a need-to-know basis, use of unique IDs and passwords (which are not vendor-supplied default passwords) for all users, periodic review and revoking/changing access when personnel are terminated or changes in job functions occur), and storing physical records containing Personal Data in locked facilities, storage areas or containers.
- Secure User Authentication. Cleo’s systems shall support complex and strong passwords. Passwords shall be communicated to the user in an out-of-band method (for example, application passwords can be phoned or mailed to the user, but not provided through the application interface). Passwords must meet the following criteria:
- For non-privileged users, passwords must be a minimum of 12 characters in length, with at least one (1) alphabetic character, one (1) numeric character and one (1) symbolic character;
- For privileged users, passwords must be a minimum of 15 characters in length, must consist of letters, numbers and special characters, and must be changed every 180 days.
- Multi-factor Authentication and VPNs. Cleo shall use multi-factor authentication to authenticate access to Personal Data by Cleo personnel, and permit remote-access to databases only through a Cleo-controlled virtual private network (VPN).
- Incident Detection and Response. Cleo shall implement and maintain security mechanisms and policies to facilitate timely detection and escalation of actual and potential security incidents, investigation by root cause analysis, and incident response, supported by host-based file integrity monitoring and network intrusion detection (IDS) tools.
- Encryption. Cleo shall establish and implement security mechanisms and policies to prevent the leak of Personal Data in transit and at rest. For Personal Data in transit, all network communication must be encrypted using industry standards. For Personal Data volume/storage, all data must be encrypted to prevent outside snooping, in addition to preventing unauthorized access to data in the environment.
- Network Security. Cleo shall implement network security controls such as up-to-date firewalls, endpoint protection and anti-malware software with up-to-date virus definitions, operating system patches, layered DMZs, updated intrusion detection/prevention systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability Management. Cleo shall establish and implement mechanisms for malware protection and virus detection, including providing reasonable assurance that these programs are no more than one major revision behind the current software version, and that all anti-malware programs are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software, and updating antivirus signatures and definitions at least every 12 hours. Cleo shall conduct vulnerability scanning of operating systems, databases, and server applications containing highly restricted and high business impact Personal Data at least daily.
- Event Logging. Cleo shall ensure that computing systems log, monitor, and collect relevant security event data (for example, source, target, attack type, and payload) for investigation purposes.
- Highly Restricted Personal Data. With respect to highly restricted Personal Data, Cleo shall implement and maintain policies for the segregation of duties across all infrastructure and application layers (for example, a server administrator or host service account shall not have privileged access to an application running on the server, and an application administrator or application service account shall not have administrative access to the middleware or server configurations). Such policies and procedures shall provide that systems and applications classified as highly restricted shall have a dedicated computing environment isolated using physical or logical methods.
- Secure Deletion. Cleo shall implement policies and procedures for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means (in a manner that provides reasonable assurance of secure data disposal when the storage media is decommissioned or when the Agreement terminates).
- Secure Software Development. If applicable, Cleo shall supervise and monitor the development of all software to ensure that such development includes:
- Security requirements;
- Independent security review of the environment by a certified individual;
- Code reviews; and
- Establishment and documentation of quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions.
- Business Continuity and Disaster Recovery. Cleo shall establish, document and adopt a consistent, unified framework for business continuity planning, disaster recovery, plan development, and appropriate communications. Cleo shall ensure all business continuity plans are designed to protect against ransomware attacks, malicious code, denial of service attacks and similar technological issues that could reasonably interrupt the Cleo Services or make the Cleo Services unavailable, and natural and man-made disasters (for example, fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility services outages, etc.). Such continuity plans shall be subject to testing at least annually or upon significant organizational or environmental changes to ensure their continuing effectiveness.
Cleo’s Standard Service Level Agreement (“SLA”)
Last Updated: July 11, 2022
A. Digital Platform Service Commitment
During the Term for which Cleo has agreed to provide access to the Digital Platform Services to Customer, Cleo will use commercially reasonable efforts to provide a Monthly Uptime Percentage to Customer in accordance with the level set forth in the table below (“Service Level Commitment”):
Digital Platform Services: Services are all digital products provided by Cleo, ordered by Customer under an Order Form.
Monthly Uptime Percentage Threshold:
Eligible Service Credits: 5% service credit
B. Service Credits
(a) If, during any quarter throughout the Term, the Monthly Uptime Percentage falls below the Monthly Uptime Percentage Threshold, then Customer will be eligible to receive Service Credits of 5% of the monthly prorated annual Platform Fee, to be applied towards future payments otherwise due for the affected applicable product, provided that Customer’s account is fully paid up, without any outstanding payment issues or disputes.
(b) No refunds or cash value will be given for unused Service Credits. Service Credits are non-transferable.
(c) Customer shall have the right, exercisable no more than once per calendar quarter during the Term, to request a report indicating the Platform Services Monthly Uptime Percentage during the previous ninety (90) days. Such requests should be directed to [email protected].
(d) Cleo’s monitoring and logging infrastructure is the source of truth for determining Monthly Uptime Percentage, errors, and whether Cleo has met the Service Level Commitment.
Customer will not be entitled to Service Credit if it is in breach of the applicable Order Form or Master Services Agreement. The Service Level Commitment will not include unavailability to the extent due to: (a) any use of the Digital Platform in a manner not authorized in the Authorized User terms and conditions; (b) force majeure events or other factors outside of Cleo’s reasonable control, including, without limitation, Internet access or related problems; (c) Authorized Users’ equipment, software, network connections or other infrastructure; or (d) routine scheduled maintenance or reasonable emergency maintenance. No Service Level Commitment or Service Credits are provided for free, proof-of-concept, beta or trial services.
D. Exclusive Remedy
Service Credits are Customer’s sole remedy with respect to the Service Level Agreement.
The following definitions apply to this SLA.
Monthly Uptime Percentage: the percentage of total minutes the Services were available during a calendar quarter, calculated as: (Available – Unavailable + Excluded) / Available
Monthly Uptime Percentage Threshold: the percentage listed above in the table under the heading “Monthly Uptime Percentage Threshold”.
Available: The total amount of available minutes within the applicable calendar quarter.
Unavailable: The total amount of unavailable minutes within the applicable calendar quarter during which the Applicable Cleo Services were unavailable for use.
Excluded: Notwithstanding any provision in this Agreement to the contrary, no Unavailable Time will be deemed to have occurred if downtime:
- (i) is caused by factors outside of Cleo’s reasonable control, including, without limitation, cloud provider-related problems or issues, Internet access or related problems occurring beyond the point in the network where Cleo maintains access and control over the Applicable Services;
- (ii) results from any actions or inactions of Customer or any third party (except for Cleo’s agents and subcontractors);
- (iii) occurs during Cleo’s scheduled maintenance of up to once per two weeks within the window of 10pm – 5am PT;
- (iv) occurs during Cleo’s emergency maintenance (maintenance that is necessary for purposes of maintaining the integrity or operation of the Applicable Services), regardless of the notice provided by Cleo; or
- (v) results from any alpha, beta, preview, development or test-bed environments, features or products described in similar terms, or any Cleo features or products that are not otherwise generally available; or
- (vi) periods of Unavailable Monthly Time that are less than ten (10) minutes of continuous unavailability in duration (collectively, “Excluded”).
Customer: means the entity listed in the applicable Order Form, Statement of Work, or Services Agreement.