Network Security Terms
These Network Security Terms (“Network Security Terms”) effective as of the Start Date are subject to the Vendor Master Terms and Conditions between the parties (the “VMTC”) and are part of the Agreement, as defined in the VMTC. Except for terms defined herein, all other terms used herein are defined in the VMTC and/or other parts of the Agreement between Yahoo and Vendor, and shall have the same meaning.
- DEFINITIONS
- “Yahoo Confidential Information” is defined in the VMTC and shall have the same meaning in these Network Security Terms.
- “Industry Standard” means a security control, process, or practice that, taking into account the nature and scope of the Services and Vendor’s processing of Yahoo Data, is: (a) actually used or adopted by a substantial number of companies comparable in size, stature, and industry sector or functional equivalent to Vendor; (b) prescribed for use within the industry sector by an applicable nationally recognized standards body (e.g., NIST, ISO, PCI, etc.); or (c) assessed by a significant number of recognized experts in the field as acceptable and reasonable, except where a recent disclosure or public finding uncovers a significant flaw or vulnerability in such standard.
- “Malware” means any software, code, or application that is suspected or known by either Party to modify, damage, destroy, record, misuse, distribute, or transmit information to, from, or within The System, including malvertising, without intention or permission of the Parties. Malware includes, but is not limited to, viruses or worms that may be self-replicating or self-propagating and may be designed to: (a) contaminate other components of The System, (b) consume resources, (c) modify, destroy, record, or transmit data, or (d) alter the operation of The System.
- “Personal Information” is defined in the VMTC and will include any copies, reproductions, duplications, and onsite or offsite backups thereof, whether in whole or in part.
- “Security Issue(s)” means (a) any known or suspected condition in or affecting The System or Vendor security program policies and processes that could compromise the security, confidentiality, integrity, or availability of Yahoo Data or The System or impair Yahoo’s ability to meet legal or business obligations, or (b) any unauthorized disclosure or unauthorized use of Yahoo Data in the possession or under the control or direction of Vendor.
- “Security Review” means examination of The System or information related to the security of The System requiring the assistance of or coordination with Vendor that can identify, assess, and/or diagnose, or are intended to identify, assess, and/or diagnose Security Issues.
- “Security Testing” means testing of The System, directly or indirectly through interfaces to which any Yahoo Company and/or their agents, and/or Yahoo Companies have access without the need for Vendor coordination, by manual interaction with or automated test cases that can identify and/or diagnose, or are intended to identify and/or diagnose Security Issues. Testing includes, but is not limited to, penetration testing, red team testing, and vulnerability scans.
- “The System” means any and all technical, physical, and operational components of the environment owned, operated, or provided by or on behalf of Vendor, that are involved in performing Vendor’s obligations under the Agreement, including, but not limited to, networks, databases, software, computer systems, backups, devices, policies, processes, documentation, data, and physical premises.
- “User Data” means information submitted by a User through the Service, including all associated messages, attachments, files, tasks, project names, team names, channels, conversations, and other similar content.
- “Yahoo Data” is defined in the VMTC, and includes User Data and Personal Information, and shall otherwise have the same meaning in these Network Security Terms.
- GOVERNANCE AND ADMINISTRATIVE REQUIREMENTS
- In accordance with generally accepted industry practices and regulatory guidance, and consistent with standards and practices described in the NIST Cybersecurity Framework, and the current Center for Internet Security Critical Security Controls, Vendor agrees to comply with the Network Security Requirements set forth herein.
- Vendor will implement, maintain, update and comply with a comprehensive, written network and information security program (“Vendor Security Program”) that includes Industry Standard physical, technical, and administrative security safeguards to protect the confidentiality, integrity and availability of The System, Yahoo Data and Yahoo Confidential Information from unauthorized access, destruction, use, modification and disclosure.
- Vendor’s Security Program will include identifying appropriate Executive Level Management and oversight to manage network and information security risk, and to designate a qualified individual to oversee and manage the Vendor Security Program.
- Vendor shall have and enforce a comprehensive set of Industry Standard policies, processes, and practices (“Policies”) reasonably designed to manage Vendor’s network and information security risks, including protecting facilities, systems, assets, and information against external and internal security threats, including but not limited to network intrusions, digital threats (e.g., malware), denial-of-service and other attacks on availability, and insider thefts, and the integrity and reliability of Vendor’s products and services.
- Vendor agrees to perform and maintain regular third-party audits or risk assessments (at a minimum annually) to review and verify that applicable administrative, technical, and physical controls satisfy the Vendor Security Program and these Network Security Terms, and to remediate and update the Vendor Security Program consistent with Industry Standards (including the NIST Framework and CIS CSC), and current legal requirements, as appropriate.
- Vendor workforce, including staff/employees, management, and contractors who have access to Yahoo Data must receive periodic training (at least annually) relating to the Vendor Information Security Program and commensurate with their roles and responsibilities, and must be bound in writing to protect the confidentiality of Yahoo Data and Yahoo Confidential Information. The full workforce must be provided cybersecurity risk awareness education.
- Vendor must require that all permitted Subcontractors and Vendors’ vendors are bound in writing to comply with requirements that are substantially the same as these Network Security Terms to the extent applicable to providing Services associated with the performance of this Agreement.
- OPERATIONAL REQUIREMENTS OF THE SYSTEM
- Asset and Software Management: Vendor agrees to maintain an asset management system to ensure data, employee and network devices, systems, software, and applications, and facilities (“assets”) are inventoried and network connections are controlled; assets are properly accounted for, and that mechanisms exist to properly dispose of or reimage assets and devices; privacy and security risks associated with lost assets are appropriately managed, including through encryption of all laptops and removable media; and mobile devices, whether owned by Vendor or not, are managed through a Mobile Device Management policy.
- Authorized and Unauthorized Software: Vendor agrees to establish policies and practices, including using corporate images, to identify and manage the installation of authorized software. Vendor agrees to maintain policies to provide reasonable assurance as to the security of applications and software deployed on The Systems.
- Configuration Management: Vendor will maintain a Configuration Management policy to create a baseline configuration for The System and assets and to ensure that The System is at all times securely configured, by, at a minimum: (i) changing all factory or provider default password settings for all applications, operating systems, routers, firewalls, wireless access points, and other components of The System; (ii) disabling all unnecessary services or features; (iii) closing all known and all published security deficiencies therein, including applying updates and subsequently identified publications thereof; (iv) ensuring only ports, protocols, and services with validated business needs are running on The System; (v) actively monitoring The System, including for changes to configuration settings; and (vi) adhering to the physical security requirements set forth below. The Configuration Management policy must include an approval process for deviations from established configurations and must document changes to configuration settings.
- Patch Management: Vendor will apply all applicable security patches for The System as soon as possible after any such patch becomes available, but in no event more than thirty (30) calendar days after the release of any such patch. Vendor will upgrade applications, operating systems, browsers, and other software when earlier versions are no longer supported or patched.
- Security Protection
- Vendor will continuously maintain Industry Standard firewall protection for The System to control the ingress and egress of transmissions and data to environments containing Yahoo Data. At a minimum, firewalls must protect all connections to open, public networks, including remote and wireless access points. Vendor will test its perimeter router and firewall devices no less than quarterly for unsafe configurations.
- Vendor will ensure that The System is not vulnerable to industry-recognized security vulnerabilities (e.g., issues listed in OWASP Top Ten, found at: http://www.owasp.org, as updated from time to time).
- Vendor will perform vulnerability scanning at least on a weekly basis. Critical severity vulnerabilities identified shall be remediated within 24 hours, High severity vulnerabilities within a week (7 days), and Medium severity vulnerabilities within thirty (30) days of detection. Unless an alternate method is mutually agreed upon by Yahoo and Vendor in a signed written agreement, tests will be conducted in a manner consistent with Industry Standard security scanning procedures.
- Vendor will take all reasonable measures to ensure that The System components are free of all Malware, and that Vendor will not transmit or distribute any Malware. Such efforts will include, but are not limited to, running Industry Standard, commercially available, anti-virus software on all systems, updating signatures no less than daily, conducting at least biweekly Malware sweeps of The System and purging all Malware found. Any transmission or distribution of Malware is a Security Issue.
- Security Testing
- Vendor shall conduct penetration testing and vulnerability scanning on The Systems and its applications at least twice annually, and more frequently if a Security Issue or vulnerability is suspected. Upon request, the Vendor shall provide the results of such testing and scanning to Yahoo.
- Yahoo shall have the right to perform remote Security Testing of The System through interfaces to which any Yahoo Company and/or its agents have access, subject to a mutually agreed-upon testing process between Yahoo and Vendor.
- Yahoo will notify Vendor at least 10 days in advance of any proposed Security Testing and shall work in good faith with Vendor to arrive at a mutually agreed-upon testing plan, including whitelisting Yahoo-designated IP addresses to allow for accurate testing to occur. Such examination will not include action that Vendor reasonably believes will cause serious harm or damage to The System.
- If Vendor reasonably believes Security Testing will cause serious harm or damage to The System, Vendor will (a) take the minimum action necessary to mitigate such harm or damage; (b) contact Yahoo immediately and explain the nature of the potential harm or damage; and (c) work with Yahoo to agree on an appropriate Security Testing methodology so that testing can continue without serious harm or damage to The System.
- DESIGN REQUIREMENTS
- Encryption
- All Yahoo Data consisting of User Data or Personal Information shall be encrypted at all times (at rest and in transit) while in Vendor’s possession or control. Where data must be encrypted under the terms of these Network Security Terms, other parts of the Agreement, or Laws, Vendor will sign and encrypt using at a minimum the Yahoo-approved algorithm. The following algorithms are pre-approved by Yahoo: i) AES GCM (128 bit key size or above); ii) RSA (2048 bit key size or above); and iii) HMAC SHA256. All other algorithms must be specifically approved by Yahoo’s security team in writing prior to use and will be subject to any limitations prescribed by Yahoo in its approval. Such requests shall be coordinated through the Yahoo Notification Contacts designated below.
- Vendor will store and distribute cryptographic keys, shared secrets, and passwords (collectively “Secrets”) in encrypted form. Secrets are prohibited from being placed in online code repositories (e.g., GitHub, Bitbucket, etc.). Secrets used by automated processes may only be stored in an unencrypted file when the file: i) can only be accessed by the automated process; ii) cannot be accessed by the automated process after initialization; iii) is only available to servers running the automated process; iv) is not backed up in unencrypted form; v) is not stored on a shared file system; and vi) is rotated regularly, at a maximum of every 90 days.
- Components of The System that verify a password will, at a minimum, only store a salted, cryptographically secure hash of the password for verification, using one of: bcrypt (with a required minimum work factor of 8), scrypt, Argon2, or PBKDF2.
- Access Control
- Vendor will permit access to The System and Yahoo Data only to authorized persons on a need-to-know basis, consistent with the Principle of Least Privilege. “Principle of Least Privilege” means a model for access to information, including Yahoo Data, enabling access only to such information and other rights and privileges relating to such data as are necessary for a person or process to perform a legitimate business function in connection with the Services.
- Vendor agrees to ensure that all remote and wireless access to The Systems and Yahoo Data is controlled.
- Authentication. The System, excluding physical premises, will at all times be protected by an authentication system that complies with the following requirements:
- Vendor will ensure that: (i) it employs Industry Standard password complexity and aging requirements; (ii) use of privileged accounts is minimized; (iii) authentication credentials are not shared; (iv) authentication credentials are kept confidential; (v) individuals authenticate using their own account and not a shared account; (vi) when an authorized individual no longer needs access to The System, his or her authentication credentials and access to The System are terminated immediately; (vii) user accounts lock out after a certain number of failed authentication attempts; and (viii) except where required for job function, all authorized individuals log out of The System at the end of each work day.
- Vendor will ensure that multifactor authentication is used to access all Yahoo Data and The Systems. All remote and wireless network connections to systems and networks, must be individually identified, verified, logged and approved using multifactor authentication. If such authentication controls are not feasible, Vendor will notify and work with Yahoo to ensure appropriate compensating controls are implemented and maintained.
- Source Code Development. Vendor uses a Secure Software Development Life Cycle (SSDLC) framework for all code development. Such framework includes the following requirements:
- All branch, feature, and release changes must be reviewed by more than one team member. Pull requests must be approved by a senior team member. Automated code analysis and integration testing are applied before any code merge, and again before release to production.
- All code is tested prior to being considered for release.
- Vendor uses industry-standard software frameworks and libraries: native HTML, JavaScript, and WebApp; Swift on macOS; Node.js on the backend. All frameworks are regularly reviewed for security issues, and amendments are made as appropriate to any deployed or in-development code.
- Vendor uses internal vulnerability scanning tools to identify known vulnerabilities in code.
- Vendor undergoes a penetration and dynamic application security test carried out by an independent third party on at least an annual basis.
- Logging: Vendor will log, including time and date, all attempted accesses to the servers involved in performing obligations pursuant to the Agreement, or that otherwise process Yahoo Data, and the result of such attempts, successful or unsuccessful. In order to enable a complete audit trail of activities, Vendor will log, including time and date, all commands that require additional privileges, including all failed attempts to execute privileged commands. Vendor will protect the logs from tampering. Vendor will retain all log entries for at least six (6) months, unless a Security Issue is identified or suspected, in which case all relevant logs must be preserved until both parties mutually agree that the Security Issue has been resolved. Logs shall be monitored by a dedicated individual or team for identification of anomalous activities, or Vendor shall employ an automated alerting function that sends anomalies automatically to appropriate staff for resolution.
- Communications, Email, and Web Browser Security: Vendor ensures that only fully supported, current web browsers and email clients are allowed to be used in the environment; logs URL requests; scans and filters web and email traffic; and blocks access to unauthorized sites. Vendor will educate workforce members on email phishing and other social engineering techniques.
- SECURITY ISSUE MANAGEMENT AND INCIDENT HANDLING
- Incident Response Plan: Vendor maintains a written comprehensive incident response plan to detect, respond to, contain, investigate, and remediate network and information Security Issues, including all security incidents that compromise the confidentiality, integrity, and availability of Yahoo Data, Yahoo Confidential Information, The Systems, or the services under this Agreement. The incident response plan identifies and assigns roles and responsibilities to key stakeholders and decision-makers across the organization. Vendor regularly tests the incident response plan.
- Incident Handling and Notification: At a minimum, Vendor will take the following steps in the event of a Security Issue:
- Vendor will immediately inform Yahoo through the Notification Contact of any Security Issue of which Vendor becomes aware or suspects, but in no case later than 24 hours after it becomes aware of or suspects the Security Issue. Following verbal notice, Vendor shall provide a written notice summarizing in reasonable detail the effect on Yahoo, if known, the nature and cause of the Security Issue (including, if known, the categories and approximate number of individuals and Yahoo Data (including Personal Information) affected, and the likely consequences of the Security Issue), the date and/or time period during which the Security Issue is believed to have occurred, and the corrective actions taken or to be taken by Vendor. Vendor shall provide regular updates to Yahoo as additional information becomes available.
- Vendor shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Yahoo in all reasonable and lawful efforts to prevent, mitigate or rectify such Security Issue. Vendor shall (i) investigate such Security Issue and perform a root cause analysis thereon; (ii) remediate the effects of such Security Issue; and (iii) provide Yahoo with such assurances and information as Yahoo shall request that Vendor has taken reasonable steps to ensure that the Security Issue is not likely to recur.
- Vendor shall make a good faith effort to notify Yahoo prior to disclosing a Security Issue to any third party, including law enforcement, and to work cooperatively with Yahoo on a response strategy, including any notifications or communications to third parties.
- Confidentiality. Unless otherwise required by applicable Laws, Vendor will not disclose to third parties, including law enforcement, regulators, the media, or impacted individuals, any information about Security Issues without prior written and express permission from Yahoo for each disclosure. If Vendor is required to disclose pursuant to Laws, Partner must notify Yahoo as soon as possible prior to such disclosure. Vendor may disclose to the following parties without obtaining such permission: (a) Vendor’s agents who are working on the issue, have a need-to-know, and have a Non-disclosure Agreement that is no less restrictive than that between the Parties, and (b) others who are similarly affected and with whom Vendor has an obligation to notify. In such cases, Vendor will not disclose any information about Yahoo, impact to Yahoo, or Yahoo’s involvement in the response effort. Vendor shall require that any Subcontractor involved in providing the Services shall be bound in writing with Confidentiality terms substantially the same as those in this section.
- Vendor shall immediately notify Yahoo of any investigations of its information use, privacy or information security practices or Security Issues by a governmental, regulatory or self-regulatory organization, unless prohibited by law from doing so.
- Vendor shall reimburse Yahoo for, at a minimum, the following costs, fees, and expenses incurred in responding to and/or mitigating damages caused by a Security Issue caused by Vendor: (a) any costs incurred by Yahoo to correct, reconstruct, and reload incorrect, damaged or lost data; (b) any costs and expenses incurred by Vendor to investigate and repair damage done to Yahoo systems and Yahoo Data; and (c) any fines or penalties assessed against Yahoo.
- Classification: Vendor’s incident response plan shall include processes to ensure timely and appropriate response to all Security Incidents impacting Yahoo Data and The Systems. If Yahoo believes an issue has not been properly classified as a Security Issue, Yahoo, in its sole and absolute discretion, has the right to classify such issue as a Security Issue.
- Security Issue Resolution: Vendor will treat every Security Issue with high priority and commence working on it immediately with sufficient numbers of competent Personnel to meet the requirements of these Network Security Terms. In some cases, unscheduled updates, modifications to legacy code, working during non-business hours, and disabling portions of The System (excluding physical premises) may be required to limit harm.
- Monitoring: Vendor will actively monitor The System and public reports for Security Issues.
- RIGHT TO MONITOR AND REVIEW
- Yahoo will have the right, at its own expense, to conduct Security Reviews for the purpose of assessing compliance with these Network Security Terms, either directly or through an independent third party subject to a Vendor-approved confidentiality agreement. In the case that Yahoo uses an independent third party, the third party will be selected by Yahoo subject to approval by Vendor, and such approval will not be unreasonably withheld or delayed.
- Yahoo will have the right to conduct a Security Review at least annually, and otherwise: (a) prior to The System being available or in production, (b) when there is or is planned to be a material change to The System, or (c) when Yahoo suspects there may be a Security Issue in The System.
- Security Reviews will be subject to the following conditions: (a) Yahoo will provide reasonable notice to Vendor before such Security Reviews; and (b) Security Reviews will be conducted during regular business hours in a manner that does not interfere with normal business activities.
- Vendor will respond promptly to any inquiries from Yahoo relating to Vendor’s obligations under the Network Security Terms, will provide sufficient access to information and records as required for the Security Review during Vendor’s regular business hours, and will otherwise support and cooperate with the Security Review, including making available all information necessary to demonstrate compliance with these Network Security Terms.
- Statement of Compliance. At Yahoo’s request, Vendor will provide Yahoo an annual written attestation certified by a Vendor officer that:
- Vendor has obtained each year an Industry Standard security certification (e.g., SOC 2) or standard (NIST) relating to the Services from a qualified third party security assessments and auditing firm, or that Vendor has undertaken a similar internal security review; and
- Vendor has complied with all of the requirements of these Network Security Terms.
- DATA HANDLING AND RESTRICTIONS ON USE
- Vendor must maintain logical separation between Yahoo Data and any other data in Vendor’s possession, and will not commingle Yahoo Data with other data. Prior to first handling Yahoo Data, Vendor will resolve all identified Security Issues with The System, unless otherwise expressly specified by Yahoo in writing.
- Vendor will not store or prompt for Yahoo ID and password pairs.
- Vendor will always use Vendor ID as the identifier when storing and retrieving user specific data.
- The storage or transmission of Yahoo Data on or through removable media (e.g., USB drives, mobile devices, CD/DVD Roms, etc.) is strictly prohibited.
- After the termination of the Agreement, Vendor must return or securely destroy Yahoo Data, unless otherwise expressly permitted by Yahoo in writing. Prior to destroying Yahoo Data, Vendor must give Yahoo advance written notification specifying the means of destruction, and such method must be approved by Yahoo in writing.
- Consistent with its obligations in these Network Security Terms, Vendor will not transmit or store in unencrypted form any User Data or Personal Information (including but not limited to, payment instruments, banking information, authentication credentials, or government issued identifiers).
- CONTACTS
- Notification Contact. Each party has designated Notification Contacts as set forth below. Each Party may update or modify its Notification Contact information by providing written notice to the other Party’s Notification Contact. Notifications pursuant to these Network Security Terms will take place via a telephone call and/or email by one Party to the other’s Notification Contact. Notification Contacts will be available twenty-four hours a day, seven days a week. Notification Contact information and communication protocol is as follows:
Yahoo Notification Contacts
Yahoo Network Operations Center:
+1 (408) 349-5555 (communicate that the call regards a “Vendor Security Notification”)
Email: security-incidents@yahooinc.com (with subject line: “Vendor Security Notification”)
Vendor Notification Contacts
Vendor’s Notification Contacts will be as identified in the PO or SOW.
- Security Contact. Vendor will provide Yahoo with access to knowledgeable Personnel who can respond to security questions or security concerns (“Security Contact”). The Security Contact will have a deep, current knowledge about the architecture and operation of The System. The Security Contact will be available twenty-four (24) hours a day, seven (7) days a week by telephone and email, or through Vendor’s Notification Contact.
- INJUNCTIVE RELIEF
The Parties agree that breach of these Network Security Terms will cause Yahoo irreparable harm and that Yahoo is therefore entitled to injunctive relief to enforce its rights under these Network Security Terms and the Agreement, without the requirement of posting a bond therefor, in addition to such other legal and equitable relief to which Yahoo may also be entitled.
- TERM AND TERMINATION
These Network Security Terms shall remain in force so long as Vendor retains or has access to any Yahoo Data or to the Yahoo network, systems, or assets. The preceding does not constitute authorization to retain or access data covered by these Network Security Terms that was not authorized by the Agreement.
- MISCELLANEOUS
- Interpretation of these Network Security Terms. The Parties desire that these Network Security Terms be construed fairly, according to their terms, in plain English, without constructive presumptions against the drafting Party, and without reference to the section headings, which are for reference only.
- Entire Agreement. These Network Security Terms, together with the other parts of the Agreement and any non-disclosure agreement, with respect to its subject matter and exempting any non-contrary provisions of the non-disclosure agreement and these Network Security Terms constitute the full agreement between Vendor and Yahoo and supersede any prior or contemporaneous agreements. Except as specifically provided herein, all other terms and conditions of the VMTC remain the same. In the case of inconsistency or conflict between the provisions of these Network Security Terms, on the one hand, and the VMTC or any PO, SOW, SLA, PLSS, or Change Order, on the other hand, the provisions of these Network Security Terms will control.
- Online Terms Subject to Change. Yahoo may change these Network Security Terms or the VMTC, or both, at any time by posting such on the applicable Yahoo Company Website or by email, and such revised Network Security Terms or VMTC will supersede and replace the earlier Network Security Terms or VMTC, as applicable. Any provision of Services after such revision will be deemed to be an acceptance by Vendor of the revised online terms.
Last updated: 1 May 2022