Global Security & Privacy Practices
1. SECURITY PRACTICES
SpinUp is responsible for the security measures set out in the Agreement, and shall maintain and implement the following technical and organizational measures in relation to the security of the Customer Configuration. Customer remains the primary system/account administrator and is responsible for the integrity, security, maintenance and appropriate protection of Customer Data by: (i) selecting and purchasing appropriate security Services; (ii) implementing appropriate encryption and logical access controls; and (iii) maintaining appropriate application security controls. Certain SpinUp services are available to help Customers meet these requirements.
1.1. Physical Security – Data Centers
The following physical security controls apply to Customer Data residing in data center or office premises either owned or leased by SpinUp or its Affiliate in connection with the provision of Services to Customer (and expressly excludes third party hosting Services):
A. Servers and devices dedicated to Customer’s use as part of the Customer Configuration provided by SpinUp will be located in a controlled access data center (or portion thereof) either operated by or dedicated to use by SpinUp or its Affiliate.
B. SpinUp operates or audits the use of an electronic access control system which logs access to physical facilities, managed by a professional security guard force in line with its current processes.
C. Access to the raised production floor of the data halls will be restricted to SpinUp employees or its agents who need access for the purpose of providing the Services. Access within data center facilities is in zones and provisioned based on physical access rights required by a given individual. Access to designated “meet me” rooms will be available to customers, subject to data center escort policies.
D. The data center will be staffed 24/7/365 and will be monitored by video surveillance, recording to a centralized location, and viewed by the onsite security force.
E. SpinUp limits access to physical facilities to authorized individuals by proximity-based access cards and biometric hand scanners or other approved security authentication methods.
F. Except as specifically stated in the Agreement, SpinUp will not relocate the Customer Configuration from a SpinUp data center in one country to a data center in another country without Customer’s express written permission.
G. Following the termination of the Agreement or a Customer Configuration, SpinUp will wipe data from those hard drives and storage devices dedicated to Customer use prior to re-use.
1.2. Security Controls Audits & Reporting
SpinUp shall engage qualified third party auditors to perform examinations of its systems and services in accordance with the best practice recommendations of ISO 27001 for the purpose of auditing SpinUp’s compliance with SSAE 18 compliance frameworks and the AT 101 compliance framework (based upon select Trust Services Principles), and/or equivalent industry standards. SpinUp’s annual SOC report(s), or suitable equivalent standard(s) as specified by SpinUp, are available to Customer upon Customer’s request, subject to SpinUp’s SOC distribution requirements. Not all SpinUp Services are included in the scope of the SOC report(s) or audits described in this Section 1.2; for details, Customer should contact the SpinUp account manager.
1.3. Administrative Controls
Screening. SpinUp will perform pre-employment background screening of its employees who have access to Customer’s account, and is committed to employee supervision, training, and management.
SpinUp Access. SpinUp will restrict the use of administrative access codes for Customer’s account to its employees and other agents who need the access codes for the purpose of providing the Services. SpinUp personnel who use access codes shall be required to log on using an assigned user name and password.
Customer Access. As the primary system administrator, Customer is responsible for the management of their account, including creation, change management, and termination, and enforcement of related remote working and password controls.
With respect to the security of cardholder data, as that term is defined in the Payment Card Industry-Data Security Standard, which SpinUp may possess or otherwise store, process or transmit on Customer’s behalf, SpinUp agrees to provide (i) those physical, technical, and administrative safeguards described in the Agreement and (ii) the Services selected by Customer and described in the Agreement; provided that Customer remains responsible for ensuring all PCI-DSS requirements are met with respect to such cardholder data. SpinUp maintains PCI-DSS Service Provider, or equivalent, accreditation with regards to dedicated hosting Services (excluding managed virtualization services).
1.5. Reports of and Response to Security Breach
SpinUp will report to Customer, as soon as reasonably practicable, in writing and in accordance with applicable law, any material breach of the security of the Customer Configuration of which SpinUp becomes aware that results in unauthorized access to Customer Data and in the destruction, loss, unauthorized disclosure or alteration of Customer Data. Upon request, SpinUp will promptly provide to Customer all relevant information and documentation that SpinUp has available regarding the Customer Configuration in connection with any such event. SpinUp shall be under no obligation to notify Customer of routine security alerts in respect of the Customer Configuration (including pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents), save as otherwise specifically set out in the Agreement.
1.6. Customer Data Return
The Services enable Customer to retrieve, correct, or delete Customer Data. Depending on the Services, Customer may not have access to the Customer Configuration or Customer Data during a suspension of Services, or following the termination of the Agreement. Customer is responsible for retrieving a copy of Customer Data prior to the termination of the Agreement. SpinUp may delete Customer Data at any time following termination of the Agreement.
2. PRIVACY PRACTICES
Customer and SpinUp will comply with applicable laws in relation to their collection and processing of any Sensitive Data in the provision and use of the Services.