This CivicPlus Security Annex (this “Annex”) forms part of and supplements (1) the services agreement in effect between the parties (the “Agreement”) and (2), where one exists, the data processing agreement between the parties (the “DPA”).
Any capitalized term used but not defined in this Annex carries the meaning given to it in the Agreement or the DPA. Should these documents conflict, the inconsistency will be resolved in the following descending order of authority: first the DPA, then the Agreement, and finally this Annex.
1. Security Policy
CivicPlus operates an enterprise-wide information security management system and control program, documented in written policies, standards, and procedures modeled on NIST 800-53 (together, the “CivicPlus Information Security Policy”). Under the CivicPlus Information Security Policy, CivicPlus adheres to the security principles set out below (each and collectively, a “Security Principle(s)”):
Identifying and evaluating the reasonably foreseeable internal and external risks to the confidentiality, integrity, availability, and security of any Customer Data the Customer supplies to CivicPlus and that CivicPlus holds or processes while delivering the Services, drawing on core operational and security practices that include:
Secure development of software;
Hardened operating procedures and vulnerability management;
Continual staff training;
Governing both physical and electronic access to Customer Data; and
Means of spotting and heading off intrusions, as well as security-system failures, on critical systems.
Following the Security Principle of least-privilege access, so that records containing Customer Data may be reached only by current CivicPlus employees and contractors, and only by those who genuinely need the information to fulfill a legitimate business purpose or to satisfy record-retention requirements;
Securing Customer Data that the Customer flags as such to CivicPlus at intake - including any individual personal data the Customer provides under this Annex - at a level proportionate to its sensitivity and consistent with CivicPlus’ data-handling policies and procedures, using commercially available, industry-accepted controls and precautionary measures;
Observing commercially reasonable standards for robust change-control procedures and for technical controls that enforce separation of duties, the minimum necessary dataset, and access restrictions;
Overseeing operations and maintaining procedures so that security protocols function in a manner reasonably designed to prevent unauthorized access to or use of Customer Data, while continually strengthening information safeguards as needed to mitigate risk;
Running a patch- and vulnerability-management process that rests on widely adopted industry-standard methods and protocols, which involves watching for threats and acting on vulnerabilities that third parties disclose; and
Maintaining security-incident response and disaster-recovery planning, together with documentation of the responsive actions taken in connection with any security incident involving Customer Data.
2. Security Practices and Processes
The Customer is responsible for its own legal and regulatory compliance in using any Services and must notify CivicPlus of any Customer Data it processes, stores, or transmits through the Services that is governed by regulations beyond those addressed in this Annex. Where CivicPlus agrees in writing to process such Customer Data while providing the Services, and the Customer has subscribed to the applicable Services, CivicPlus will process it solely as the Agreement permits and in conformity with the DPA and the data-protection laws to which CivicPlus is subject as a service provider. Once CivicPlus agrees to receive Customer Data from the Customer, it will handle and process that data in accordance with the security requirements, obligations, specifications, and incident-reporting procedures established in this Annex, the DPA, and the Agreement, as each may be amended.
CivicPlus follows secure software-development practices that conform to industry-accepted standards and are designed to surface, track, and correct security-relevant defects across every phase of the development process.
CivicPlus limits how users, applications, and other systems may access Customer Data and its systems. These controls comprise (i) controls over systems and data that admit only properly authenticated and authorized individuals under least-privilege and need-to-know principles, and (ii) the physical access controls described below. CivicPlus will confine access to Customer Data to the smallest dataset needed to perform the relevant Service(s).
CivicPlus will establish and follow access- and asset-management controls (for example, electronic locks, access badges, and video surveillance) that maintain a physically secure environment.
CivicPlus records access to controlled systems and records, capturing both successful and failed access attempts, and limits the times during which users may connect. Wherever commercially reasonable, CivicPlus uses unique logins across all network equipment.
CivicPlus assesses and remediates identified vulnerabilities through a risk-based process that supports their prompt identification, prioritization, and timely resolution. Unless the parties expressly agree otherwise in writing, “timely” means CivicPlus will roll out a fix or patch as promptly as is commercially reasonable once it learns of the vulnerability, or that a fix or patch exists, in keeping with its internal vulnerability-management program and applicable industry-accepted practices.
3. Patch and Vulnerability Management
Across the CivicPlus-operated systems, switches, routers, appliances, servers, and workstations to which it applies, CivicPlus follows commercially reasonable leading practices for managing patches centrally, ranking them by criticality, and meeting patch-timing targets.
Where practical, CivicPlus sees to it that well-regarded, commercially available anti-virus software runs - installed, switched on, and current - on the CivicPlus servers and systems involved in accessing, processing, transmitting, or storing Customer Data.
CivicPlus keeps reputable, current, commercially available anti-malware protections in place on its devices, particularly those used to access, process, transmit, or store Customer Data.
CivicPlus operates a vulnerability-management solution for devices connected to its internal network, configured to assess the network for known vulnerabilities on a regular basis.
4. Security Monitoring
A designated CivicPlus security team monitors the CivicPlus control environment, which is built to prevent unauthorized access to or modification of CivicPlus’s Customer Data. CivicPlus routinely reviews the controls applied to critical systems, the network, and its procedures to confirm they are properly implemented and effective against the identified threats, vulnerabilities, and risks. The scope of this monitoring varies with a system’s criticality, exposure, and assets, and may include: (i) internal risk assessments; (ii) verification of Multi-Factor Authentication for selected environments; (iii) the compliance of outside parties, hosting services and external components included; and (iv) review of changes affecting systems that process authentication, authorization, and auditing.
CivicPlus conducts periodic vulnerability assessments of its applications and systems, including penetration tests performed by third parties.
5. Security of Data Processing
CivicPlus has implemented, and will continue to maintain, technical and organizational measures - comprising administrative, technical, and physical safeguards - calibrated to provide a level of security appropriate to the risk of processing data for the CivicPlus Services described in this Annex (the “Security Measures”). CivicPlus may modify these Security Measures from time to time over the Term of the Agreement to reflect advances in available security technology; however, it will not, during any Subscription Term, materially weaken how secure the Services are overall.
Without limitation, the Security Measures may include the following, each intended to preserve the ongoing confidentiality, integrity, and availability of Customer Data and to prevent its unauthorized access, use, modification, or disclosure:
Background Checks.
Performing background checks on all personnel and obtaining, before employment begins, signed non-disclosure commitments together with acknowledgment of workplace-conduct documents, including anti-harassment and code-of-business-conduct-and-ethics materials.
Training.
Providing security and privacy awareness training - including acknowledgment of and agreement to follow organizational security policies - to all personnel at hire and annually thereafter.
Customer Data.
Pseudonymizing or encrypting Customer Data in transit and at rest using industry-standard cryptographic mechanisms, as applicable to the CivicPlus Services and described in the Product Privacy Notices for the respective Service(s).
Maintaining a process - supported by the internal and external audits described below - to regularly test, assess, and evaluate how effective the administrative, technical, and physical safeguards are at securing the processing, transmission, or storage of Customer Data.
Preventing any access to, use, modification, or disclosure of Customer Data other than by authorized CivicPlus personnel (1) to deliver the Subscription Services and to prevent or resolve service or technical problems, (2) where compelled by law, or (3) as the Customer expressly permits in writing - in each case subject to the terms of any applicable DPA.
Availability.
Maintaining the ability to restore the availability of and access to Customer Data promptly following an incident that affects the availability of the Services, by keeping a backup solution in place for disaster-recovery purposes.
Logging and Monitoring.
Security logging and monitoring for the systems that support the Services, including the recording of security-relevant events and the routing of alerts to a dedicated Incident Response team for investigation and response under established incident-management procedures.
Vulnerability Triaging.
Using processes and tooling to identify, assess, and triage vulnerabilities regularly, in line with industry-standard guidelines.
Policies.
Keeping a comprehensive set of security and privacy policies, reviewed at least annually, together with the supporting procedures and plans that guide the organization’s security and privacy practices; and
Sub-processors.
Maintaining processes to evaluate prospective and existing sub-processors and vendors, confirming that they are able and committed to maintain appropriate administrative, technical, and physical measures that preserve the ongoing confidentiality, integrity, and availability of Customer Data.
In applying the Security Measures described above, CivicPlus takes into account the risks associated with data processing, in particular those arising from the accidental or unlawful destruction, loss, or alteration of, or the unauthorized disclosure of or access to, personal data that is transmitted, stored, or otherwise processed.
6. Secure Data Transmissions
When CivicPlus sends Customer Data across a public communications network, that data is safeguarded while in transit through the use or availability of industry-accepted standards - among them TLS, SSH, and VPNs - except where the applicable Product Privacy Notice says otherwise.
7. Data and Media Disposal
CivicPlus follows disposal procedures aligned with recognized industry standards (for instance, NIST SP 800-88) for both tangible property and electronic files that contain Customer Data, taking available technology into account so that Customer Data cannot afterward be reconstructed and read.
8. Backup and Retention
CivicPlus will back up the systems used to provide services to the Customer so as to ensure adequate recovery capabilities, following the schedule set out in the Documentation for the applicable Services. Backups will be suitably protected so that only authorized individuals can access the Customer Data, including, among other things, encrypting data held off-site on electronic media and suitably classifying and safeguarding hard-copy records, where applicable. Where files that contain Customer Data are not backed up on their own, CivicPlus will protect them from unauthorized access consistent with what the Agreement requires.
9. Customer Data
CivicPlus will comply with the laws and regulations applicable to its provision of the Services that concern how any Customer Data it receives from the Customer is kept confidential, secured, and processed. Where CivicPlus processes categories of Customer Data subject to additional regulatory requirements because of the nature or place of origin of the data (as described in section 2a above), CivicPlus will reasonably cooperate with the Customer to arrange compliance with those requirements. Such cooperation may include, without limitation, entering into additional agreements required by applicable law, implementing additional security controls required by such law, completing regulatory filings applicable to CivicPlus, and participating in relevant regulatory audits, as applicable, under Section 17 below (“Customer Audits.”).
10. Security Incident Management and Remediation
For the purposes of this Annex, a “Security Incident” refers to any (i) loss of, (ii) unauthorized acquisition, use, or disclosure of, or (iii) unauthorized access to, Customer Data arising from a breach of security on the CivicPlus platform. CivicPlus maintains a response capability able to identify and assess the seriousness and scope of a Security Incident, contain its effects, perform root-cause analysis, develop and document remedial action plans, and prevent Security Incidents from recurring. CivicPlus has established procedures requiring personnel and contractors to report actual or suspected security breaches promptly, and it maintains a current incident-management plan designed to swiftly identify, prevent, investigate, and mitigate Security Incidents and to carry out the recovery actions needed to remedy their impact.
Security Incidents affecting the CivicPlus platform are logged, reviewed, secured, and retained as applicable laws and regulations require.
Where a Security Incident relates to Customer Data, CivicPlus will (a) promptly assess and contain the Security Incident; (b) notify the Customer without undue delay after becoming aware of the Incident, and in no event later than forty-eight (48) hours after CivicPlus becomes aware of the Security Incident, by means of a Support Ticket sent to each individual the Customer has designated to receive such Support Tickets (or to any other addresses the Customer may provide from time to time), and provide regular status updates on the investigation as often as the Customer reasonably requests given the severity of the Incident; (c) where applicable, provide the reasonable cooperation and assistance the Customer needs to meet its own obligations arising from its use of the Services; and (d) immediately take every step reasonably necessary and within CivicPlus’s reasonable control — including, without limitation, those the Customer reasonably requests — to limit, stop, prevent, and remediate the Incident. Once that initial notice has gone out, CivicPlus will move quickly to investigate the Security Incident and to put in place whatever reasonable measures are needed to keep the Customer Data from being compromised any further. If the investigation reveals a security deficiency within any CivicPlus information system, CivicPlus will, within a reasonable period, provide the Customer with a report describing the nature of the Security Incident, identifying any Customer Data that was exposed, lost, changed, or otherwise affected, and setting out the investigative, corrective, or remedial actions CivicPlus has taken or plans to take to reduce the risk of further Security Incidents. CivicPlus will keep log files sufficient to allow the Customer to determine which Customer Data was accessed and when, whether that data is maintained physically or electronically.
11. Business Continuity and Disaster Recovery
CivicPlus runs business-continuity and disaster-recovery planning programs that build and keep current the documented plans and procedures needed to keep the information systems, processes, and facilities running — or to bring them back — when a disruption to them could affect whether Customer Data stays available (“BC/DR Plans”). The BC/DR Plans describe how CivicPlus reacts when an emergency strikes (say, a natural event like a fire, an earthquake, or a hurricane, or a deliberate one such as sabotage, malware, or terrorism), and they cover: (i) who does what, naming the key people and the recovery team charged with seeing the recovery effort through; (ii) backup arrangements under which data is copied from database systems on a recurring basis so the data can later be rebuilt; (iii) contingency and recovery playbooks that the recovery team works through before, during, and after an unplanned outage in order to hold downtime and lost data to a minimum; and (iv) a routine for exercising and reviewing the BC/DR Plans each year, with those exercises recorded in writing.
12. Security Evaluations
CivicPlus performs internal security evaluations that are consistent with its information security program and aligned with applicable industry-accepted practices, including risk assessments conducted from time to time. These evaluations are intended to gauge how effective the security controls supporting the Services are.
CivicPlus also reviews and evaluates its security policies on a regular basis to confirm their operational effectiveness, maintain compliance with applicable laws and regulations, and respond to new threats and risks.
Security Policies are likewise reviewed whenever a material change in CivicPlus’s business practices or in the external threat environment could reasonably bear on the security or integrity of records that hold Customer Data. For software, systems, applications, and databases, CivicPlus relies on a written change-management procedure that ensures every access change is governed, signed off, and logged.
CivicPlus will give the Customer prompt notice of any planned change to system configuration - or any other change - that would have an adverse effect on the confidentiality, integrity, or availability of Customer Data.
13. CivicPlus Certifications and Standards by Product Offering
CivicPlus retains reputable, independent third-party audit firms to perform the audit engagements listed below:
| CivicPlus Offering | Certificate Type |
|---|---|
| SeeClickFix 311 CRM; Agenda and Meeting Management; Asset Management; CivicPlus Payments; Codification; Web Central; Web Evolve; Municode Codification; Recreation Management; Utility Billing | GovRAMP Ready (in progress) |
| Social Media Archiving | FedRAMP Authorized (in progress) |
| Asset Management; NextRequest; Social Media Archiving | SOC 1 Type 2 (SSAE 18 & ISAE 3402); SOC 2 Type 2 (Security, Availability and Confidentiality) |
| CivicPlus Payments | PCI DSS² |
| NextRequest | HIPAA¹ |
| Process Automation and Digital Services | ISO 27001 |

¹ “HIPAA ready” means that the service can be used in a manner that helps Customers meet their own legal obligations for HIPAA compliance, including CivicPlus signing a Business Associate Agreement (BAA) covering the identified services. Responsibility for meeting legal obligations, for confirming that the CivicPlus service satisfies their compliance requirements, and for securing the service appropriately rests ultimately with Customers.
² Achieving PCI-DSS compliance requires configuration with a PCI-DSS-integrated payment processor.
If a Customer asks in writing and signs an NDA, CivicPlus will share copies of the audit reports it has on hand, together with the related trust documentation, for the Services in question. Those reports, and everything in them, count as CivicPlus Confidential Information, and the Customer must treat them on that basis. The Customer may rely on the reports only to gauge how well the relevant controls for the Services are designed and functioning, and the reports carry no warranty whatsoever.
14. Training and Secure Development Practices
CivicPlus communicates the CivicPlus Information Security Policy to all of its personnel, employees, and contractors, and provides recurring, mandatory security awareness training to its employees and contractors (collectively, “Personnel”). CivicPlus imposes disciplinary measures for violations of the CivicPlus Information Security Policy.
CivicPlus’s contracts with the Sub-processors involved require each of them to tackle the security risks, controls, and procedures tied to information systems and to operate under terms, conditions, and restrictions no less protective or restrictive than the ones in this Annex. CivicPlus equips every member of its personnel and its contractors with suitable, recurring training on information-security procedures, risks, and threats, and CivicPlus stays responsible for how any subcontractor performs. CivicPlus agrees that any Services it performs for the Customer that involve the use of Customer Data will be carried out only within the Data Center Region and only by personnel permitted under the Agreement.
CivicPlus follows secure-development practices consistent with its Information Security Policy and with industry-accepted standards; these practices include building security considerations into the development lifecycle and providing role-appropriate training to Personnel involved in developing, testing, or deploying the Services.
15. CivicPlus Shared Responsibility Model
CivicPlus Responsibilities
CivicPlus is responsible for the confidentiality, integrity, and availability (collectively, “Security”) of the Services and of CivicPlus’s internal information-technology systems. Beyond the measures described under “Security of Data Processing” above, the Security Measures include, without limitation, server-level patching, vulnerability management, penetration testing, logging and monitoring of security events, incident management, operational monitoring, around-the-clock support, and maintaining customer-site availability in accordance with the applicable SLA.
To deliver the Services and to back up its function as a Processor of Customer Data, CivicPlus brings in Sub-processors. Except to the extent the agreement between CivicPlus and a Customer caps liability, CivicPlus stays fully answerable for what those Sub-processors do or fail to do in carrying out the relevant Services, and it must see that the commitments in this Security Annex and in the Agreement are honored under both.
Customer Responsibilities
Customers are responsible for securely managing and provisioning their users for the purpose of granting access to CivicPlus’s Services, and for complying with the Agreement, the DPA, and CivicPlus’s Acceptable Use Policy when using CivicPlus’s Services.
16. Access and Review
Upon reasonable prior written notice from the Customer, and subject to CivicPlus’s confidentiality and security conditions and to a written, mutually agreed audit plan, CivicPlus will make available for the Customer’s review, at CivicPlus, summary-level information about its security policies and procedures as well as current, published third-party audit reporting relating to the Customer Data. CivicPlus may insist on approving in advance any third-party review of the DR, IR, BCP, and other related Plans, and may place reasonable conditions and limits on that third-party access. As noted under “CivicPlus Certifications and Standards by Product Offering” above, the Customer may likewise consult the available audit reporting set out in Section 13.
17. Customer Audits
CivicPlus offers its Services in the cloud on a one-to-many basis — an approach that, for its Customers’ benefit, leans on standardized leading practices and recognized industry norms and that draws on outside providers and Sub-processors. Because of that, letting individual Customers audit on-site would create security and privacy risks for CivicPlus, for its other Customers, and for its Sub-processors.
In addition, certain Sub-processors, such as Amazon Web Services and Azure, do not permit physical audits of their data centers and instead supply third-party audits and certifications. For these reasons, among others, CivicPlus’s security program is built around the audits, certifications, and documentation described in Section 13, “CivicPlus Certifications and Standards by Product Offering,” above, balancing transparency about the security and privacy safeguards CivicPlus has implemented against its need to meet the security and privacy obligations it owes to CivicPlus Customers and its Sub-processors.
Accordingly, the Customer agrees to exercise any right it has to audit or inspect how CivicPlus processes the personal data within Customer Data by having CivicPlus run audits as described in Section 13, “CivicPlus Certifications and Standards by Product Offering,” above, in line with the processes and timetable CivicPlus currently uses. Should the Customer want to change that audit or inspection instruction, it will put the request to CivicPlus in writing, and the parties will then work out together how to carry the revised instruction into effect.
Disclaimer: Information in this document is subject to change without notice.