Cloud Services Security Terms
These Cloud Services Security Terms (“Security Terms”) are incorporated into and made a part of the Master Relationship Agreement or such other written or electronic agreement between NICE and Customer for the purchase of Cloud Services (“Agreement”). Except as otherwise set forth herein, defined terms used in these Security Terms shall have the meanings provided in the Agreement.
I. Purpose
These Security Terms describe the information security standards NICE implements and follows in its business and in the provision of Cloud Services. These Security Terms do not apply to trial, beta, evaluation, or free Cloud Services, nor to third-party products or services sold but not developed by NICE. NICE may update these Security Terms from time to time to reflect changes in NICE’s security program, provided such changes do not materially diminish the level of security provided herein.
II. Company Security
- Overview. This Section II (Company Security) describes the information security controls NICE implements and follows for the protection of its IT systems, networks, facilities and assets (“Company Systems”), and any Confidential Information accessed or processed therein, from anticipated threats or hazards, unauthorized or unlawful access, use, disclosure, alteration, or destruction, and accidental loss, destruction or damage (“Company Security Program”). The Company Security Program has technical and organizational measures that are appropriate to the nature, size, and complexity of NICE’s business operations, the resources available to NICE, the type of information that NICE stores, and the need for security and confidentiality of such information.
- Company Security Policies. NICE has and maintains company information security policies (“Company Security Policies”) designed to educate its employees, contractors, and vendors on the appropriate use, access, and storage of Confidential Information. The Company Security Policies include access restrictions for personnel who have a ‘need to know’ such information, policies preventing terminated employees from accessing NICE’s information and information systems post-termination, and disciplinary measures for failure to abide by the Company Security Policies.
- Risk Assessment and Change Management. NICE uses a risk-based methodology to help it reasonably identify internal and external risks to the Company Systems and information resources and decide whether the Company Security Program is sufficient or needs to be updated to address any identified risks. NICE uses a change management process to ensure any changes to the Company Security Program or Company Security Policies are reviewed, tested, and approved.
- System Access Controls. NICE uses monitoring and logging tools to help detect and prevent unauthorized access to its networks and systems. NICE’s monitoring includes a review of Company Systems use through authentication and privileged access controls based upon the principle of least privilege, through secure authentication, authorization mechanisms, and access control rules that take into account the risk associated with the particular information system and the type of information stored therein. Access logs are maintained in a centralized repository to allow for security review and analysis by the security team. Such logs include log-on, failover and log-off attempts. Users must authenticate with two-factor authentication prior to accessing NICE servers or systems. Personal devices used to access NICE systems must be enrolled in the NICE portal for security and access controls.
- Threat and Vulnerability Management. NICE monitors the Company Systems and the technology implemented therein for vulnerabilities that are acknowledged by third-party vendors, reported by researchers, or discovered internally. Any such vulnerabilities are identified for mitigation or fixes based on severity level. NICE or third parties acting at its direction periodically perform network vulnerability and penetration tests on the Company Systems. NICE uses real-time anti-virus and malware solutions to protect the Company Systems and its personnel’s computers against viruses, worms, and other forms of malicious code that may cause damage. Definition updates are performed and monitored on an automated basis.
- Training. All NICE employees and contractors are required to receive training on Company Security Policies upon hiring/onboarding and on an annual basis thereafter to maintain compliance with the Company Security Policies. Additional, more in-depth training may be required based on the roles and responsibilities performed by such personnel. NICE also implements periodic security awareness campaigns to educate its personnel and to maintain a secure work environment.
- Secure Product Development. When developing its software and technologies, NICE employs a methodology for the acquisition, development, configuration, maintenance, modification, and management of such technology with the intent of maximizing its inherent security. Source code access is restricted to authorized personnel only. NICE uses a risk-based approach when applying such methodology to production software, which may include activities such as performing security architecture reviews, open-source security scans, dynamic application security testing, network vulnerability scans, code review, and external penetration testing in the development environment. NICE scans packaged software to ensure it is free from trojans, viruses, malware and other malicious threats.
- Storage and Secure Disposal. NICE’s Company Security Policies contain procedures and controls regarding the secure disposal of tangible and intangible materials containing Confidential Information, which are designed to ensure such Confidential Information cannot be viewed or reconstructed when possible.
- Third-Party Vendors. NICE puts each third-party vendor and its partners through a rigorous due diligence process, including privacy and security reviews for those with access to Confidential Information, including Content and personal data (as defined under the General Data Protection Regulation (EU) 2016/679 (“GDPR”)) (“Personal Data”), prior to contracting with any such third party. Third-party vendors are subject to contractual obligations of confidentiality and risk assessments to determine the sensitivity of information being shared. Vendors are expected to comply with any pertinent contract terms relating to the confidentiality and security of data, as well as any applicable NICE policies or procedures such as the NICE Supplier Code of Conduct. Periodically, NICE may re-evaluate a vendor and its security posture to help ensure compliance.
- Personnel Security. NICE requires each employee and contractor to enter into confidentiality agreements upon hire or engagement, as applicable, and to agree to its Code of Ethics and Business Conduct. NICE performs background checks on its potential employees prior to hiring, as permitted by applicable law. In addition to the Company Security Policies, NICE also requires its employees and contractors to agree and adhere to teleworking, internet acceptable use, social media, electronic messaging, clear desk/clear screen, and other work policies.
- Facilities. NICE grants physical access to its facilities based on role and logs visitor access. NICE removes physical access when access is no longer required, including upon termination. Employees and visitors must visibly display and wear identity badges when in a NICE facility. Visitors must always be accompanied while at a NICE facility. NICE reviews data center physical access, including remote access, on a regular basis to confirm that access is restricted to authorized personnel. NICE employs additional measures to protect its employees and assets, including video surveillance systems and onsite security personnel.
- Company Business Continuity and Disaster Recovery. NICE endeavors to maintain continuity of its operations through business continuity, redundancy, appropriate staffing of incident response personnel, and timely recovery of critical NICE processes and systems. NICE has a business continuity and disaster recovery plan for its business operations (“BCP/DRP”), which is reviewed and approved by management at least annually. The BCP/DRP includes actions and procedures for NICE facilities, business functions/operations, HR, IT, and communications, which are designed to ensure the survivability of NICE’s internal services, mission-critical applications, infrastructure and data, and to enable their recovery to effective service levels as soon as possible, minimizing the impact on the business should a reasonably foreseeable event occur that causes significant operational disruption and crisis to NICE’s business and Company Systems. Training exercises and tests of the BCP/DRP are performed to ensure it is reliable and effective, and updates are made to the plan based on the findings of these tests.
- Certifications. NICE strives to align its Company Security Policies to ISO 27001 standards for information security where practical.
III. Cloud Services Security
- Overview. This Section III (Cloud Services Security) describes the information security standards and administrative, technical and organizational safeguards NICE implements and follows to protect the confidentiality, integrity, and availability of Confidential Information, including Content, in the Cloud Services (“Cloud Services Security Program”). The Cloud Services Security Program is designed to protect the Confidential Information, including Content, in the Cloud Service from and against anticipated or actual threats or hazards, unauthorized or unlawful access, use, disclosure, alteration, or destruction, and accidental loss, destruction or damage, in accordance with laws applicable to NICE’s provision of the Cloud Service to Customer under the Agreement.
- Cloud Services Security Program. NICE’s Cloud Services Security Program: (a) is consistent with industry recognized information security standards; (b) includes technical, administrative, physical and organizational measures designed to protect the confidentiality, integrity and availability of Confidential Information, including Content, as well as the processing of such data by NICE’s employees, subcontractors, and sub-processors; and (c) is appropriate given the nature, scope, and complexity of the Cloud Services and NICE’s business operations.
- Cloud Services Security Policies. NICE will maintain appropriate policies, standards, and procedures designed to support the Cloud Services Security Program (“Cloud Services Security Policies”) and will review and update them from time to time to ensure relevance, accuracy, and to maintain industry standard security standards.
- Risk Assessment and Management. NICE uses a risk-based methodology to help it reasonably identify cybersecurity risks to its information assets. NICE security teams review the risks identified by it to understand potential impact to the business, determine appropriate risk levels, and treatment options. Risk mitigation plans are implemented by NICE to address material risks to business operations, including data protection.
- Change Management. NICE follows documented change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes to the Cloud Services. These changes undergo appropriate levels of review and testing, including security and code reviews, regression testing and user acceptance prior to approval for implementation. Software development and testing environments are maintained and logically separated from the production environment.
- Data Storage and Backup. The Cloud Services contain functionality to allow backups of Content. Depending on the Cloud Service, this may include the ability to back up Content and store it within the Cloud Service, and/or to back up and store Content with an external storage provider of Customer. Backups of Content in the Cloud Services will not be stored on portable media. The timing and cadence of backups of Content, the storage duration, and the capacity are different for each Cloud Service. Information on the foregoing may be found in the Documentation for the applicable Cloud Service.
- Data Management, Deletion and Destruction. NICE has data disposal policies in place to guide personnel on the procedure for disposal of Confidential Information, including Content, in accordance with the terms of the Agreement. If deletion is required, Content will be securely deleted. For Content in a Cloud Service hosted by NICE in Amazon Web Services (“AWS”), AWS procedures include a decommissioning process that is designed to prevent Content from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices. For certain Cloud Services that make recordings of voice calls, recording retention policies may be determined by Customer and used as part of its routine deletion process for such Content. For example, a recording retention policy can be created within the Cloud Service to delete conversations that occurred within a range of dates.
- Vulnerability Management. NICE continuously monitors for vulnerabilities discovered through scans, offensive exercises, employees or externally reported by vendors or researchers. NICE follows industry best practices to discover and address vulnerabilities in accordance with their severity level.
- Incident Response and Breach Notification. NICE has an Information Security Incident Response Plan (the “ISIRP”) and a Cyber Incident Response Team (“CIRT”) in place to prepare for, detect, analyze, contain, eradicate, recover, and gain lessons learned from (as appropriate) identified information security incidents affecting NICE. NICE reviews and updates the ISIRP at least annually to reflect emerging risks and changes to NICE’s operations and systems. Should a breach of security, which leads to the unauthorized or unlawful destruction, loss, modification, disclosure of or access to Content, including Personal Data, while being transmitted, stored, or otherwise processed (as defined under GDPR) by NICE (“Data Incident”) occur, NICE will notify Customers without undue delay after its confirmation of such Data Incident. As appropriate, NICE will provide affected customer(s) with known details regarding the Data Incident, including the date it was identified and confirmed, the nature and impact of the Data Incident to their Content, actions NICE intends to take or has already taken to contain, eradicate, and/or recover from effects of the Data Incident, and any impending next steps. In the event of a Data Incident involving Personal Data to which Customer is the data owner or controller, if Customer reasonably determines notification is required by applicable data breach notification laws, NICE will provide reasonable assistance to the extent required for Customer to comply with such laws, including assistance in notifying the relevant supervisory authority and providing a description of the Data Incident. Nothing in these Cloud Services Security Terms shall prohibit or limit NICE from complying with any obligations it may have under the data breach notification laws.
- Cloud Services Security Program Audit and Assessments. NICE conducts internal control assessments on an ongoing basis to validate that security and access controls are designed and operating effectively. Third party audits are performed as part of NICE’s certification process to validate the ongoing governance of control operations and their effectiveness. Issues identified from assessments and audits are documented, tracked, and remediated as appropriate given the materiality.
- Security Audits. At least once a year, Cloud Services are subject to a security audit by an independent third-party auditor that attests to the effectiveness of the controls NICE has put in place to safeguard the systems and operations where Content is processed, stored, or transmitted (e.g., System and Organization Controls (SOC 2) Type 2). For those Cloud Services subject to a SOC 2, the audit will be in accordance with the Attestation Standards under Section 101 of the codification standards (AT 101) and at a minimum will cover the security, confidentiality, and availability control criteria developed by the American Institute of Certified Public Accountants (AICPA). Upon request, NICE will supply Customer with a summary copy of NICE’s most recent annual audit reports available for the applicable Cloud Service, which will be deemed NICE’s Confidential Information under the Agreement.
- Penetration Testing. At least once a year NICE performs, or employs a third party to perform, penetration testing on the applications and infrastructure of the Cloud Services. Issues identified during the engagement will be appropriately addressed within a reasonable timeframe given their materiality. Upon request, NICE will provide Customer with a copy of the executive summary associated with such penetration testing results, which will be deemed NICE’s Confidential Information under the Agreement.
- Password, Access, User Management and Authentication. Application access logs are maintained in a centralized repository to allow for security review and analysis by the security team. NICE maintains technical safeguards to prevent unauthorized access to Content through fraud or error. NICE implements user access management functionality in the Cloud Services, including requirements for user registration, access provisioning, management of privileged access rights to information and information systems, and the removal or adjustment of access rights. NICE maintains policies and processes to control and secure access to the back-end production environment of the Cloud Service based upon the principle of least privilege, through secure authentication, authorization mechanisms, and access control rules that take into account the risk associated with the particular information system and the type of information stored therein. These processes include multiple layers of access controls such as firewalls, tokens, security keys, and authentication.
- Encryption. NICE employs encryption to mitigate the risk of unauthorized disclosure or alteration of Content in the Cloud Service. Cryptographic keys shall be protected against unauthorized access, disclosure, modification, and data loss.
- Cloud Service Business Continuity. The Cloud Services environment is separate and within a reasonable distance from Company Systems. NICE has a written business continuity plan designed to manage significant disruptions to its Cloud Services operations and infrastructure (“BCP”). NICE reviews (and, as necessary, updates) and approves the BCP at least annually. The BCP provides steps required and expected to recover NICE’s operations should a reasonably foreseeable disaster or force majeure event occur. NICE personnel perform annual tests of the BCP to assess effectiveness. Test results are documented, and corrective actions are noted. Data backup, replication, and recovery systems/technologies are deployed to support resilience and protection of Content. Backup systems are configured to encrypt backup media. Disaster recovery capabilities for recovery to separate hosting service provider regions may require an additional fee for certain Cloud Services.
- Data Center Physical Access. Data centers operated by NICE, and those operated by its hosting service providers for the Cloud Services, have physical access control systems to permit only authorized personnel to have access to the secure areas. These physical controls include, but are not limited to, identification and signatures for all access requests, escorted access of authorized personnel, intrusion detection systems, access control devices, and closed-circuit television cameras.
- Industry Specific Certifications. Certain Cloud Services include features and controls that may assist Customers in their compliance with a particular law, regulation or security standard such as FedRAMP, PCI, HIPAA, etc. Information on the certifications of a particular Cloud Service may be found in the NICE customer portal or by contacting Customer’s NICE sales representative.