Network-Information Security Terms

These Network-Information Security Terms (“Network Security Terms”) effective as of the Start Date are subject to the Vendor Master Terms and Conditions located at https://policies.oath.com/us/en/oath/terms/vendor/mastertnc/index.html and are part of the Agreement. Except for terms defined herein, capitalized terms used here are defined in the Vendor Master Terms and Conditions (“Vendor MTC”, located at https://policies.oath.com/us/en/oath/terms/vendor/mastertnc/index.html) and/or other parts of any other agreement between Oath and Vendor.

  1. DEFINITIONS.
    1. “Contaminant” means any instrument that is suspected or known by either Party to modify, damage, destroy, record, misuse, distribute, or transmit information to, from, or within The System without intention or permission of the Parties. Contaminant includes, but is not limited to, viruses or worms that may be self-replicating or self-propagating and may be designed to: (a) contaminate other components of The System, (b) consume resources, (c) modify, destroy, record, or transmit data, or (d) alter the operation of The System.
    2. “Permitted Use” means the following specific use(s) of Oath Data that Vendor is hereby authorized to perform (and such ancillary activities that are strictly and necessarily related to such use(s)), and no other use: to perform the Services outlined in the applicable PO or SOW in strict compliance with the Agreement.
    3. “Security Issue” means (a) any known or suspected condition in or affecting The System that could compromise the security, confidentiality, or integrity of Oath Data or The System or impair Oath’s ability to meet legal obligations, or (b) any unauthorized disclosure or unauthorized use of Oath Data in the possession or under the control or direction of Vendor.
    4. “Security Review” means examination of The System or information related to the security of The System requiring the assistance of or coordination with Vendor that can identify and/or diagnose, or is intended to identify and/or diagnose, Security Issues.
    5. “Security Testing” means examination of The System, directly or indirectly through interfaces to which any Oath Company and/or their agents, and/or Oath Affiliates have access without the need for Vendor coordination, by manual interaction with or automated test cases that can identify and/or diagnose, or are intended to identify and/or diagnose, Security Issues.
    6. “The System” means any and all components owned, operated, or provided by or on behalf of Vendor, that are involved in performing Vendor’s obligations under the Agreement and Laws, including, but not limited to, networks, databases, software, computer systems, backups, devices, processes, documentation, data, and physical premises.
    7. “Vendor ID” means a user-specific identifier provided to the Vendor by Oath for the purpose of identifying a user.
    8. “Oath Data” is defined in the Vendor MTC and will include any copies, reproductions, duplications, and onsite or offsite backups thereof, whether in whole or in part.
    9. “Oath ID” means a user-specific identifier issued or authorized by Oath which, when combined with a password, provides credentialed access to any Oath Company’s services and/or Information Systems.
  2. THE SYSTEM SECURITY.
    1. Operational Requirements.
      1. Vendor will implement, maintain, and comply with a written, effective information security program that is consistent with then-current industry best practices, as those best practices may evolve from time to time, to protect The System and Oath Data from an actual or potential Security Issue. To that end, Vendor will ensure that The System, excluding physical premises, is at all times securely configured, including (i) disabling all unnecessary services or features, and (ii) closing all known and all published security deficiencies therein, including updates and subsequently identified publications thereof.
      2. Vendor will apply all applicable security patches for The System as soon as possible after any such patch becomes available, but in no event more than thirty (30) calendar days after the release of any such patch.
      3. Vendor will continuously maintain industry-standard firewall protection for The System. Vendor will test its perimeter router and firewall devices no less than quarterly for unsafe configurations and vulnerabilities. Unless an alternate method is mutually agreed upon by Oath and Vendor, in a signed written agreement, tests will be conducted in a manner consistent with the PCI DSS Security Scanning Procedures; provided, however, Vendor may perform the tests in lieu of using a third party.
      4. Vendor will make commercially reasonable efforts to ensure that The System components are free of all Contaminants. Such efforts will include, but are not limited to, running anti-virus software on all Windows systems, updating signatures no less than daily, conducting at least biweekly Contaminant sweeps of The System and purging all Contaminants found. Vendor will use commercially reasonable efforts to not transmit or distribute Contaminants. Any transmission or distribution of Contaminants is a Security Issue.
    2. Design requirements.
      1. Throughout the term of these Network Security Terms, Vendor will ensure that The System is not vulnerable to any issue listed in OWASP Top Ten, found at: http://www.owasp.org, as updated from time to time. If the OWASP Top Ten ceases to exist or becomes obsolete, Oath may designate a successor or replacement list thereafter, and Vendor will use that list in place of the OWASP Top Ten in performing Vendor’s obligations under this section.
      2. Vendor will ensure that warnings are not generated by The System on A-grade browsers according to Oath’s Graded Browser Support (currently found here and incorporated by reference: https://github.com/yui/yui3/wiki/Graded-Browser-Support), as such list and associated URL may be independently updated by Oath from time to time.
      3. Encryption.
        1. All Oath Data consisting of confidential, personal and sensitive data should be encrypted at all times (at rest and in transit) while in Vendor’s possession. Where data must be encrypted under the terms of these Network Security Terms, other parts of the Agreement, or Laws, Vendor will sign and encrypt using an Oath-approved algorithm. The following algorithms are pre-approved by Oath: (a) 3DES, (b) AES, (c) RSA-1024bit+, (d) HMAC-SHA-1, and (e). All other algorithms must be specifically approved by Oath’s security team in writing prior to use and will be subject to any limitations prescribed by Oath in its approval.
        2. Vendor will store and distribute cryptographic keys, shared secrets, and passwords (collectively “Secrets”) in encrypted form. Secrets used by automated processes may only be stored in an unencrypted file when the file:
          1. can only be accessed by the automated process;
          2. cannot be accessed by the automated process after initialization;
          3. is only available to servers running the automated process;
          4. is not backed up in unencrypted form; and
          5. is not stored on a shared file system.
        3. Components of The System that verify a password will only store a salted, cryptographically secure hash of the password for verification.
      4. Access Control.
        1. Vendor will permit access to The System only to authorized persons on a need-to-know basis.
        2. The System, excluding physical premises, will at all times be protected by an authentication system that complies with the following requirements: (i) passwords will be reasonably complex; (ii) use of privileged accounts will be minimized; (iii) authentication credentials must not be shared; (iv) authentication credentials must be kept confidential; (v) individuals must authenticate using their own account and not a shared account; (vi) when an authorized individual no longer needs access to The System, Vendor will ensure his or her authentication credentials and access to The System are terminated immediately; and (vii) authorized individuals must log out of The System at the end of each work day.
        3. Vendor will at all times protect physical premises of The System using physical security methods commensurate with the type of data being handled. At a minimum, such methods must include: (i) visitor sign-ins, (ii) standard keyed or card keyed locks, (iii) limited access to server rooms and archival backup storage, and (iv) burglar/intrusion alarm systems.
      5. Logging. Vendor will log, including time and date, all attempted accesses to its servers involved in performing obligations pursuant to the Agreement, and the result of such attempts, successful or unsuccessful. In order to enable a complete audit trail of activities, Vendor will log, including time and date, all commands that require additional privileges, including all failed attempts to execute privileged commands. Vendor will protect the logs from tampering. Vendor will retain all log entries for at least six months.
  3. SECURITY ISSUE MANAGEMENT, INCIDENT HANDLING, AND SECURITY REVIEW.
    1. Notification Contact. Each party has designated Notification Contacts as set forth below. Each Party may update or modify its Notification Contact information by providing written notice to the other Party’s Notification Contact. Notifications pursuant to these Network Security Terms will take place via a telephone call and/or email by one Party to the other’s Notification Contact. Notification Contacts will be available twenty-four hours a day, seven days a week. Notification Contact information and communication protocol are as follows:
      Oath Notification Contacts:
        Oath Network Operations Center: +1 (408) 349-5555 (with verbal communication that this is a Vendor Security Notification)
        Email: partners-security@oath.com (with subject line: Vendor Security Notification)
      Vendor Notification Contacts: Vendor’s Notification Contacts will be as identified in the PO or SOW.
    2. Security Contact. Vendor will provide Oath with access to knowledgeable Personnel who can be reached with, and will respond to, security questions or security concerns (“Security Contact”). The Security Contact will have a deep, current knowledge of the architecture and operation of The System. The Security Contact will be available twenty-four hours a day, seven days a week by telephone and email, or through Vendor’s Notification Contact.
    3. Security Issue Management.
      1. Classification. If Oath believes an issue has not been properly classified as a Security Issue, Oath, in its sole and absolute discretion, has the right to classify the issue as a Security Issue.
      2. Service Level Agreement (SLA). Vendor will treat every Security Issue with high priority and commence working on it immediately with sufficient numbers of competent Personnel to meet the requirements of these Network Security Terms. In some cases, unscheduled updates, modifications to legacy code, working during non-business hours, removing Oath Branding, and disabling portions of The System (excluding physical premises) may be required to limit harm.
      3. Monitoring. Vendor will actively monitor The System and public reports for Security Issues.
      4. Actions. At a minimum, Vendor will take the following steps in the event of a Security Issue:
        1. Notify Oath’s Notification Contact immediately. Vendor will be deemed to have provided immediate notification hereunder if it notifies Oath via telephone and in writing via email within 24 hours of discovery of the actual or suspected Security Issue. The Security Issue notification shall describe, to the extent possible: (a) the incident; (b) the suspected effect on Oath, Oath Data, and affected individuals; (c) whether and to what extent law enforcement, governmental agencies or other regulators have been notified; (d) Vendor’s actual and anticipated corrective actions to respond to the Security Issue; and (e) if possible, the outcome of the Security Issue investigation.
        2. Provide an estimated time to resolution to Oath within two (2) calendar days.
        3. Resolve the Security Issue as soon as possible but no later than five (5) calendar days, unless otherwise agreed to by the Parties.
        4. Take reasonable steps to preserve logs or other data that may be useful for determining the source, cause, and consequences of the Security Issue. All logs or other data must be retained for one month after the Parties mutually agree that the Security Issue is resolved, unless additional retention is requested by Oath.
        5. Maintain a time and date stamped log of all significant actions taken in investigating and addressing the Security Issue. All logs or other data must be retained for one month after the Parties mutually agree that the Security Issue is resolved, unless additional retention is requested by Oath.
        6. Identify the root cause and implications of the Security Issue, and provide to Oath for review.
        7. Limit Harm. Where the Security Issue causes or is likely to cause imminent harm, and reviewing with Oath would prolong such harm, Vendor will immediately take the minimum actions necessary to mitigate the harm. Any action beyond the minimum should be taken only after review with Oath.
        8. Identify and implement the changes necessary to address the Security Issue to the mutual satisfaction of the Parties. Vendor will promptly provide Oath with a description of the planned changes. In cases where the changes require significant effort, Vendor will discuss the plan with Oath prior to implementing changes.
        9. Provide Oath with weekly status updates until the Security Issue has been resolved, unless more frequent updates are requested by Oath.
        10. At its option, Oath may participate in the investigation of a Security Issue, provided that the incident resulted in (or is reasonably believed to have resulted in or may potentially result in) the misuse, compromise or unauthorized release of or access to Oath Data.
        11. Partner shall immediately notify Oath of any investigations of its information use, privacy or information security practices or Security Issues by a governmental, regulatory or self-regulatory organization.
        12. Partner shall promptly reimburse Oath for all costs, fees, and expenses incurred in responding to and/or mitigating damages caused by a Security Issue caused by Partner, such as: (a) any costs incurred by Oath to correct, reconstruct, and reload incorrect, damaged or lost data; (b) any costs and expenses incurred by Oath to investigate and repair damage done to Oath’s systems and/or data; (c) any costs incurred related to notifying or offering remediation to third parties (including affected individuals) of unauthorized access to or use of any Oath Data (including without limitation any personally identifiable information) related to such persons, and providing credit monitoring and/or identity theft protection services to such persons in accordance with Oath’s then-current policies and practices; (d) fines, penalties and interest assessed against Oath; and (e) related attorneys’ fees.
        13. Confidentiality. Unless otherwise required by applicable Laws, Vendor will not disclose to third parties any information about Security Issues without prior written and express permission from Oath for each disclosure. If Vendor is required to disclose pursuant to Laws, Vendor must notify Oath as soon as possible. Vendor may disclose to the following parties without obtaining such permission: (a) Vendor’s agents who are working on the issue, have a need-to-know, and have a Non-disclosure Agreement that is no less restrictive than that between the Parties, and (b) others who are similarly affected and whom Vendor has an obligation to notify. In such cases, Vendor will not disclose any information about Oath or Oath’s involvement.
    4. Rights to Review.
      1. Security Testing.
        1. The Oath Companies, in their sole discretion, have the right at any time to perform remote Security Testing of The System, excluding physical premises. Such examination does not include actions that the examiner reasonably believes will cause serious harm or damage to The System. Security Testing may result in the identification of Security Issues.
        2. Upon Oath’s request, Vendor will promptly whitelist IP addresses provided by Oath to allow accurate Security Testing to occur.
        3. Vendor will not impede Security Testing; provided, however, that if Vendor reasonably believes Security Testing will cause serious harm or damage to The System, Vendor will (a) take the minimum action necessary to mitigate such harm or damage; (b) contact Oath immediately and explain the nature of the potential harm or damage; and (c) work with Oath so that Security Testing can continue without serious harm or damage to The System.
      2. Security Review.
        1. Subject to the conditions set forth in this Section 3.4.b, Oath, directly or through an Oath Affiliate, will have the right, at its own expense, to conduct Security Reviews, and/or to have an independent third party subject to a Vendor-approved confidentiality agreement conduct Security Reviews. In the case that Oath uses an independent third party, the third party will be selected by Oath subject to approval by Vendor, and such approval will not be unreasonably withheld or delayed. Vendor will provide sufficient access to its facilities, personnel, and records as required for the Security Review during Vendor’s regular business hours, and will otherwise support and cooperate with the Security Review. Security Reviews may result in the identification of Security Issues.
        2. Oath will have the right to conduct a Security Review: (a) prior to The System being available or in production, (b) when there is or is planned to be a material change to The System, (c) when Oath suspects there may be a Security Issue in The System, (d) upon termination of these Network Security Terms.
        3. Security Reviews will be subject to the following conditions: (a) Oath will provide reasonable notice to Vendor before such Security Reviews; (b) Security Reviews will be conducted during regular business hours in a manner that does not interfere with normal business activities.
  4. DATA HANDLING AND RESTRICTIONS ON USE.
    1. Data Handling. Vendor will ensure Oath Data is handled subject to each of the following guidelines, except to the extent otherwise specifically permitted by the Agreement:
      1. Vendor will not commingle Oath Data with any other data.
      2. Prior to first handling Oath Data, Vendor will resolve all identified Security Issues with The System, unless otherwise expressly specified by Oath in writing.
      3. Vendor will not store or prompt for Oath ID and password pairs.
      4. Vendor will always use Vendor ID as the identifier when storing and retrieving user-specific data.
      5. After the termination of the Agreement, Vendor must return or securely destroy Oath Data, unless otherwise expressly permitted by Oath in writing. Prior to destroying Oath Data, Vendor must give Oath advance written notification specifying the means of destruction, and such method must be approved by Oath in writing.
      6. Consistent with its obligations in Section 2.2(c)(i) hereof, Vendor will not transmit or store in unencrypted form any Oath Data (including but not limited to, payment instruments, banking information, authentication credentials, or government issued identifiers).
    2. Restrictions on Use. Vendor represents, warrants and covenants to use Oath Data solely for the Permitted Use, and Vendor will not export or use Personal Data outside of the United States without Oath’s prior written authorization.
    3. Compliance with Laws. Vendor will comply with all applicable laws and regulations (including data security, data protection, and any restrictions on transferring information across borders) with regards to Oath Data.
  5. INJUNCTIVE RELIEF. The Parties agree that breach of these Network Security Terms will cause Oath irreparable harm and that Oath is therefore entitled to injunctive relief to enforce its provisions, without the requirement of posting a bond therefor, in addition to such other legal and equitable relief to which Oath may also be entitled.
  6. TERM AND TERMINATION. These Network Security Terms remain in force so long as Vendor retains or has access to any Oath Data. The preceding does not constitute authorization to retain or access data that was covered by these Network Security Terms that was not authorized by the Agreement.
  7. ADDITIONAL REPRESENTATIONS AND WARRANTIES; INDEMNITY.
    1. Vendor represents, warrants and covenants: (a) that it has the power and the right to enter into these Network Security Terms on Vendor’s behalf, that Vendor has the power and the right to grant all rights conveyed hereby, and to perform its obligations under these Network Security Terms without breach of any agreements with third parties to which Vendor is a party or by which it is otherwise bound; (b) Vendor has not entered into, and will not enter into during the Term, any other contracts which materially interfere with Vendor’s performance of its obligations under these Network Security Terms or which frustrate the purposes of these Network Security Terms; and (c) Vendor has not assigned, delegated, sold, or otherwise transferred any intellectual property or other rights required to perform its obligations under these Network Security Terms and will not do so during the Term, except as expressly provided herein.
    2. Vendor will indemnify, defend and hold harmless Oath, its employees, directors, officers, shareholders, contractors, agents and affiliates, from and against any claims, causes of action, costs, expenses, fees, penalties (including court costs and reasonable attorneys’ fees) arising out of or related to Vendor’s breach of any of the representations, warranties, covenants, duties or other terms of these Network Security Terms. This indemnity obligation will survive the expiration or earlier termination hereof.
  8. STATEMENT OF COMPLIANCE. Vendor will provide Oath an annual written statement certified by a Vendor officer that: (a) Vendor has obtained each year a “SOC 2” and/or “ISO 27001” certification from a qualified third-party security assessment and auditing firm; and (b) Vendor has complied with all of the requirements of these Network Security Terms.
  9. MISCELLANEOUS.
    1. Interpretation of these Network Security Terms. The Parties desire that these Network Security Terms be construed fairly, according to their terms, in plain English, without constructive presumptions against the drafting Party, and without reference to the section headings, which are for reference only.
    2. Entire Agreement: These Network Security Terms, together with the other parts of the Agreement and any non-disclosure agreement, with respect to its subject matter and exempting any non-contrary provisions of the non-disclosure agreement and these Network Security Terms constitute the full agreement between Vendor and Oath and supersede any prior or contemporaneous agreements. Except as specifically provided herein, all other terms and conditions of the Vendor MTC remain the same. In the case of inconsistency or conflict between the provisions of these Network Security Terms, on the one hand, and the Vendor MTC or any PO, SOW, SLA, PLSS, or Change Order, on the other hand, the provisions of these Network Security Terms will control.

Last updated: June 2018