NASDAQ
FTDR
Stock Information
Home / Security And Privacy Requirements

Security And Privacy Requirements

UPDATED: June 13, 2024

To the extent that your company ("Company") has entered into a contract or agreement ("Agreement") with Frontdoor, Inc. or any of its affiliates (collectively, "Frontdoor") which incorporates these Security and Privacy Requirements (these "Security and Privacy Requirements") into the Agreement by reference, Company agrees to comply with the additional terms and conditions set forth herein. Further, these Security and Privacy Requirements shall be applicable to any change order, work order, insertion order, statement of work, or any other document which provides for the purchase of goods or services that is subject to the terms and conditions of the Agreement (any such document being referred to herein as a "Statement of Work" or "SOW"). In the event of a conflict between the Agreement and these Security and Privacy Requirements, these Security and Privacy Requirements will control.  Any capitalized term used but not defined herein will have the meaning assigned to it in the Agreement.

PART ONE: DEFINITIONS & CONTACT INFORMATION

1. Definitions.

"Authorized Persons" : Company’s employees, Company’s contractors, agents, outsourcers, and auditors who have a need-to-know or otherwise access Frontdoor Information to enable Company to perform its obligations under the Agreement.

"Cardholder Data" : the PAN.  When any of the following elements are with the PAN, they shall also be considered Cardholder Data: (a) cardholder name, (b) card expiration date or (c) Service Code. Magnetic stripe data (also known as track data) shall also be considered Cardholder Data.

"Confidential Information" is Frontdoor’s Confidential Information as defined in the Agreement. 

"Electronic Communications Resource" (also known as, "ECR" or "Frontdoor ECR") means any Frontdoor owned, authorized or provided computer, computer network, email (both internet and Intranet-based), telephone system (including voicemail), fax, mobile device (pager, cell phone, smartphone, PDA, tablet, etc.), software and hardware resources, Intranet, Internet, video conferencing (webinars and conference calls), closed-circuit television, radios, wireless devices or other handheld devices, photocopiers, or other resource that allows Authorized Persons access to the Internet and documents, files or other information contained within these resources.

"Encryption" : the conversion of data into an unreadable form without the use of a decryption key. 

"Frontdoor Data Classification": the classification of Frontdoor Information by Frontdoor to ensure that appropriate security controls, labeling, and the granting of access are maintained. Frontdoor maintains four (4) Data Classifications from least restrictive to most restrictive:

    1. "Public" is information that has been cleared by Frontdoor’s management for general use and public knowledge.
    2. "Internal" or "Internal Frontdoor Information" is Frontdoor Information that is proprietary to Frontdoor, disclosure of which would result in unnecessary burden to Frontdoor;
    3. "Confidential" or "Confidential Frontdoor Information" is critical Frontdoor Information, disclosure of which would be detrimental to Frontdoor, including, but not limited to, PII; and
    4. "Restricted" or "Restricted Frontdoor Information" is Frontdoor Information that is highly sensitive to the operation and organizational well-being of Frontdoor, including, but not limited to, Sensitive PII

"Frontdoor Information": all information provided to Company by or at the direction of Frontdoor (whether through Frontdoor’s affiliates, subsidiaries or otherwise), or to which access was provided to Company by or at the direction of Frontdoor, in connection with performance under the Agreement, including, but not limited to, any PII, Sensitive PII, Confidential Information, or any other data or information delivered in connection with the Agreement. Frontdoor Information is, and will remain, the sole and exclusive property of Frontdoor.

"Frontdoor Network": the system of computers, peripherals and other devices, that are interconnected to each other physically or logically, which enable Frontdoor ECR and users of Frontdoor ECR to perform job duties or services under the Agreement. The Frontdoor Network includes all Frontdoor owned or operated LANs, WANs, extranets, intranets, wireless, or any other network which Frontdoor would consider used for Frontdoor purposes. 

"Hosting Services": web hosting, infrastructure as a service, platform as a service, software as a service, collocation services, and/or cloud servers, etc. provided by Company or used by Company to deliver services under the Agreement.  Hosting Services are typically off premise, one-host to many users scenario, where the user pays for resources consumed or allotted.

"Information Security": protecting information and information systems from unauthorized collection, access, use, disclosure, disruption, modification or destruction.

"Information Security Program": the comprehensive collection of policies, standards, procedures, and controls used to deliver and assure Information Security across the Company.

"PAN": the full Primary Account Number imprinted on an applicable credit or debit card (or embedded within the magnetic stripe of such card).

"Payment Card Brand Organization": an organization (e.g., Visa, MasterCard, JCB, American Express, Discover, etc.) that promulgates operating rules for payment processing workflow, including rules relating to purchase, authorization, clearing and payment and settlement, for each such organization’s applicable branded cards.

"Payment Card Industry Requirements" (also known as, "PCI Requirements"): the security standard for all entities involved in payment card processing functions and the security-related functions involved in protecting cardholder data for the major debit, credit, prepaid, e-purse, ATM, and POS cards as defined by the Payment Card Industry Security Standards Council. Current (as of the Effective Date of the Agreement) versions of the standards may be obtained from https://www.pcisecuritystandards.org/.

"Personally Identifiable Information" ("PII"): one or more piece of Frontdoor Information that:

    1. identifies, distinguishes or can be used to trace an individual’s identity (including, but not limited to, names, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers, date and place of birth, social security number, or biometric records);
    2. can be used to authenticate an individual (including, without limitation, passwords, passcode, or PINs, biometric data, answers to security questions and other personal identifiers);
    3. can be linked to an individual, such as medical (i.e., HIPAA), financial (i.e., account numbers, PINs, security codes, Service Codes, credit report information), and employment information (including, but not limited to, benefits, hiring information, salary, performance reviews, employment terms, etc.); or
    4. is regulated under any applicable Privacy Law as "personal information" (or has a similar designation under any applicable Privacy Law) and was provided to Company by or at the direction of Frontdoor (or its affiliates or subsidiaries).

"Privacy Laws": all applicable federal, state (including the California Consumer Privacy Act of 2018), and local U.S. (and, when applicable, foreign) laws, regulations, and rules relating to personal information and other data privacy and data protection, as they may be enacted, adopted or amended from time to time.

"Record": any recorded or documented form of Frontdoor Information in any medium, including information created or received in any form, including e-mails, paper documents, electronic documents, database or application information, call center recordings, and other electronic or photographic media.

"Security Breach": any confirmed access to Frontdoor Information (or the systems that store, process, or transmit Frontdoor Information) that is unauthorized and intended to, or reasonably likely to, compromise the confidentiality, integrity or availability of Frontdoor Information or the controls put in place to protect the confidentiality, integrity or availability of Frontdoor Information, including any suspicion of Frontdoor  Information being copied, transmitted, viewed, stolen, or used by an individual not authorized to do so.  

"Security Incident": any suspected access to Frontdoor Information (or the systems that store, process, or transmit Frontdoor Information) that is unauthorized and intended to, or reasonably likely to, compromise the confidentiality, integrity or availability of Frontdoor Information or the controls put in place to protect the confidentiality, integrity or availability of Frontdoor Information, including any suspicion of Frontdoor Information being copied, transmitted, viewed, stolen, or used by an individual not authorized to do so.

"Sensitive Personally Identifiable Information" ("Sensitive PII"): specific PII or combinations of PII that require additional security provisions as required by contractual agreement, Privacy Laws or as otherwise deemed necessary by Frontdoor. Sensitive PII includes the following:

    1. use of an individual’s first and last name or first initial and last name, combined with any of the below:
      1. financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password that would permit access to an individual’s financial account; or
      2. an individual’s government-issued identification number (including social security number, driver’s license number or state-issued identification number);
    2. an individual’s Cardholder Data; or
    3. an individual’s biometric or health data.

Service Codes”: The three- or four-digit codes following the expiration date of the payment card.

"Software": the programs and other operating information used by a computer, server, router, network device, or similar computing device.

"Strong Encryption": encryption that meets then-current industry standards (e.g., NIST) relating to the strength of the algorithm, the secrecy of the key, the initialization vectors and how they all work together within the cryptosystem.

"Vulnerability": a weakness at the network services, operating system, or application level, or within associated functions of networks, computer systems, or Software that could allow a Security Breach to occur. Vulnerabilities also include physical vulnerabilities (such as broken locks, malfunctioning key or proximity cards) to the premises containing or permitting access to Frontdoor Information.

2. Contact Information

For Security Incidents or inquiries, the following contact information for Frontdoor will be used:


Frontdoor

Email: security@frontdoor.com

Company shall provide an email address and telephone number by which Frontdoor can contact Company regarding Security Incidents or inquiries.  Company shall immediately update Frontdoor should any such provided contact information change for the longer of (a) the period of time during which Company has any Frontdoor Information or access thereto and (b) the Term of the Agreement. Frontdoor may update contact information by providing notice of such updated contact information to Company in accordance with the Agreement. 

PART TWO: GENERAL SECURITY AND PRIVACY REQUIREMENTS

3. Changes and/or Modifications to Security and Privacy Requirements. 

From time to time, in Frontdoor’s reasonable discretion, it may be necessary for Frontdoor to review and make changes to these Security and Privacy Requirements.

3.1 Notice of Changes. Frontdoor will provide notice of any material changes to the Company contact email address referenced in the first sentence of the last paragraph of Section 2 above. Following Company’s receipt of such notice, Company will have fifteen (15) days to review such material changes, and if Company objects to such changes, to provide notice of non-acceptance of such material changes and proposed revisions in writing.

3.2 Frontdoor Review. Should Company provide proposed revisions in accordance with Section 3.1, Frontdoor will review such revisions and work with Company to arrive at mutually agreed upon revisions to these Security and Privacy Requirements.

3.3 Resolution. In the event Company and Frontdoor cannot agree on revised Security and Privacy Requirements within thirty (30) days following Frontdoor’s receipt of proposed revisions provided by Company in accordance with Section 3.1, Frontdoor may choose to (in its sole discretion): (a) continue to use the requirements set forth herein; (b) continue to use the requirements set forth herein for all existing Statements of Work under the Agreement and not engage Company in future Statements of Work under the Agreement; or (c) terminate all activities and services currently in operation under any Statement of Work under the Agreement (and Frontdoor shall be entitled to receive a refund of all prepaid and unused fees as of the effective date of termination).

4. Information Security Program. 

Company shall, at all times during the Term (including during normal operations, disaster recovery and business continuity), maintain an effective and comprehensive Information Security Program that meets or exceeds then-current industry standards with respect to all Frontdoor Information in Company’s possession or to which Company has access. Company shall implement, maintain, and monitor a comprehensive written Information Security Program that includes reasonable administrative, technical, physical, organizational, and operational safeguards and other security measures, including policies and procedures, designed to (a) ensure the security, privacy, confidentiality, integrity, and availability of Frontdoor Information, (b) protect against any established or emerging threats to the Information Security of Frontdoor Information in Company’s possession or to which Company has access, and (c) protect against unauthorized processing, destruction, loss, alteration, use of, disclosure, or access to Frontdoor Information. Said Information Security Program shall be reviewed at any time there is a material change in practices and not less than annually.  Company shall monitor its Information Security Program to ensure that it is operating in a manner reasonably calculated to ensure effective Information Security.

4.1 Information Security Program Requirements. At minimum, Company’s Information Security Program shall incorporate policies and procedures consistent with then-current industry standards for the following:

  • identity and access management;
  • malware prevention and protection;
  • threat and vulnerability management; 
  • system configuration and hardening;
  • security incident management;
  • network security and firewall management;
  • infrastructure and virtualization security;
  • encryption and cryptography;
  • backup and restoration;
  • business continuity management and operational resilience;
  • data security and privacy;
  • security of wireless technology and wireless networks;
  • security operations and management
  • application and interface security;
  • change and configuration management;
  • event logging and monitoring;
  • third-party security and risk management;
  • governance and risk management, as applicable.

4.2 Minimum Security Requirements. The following are applicable to Company and any third parties that process, access or logically store Frontdoor sensitive, proprietary, confidential or personal data.


Entity-level Requirements:

  • Security Risk Assessment Questionnaire
  • Master Service Agreement (MSA) and Mutual Non-Disclosure Agreement (MNDA)
  • Service Level Agreement (SLA)
  • SOC 2 Type II and Bridge Letter
  • Vulnerability Assessment Summary
  • Penetration Testing Summary
  • Other Attestation Reports – as applicable (PCI AOC, ISO, GDPR)
  • Geographical Location: cannot be in a “prohibited” region or one that is geo-IP blocked.
  • Design and Implementation Documentation for Software Solutions: integrations, data flows, privilege operations, trust boundaries must meet Frontdoor standards.
  • Access Controls: adequate access and authentication mechanisms to protect Frontdoor Information must be in place.
  • Encryption: cryptographic protections to preserve the confidentiality and integrity of Frontdoor Information when it is processed, stored, or transmitted must be in place.
  • Interoperability: any multi-tenant zones to be in use for Frontdoor Information are appropriately segmented from others.
  • Vulnerability Management: process to identify, prioritize and remediate Vulnerabilities must be in place.
  • Data Protection: adequate data protection mechanisms to ensure confidentiality, integrity and privacy of Frontdoor Information must be in place.
  • Data Breach Response: a comprehensive model to respond to, mitigate and notify Frontdoor, in a timely manner, of Security Incidents and Security Breaches.
  • Incident Response: formal and timely procedures to respond to and recover from an incident must be in place.
  • Backup and Recovery: adequate backup and recovery procedures to ensure availability of Frontdoor Information must be in place.
  • Business Continuity & Operational Resiliency: business continuity plans to meet recovery time objectives (RTO) and recovery point objectives (RPO) must be in place.


Authorized Person Requirements:

  • Security Awareness Training and Acceptable Use Policy (AUP) Acknowledgement: adherence to Frontdoor policies and standards is required.
  • Virtual Desktop Infrastructure (VDI) or Segmentation: the dedicated path of access established by InfoSec and Corp IT must be used to access company resources.
  • Anti-Virus/Anti-Malware/EDR Protection: controls must be implemented to block and monitor for malware and cyber breaches on the device to be used.
  • DLP Solution: tool to ensure that sensitive data is not lost, misused, or accessed by unauthorized individuals must be in place.
  • Virtual Private Network (VPN): a secure connection between the computing device and the network must be used.
  • OS and Patching: device to be used must be current in OS version and patching levels.
  • Web Browser Version: latest version of Chrome must be used to conduct business.
  • Full-Disk Encryption: device to be used must have a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive (as applicable).
  • Multi-Factor Authentication (MFA): strong multi-factor authentication method must be implemented and used.
  • O365 Account: Frontdoor email must be used for conducting all sensitive or confidential company business and communications.
  • Geographical Location: user cannot be in a “prohibited” region or one that is geo-IP blocked.

5. Personnel Security.

5.1 Background Checks. Company shall perform or cause to be performed background checks for all Authorized Persons with access to Frontdoor Information.

5.2 Security Awareness Training. Company shall provide periodic and mandatory Information Security training for all Authorized Persons.  Said training shall be designed to impart to each person an awareness of his or her responsibilities regarding Information Security, and the Company’s Information Security Program.

6. Access to Frontdoor Information. 

Company will ensure only Authorized Persons have access to Frontdoor Information.

6.1 Limit Access: Company shall ensure that access to Frontdoor Information by any Authorized Person is limited based on least-privilege and need-to-know. Access to sensitive information should be limited and only permissions that are needed to perform job function are granted.

6.2 Removal of Access. Company shall ensure that all accounts that allow for access to Frontdoor Information to any Authorized Person are promptly disabled or removed (or provide notice to Frontdoor to have account permissions revoked) with respect to such Authorized Person following such Authorized Person’s cessation of the provision of services provided in connection with the Agreement for any reason, including, but not limited to, termination.

6.3 Physical Protections. As appropriate based upon Frontdoor Data Classification or data type, Company shall appropriately secure Frontdoor Information to prevent any physical access by any person other than an Authorized Person.

7. Use of Frontdoor Information.

7.1 Acceptable Use of Frontdoor Information. Company will receive, retain, use and disclose Frontdoor Information only to the extent necessary to perform Company’s obligations under the Agreement or an applicable Statement of Work.  Without limiting the foregoing, Company will not collect, retain, use, sell, disclose or otherwise take any action with respect to Frontdoor Information except as permitted by these Security and Privacy Requirements, the Agreement  and all applicable law.

7.2 Expressly Prohibited Uses. Except as specifically permitted in a Statement of Work or otherwise in writing, Company may not undertake any of the following actions with respect to Frontdoor Information:

  1. send Frontdoor Information out of the country in which Frontdoor provided such Frontdoor Information (deemed to be the United States of America unless otherwise designated in writing by Frontdoor) to another country;

  2. remove or copy Frontdoor Information from a Frontdoor environment to a non-Frontdoor environment, or otherwise initiate such extractions;

  3. access any Frontdoor Information relating to production data or any Frontdoor environments that are deemed by Frontdoor to hold Frontdoor Information relating to production data; or

  4. access any Frontdoor system that is deemed by Frontdoor to be regulated by any PCI Requirements.

8. Information Retention and Deletion. 

Subject to the deletion obligations set forth in this Section 8, Company agrees to retain Frontdoor Information only for so long as necessary for Company to perform the Services.  

8.1 Deletion Requests. Upon Company’s receipt of a written request from Frontdoor to delete any Frontdoor Information, Company shall promptly (but in any event not later than ten (10) calendar days following receipt thereof) (a) securely delete such Frontdoor Information in Company’s possession by sanitizing or destroying (using NIST 800-88 Revision 1 Guidelines for Media Sanitization) such Frontdoor Information and (b) certify in writing to Frontdoor that Company has complied with the requirements of this Section 8; provided that if Company is required to retain any Frontdoor Information under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall not be required to comply with the deletion requirements set forth in this Section 8 only as to such Frontdoor Information, but shall instead provide a written statement to Frontdoor that specifically identifies the Frontdoor Information that was not deleted and the reason for the non-deletion; provided further that if, at any time, such Frontdoor Information is no longer required to be retained by Company under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall promptly (but in any event not later than ten (10) calendar days following the day upon which such Frontdoor Information is no longer required to be maintained by Company under applicable law or by the terms of a separate written agreement with Frontdoor) (a) delete such Frontdoor Information and (b) certify in writing to Frontdoor that Company has complied with the requirements set forth in this Section 8.

8.2 Return or Destruction. Following the termination or expiration of the Agreement, Company shall promptly (but in any event not later than ten (10) calendar days following the termination or expiration of the Agreement) (a) return or securely delete by sanitizing or destroying (using NIST 800-88 Revision 1 Guidelines for Media Sanitization) all Frontdoor Information in Company’s possession and (b) certify in writing to Frontdoor that Company has complied with the requirements of this Section 8.2; provided that if Company is required to retain any Frontdoor Information under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall not be required to comply with the return or deletion requirements of this Section 8.2 only as to such Frontdoor Information, but shall instead provide a written statement to Frontdoor that specifically identifies the Frontdoor Information that was not returned or deleted and the reason for the non-return or non-deletion; provided further that if, at any time, such Frontdoor Information is no longer required to be retained by Company under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall promptly (but in any event not later than ten (10) calendar days following the day upon which such Frontdoor Information is no longer required to be maintained by Company under applicable law or by the terms of a separate written agreement with Frontdoor) (a) return or delete such Frontdoor Information and (b) certify in writing to Frontdoor that Company has complied with the requirements of this Section 8.2.

9. Incident Response.  

(a) Company will maintain a documented response process to manage and to take appropriate corrective action(s) for any Security Incident or Security Breach. This process must be reviewed by the Company for sufficiency at least annually.  

(b) In the event of a Security Incident, Company shall use its continuous best efforts to investigate such Security Incident (including to confirm whether any access to Frontdoor Information by any person other than an Authorized Person has occurred) and limit the scope of such Security Incident. Promptly following (a) Company’s becoming aware of any Security Incident, Company shall communicate such awareness to Frontdoor, along with all pertinent details relating to such Security Incident (and shall provide periodic updates) and (b) Company’s investigation of any Security Incident, Company shall promptly communicate to Frontdoor all findings with respect thereto (including confirmation as to whether any access to Frontdoor Information by any person other than an Authorized Person has occurred). Company shall not notify any third party of any Security Incident, except as may be strictly required by law, without first obtaining Frontdoor’s prior written consent and incorporating in good faith any feedback that Frontdoor may have as to the content and manner of executing such third-party notification.

(c) In the event of a Security Breach, Company will ensure the procedures set forth in Section 9.1 and Section 9.2 are included in its Security Breach response procedures.

9.1 Security Breach Notification and Communication. Company will promptly notify Frontdoor of any Security Breach occurring that affects Frontdoor Information or the systems that store, process or transmit Frontdoor Information based on the chart below:

Response

Classification

Internal

Confidential

Restricted

Frontdoor Contact

Section 2.0

Section 2.0

Section 2.0

Notification

72 hours

48 hours

24 hours

Initial Notification

Status Report

Within 48 hours

Within 24 hours

Within 8 hours

Update Communication

Mutually Agreed Upon

Mutually Agreed Upon

Mutually Agreed Upon

Final Report

Within 10 business days of Security Breach closure

Within 5 business days of Security Breach closure

Within 5 business days of Security Breach closure

(a) Initial Notification Status Report. Within the above defined hours for the initial notification status report, Company shall provide Frontdoor a written status report for each Security Breach ("Initial Notification Status Report"). Each such Initial Notification Status Report will include, at a minimum, the following information:

    1. the date (or suspected date) of the initial incident giving rise to such Security Breach;

    2. a detailed description of such Security Breach, including known or suspected cause;

    3. contact information for the Company coordinator responsible for remediating such Security Breach; 

    4. a description of the steps taken (as of the date the Initial Notification Status Report is delivered) to contain or correct such Security Breach;

    5. a description of next action steps to contain or correct such Security Breach;

    6. current status of remediation efforts; and

    7. expected timeframe for full-service restoration and resolution.

(b) Update Communications. After delivery of an Initial Notification Status Report, Company shall provide Frontdoor with interim written status reports for each Security Breach. Reports will be delivered at mutually agreed upon intervals. Reports will include, at a minimum, the same requirements from Section 9.1(a) plus a list and description of any third parties that are involved with any Security Breach remediation.

(c) Final Report. Company shall provide Frontdoor, in writing, with a final written report for each Security Breach (each, a "Final Report") within the above defined business days of Security Breach closure. Each such Final Report shall include:

    1. Company’s remediation coordinator name and contact information;

    2.  the date (or suspected date) of the initial incident giving rise to such Security Breach;

    3. a Security Breach executive overview;

    4. Security Breach details;

    5. how and when the Security Breach was detected and initially reported to Frontdoor;

    6. a list and description of any third parties that were involved with Security Breach remediation;

    7. a description of what resources and services were impacted; and

    8. those permanent corrective actions taken to prevent further occurrences.

(d) Post Mortem Review. Frontdoor reserves the right to schedule a review of the Final Report with Company.

9.2 Public Notification of Security Breach. Company shall not notify any third party of any Security Breach, except as may be strictly required by law, without first obtaining Frontdoor’s prior written consent and incorporating in good faith any feedback that Frontdoor may have as to the content and manner of executing such third-party notification.

9.3 Right to Security Assessment Following a Security Breach. Without limiting Frontdoor’s rights as set forth in Section 14, upon request, Frontdoor shall have the right to cause Company to engage an independent third party to perform a security assessment of reasonable and appropriate scope to validate that all necessary and timely remedial and proactive actions have been taken by Company following a Security Breach (each, a "Security Assessment"). Such Security Assessment shall be at Company’s sole cost and expense; provided that in the event that Company has engaged a third party to perform a security assessment prior to a request by Frontdoor under this Section 9.3 (to the extent such security assessment is at least as thorough as that requested by Frontdoor), Company will not be required to engage an additional third party to provide a Security Assessment and the existing security assessment will be deemed to comply with the requirements of this Section 9.3.

10. Security Testing. 

Company will ensure its Information Security Program addresses application security testing as it relates to applications (a) developed by Company and (b) under the control or support of Company. Additionally, the Information Security Program will address network security testing as the same is applicable to any systems under the control of Company in which Confidential Frontdoor Information or Restricted Frontdoor Information is collected, stored, transmitted or processed. An executive report of tests to ensure compliance with the foregoing requirements will be provided to Frontdoor annually. In addition to the foregoing, Frontdoor reserves the right to request security testing requirements as it relates to Confidential Frontdoor Information.

11. Encryption of Data. 

Company shall encrypt, at minimum, Restricted Frontdoor Information using Strong Encryption when transmitted over the internet (i.e., "data in transit") or any other un-trusted network. Company shall also encrypt using Strong Encryption, at minimum, Restricted Frontdoor Information when stored on any system (i.e., "data at rest"), including, but not limited to, servers, workstations, mobile devices, backup tapes, removable media, or any other electronic storage medium. In addition to the foregoing, Frontdoor reserves the right to request at any time implementation of data encryption requirements as it relates to Confidential Frontdoor Information.

12. Third Party Service Providers. 

Company shall require all third-party (and all other) Authorized Persons, including those to whom Company transmits Frontdoor Information, to adhere to the terms and conditions hereof. Company shall ensure that agreements with third parties include appropriate safeguards to enforce the requirements set forth herein (which such safeguards must be materially similar to those set forth herein).

13. Compliance with Privacy and Security Laws; Consumer Requests; Reasonable Assistance. 

Any Frontdoor Information, including PII and Sensitive PII, used by the Company in the course of performing services under the Agreement will be used and protected in accordance with all Privacy Laws. Company expressly warrants that its use of PII and Sensitive PII will comply with all Privacy Laws. Company will at all times perform its obligations under the Agreement in such a manner as to not, by its actions, or inaction contrary to the Agreement, cause Frontdoor to be in violation of any Privacy Laws or any other applicable laws.  

13.1 Consumer Requests. In the event Company receives a consumer question or request directed to Frontdoor relating to any Frontdoor Information or the exercise of any consumer rights with respect thereto, Company shall forward such request to Frontdoor within five (5) business days following Company’s receipt thereof.

13.2 Reasonable Assistance. Company shall provide Frontdoor with such additional reasonable assistance as Frontdoor may request in support of Frontdoor’s compliance with all Privacy Laws relating to Frontdoor Information.

14. Right to Audit. 

In addition to the rights set forth in Section 9.3, Frontdoor reserves the right to cause a qualified, independent third party to conduct an annual security assessment or audit for verification of Company’s compliance with the requirements hereof (an "Assessment").

14.1 Assessment Details. Assessments will be conducted during Company’s regular business hours with reasonable notice to Company. In connection with an Assessment, Frontdoor will work in good faith with Company to avoid material impact to Company systems that support Company’s other customers. All Assessments will be subject to the non-disclosure and confidentiality obligations hereof and the Agreement.

14.2 Assessment Findings and Remediation. Following completion of an Assessment, Frontdoor shall provide a written report summarizing the Assessment results to the Company. Should deficiencies be noted, Company will correct any reported deficiencies within thirty (30) days of receipt of such report, or as otherwise mutually agreed. If Company fails to implement such corrections in the agreed upon timeframes, then Frontdoor, at its option, may terminate any or all Statements of Work under the Agreement at no cost or penalty to Frontdoor.

15. Periodic Certification of Compliance with these Requirements. 

Promptly following receipt of a written request from Frontdoor, Company will deliver a certification attesting to Company’s then-current compliance with the requirements hereof.

16. Security on Frontdoor Premises. 

At all times during which the Company and Company’s Authorized Persons are on Frontdoor premises, Company will comply with all applicable Frontdoor policies and procedures of which Company has notice.

17. Acceptable Use of Frontdoor ECR Systems.

17.1 ECR Compliance. At all times, Company will, and will cause all Authorized Persons to, comply with all applicable Frontdoor ECR policies and procedures.

17.2 ECR Security. Company and Company’s Authorized Persons are responsible for managing, maintaining, and guarding the security of Frontdoor ECR to which they have access or control, including the equipment that stores Frontdoor Information. Company acknowledges and agrees that Company and Authorized Persons should have no expectation of privacy with respect to ECR as Frontdoor routinely monitors all communications activity made on ECR.

17.3 ECR Safeguarding.  In order to safeguard Frontdoor ECR, Company and all Authorized Persons will:

    1. comply with all Frontdoor security policies and procedures for password utilization and maintenance; 

    2. log off ECR, or utilize password-protecting mechanisms to protect computer terminals when such terminals are unattended; 

    3. safeguard user IDs and passwords and not share any passwords or user IDs with others; 

    4. not install any software, or change the provided configuration of any software, unless authorized and assisted by Frontdoor technology specialists;

    5. not leave mobile devices, including mobile phones and laptops, unattended or unprotected;

    6. not allow any person other than an Authorized Person to use Frontdoor ECR; and

    7. report lost or stolen Frontdoor ECR immediately to (a) the Frontdoor Help Desk (866-597-4321) and (b) that contact email listed in Section 2.

17.4 ECR Restrictions. Company and all Authorized Persons using Frontdoor ECR will not:

    1. engage (including access or transmissions of) in any activities that are soliciting, illegal, hostile, defamatory, gambling-related, or offensive, including suggestive, obscene, harassing, pornographic, off-color, racist, sexist, "hate", or discriminatory towards others; 

    2. transmit or access destructive programs (including malware) with the intention to damage or place an excessive load on a computer system or network;

    3. alter the configuration of any anti-malware software;

    4. use another Authorized Person’s user ID or password, or the user ID or password of a Frontdoor associate; 

    5. circumvent any Frontdoor security provision (including firewalls, software, or other access controls) to access, transmit, or process unauthorized Frontdoor Information;

    6. grant access to Frontdoor Information, the Frontdoor Network, or Frontdoor ECR to any third-party computer system or other unauthorized party; and

    7. store Confidential Information or Restricted Frontdoor Information on external devices (including laptops, thumb drives, external hard drives, etc.).

17.5 Access to ECR. Only Authorized Persons using Frontdoor ECR, using a direct or wireless connection, are permitted access to the Frontdoor Network.

17.6 Tools. All Frontdoor ECR must have the required information security suite of tools installed and function properly before access is granted by Company to any Authorized Person.

17.7 Prohibited Connections. Non-Frontdoor Electronic Communication Resources are prohibited from connecting (by any means) to any Frontdoor Network, or storing Frontdoor Information; provided that Company may be granted an exception to the foregoing prohibition in Frontdoor’s sole discretion.

17.8 Wireless Connections. Company shall not attach any non-Frontdoor-owned wireless access points to the Frontdoor Network or Frontdoor ECR.

Part Three: Additional PCI Requirements


18. Payment Card Industry Security. 

If Company (a) receives, collects, stores, processes, or transmits Cardholder Data on behalf of Frontdoor, (b) provides security in protecting Cardholder Data, or (c) affects the security or integrity of Cardholder Data, in each case, in connection with the Agreement, in addition to all other obligations set forth herein, the requirements of this Section 18 will apply.

18.1 Maintain PCI Compliance. Company shall continuously maintain compliance with all applicable Payment Card Industry Requirements for so long as Company receives, collects, stores, processes, or transmits any Cardholder Data provided by, or at the direction of, Frontdoor.

18.2 Attestation of PCI Compliance. Company shall provide an attestation of current PCI compliance at any time the Parties sign any Statement of Work under the Agreement involving Cardholder Data, and annually thereafter for so long as any such Statement of Work is in effect. Acceptable forms of attestation include either of the following:

    1. Company inclusion in the Visa Global List of PCI DSS Validated Service Providers; or

    2. providing a copy of Company’s Attestation of Compliance and executive summary from either the Company’s (a) PCI DSS Service Provider Report On Compliance or (b) PCI DSS Service Provider Self-Assessment Questionnaire, as applicable, based on Company’s PCI vendor level, as determined by the applicable Payment Card Brand Organizations.

18.3 Security Breach of Cardholder Data. Without limiting the obligations set forth in Section 9, in the event that any Security Breach is alleged or confirmed to involve Cardholder Data, Company shall fully cooperate with Frontdoor and any applicable Payment Card Brand Organization in investigating and remediating such Security Breach. Without limiting the obligations set forth in Section 9, Company will, upon request from Frontdoor, and at Company’s sole cost and expense, engage a forensic investigator approved by Frontdoor no later than forty-eight (48) hours following Company’s receipt of notice from Frontdoor to investigate such Security Breach. Company shall (a) allow such forensic investigator to conduct promptly an examination of Company’s systems, procedures and records (and shall provide access, information and assistance as necessary to conduct such examination), (b) support such forensic investigator in producing an oral and written report, (c) discuss the investigator’s initial findings with Frontdoor, and (d) cause such forensic investigator to issue a written report of its findings to Frontdoor. In addition to the foregoing, Company will provide to Frontdoor all information related to Company’s or any Payment Card Brand Organization’s investigation related to any unauthorized use, access, or processing of Cardholder Data, including, but not limited to, all forensic reports and systems audits.

Part Four: Software Development and Hosting Requirements

19. Software Development. 

If Company provides software development services for Frontdoor, or provides Hosting Services using proprietary software written by or on behalf of Company, in connection with the Agreement then, in addition to all other requirements set forth herein, the requirements of this Section 19 will apply.

19.1 Software Development Life Cycle (SDLC). Company shall have implemented a SDLC using industry standard development methodology.  Such SDLC will include, at minimum, code reviews, change management, source code back up, code versioning, code testing for Vulnerabilities and other security flaws, defects testing, and documentation of activities.  Such SDLC will also include regular post deployment of Software to ensure critical Vulnerabilities (based on CVSS scale) and defects are remediated within thirty (30) days.

19.2 Coding Standards. Company will develop Software using secure coding standards relevant to the development languages and technologies in use. Company’s code developers will use code reviews, manual or automated, to ensure secure coding practices are validated and other security flaws and critical Vulnerabilities (based on CVSS scale) are remediated within thirty (30) days.

19.3 Developer Training. Company will only use developers trained in secure development standards and practices relevant to development languages and technologies used to provide services under the Agreement. Without limiting Frontdoor’s rights set forth in Section 14, Frontdoor reserves the right to request validation of knowledge and training of developers as it relates to secure coding and development practices.

20. Hosting Services. 

If Company will be providing any Hosting Services for Frontdoor under the Agreement, then, in addition to all other requirements set forth herein (including any that may relate to PCI, if applicable to any Hosting Services provided by Company), the requirements of this Section 20 will apply.

20.1 Security Certifications with Industry Standards. At least annually, Company shall conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under the Agreement, including, but not limited to, obtaining a network-level Vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices. Upon Frontdoor’s written request, Company shall make available to Frontdoor for review all of the following, as applicable: (a) Company’s Statement on Standards for Attestation Engagements (SSAE) No. 18 Type II audit report for Reporting on Controls at a Service Organization and (b) any reports relating to its ISO/IEC 27001 certification. Frontdoor shall treat such audit reports confidentially.

[End]