Network-Information Security Terms - EMEA

These Network-Information Security Terms (“Network Security Terms”) effective as of the Start Date are subject to the Vendor Master Terms and Conditions located at https:/ie/en/yahoo/terms/vendor/mastertnc/index.html and are part of the Agreement. Except for terms defined herein, unless the context otherwise requires, capitalised terms used herein have the meaning given to them in the Vendor MTC.    

  1. DEFINITIONS
    1. “Contaminant” means any instrument that is suspected or known by either Party to modify, damage, destroy, record, misuse, distribute, or transmit information to, from, or within The System without intention or permission of the Parties. Contaminant includes, but is not limited to, viruses or worms that may be self-replicating or self-propagating and may be designed to: (a) contaminate other components of The System, (b) consume resources, (c) modify, destroy, record, or transmit data, or (d) alter the operation of The System.
          
    2. “Yahoo Data” is defined in the Vendor MTC and will include any copies, reproductions, duplications, and onsite or offsite backups thereof, whether in whole or in part.
       
    3. “Yahoo ID” means a user-specific identifier issued or authorised by Yahoo which, when combined with a password, provides credentialed access to any Yahoo Company’s services and/or Information Systems.
       
    4. “Permitted Use” means the following specific use(s) of Yahoo Data that Vendor is hereby authorised to perform (and such ancillary activities that are strictly and necessarily related to such use(s)), and no other use: to perform the Services outlined in the applicable PO or SOW in strict compliance with the Agreement.
          
    5. “Security Issue” means (a) any known or suspected condition in or affecting The System that could compromise the security, confidentiality, or integrity of Yahoo Data or The System or impair Yahoo’s ability to meet legal obligations, or (b) any unauthorised disclosure or unauthorised use of Yahoo Data in the possession or under the control or direction of Vendor.
       
    6. “Security Review” means examination of The System or information related to the security of The System requiring the assistance of or coordination with Vendor that can identify and/or diagnose, or are intended to identify and/or diagnose, Security Issues.
       
    7. “Security Testing” means of The System, directly or indirectly through interfaces to which any Yahoo Company and/or their agents, and/or Yahoo Affiliates have access without the need for Vendor coordination, by manual interaction with or automated test cases that can identify and/or diagnose, or are intended to identify and/or diagnose, Security Issues.
       
    8. “The System” means any and all components owned, operated, or provided by or on behalf of Vendor, that are involved in performing Vendor’s obligations under the Agreement and Laws, including, but not limited to, networks, databases, software, computer systems, backups, devices, processes, documentation, data, and physical premises.
       
    9. “Vendor ID” means a user-specific identifier provided to the Vendor by Yahoo for the purpose of identifying a user.
       
  2. THE SYSTEM SECURITY    

2.1 Operational Requirements

  1. Vendor will implement, maintain, and comply with a written, effective information security program that is consistent with then-current industry best practices, as those best-practices may evolve from time to time, to protect the Systems and Yahoo Data from an actual or potential Security Issue. To that end, Vendor will ensure that The System, excluding physical premises, is at all times securely configured, including (i) disabling all unnecessary services or features, and (ii) closing all known and all published security deficiencies therein, including updates and subsequently identified publications thereof.
     
  2. Vendor will apply all applicable security patches for The System as soon as possible after any such patch becomes available, but in no event more than thirty (30) calendar days after the release of any such patch.
     
  3. Vendor will continuously maintain industry-standard firewall protection for The System. Vendor will test its perimeter router and firewall devices no less than quarterly for unsafe configurations and vulnerabilities. Unless an alternate method is mutually agreed upon by Yahoo and Vendor, in a signed written agreement, tests will be conducted in a manner consistent with the PCI DSS Security Scanning Procedures; provided however, Vendor may perform the tests in lieu of using a third party.
     
  4. Vendor will make commercially reasonable efforts to ensure that The System components are free of all Contaminants. Such efforts will include, but are not limited to, running anti-virus software on all Windows systems, updating signatures no less than daily, conducting at least biweekly Contaminant sweeps of The System and purging all Contaminants found. Vendor will use commercially reasonable efforts to not transmit or distribute Contaminants. Any transmission or distribution of Contaminants is a Security Issue.

2.2 Design requirements

  1. Throughout the term of these Network Security Terms, Vendor will ensure that The System is not vulnerable to any issue listed in OWASP Top Ten, found at: http://www.owasp.org, as updated from time to time. If the OWASP Top Ten ceases to exist or becomes obsolete, Yahoo may designate a successor or replacement list thereafter, and Vendor will use that list in place of the OWASP Top Ten in performing Vendor’s obligations under this section.
     
  2. Vendor will ensure that warnings are not generated by The System on A-grade browsers according to Yahoo’s Graded Browser Support (currently found here and incorporated by reference: https://github.com/yui/yui3/wiki/Graded-Browser-Support), as such list and associated URL may be independently updated by Yahoo from time to time.
     
  3. Encryption
    1. All Yahoo Data consisting of confidential, personal and sensitive data should be encrypted at all times (at rest and in transit) while in Vendor’s possession. Where data must be encrypted under the terms of these Network Security Terms, other parts of the Agreement, or Laws, Vendor will sign and encrypt using a Yahoo-approved algorithm. The following algorithms are pre-approved by Yahoo: (a) 3DES, (b) AES, (c) RSA-1024bit+, (d) HMAC-SHA-1, and (e) The MD5-based signature scheme used for Yahoo APIs as described on http://developer.oth.com, as such scheme may be independently updated by Yahoo from time to time. All other algorithms must be specifically approved by Yahoo’s security team in writing prior to use and will be subject to any limitations prescribed by Yahoo in its approval.
       
    2. Vendor will store and distribute cryptographic keys, shared secrets, and passwords (collectively “Secrets”) in encrypted form. Secrets used by automated processes may only be stored in an unencrypted file when the file:
      1. can only be accessed by the automated process;     
      2. cannot be accessed by the automated process after initialisation;
      3. is only available to servers running the automated process;
      4. is not backed up in unencrypted form; and
      5. is not stored on a shared file system.  
         
    3. Components of The System that verify a password will only store a salted, cryptographically secure hash of the password for verification.
       
  4. Access Control
    1. Vendor will permit access to The System only to authorised persons on a need-to-know basis.
       
    2. The System, excluding physical premises, will at all times be protected by an authentication system that complies with the following requirements: (i) passwords will be reasonably complex; (ii) use of privileged accounts will be minimised; (iii) authentication credentials must not be shared; (iv) authentication credentials must be kept confidential; (v) individuals must authenticate using their own account and not a shared account; (vi) when an authorised individual no longer needs access to The System, Vendor will ensure his or her authentication credentials and access to The System are terminated immediately; and (vii) authorised individuals must log out of The System at the end of each work day.
       
    3. Vendor will at all times protect physical premises of The System using physical security methods commensurate with the type of data being handled. At a minimum, such methods must include: (i) visitor sign-ins, (ii) standard keyed or card keyed locks, (iii) limited access to server rooms and archival backup storage, and (iv) burglar/intrusion alarm systems.
       
  5. Logging. Vendor will log, including time and date, all attempted accesses to its servers involved in performing obligations pursuant to the Agreement, and the result of such attempts, successful or unsuccessful. In order to enable a complete audit trail of activities, Vendor will log, including time and date, all commands that require additional privileges, including all failed attempts to execute privileged commands. Vendor will protect the logs from tampering. Vendor will retain all log entries for at least six months.

 

  3. SECURITY ISSUE MANAGEMENT, INCIDENT HANDLING, AND SECURITY REVIEW

    These Network Security Terms were last updated on 21 April 2018

3.1 Notification Contact. Each party has designated Notification Contacts as set forth below. Each Party may update or modify its Notification Contact information by providing written notice to the other Party’s Notification Contact. Notifications pursuant to these Network Security Terms will take place via a telephone call and/or email by one Party to the other’s Notification Contact. Notification Contacts will be available twenty-four hours a day, seven days a week. Notification Contact information and communication protocol is as follows:

Yahoo Notification Contacts

Yahoo Network Operation Center

(With verbal communication that this is a Vendor Security Notification)

email: partners-security@oath.com

(With subject line: Vendor Security Notification)

Vendor Notifications Contacts or SOW Vendor's Notifications Contacts will be as identified in the PO.

3.2 Security Contact. Vendor will provide Yahoo with access to knowledgeable Personnel, who can be reached with and respond to security questions or security concerns (“Security Contact”). The Security Contact will have a deep, current knowledge about the architecture and operation of The System. The Security Contact will be available twenty-four hours a day, seven days a week by telephone and email, or through Vendor’s Notification Contact.

3.3 Security Issue Management

  1. Classification. If Yahoo believes an issue has not been properly classified as a Security Issue, Yahoo, in its sole and absolute discretion, has the right to classify the issue as a Security Issue.
  2. Service Level Agreement (SLA). Vendor will treat every Security Issue with high priority and commence working on it immediately with sufficient numbers of competent Personnel to meet the requirements of these Network Security Terms. In some cases, unscheduled updates, modifications to legacy code, working during non-business hours, removing Yahoo Branding, and disabling portions of The System (excluding physical premises) may be required to limit harm.
  3. Monitoring. Vendor will actively monitor The System and public reports for Security Issues.
  4. Actions. At a minimum, Vendor will take the following steps in the event of a Security Issue:
    • Notify Yahoo’s Notification Contact immediately. Vendor will be deemed to have provided immediate notification hereunder if it notifies Yahoo via telephone and in writing via email within 24 hours of discovery of the actual or suspected Security Issue. The Security Issue notification shall describe, to the extent possible: (a) the incident; (b) the suspected effect on Yahoo, Yahoo Data, and affected individuals; (c) whether and to what extent law enforcement, governmental agencies or other regulators have been notified; (d) Vendor’s actual and anticipated corrective actions to respond to the Security Issue; and (e) if possible, the outcome of the Security Issue investigation.    
    • Provide an estimated time to resolution to Yahoo within two (2) calendar days.  
    • Resolve the Security Issue as soon as possible but no later than five (5) calendar days, unless otherwise agreed to by the Parties.   
    • Take reasonable steps to preserve logs or other data that may be useful for determining the source, cause, and consequences of the Security Issue. All logs or other data must be retained for one month after the Parties mutually agree that the Security Issue is resolved, unless additional retention is requested by Yahoo.  
    • Maintain a time and date stamped log of all significant actions taken in investigating and addressing the Security Issue. All logs or other data must be retained for one month after the Parties mutually agree that the Security Issue is resolved, unless additional retention is requested by Yahoo.
    • Identify the root cause and implications of the Security Issue, and provide to Yahoo for review.    
    • Limit Harm. Where the Security Issue causes or is likely to cause imminent harm, and reviewing with Yahoo would prolong such harm, Vendor will immediately take the minimum actions necessary to mitigate the harm. Any action beyond the minimum should be taken only after review with Yahoo.    
    • Identify and implement the changes necessary to address the Security Issue to the mutual satisfaction of the Parties. Vendor will promptly provide Yahoo with a description of the planned changes. In cases where the changes require significant effort, Vendor will discuss the plan with Yahoo prior to implementing changes.     
    • Provide Yahoo with weekly status updates until the Security Issue has been resolved, unless more frequent updates are requested by Yahoo.    
    • At its option, Yahoo may participate in the investigation of a Security Issue, provided that the incident resulted in (or is reasonably believed to have resulted in or may potentially result in) the misuse, compromise or unauthorised release of or access to Yahoo Data.
    • Partner shall immediately notify Yahoo of any investigations of its information use, privacy or information security practices or Security Issues by a governmental, regulatory or self-regulatory organisation.
    • Partner shall promptly reimburse Yahoo for all costs, fees, and expenses incurred in responding to and/or mitigating damages caused by a Security Issue caused by Partner, such as: (a) any costs incurred by Yahoo to correct, reconstruct, and reload incorrect, damaged or lost data; (b) any costs and expenses incurred by Yahoo to investigate and repair damage done to Yahoo’s systems and/or data; (c) any costs incurred related to notifying or offering remediation to third parties (including affected individuals) of unauthorised access to or use of any Yahoo Data (including without limitation any personally identifiable information) related to such persons, and providing credit monitoring and/or identity theft protection services to such persons in accordance with Yahoo’s then-current policies and practices; (d) fines, penalties and interest assessed against Yahoo; and (e) related attorneys’ fees.
    • Confidentiality. Unless otherwise required by applicable Laws, Vendor will not disclose to third parties any information about Security Issues without prior written and express permission from Yahoo for each disclosure. If Vendor is required to disclose pursuant to Laws, Vendor must notify Yahoo as soon as possible. Vendor may disclose to the following parties without obtaining such permission: (a) Vendor’s agents who are working on the issue, have a need-to-know, and have a Non-disclosure Agreement that is no less restrictive than that between Parties, and (b) others who are similarly affected and with whom Vendor has an obligation to notify. In such cases, Vendor will not disclose any information about Yahoo or Yahoo’s involvement.
       
  5. Rights to Review.
    1. Security Testing    
      • The Yahoo Companies, in their sole discretion, have the right at any time to perform remote Security Testing of The System, excluding physical premises. Such examination does not include actions that the examiner reasonably believes will cause serious harm or damage to The System. Security Testing may result in the identification of Security Issues.
      • Upon Yahoo’s request, Vendor will promptly whitelist IP addresses provided by Yahoo to allow accurate Security Testing to occur.
      • Vendor will not impede Security Testing; provided, however, that if Vendor reasonably believes Security Testing will cause serious harm or damage to The System, Vendor will (a) take the minimum action necessary to mitigate such harm or damage; (b) contact Yahoo immediately and explain the nature of the potential harm or damage; and (c) work with Yahoo so that Security Testing can continue without serious harm or damage to The System.     
    2. Security Review.
      • Subject to the conditions set forth in this Section 3(e)(ii), Yahoo, directly or through a Yahoo Affiliate, will have the right, at its own expense, to conduct Security Reviews, and/or to have an independent third party subject to a Vendor-approved confidentiality agreement conduct Security Reviews. In the case that Yahoo uses an independent third party, the third party will be selected by Yahoo subject to approval by Vendor, and such approval will not be unreasonably withheld or delayed. Vendor will provide sufficient access to its facilities, personnel, and records as required for the Security Review during Vendor’s regular business hours, and will otherwise support and cooperate with the Security Review. Security Reviews may result in the identification of Security Issues.
      • Yahoo will have the right to conduct a Security Review: (a) prior to The System being available or in production, (b) when there is or is planned to be a material change to The System, (c) when Yahoo suspects there may be a Security Issue in The System, (d) upon termination of these Network Security Terms.
      • Security Reviews will be subject to the following conditions: (a) Yahoo will provide reasonable notice to Vendor before such Security Reviews; (b) Security Reviews will be conducted during regular business hours in a manner that does not interfere with normal business activities.  

 

  4. DATA HANDLING AND RESTRICTIONS ON USE

4.1 Data Handling. Vendor will ensure Yahoo Data is handled subject to each of the following guidelines, except to the extent otherwise specifically permitted by the Agreement:

  1. Vendor will not commingle Yahoo Data with any other data.
  2. Prior to first handling Yahoo Data, Vendor will resolve all identified Security Issues with The System, unless otherwise expressly specified by Yahoo in writing.
  3. Vendor will not store or prompt for Yahoo ID and password pairs.
  4. Vendor will always use Vendor ID as the identifier when storing and retrieving user-specific data.
  5. After the termination of the Agreement, Vendor must return or securely destroy Yahoo Data, unless otherwise expressly permitted by Yahoo in writing. Prior to destroying Yahoo Data, Vendor must give Yahoo advance written notification specifying the means of destruction, and such method must be approved by Yahoo in writing.
  6. Consistent with its obligations in Section 2.2(c)(i) hereof, Vendor will not transmit or store in unencrypted form any Yahoo Data (including but not limited to, payment instruments, banking information, authentication credentials, or government issued identifiers).

4.2 Restrictions on Use. Vendor represents, warrants and covenants to use Yahoo Data solely for the Permitted Use, and Vendor will not export or use Personal Data outside of the United States without Yahoo’s prior written authorisation.

4.3 Compliance with Laws. Vendor will comply with all applicable laws and regulations (including data security, data protection, and any restrictions on transferring information across borders) with regards to Yahoo Data.

  5. INJUNCTIVE RELIEF. The Parties agree that breach of these Network Security Terms will cause Yahoo irreparable harm and that Yahoo is therefore entitled to injunctive relief to enforce its provisions, without the requirement of posting a bond therefore, in addition to such other legal and equitable relief as to which Yahoo may also be entitled.
     
  6. TERM AND TERMINATION. These Network Security Terms remain in force so long as Vendor retains or has access to any Yahoo Data. The preceding does not constitute authorisation to retain or access data that was covered by these Network Security Terms that was not authorised by the Agreement.
     
  7. ADDITIONAL REPRESENTATIONS AND WARRANTIES; INDEMNITY

7.1 Vendor represents, warrants and covenants: (a) that it has the power and the right to enter into these Network Security Terms on Vendor’s behalf, that Vendor has the power and the right to grant all rights conveyed hereby, and to perform its obligations under these Network Security Terms without breach of any agreements with third parties to which Vendor is a party or by which it is otherwise bound; (b) Vendor has not entered into, and will not enter into during the Term, any other contracts which materially interfere with Vendor’s performance of its obligations under these Network Security Terms or which frustrate the purposes of these Network Security Terms; and (c) Vendor has not assigned, delegated, sold, or otherwise transferred any intellectual property or other rights required to perform its obligations under these Network Security Terms and will not do so during the Term, except as expressly provided herein.

7.2 Vendor will indemnify, defend and hold harmless Yahoo, its employees, directors, officers, shareholders, contractors, agents and affiliates, from and against any claims, causes of action, costs, expenses, fees, penalties (including court costs and reasonable attorneys’ fees) arising out of or related to Vendor’s breach of any of the representations, warranties, covenants, duties or other terms of these Network Security Terms. This indemnity obligation will survive the expiration or earlier termination hereof.

  8. STATEMENT OF COMPLIANCE. Vendor will provide Yahoo an annual written statement certified by a Vendor officer that: (a) Vendor has obtained each year a “SOC 2” and/or “ISO 27001” certification from a qualified third party security assessments and auditing firm; and (b) Vendor has complied with all of the requirements of these Network Security Terms.
     
  9. MISCELLANEOUS

9.1 Interpretation of these Network Security Terms. The Parties desire that these Network Security Terms be construed fairly, according to their terms, in plain English, without constructive presumptions against the drafting Party, and without reference to the section headings, which are for reference only.

9.2 Entire Agreement: These Network Security Terms, together with the other parts of the Agreement and any non-disclosure agreement, with respect to its subject matter and exempting any non-contrary provisions of the non-disclosure agreement and these Network Security Terms constitute the full agreement between Vendor and Yahoo and supersede any prior or contemporaneous agreements. Except as specifically provided herein, all other terms and conditions of the Vendor MTC remain the same. In the case of inconsistency or conflict between the provisions of these Network Security Terms, on the one hand, and the Vendor MTC or any PO, SOW, SLA, PLSS, or Change Order, on the other hand, the provisions of these Network Security Terms will control.

***

These NIS Terms were last updated 1 October 2019.