PipeBio Information Security Policy

2024/10/31

PipeBio considers protection of Customer Data a top priority. Taking into account the available technology, and the nature, scope, context and purposes of processing, as well as the risk to data subjects’ rights, PipeBio uses commercially reasonable technical and organizational measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data. PipeBio maintains these security measures in accordance with ISO 27001. This Information Security Policy supplements the underlying agreement (“Agreement”) entered into between the parties. Capitalized terms used but not defined herein shall have the meaning set forth in the Agreement.

1. Definitions.

“Customer Systems” means information systems and resources supplied or operated by Customer or its other service providers, including network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, proprietary applications, printers, and internet connectivity.

“PipeBio Infrastructure” means information processing resources supplied or operated by PipeBio, including without limitation, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, printers, proprietary applications, internet connectivity, printers and hard drives that are used, either directly or indirectly, in support of PipeBio’s processing of Customer Data.

2. Information Security Management Program and Policies.

2.1 Policies and Procedures.  PipeBio shall maintain a written security management program with policies and procedures designed with the intent to prevent, detect, contain, and correct vulnerabilities. These policies and procedures shall:

(a) assign specific data security responsibilities and accountabilities to specific individual(s).

(b) include a risk management program that includes periodic risk assessments.

(c) be made available, upon written request, to the Customer.

2.2 Infrastructure Protection.  To the extent applicable to the provision of the PipeBio Services provided to Customer, PipeBio shall maintain policies, procedures, and industry standard security capabilities and practices to protect PipeBio Infrastructure, protect Customer Data, detect threats and risks against PipeBio Infrastructure, and adequately respond to threats and risks to PipeBio Infrastructure and Customer Data including: 

(a) security programs (policies, standards, processes, etc.). 

(b) processes for becoming aware of, and maintaining, security patches and fixes.

(c) processes for identifying security vulnerabilities in software, databases, infrastructure, and networks, and processes for remediating security vulnerabilities.

(d) procedures for employing mechanisms to restrict access to the PipeBio Infrastructure, including all local-site networks that may be accessed via the internet (whether or not such sites transmit information) and any and all systems that store, process, and support use of Customer Data.

(e) procedures designed to protect the PipeBio Infrastructure, including any and all systems that store, process and support use of Customer Data, against attack and penetration.

(f) Whenever technically possible, PipeBio Infrastructure and any systems that store, process, access, and support Customer Data are protected by and configured with:

  1. network-based firewalls prohibiting unauthorized network traffic.
  2. accounts configured with the minimum necessary privilege required for functionality.
  3. the minimum number of services configured for functionality.
  4. routine vulnerability scanning of infrastructure, applications, and operating systems.
  5. patch management solutions that identify missing patches and apply patching when a vendor makes patches available.
  6. encryption of Customer Data in accordance with Section 7.1 (Encryption).

(g) If security risks, vulnerabilities, and/or issues during a security audit or assessment are identified, PipeBio shall remediate the risks, vulnerabilities, and gaps identified. PipeBio will use commercially reasonable efforts to remediate validated security risks, vulnerabilities, and issues, with risk severity being determined by PipeBio.

3. Access Control.

3.1 Identification and Authentication.  Access to Customer Data, or any PipeBio Infrastructure shall be Identified and Authenticated (as defined below).  “Identification” or “Identified” refers to processes that establish the identity of the person requesting access to the Customer Data, and/or PipeBio Infrastructure.  “Authentication” refers to processes that validate the purported identity of the requestor.  For access to Customer Data, or PipeBio Infrastructure, PipeBio shall require Authentication by the use of an individual, unique user ID and an individual password or other appropriate Authentication technique.  PipeBio shall maintain industry standard procedures designed for the protection, integrity, and soundness of any passwords created by PipeBio and/or used by PipeBio in connection with the performance of the PipeBio Services to Customer.

3.2 Account Administration.  PipeBio shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for PipeBio Infrastructure and Customer Data, and shall include procedures for granting and revoking emergency access to PipeBio Infrastructure and to any systems used to store, process, or support Customer Data.

3.3 Access Control.  PipeBio shall maintain appropriate access control mechanisms designed to prevent access to Customer Data, and/or PipeBio Infrastructure, except by authorized users.  The access and privileges granted shall be limited to the minimum necessary to perform the assigned functions. PipeBio shall maintain appropriate mechanisms and processes designed to detect, record, analyze, and resolve unauthorized attempts to access Customer Data or PipeBio Infrastructure.

4. Personnel Security.

4.1 Access to Customer Data.  PipeBio shall require its personnel and its approved sub-processors’ personnel who have, or may be expected to have, access to Customer Data or Customer Systems to comply with the provisions of this Data Security Policy.  PipeBio shall remain responsible for any breach of this Data Security Policy by its personnel or the personnel of its sub-processors.

4.2 Security Awareness.  PipeBio shall require that its employees and sub-processors remain aware of PipeBio’s security practices, and their responsibilities for protecting Customer Data.  This shall include:

(a) protection against viruses and malware;

(b) appropriate password protection and password management practices;

(c) appropriate use of workstations and computer system accounts; and

(d) appropriate use of the Internet, network infrastructure, applications, communications systems, including email, productivity software, and software-as-a-service. 

5. Risk Management.

5.1 General Requirements.  PipeBio shall maintain appropriate safeguards and controls and exercise due diligence designed to protect Customer Data, and PipeBio Infrastructure and systems used to store, process, access, and support Customer Data against unauthorized access, use, and/or disclosure, considering:

(a) applicable data protection law;

(b) information technology and industry practices;

(c) the relative level and severity of risk of harm should the integrity, confidentiality, availability or security of Customer Data be compromised, as determined by PipeBio as part of an overall risk management program; and

(d) protect Customer Data from security threats and risks, identify and appropriately respond to security threats and risks to Customer Data, and minimize the impact of adverse security events impacting the security of Customer Data.

5.2 Security Evaluations.  PipeBio shall, on an annual basis, evaluate its processes and systems with respect to the confidentiality, integrity, availability, and security of Customer Data, PipeBio Infrastructure, and systems that store, process, access, and support Customer Data.  PipeBio shall document the results of these evaluations and any remediation activities taken in response to these evaluations and shall make available written summaries of such evaluations and remediations if requested by the Customer.

5.3 Internal Records.  PipeBio shall maintain and implement policies and programs to capture, record, and examine information relevant to security related events.  In response to such events, PipeBio shall take appropriate action to address and remediate identified vulnerabilities to Customer Data and PipeBio Infrastructure.

6. Hosted Security.  The PipeBio Services operate on GCP (“GCP”) and are protected by the security and environmental controls of Google. Detailed information about Google security is available at https://cloud.google.com/security/ and https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate.

7. Communications Security.

7.1 Encryption.  Whenever technically possible, PipeBio shall maintain encryption, at rest and in transit, in accordance with industry standards (including AES-256 at rest and TLS 1.2 or higher in transit), for all storage of and transmission of Customer Data via public and private networks. 

7.2 Protection of Storage Media.  PipeBio shall delete Customer Data from all storage media prior to disposal or re-use and the deletion method will be in compliance with NIST 800-88.  All systems and media on which Customer Data is stored shall be protected against unauthorized access or modification.  PipeBio shall maintain industry standard processes and mechanisms designed to maintain accountability and tracking of the receipt, removal and transfer of systems and storage media used for processing of Customer Data.

7.3 Data Integrity.  PipeBio shall maintain processes designed to prevent unauthorized or inappropriate modification of Customer Data that is stored and processed by Supplier.

8. Remote Access to Customer Systems.  PipeBio’s remote access to Customer Systems, infrastructure, and applications shall be limited to the extent minimally necessary to provide the services to Customer.

9. Business Continuity Management.  PipeBio shall have a plan in place designed to counteract interruptions to business activities and protect critical business processes from the effects of failures of information systems or disasters.