Minimum Security Requirements

Effective: January 1, 2023

Introduction

These Minimum Security Requirements form a legally binding contract between you and Snap and are incorporated by reference into the Snap General Commercial Terms (the “Terms”). Any terms not defined herein will have the meanings provided in the Terms.


1. Security Requirements

Any party providing Services (“Service Provider”) to Snap is responsible for and will ensure that it will comply with the following:

1.1. Implements, maintains, and complies with a written information security program consistent with established industry standards that includes administrative, technical, and physical safeguards to protect Snap Data from foreseeable threats and hazards to the confidentiality, security, integrity, or availability of Snap Data including unauthorized access, acquisition, disclosure, destruction, use, processing, modification, or compromise of Snap Data or any other access to or use of Snap Data that could result in substantial harm or inconvenience to Snap, Snap’s customers, Snap’s users, or Snap’s employees.

1.2. Adopts, implements, and complies with reasonable policies and standards related to information security and privacy.

1.3. Conducts periodic risk assessments to assess risks (whether external or internal) to the security, confidentiality, availability, and integrity of Snap Data and any systems directly or indirectly processing any Snap Data, and implements reasonable controls and safeguards to limit any identified risks. 

1.4. Assigns responsibility and accountability for the information security program to an individual or committee with sufficient experience, knowledge, and skill in information security management.

1.5. Devotes adequate personnel and other resources to Service Provider’s information security program.

1.6. Conducts appropriate background checks of any individual that will have access to Snap Data and requires all employees, vendors, and others with access to Snap Data to be informed of their confidentiality obligations and to enter into written confidentiality agreements.

1.7. Conducts periodic information security and privacy training, including without limitation, to ensure employees and others with access to Snap Data: (a) are aware of information security and privacy risks, and (b) understand their obligation to comply with Service Provider’s information security and privacy program, these Security Requirements, and with applicable laws.

1.8. Maintains a business continuity and disaster recovery program, including encrypted backups in accordance with industry standards and secure redundant (in a different region, locale, or zone) storage of data sufficient for disaster recovery. 

1.9. Maintains and complies with data minimization industry standards, including data retention and secure destruction policies, procedures, and capabilities.

1.10. Uses industry standard (or better) encryption for any Snap Data stored on any laptop, portable device (e.g., USB stick, tablet, mobile device), or storage media (e.g., servers, databases, tapes), or that is transported or transmitted outside the physical or logical controls or network of Service Provider (except in the case of a facsimile). Service Provider will also use industry standard controls to safeguard the confidentiality, security, and integrity of any encryption keys.

1.11. Establishes, maintains, and enforces role-based access controls based on the concept of “least privilege,” and conducts routine audits of any access granted to ensure that any privileges and access granted are relevant and appropriate. Service Provider will also maintain a robust off-boarding process to ensure privileges and access are revoked immediately upon the departure of any employee, contractor, or vendor.

1.12. Requires strong authentication (including complex passwords and multi-factor authentication with physical security keys or one-time codes) in accordance with NIST 800-63 for any systems that will access, process, use, or store Snap Data, including any administrator or elevated privileges accounts and methods for remote access to Service Provider’s environment or cloud resources.

1.13. Automatically collects logs (including application, network, system, firewall, and user level) on a real-time or near real-time basis, audits those logs on a periodic basis in accordance with industry standards, and maintains those logs for a minimum of ninety (90) days in a security information and event management (SIEM) system or an equivalent log aggregation and analysis platform or system for centralized review and alerting. Service Provider will also maintain procedures to respond promptly to any alerts generated by Service Provider’s security controls and technologies.

1.14. Utilizes intrusion detection and/or prevention systems or similar cloud native solutions and conducts periodic penetration tests and security audits (except where not permitted by cloud resource providers) and resolves any threats, vulnerabilities, or hazards identified expediently, taking into account the risk posed by the threat, vulnerability, or hazard and any countermeasures or mitigations available and implemented to reduce the risk.

1.15. Maintains a comprehensive vendor due diligence program that assesses and documents the risk associated with any vendors (including Subprocessors as defined herein) prior to their engagement by Service Provider, and periodically undertakes audits of such vendors while performing services on behalf of Service Provider to ensure ongoing compliance, including ensuring that vendor processes Snap Data strictly in accordance with Snap’s instructions.

1.16. Requires that all systems that process, store, or access Snap Data (whether directly or indirectly) are free from malware, and maintains and updates endpoint detection and response software on all systems.

1.17. Maintains change management procedures. 

1.18. Implements and maintains a comprehensive incident response program in accordance with industry standards to detect, investigate, contain, eradicate, and learn from any suspected or actual security incidents, which includes provisions to notify Snap of any such security incidents in accordance with Service Provider’s obligations herein.

1.19. Maintains controls to logically or physically separate Snap Data from the data of Service Provider and from the data of Service Provider’s other customers.

1.20. Maintains physical security and access control measures (e.g., ID cards, security desks, card readers, alarm systems, video surveillance, motion detectors, and external security) to ensure secure data processing facilities and prevent unauthorized access to any premises involved in processing Snap Data or any premises physically connected to a premise that processes Snap Data.

1.21. Maintains and complies with a robust vulnerability management and patching program, including periodic (but no less than quarterly) vulnerability scans and procedures to (a) patch and update systems and applications processing Snap Data (or connected to systems processing Snap Data) promptly in accordance with any recommendations of the manufacturer, developer, or provider of the system or application; and (b) identify, analyze, and patch any critical or significant vulnerabilities publicly disclosed or released as soon as possible, but in no event more than 21 days from disclosure.

1.22. Maintains and monitors measures to determine any unauthorized use or processing of Snap Data by users with authorized access, including periodic auditing and user behavior analysis.

1.23. Ensures (via contract and through the measures described in Section 1.15) that any Subprocessor used by Service Provider maintains controls no less secure than those contained in these Snap Minimum Security Requirements.