Security And Privacy Requirements
UPDATED: May 1, 2020
To the extent that your company (“Company”) has entered into a contract or agreement (“Agreement”) with frontdoor, inc. or any of its affiliates (collectively, “Frontdoor”) which incorporates these Security and Privacy Requirements (these “Security and Privacy Requirements”) into the Agreement by reference, Company agrees to comply with the additional terms and conditions set forth herein. Further, these Security and Privacy Requirements shall be applicable to any change order, work order, insertion order, statement of work, or any other document which provides for the purchase of goods or services that is subject to the terms and conditions of the Agreement (any such document being referred to herein as a “Statement of Work” or “SOW”). In the event of a conflict between the Agreement and these Security and Privacy Requirements, these Security and Privacy Requirements will control. Any capitalized term used but not defined herein will have the meaning assigned to it in the Agreement.
PART ONE: DEFINITIONS & CONTACT INFORMATION
1. Definitions.
“Authorized Persons” means Company’s employees, Company’s contractors, agents, outsourcers, and auditors who have a need to know or otherwise access Frontdoor Information to enable Company to perform its obligations under the Agreement.
“Cardholder Data” means, at minimum, the PAN. When any of the following elements are with the PAN, they shall also be considered Cardholder Data: (a) cardholder name, (b) card expiration date or (c) service code. Magnetic stripe data (also known as track data) shall also be considered Cardholder Data.
“Confidential Information” is Frontdoor’s Confidential Information as defined in the Agreement.
“Electronic Communications Resource” (also known as, “ECR” or “Frontdoor ECR”) means any Frontdoor owned, authorized or provided computer, computer network, email (both internet and Intranet-based), telephone system (including voicemail), fax, mobile device (pager, cell phone, smartphone, PDA, tablet, etc.), software and hardware resources, Intranet, Internet, video conferencing (webinars and conference calls), closed-circuit television, radios, wireless devices or other handheld devices, photocopiers, or other resource that allows Authorized Persons access to the Internet and documents, files or other information contained within these resources.
“Encryption” means the conversion of data into a form that cannot be read without the use of a decryption key.
“Frontdoor Data Classification” means the classification of Frontdoor Information by Frontdoor to ensure that appropriate security controls, labeling, and the granting of access are maintained. Frontdoor maintains four (4) Data Classifications from least restrictive to most restrictive:
- “Public” is information that has been cleared by Frontdoor’s management for general use and public knowledge;
- “Internal” or “Internal Frontdoor Information” is Frontdoor Information that is proprietary to Frontdoor, disclosure of which would result in unnecessary burden to Frontdoor;
- “Confidential” or “Confidential Frontdoor Information” is critical Frontdoor Information, disclosure of which would be detrimental to Frontdoor, including, but not limited to, PII; and
- “Restricted” or “Restricted Frontdoor Information” is Frontdoor Information that is highly sensitive to the operation and organizational well-being of Frontdoor, including, but not limited to, Sensitive PII.
“Frontdoor Information” means all information provided to Company by or at the direction of Frontdoor (whether through Frontdoor’s affiliates, subsidiaries or otherwise), or to which access was provided to Company by or at the direction of Frontdoor, in connection with performance under the Agreement, including, but not limited to, any PII, Sensitive PII, Confidential Information, or any other data or information delivered in connection with the Agreement. Frontdoor Information is, and will remain, the sole and exclusive property of Frontdoor.
“Frontdoor Network” means the system of computers, peripherals and other devices, that are interconnected to each other physically or logically, which enable Frontdoor ECR and users of Frontdoor ECR to perform job duties or services under the Agreement. The Frontdoor Network includes all Frontdoor owned or operated LANs, WANs, extranets, intranets, wireless, or any other network which Frontdoor would consider used for Frontdoor purposes.
“Hosting Services” means web hosting, infrastructure as a service, platform as a service, software as a service, collocation services, and/or cloud servers, etc. provided by Company or used by Company to deliver services under the Agreement. Hosting Services are typically provided off premises in a one-host-to-many-users model, where the user pays for resources consumed or allotted.
“Information Security” means protecting information and information systems from unauthorized collection, access, use, disclosure, disruption, modification or destruction.
“Information Security Program” means the comprehensive collection of policies, standards, procedures, and controls used to deliver and assure Information Security across the Company.
“PAN” means the full Primary Account Number imprinted on an applicable credit or debit card (or embedded within the magnetic stripe of such card).
“Payment Card Brand Organization” means an organization (e.g., Visa, MasterCard, JCB, American Express, Discover, etc.) that promulgates operating rules for payment processing workflow, including rules relating to purchase, authorization, clearing and payment and settlement, for each such organization’s applicable branded cards.
“Payment Card Industry Requirements” (also known as, “PCI Requirements”) means the security standard for all entities involved in payment card processing functions and the security-related functions involved in protecting cardholder data for the major debit, credit, prepaid, e-purse, ATM, and POS cards as defined by the Payment Card Industry Security Standards Council. Current (as of the Effective Date of the Agreement) versions of the standards may be obtained from https://www.pcisecuritystandards.org/.
“Personally Identifiable Information” (or “PII”) means one or more pieces of Frontdoor Information that:
- identifies, distinguishes or can be used to trace an individual’s identity (including, but not limited to, names, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers, date and place of birth, social security number, or biometric records);
- can be used to authenticate an individual (including, without limitation, passwords, passcode, or PINs, biometric data, answers to security questions and other personal identifiers);
- can be linked to an individual, such as medical (i.e., HIPAA), financial (i.e., account numbers, PINs, security codes, service codes, credit report information), and employment information (including, but not limited to, benefits, hiring information, salary, performance reviews, employment terms, etc.); or
- is regulated under any applicable Privacy Law as “personal information” (or has a similar designation under any applicable Privacy Law) and was provided to Company by or at the direction of Frontdoor (or its affiliates or subsidiaries).
“Privacy Laws” means all applicable federal, state (including the California Consumer Privacy Act of 2018), and local U.S. (and, when applicable, foreign) laws, regulations, and rules relating to personal information and other data privacy and data protection, as they may be enacted, adopted or amended from time to time.
“Record” means any recorded or documented form of Frontdoor Information in any medium, including information created or received in any form, including e-mails, paper documents, electronic documents, database or application information, call center recordings, and other electronic or photographic media.
“Security Breach” means any confirmed Security Incident.
“Security Incident” means any suspected access to Frontdoor Information (or the systems that store, process, or transmit Frontdoor Information) that is unauthorized and intended to, or reasonably likely to, compromise the confidentiality, integrity or availability of Frontdoor Information or the controls put in place to protect the confidentiality, integrity or availability of Frontdoor Information, including any suspicion of Frontdoor Information being copied, transmitted, viewed, stolen, or used by an individual not authorized to do so.
“Sensitive Personally Identifiable Information” (or “Sensitive PII”) means specific PII or combinations of PII that require additional security provisions as required by contractual agreement, Privacy Laws or as otherwise deemed necessary by Frontdoor. Sensitive PII includes the following:
- use of an individual’s first and last name or first initial and last name, combined with any of the below:
  - financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password that would permit access to an individual’s financial account; or
  - an individual’s government-issued identification number (including social security number, driver’s license number or state-issued identification number);
- an individual’s Cardholder Data; or
- an individual’s biometric or health data.
“Software” means the programs and other operating information used by a computer, server, router, network device, or similar computing device.
“Strong Encryption” means Encryption that meets then-current industry standards (e.g., NIST) relating to the strength of the algorithm, the secrecy of the key, the initialization vectors and how they all work together within the cryptosystem.
“Vulnerability” means a weakness at the network services, operating system, or application level, or within associated functions of networks, computer systems, or Software that could allow a Security Breach to occur. Vulnerabilities also include physical vulnerabilities (such as broken locks, malfunctioning key or proximity cards) to the premises containing or permitting access to Frontdoor Information.
2. Contact Information. For Security Incidents or inquiries, the following contact information for Frontdoor will be used:
Company shall provide an email address and telephone number by which Frontdoor can contact Company regarding Security Incidents or inquiries. Company shall immediately update Frontdoor should any such provided contact information change for the longer of (a) the period of time during which Company has any Frontdoor Information or access thereto and (b) the Term of the Agreement. Frontdoor may update contact information by providing notice of such updated contact information to Company in accordance with the Agreement.
PART TWO: GENERAL SECURITY AND PRIVACY REQUIREMENTS
3. Changes and/or Modifications to Security and Privacy Requirements. From time to time, in Frontdoor’s reasonable discretion, it may be necessary for Frontdoor to review and make changes to these Security and Privacy Requirements.
3.1 Notice of Changes. Frontdoor will provide notice of any material changes to the Company contact email address referenced in Section 2 above. Following Company’s receipt of such notice, Company will have fifteen (15) days to review and agree to such material changes, or to provide notice of non-acceptance of such material changes and proposed revisions in writing.
3.2 Frontdoor Review. Should Company provide proposed revisions in accordance with Section 3.1, Frontdoor will review such revisions and work with Company to arrive at mutually agreed upon revisions to these Security and Privacy Requirements.
3.3 Resolution. In the event Company and Frontdoor cannot agree on revised Security and Privacy Requirements within thirty (30) days following Frontdoor’s receipt of proposed revisions provided by Company in accordance with Section 3.1, Frontdoor may choose to (in its sole discretion): (a) continue to use the requirements set forth herein; (b) continue to use the requirements set forth herein for all existing Statements of Work under the Agreement and not engage in future Statements of Work under the Agreement; or (c) suspend all activities and services currently in operation under any Statement of Work under the Agreement.
4. Information Security Program. Company shall, at all times during the Term (including during normal operations, disaster recovery and business continuity), maintain an effective and comprehensive Information Security Program that meets or exceeds then-current industry standards with respect to all Frontdoor Information in Company’s possession or to which Company has access. Company shall implement, maintain, and monitor a comprehensive written Information Security Program that includes reasonable administrative, technical, physical, organizational, and operational safeguards and other security measures, including policies and procedures, designed to (a) ensure the security and confidentiality of Frontdoor Information, (b) protect against any established or emerging threats to the Information Security of Frontdoor Information in Company’s possession or to which Company has access, and (c) protect against unauthorized processing, destruction, loss, alteration, use of, disclosure, or access to Frontdoor Information. Said Information Security Program shall be reviewed at any time there is a material change in practices and not less than annually. Company shall monitor its Information Security Program to ensure that it is operating in a manner reasonably calculated to ensure effective Information Security.
4.1 Information Security Program Requirements. At minimum, Company’s Information Security Program shall incorporate policies and procedures consistent with then-current industry standards for the following:
- access control (including the use of unique IDs and passwords for all users);
- malware prevention and protection;
- patch and vulnerability management;
- system configuration and hardening;
- logging of Security Incidents, Security Breaches and access to Frontdoor Information;
- network security and firewall management;
- security of wireless technology and wireless networks; and
- application and network security testing, as applicable.
5. Personnel Security.
5.1 Background Checks. Company shall perform or cause to be performed background checks for all Authorized Persons with access to Frontdoor Information.
5.2 Security Awareness Training. Company shall provide periodic and mandatory Information Security training for all Authorized Persons. Said training shall be designed to impart to each person an awareness of his or her responsibilities regarding Information Security, and the Company’s Information Security Program.
6. Access to Frontdoor Information. Company will ensure only Authorized Persons have access to Frontdoor Information.
6.1 Removal of Access. Company shall ensure that all accounts that allow for access to Frontdoor Information to any Authorized Person are promptly disabled or removed (or provide notice to Frontdoor to have account permissions revoked) with respect to such Authorized Person following such Authorized Person’s cessation of the provision of services provided in connection with the Agreement for any reason, including, but not limited to, termination.
6.2 Physical Protections. As appropriate based upon Frontdoor Data Classification or data type, Company shall appropriately secure Frontdoor Information to prevent any physical access by any person other than an Authorized Person.
7. Use of Frontdoor Information.
7.1 Acceptable Use of Frontdoor Information. Company will receive, retain, use and disclose Frontdoor Information only to the extent necessary to perform Company’s obligations under the Agreement or an applicable Statement of Work. Without limiting the foregoing, Company will not collect, retain, use, sell, disclose or otherwise take any action with respect to Frontdoor Information except as permitted by these Security and Privacy Requirements, the Agreement, an applicable Statement of Work and all applicable law.
7.2 Expressly Prohibited Uses. Except as specifically permitted in a Statement of Work or otherwise in writing, Company may not undertake any of the following actions with respect to Frontdoor Information:
- send Frontdoor Information out of the country in which Frontdoor provided such Frontdoor Information (deemed to be the United States of America unless otherwise designated in writing by Frontdoor) to another country;
- remove or copy Frontdoor Information from a Frontdoor environment to a non-Frontdoor environment, or otherwise initiate such extractions;
- access any Frontdoor Information relating to production data or any Frontdoor environments that are deemed by Frontdoor to hold Frontdoor Information relating to production data; or
- access any Frontdoor system that is deemed by Frontdoor to be regulated by any PCI Requirements.
8. Information Retention and Deletion. Subject to the deletion obligations set forth in this Section 8, Company agrees to retain Frontdoor Information only for so long as necessary for Company to perform the Services.
8.1 Deletion Requests. Upon Company’s receipt of a written request from Frontdoor to delete any Frontdoor Information, Company shall promptly (but in any event not later than ten (10) calendar days following receipt thereof) (a) securely delete such Frontdoor Information in Company’s possession by sanitizing or destroying (using NIST 800-88 Revision 1 Guidelines for Media Sanitization) such Frontdoor Information and (b) certify in writing to Frontdoor that Company has complied with the requirements of this Section 8; provided that if Company is required to retain any Frontdoor Information under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall not be required to comply with the deletion requirements set forth in this Section 8 only as to such Frontdoor Information, but shall instead provide a written statement to Frontdoor that specifically identifies the Frontdoor Information that was not deleted and the reason for the non-deletion; provided further that if, at any time, such Frontdoor Information is no longer required to be retained by Company under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall promptly (but in any event not later than ten (10) calendar days following the day upon which such Frontdoor Information is no longer required to be maintained by Company under applicable law or by the terms of a separate written agreement with Frontdoor) (a) delete such Frontdoor Information and (b) certify in writing to Frontdoor that Company has complied with the requirements set forth in this Section 8.
8.2 Return or Destruction. Following the termination or expiration of the Agreement, Company shall promptly (but in any event not later than ten (10) calendar days following the termination or expiration of the Agreement) (a) return or securely delete by sanitizing or destroying (using NIST 800-88 Revision 1 Guidelines for Media Sanitization) all Frontdoor Information in Company’s possession and (b) certify in writing to Frontdoor that Company has complied with the requirements of this Section 8.2; provided that if Company is required to retain any Frontdoor Information under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall not be required to comply with the return or deletion requirements of this Section 8.2 only as to such Frontdoor Information, but shall instead provide a written statement to Frontdoor that specifically identifies the Frontdoor Information that was not returned or deleted and the reason for the non-return or non-deletion; provided further that if, at any time, such Frontdoor Information is no longer required to be retained by Company under applicable law or by the terms of a separate written agreement with Frontdoor, Company shall promptly (but in any event not later than ten (10) calendar days following the day upon which such Frontdoor Information is no longer required to be maintained by Company under applicable law or by the terms of a separate written agreement with Frontdoor) (a) return or delete such Frontdoor Information and (b) certify in writing to Frontdoor that Company has complied with the requirements of this Section 8.2.
9. Incident Response.
- Company will maintain a documented response process to manage and to take appropriate corrective action(s) for any Security Incident or Security Breach. This process must be reviewed by the Company for sufficiency at least annually.
- In the event of a Security Incident, Company shall use its continuous best efforts to investigate such Security Incident (including to confirm whether any access to Frontdoor Information by any person other than an Authorized Person has occurred) and limit the scope of such Security Incident. Promptly following (a) Company’s becoming aware of any Security Incident, Company shall communicate such awareness to Frontdoor, along with all pertinent details relating to such Security Incident (and shall provide periodic updates) and (b) Company’s investigation of any Security Incident, Company shall promptly communicate to Frontdoor all findings with respect thereto (including confirmation as to whether any access to Frontdoor Information by any person other than an Authorized Person has occurred). Company shall not notify any third party of any Security Incident, except as may be strictly required by law, without first obtaining Frontdoor’s prior written consent and incorporating in good faith any feedback that Frontdoor may have as to the content and manner of executing such third-party notification.
- In the event of a Security Breach, Company will ensure the procedures set forth in Section 9.1 and Section 9.2 are included in its Security Breach response procedures.
9.1 Security Breach Notification and Communication. Company will promptly notify Frontdoor of any Security Breach occurring that affects Frontdoor Information or the systems that store, process or transmit AHS Information based on the chart below:
- Initial Notification Status Report. Within the above defined hours for the initial notification status report, Company shall provide Frontdoor a written status report for each Security Breach (“Initial Notification Status Report”). Each such Initial Notification Status Report will include, at a minimum, the following information:
- the date (or suspected date) of the initial incident giving rise to such Security Breach;
- a detailed description of such Security Breach, including known or suspected cause;
- contact information for the Company coordinator responsible for remediating such Security Breach;
- a description of the steps taken (as of the date the Initial Notification Status Report is delivered) to contain or correct such Security Breach;
- a description of next action steps to contain or correct such Security Breach;
- current status of remediation efforts; and
- expected timeframe for full-service restoration and resolution.
- Update Communications. After delivery of an Initial Notification Status Report, Company shall provide Frontdoor with interim written status reports for each Security Breach. Reports will be delivered at mutually agreed upon intervals. Reports will include, at a minimum, the same requirements from Section 9.1(a) plus a list and description of any third parties that are involved with any Security Breach remediation.
- Final Report. Company shall provide Frontdoor, in writing, with a final written report for each Security Breach (each, a “Final Report”) within the above defined business days of Security Breach closure. Each such Final Report shall include:
- Company’s remediation coordinator name and contact information;
- the date (or suspected date) of the initial incident giving rise to such Security Breach;
- a Security Breach executive overview;
- Security Breach details;
- how and when the Security Breach was detected and initially reported to Frontdoor;
- a list and description of any third parties that were involved with Security Breach remediation;
- a description of what resources and services were impacted; and
- those permanent corrective actions taken to prevent further occurrences.
- Post Mortem Review. Frontdoor reserves the right to schedule a review of the Final Report with Company.
9.2 Public Notification of Security Breach. Company shall not notify any third party of any Security Breach, except as may be strictly required by law, without first obtaining Frontdoor’s prior written consent and incorporating in good faith any feedback that Frontdoor may have as to the content and manner of executing such third-party notification.
9.3 Right to Security Assessment Following a Security Breach. Without limiting Frontdoor’s rights as set forth in Section 14, upon request, Frontdoor shall have the right to cause Company to engage an independent third party to perform a security assessment of reasonable and appropriate scope to validate that all necessary and timely remedial and proactive actions have been taken by Company following a Security Breach (each, a “Security Assessment”). Such Security Assessment shall be at Company’s sole cost and expense; provided that in the event that Company has engaged a third party to perform a security assessment prior to a request by Frontdoor under this Section 9.3 (to the extent such security assessment is at least as thorough as that requested by Frontdoor), Company will not be required to engage an additional third party to provide a Security Assessment and the existing security assessment will be deemed to comply with the requirements of this Section 9.3.
10. Security Testing. Company will ensure its Information Security Program addresses application security testing as it relates to applications (a) developed by Company and (b) under the control or support of Company. Additionally, the Information Security Program will address network security testing as the same is applicable to any systems under the control of Company in which Confidential Frontdoor Information or Restricted Frontdoor Information is collected, stored, transmitted or processed. An executive report of tests to ensure compliance with the foregoing requirements will be provided to Frontdoor annually. In addition to the foregoing, Frontdoor reserves the right to request security testing requirements as it relates to Confidential Frontdoor Information.
11. Encryption of Data. Company shall encrypt, at minimum, Restricted Frontdoor Information using Strong Encryption when transmitted over the internet (i.e., “data in transit”) or any other un-trusted network. Company shall also encrypt using Strong Encryption, at minimum, Restricted Frontdoor Information when stored on any system (i.e., “data at rest”), including, but not limited to, servers, workstations, mobile devices, backup tapes, removable media, or any other electronic storage medium. In addition to the foregoing, Frontdoor reserves the right to request at any time implementation of data encryption requirements as it relates to Confidential Frontdoor Information.
12. Third Party Service Providers. Company shall require all third-party Authorized Persons, including those to whom Company transmits Frontdoor Information, to adhere to the terms and conditions hereof. Company shall ensure that agreements with third parties include appropriate safeguards to enforce the requirements set forth herein (which such safeguards must be materially similar to those set forth herein).
13. Compliance with Privacy and Security Laws; Consumer Requests; Reasonable Assistance. Any Frontdoor Information, including PII and Sensitive PII, used by the Company in the course of performing services under the Agreement will be used and protected in accordance with all Privacy Laws. Company expressly warrants that its use of PII and Sensitive PII will comply with all Privacy Laws. Company will at all times perform its obligations under the Agreement in such a manner as to not, by its actions, or inaction contrary to the Agreement, cause Frontdoor to be in violation of any Privacy Laws or any other applicable laws.
13.1 Consumer Requests. In the event Company receives a consumer question or request directed to Frontdoor relating to any Frontdoor Information or the exercise of any consumer rights with respect thereto, Company shall forward such request to Frontdoor within five (5) business days following Company’s receipt thereof.
13.2 Reasonable Assistance. Company shall provide Frontdoor with such additional reasonable assistance as Frontdoor may request in support of Frontdoor’s compliance with all Privacy Laws relating to Frontdoor Information.
14. Right to Audit. In addition to the rights set forth in Section 9.3, Frontdoor reserves the right to cause a qualified, independent third party to conduct an annual security assessment or audit for verification of Company’s compliance with the requirements hereof (an “Assessment”).
14.1 Assessment Details. Assessments will be conducted during Company’s regular business hours with reasonable notice to Company. In connection with an Assessment, Frontdoor will work in good faith with Company to avoid material impact to Company systems that support Company’s other customers. All Assessments will be subject to the non-disclosure and confidentiality obligations hereof and the Agreement.
14.2 Assessment Findings and Remediation. Following completion of an Assessment, Frontdoor shall provide a written report summarizing the Assessment results to the Company. Should deficiencies be noted, Company will correct any reported deficiencies within thirty (30) days of receipt of such report, or as otherwise mutually agreed. If Company fails to implement such corrections in the agreed upon timeframes, then Frontdoor, at its option, may terminate any or all Statements of Work under the Agreement at no cost or penalty to Frontdoor.
15. Periodic Certification of Compliance with these Requirements. Promptly following receipt of a written request from Frontdoor, Company will deliver a certification attesting to Company’s then-current compliance with the requirements hereof.
16. Security on Frontdoor Premises. At all times during which the Company and Company’s Authorized Persons are on Frontdoor premises, Company will comply with all applicable Frontdoor policies and procedures of which Company has notice.
17. Acceptable Use of Frontdoor ECR Systems.
17.1 ECR Compliance. At all times, Company will, and will cause all Authorized Persons to, comply with all applicable Frontdoor ECR policies and procedures.
17.2 ECR Security. Company and Company’s Authorized Persons are responsible for managing, maintaining, and guarding the security of Frontdoor ECR to which they have access or control, including the equipment that stores Frontdoor Information. Company acknowledges and agrees that Company and Authorized Persons should have no expectation of privacy with respect to ECR as Frontdoor routinely monitors all communications activity made on ECR.
17.3 ECR Safeguarding. In order to safeguard Frontdoor ECR, Company and all Authorized Persons will:
- comply with all Frontdoor security policies and procedures for password utilization and maintenance;
- log off ECR, or utilize password-protecting mechanisms to protect computer terminals when such terminals are unattended;
- safeguard user IDs and passwords and not share any passwords or user IDs with others;
- not install any software, or change the provided configuration of any software, unless authorized and assisted by Frontdoor technology specialists;
- not leave mobile devices, including mobile phones and laptops, unattended or unprotected;
- not allow any person other than an Authorized Person to use Frontdoor ECR; and
- report lost or stolen Frontdoor ECR immediately to (a) the Frontdoor Help Desk (866-597-4321) and (b) the contact email listed in Section 2.
17.4 ECR Restrictions. Company and all Authorized Persons using Frontdoor ECR will not:
- engage in (including by accessing or transmitting) any activities that are soliciting, illegal, hostile, defamatory, gambling-related, or offensive, including suggestive, obscene, harassing, pornographic, off-color, racist, sexist, “hate”, or discriminatory towards others;
- transmit or access destructive programs (including malware) with the intention to damage or place an excessive load on a computer system or network;
- alter the configuration of any anti-malware software;
- use another Authorized Person’s user ID or password, or the user ID or password of a Frontdoor associate;
- circumvent any Frontdoor security provision (including firewalls, software, or other access controls) to access, transmit, or process unauthorized Frontdoor Information;
- grant access to Frontdoor Information, the Frontdoor Network, or Frontdoor ECR to any third-party computer system or other unauthorized party; and
- store Confidential Information or Restricted Frontdoor Information on external devices (including laptops, thumb drives, external hard drives, etc.).
17.5 Access to ECR. Only Authorized Persons using Frontdoor ECR, using a direct or wireless connection, are permitted access to the Frontdoor Network.
17.6 Tools. All Frontdoor ECR must have the required information security suite of tools installed and functioning properly before access is granted by Company to any Authorized Person.
17.7 Prohibited Connections. Non-Frontdoor Electronic Communication Resources are prohibited from connecting (by any means) to any Frontdoor Network, or storing Frontdoor Information; provided that Company may be granted an exception to the foregoing prohibition in Frontdoor’s sole discretion.
17.8 Wireless Connections. Company shall not attach any non-Frontdoor-owned wireless access points to the Frontdoor Network or Frontdoor ECR.
PART THREE: ADDITIONAL PCI REQUIREMENTS
18. Payment Card Industry Security. If Company (a) receives, collects, stores, processes, or transmits Cardholder Data on behalf of Frontdoor, (b) provides security in protecting Cardholder Data, or (c) affects the security or integrity of Cardholder Data, in each case, in connection with the Agreement, in addition to all other obligations set forth herein, the requirements of this Section 18 will apply.
18.1 Maintain PCI Compliance. Company shall continuously maintain compliance with all applicable Payment Card Industry Requirements for so long as Company receives, collects, stores, processes, or transmits any Cardholder Data provided by, or at the direction of, Frontdoor.
18.2 Attestation of PCI Compliance. Company shall provide an attestation of current PCI compliance at any time the Parties sign any Statement of Work under the Agreement involving Cardholder Data, and annually thereafter for so long as any such Statement of Work is in effect. Acceptable forms of attestation include either of the following:
- Company inclusion in the Visa Global List of PCI DSS Validated Service Providers; or
- providing a copy of Company’s Attestation of Compliance and executive summary from either the Company’s (a) PCI DSS Service Provider Report On Compliance (“ROC”) or (b) PCI DSS Service Provider Self-Assessment Questionnaire (“SAQ”), as applicable, based on Company’s PCI vendor level, as determined by the applicable Payment Card Brand Organizations.
18.3 Security Breach of Cardholder Data. Without limiting the obligations set forth in Section 9, in the event that any Security Breach is alleged or confirmed to involve Cardholder Data, Company shall fully cooperate with Frontdoor and any applicable Payment Card Brand Organization in investigating and remediating such Security Breach. Without limiting the obligations set forth in Section 9, Company will, upon request from Frontdoor, and at Company’s sole cost and expense, engage a forensic investigator approved by Frontdoor no later than forty-eight (48) hours following Company’s receipt of notice from Frontdoor to investigate such Security Breach. Company shall (a) allow such forensic investigator to promptly conduct an examination of Company’s systems, procedures and records (and shall provide access, information and assistance as necessary to conduct such examination), (b) support such forensic investigator in producing an oral and written report, (c) discuss the investigator’s initial findings with Frontdoor, and (d) cause such forensic investigator to issue a written report of its findings to Frontdoor. In addition to the foregoing, Company will provide to Frontdoor all information related to Company’s or any Payment Card Brand Organization’s investigation related to any unauthorized use, access, or processing of Cardholder Data, including, but not limited to, all forensic reports and systems audits.
PART FOUR: SOFTWARE DEVELOPMENT AND HOSTING REQUIREMENTS
19. Software Development. If Company provides software development services for Frontdoor, or provides Hosting Services using proprietary software written by or on behalf of Company, in connection with the Agreement then, in addition to all other requirements set forth herein, the requirements of this Section 19 will apply.
19.1 Software Development Life Cycle (SDLC). Company shall have implemented an SDLC using industry standard development methodology. Such SDLC will include, at minimum, code reviews, change management, source code backup, code versioning, code testing for Vulnerabilities and other security flaws, defects testing, and documentation of activities. Such SDLC will also include regular post-deployment testing of Software to ensure critical Vulnerabilities (i.e., CVSS 7+) and defects are remediated within thirty (30) days.
19.2 Coding Standards. Company will develop Software using secure coding standards relevant to the development languages and technologies in use. Company’s code developers will use code reviews, manual or automated, to ensure secure coding practices are validated and other security flaws and critical Vulnerabilities (CVSS 7+) are remediated within thirty (30) days.
19.3 Developer Training. Company will only use developers trained in secure development standards and practices relevant to development languages and technologies used to provide services under the Agreement. Without limiting Frontdoor’s rights set forth in Section 14, Frontdoor reserves the right to request validation of knowledge and training of developers as it relates to secure coding and development practices.
20. Hosting Services. If Company will be providing any Hosting Services for Frontdoor under the Agreement, then, in addition to all other requirements set forth herein (including any that may relate to PCI, if applicable to any Hosting Services provided by Company), the requirements of this Section 20 will apply.
20.1 Security Certifications with Industry Standards. At least annually, Company shall conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under the Agreement, including, but not limited to, obtaining a network-level Vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices. Upon Frontdoor’s written request, Company shall make available to Frontdoor for review all of the following, as applicable: (a) Company’s Statement on Standards for Attestation Engagements (SSAE) No. 16 Type II audit report for Reporting on Controls at a Service Organization and (b) any reports relating to its ISO/IEC 27001 certification. Frontdoor shall treat such audit reports confidentially.