Download Ping Identity

Require Ping Identity personnel performing services under the Agreement to maintain valid non-disclosure obligations or other confidentiality agreements as deemed reasonably necessary by Ping Identity. 18.3 Ping Identity Personnel Termination and Separation. Ping Identity shall maintain personnel offboarding procedures that include revoking access promptly and a process that governs the secure return of Ping Identity assets and Customer Confidential Information for separated Ping Identity personnel. 18.4 Training and Awareness. Ping Identity shall require that all Ping Identity personnel complete upon hire and, at least annually thereafter, Ping Identity’s security awareness training including awareness of Ping Identity’s related policies and maintain records of such training completion. 19. Security Audit Report and Assessment. This clause 19 is applicable during the Subscription Term and any information shared under this clause is Confidential Information subject to the confidentiality terms in the Agreement. This clause 19 is strictly limited to Customer’s reasonable verification of Ping Identity’s compliance with its obligations under this Service Security Exhibit. 19.1 Ping Identity provides its Customers, upon their request, with a summary of Ping Identity’s then-current external audit report such as the ISO27001 Statement of Applicability, or, SOC 2 Report, including information as to whether the security audit revealed any material non-conformities in the Ping Identity Service. Ping Identity shall provide annually, or upon written request, evidence of third-party assessment and security reviews of its sub-contractors and sub-processors involved in providing the Service to Customer (collectively “Third Party Audits”). Ping Identity shall promptly inform Customer of any material issues identified

To a Security Breach shall not be construed as an acknowledgement by Ping Identity of any fault or liability with respect to the Security Breach. (c) Remediation. In the event of a Security Breach, Ping Identity, at its own expense shall: (i) investigate the actual or suspected Security Breach (ii) where a breach impacts a Customer, provide affected Customer with a remediation plan, to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, (iii) remediate the effects of the Security Breach within Ping Identity’s scope of control and (iv) reasonably cooperate with Customer and law enforcement or regulatory official investigating such Security Breach. 17. Logs. Ping Identity provides procedural mechanisms that record and examine activity in the Service, including appropriate logs and reports. Ping Identity: (i) backs-up logs, (ii) implements commercially reasonable measures to protect such logs from unauthorized modification or erasure, and (iii) retains such logs in compliance with Ping Identity’s data retention policy. 18. Human Resources Security 18.1 Employee Selection. To the extent reasonable, and permissible under applicable law, Ping Identity shall where appropriate, conduct, have conducted or otherwise require, background checks proportionate to the role for Ping Identity personnel performing services under the Agreement including professional references and criminal background checks. 18.2 Ping Identity Personnel Security Management. (a) Ping Identity shall maintain an acceptable use policy governing the use of computing resources including, without limitation, all Ping Identity Systems, that is communicated to appropriate Ping Identity Personnel. (b) Ping Identity shall

1. Security Policy Overview. 1.1. Ping Identity’s Commitment to Security. Ping Identity is committed to achieving and preserving the trust of our Customers by providing a comprehensive security program that carefully considers data protection matters across our suite of products and services, including any Customer Data submitted by Customers to the Service. 1.2. Covered Services. This documentation describes the certifications held by Ping Identity, and the administrative, technical, and physical controls applicable to the Service. This exhibit does not apply to free trial services and beta versions made available by Ping Identity. 1.3. Ping Identity may update or modify these security practices from time to time provided such updates and modifications will not result in a material degradation of the overall security of the Service. 2. Default Security Controls and Information Security Management Program. 2.1. Default Security Controls. The Service includes a variety of configurable security controls that allow Ping Identity Customers to tailor the security of the Service for their own use. Ping Identity personnel will not set a defined password for a user. Each Customer’s users are provided with a token that they can use to set their own password in accordance with the applicable Customer’s password policy. Ping Identity strongly encourages all customers, where applicable in their configuration of the Service’s security settings, to use the multi-factor authentication features made available by Ping Identity. 2.2. Information Security Management Program. Ping Identity maintains a comprehensive Information Security Management System (“ISMS”) that contains administrative, technical, and physical safeguards that

Term of the Agreement. 2.4. Policies and Standards. Ping Identity maintains policies or standards addressing the following areas which include but are not limited to: risk management, information security, acceptable use, access control, software development lifecycle, change control, vulnerability management, data classification, encryption, data retention, incident response, backup and recovery, and business continuity. 2.5. Risk Management. Ping Identity maintains a documented risk management program that includes a risk assessment at least annually approved by senior management. 2.6. Assigned Security Responsibility. Ping Identity assigns responsibility for the development, implementation, and maintenance of its ISMS, including: (a) Designating a security executive with overall responsibility; and (b) Defining security roles and responsibilities for individuals with security responsibilities within Ping Identity. 3. Relationship with Sub-processors. Ping Identity conducts reasonable due diligence and security assessments of sub-processors engaged by Ping Identity in the storing and/or processing of Customer Data (“Sub- processors”) and enters into agreements with Sub-processors that contain provisions similar or more stringent than those provided for in this security documentation. 4. Disciplinary Policy and Process. Ping Identity maintains a disciplinary policy and process in the event Ping Identity personnel violate security policies. 5. Access Controls. 5.1 Access Control Policies and Procedures. Ping Identity has policies, procedures, and logical controls that are designed: (a) To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (b) To prevent personnel and others who should not have access from obtaining access; and (c) To remove access

In a timely basis in the event of a change in job responsibilities or job status. Additionally, Ping Identity institutes: (d) Controls to ensure that only those Ping Identity personnel with an actual need-to-know will have access to any Customer Data; (e) Controls to ensure that all Ping Identity personnel who are granted access to any Customer Data are based on least-privilege principles; (f) Controls to require that user identifiers (User IDs) shall be unique and readily identify Ping Identity person to whom it is assigned, and no shared or group User IDs shall be used for Ping Identity personnel access to any Customer Data; and (g) Customer User Authentication. Password and other strong authentication controls are made available to Ping Identity customers, so that Customer can configure the Service to be in compliance with NIST guidance addressing locking out, uniqueness, reset, expiration, termination after a period of inactivity, password reuse limitations, length, expiration, and the number of invalid login requests before locking out a user. Customers are responsible for the configuration and management of the authentication requirements for their end users. 5.2. Physical and Environmental Security. Data center physical and environmental security controls are managed by approved third parties who operate tier 4 and 5 data centers. 5.3. Privileged Access by Ping Identity. If Ping Identity determines, in its reasonable discretion, that a Customer environment is impacting the availability or performance of the Services due to Customer’s misconfiguration or a security incident, Ping Identity may use restricted privileged access

; (g) Recovery: appropriate steps shall be taken to restore any and all affected systems to a functionally optimal state; (h) Documentation: all material actions taken during the incident response process shall be documented for internal analysis and communication to internal and external stakeholders and customers who experience a security breach with material impact on their data or environment; (i) Retrospective analysis: internal analysis of actions taken during the incident response process shall be reviewed by relevant stakeholders to determine the efficacy of the response process and document any further actions that may improve the operation of the incident response process if invoked in the future. Ping Identity publishes system status information on the Ping Identity website. For PingOne Advanced Services and PingOne Advanced Identity Cloud only, Ping Identity typically notifies customers of significant system incidents by email to the listed admin contact, and for availability incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident and Ping Identity’s response. 16. Security Breach Management. (a) Notification. In the event of a Security Breach, Ping Identity notifies impacted customers of such Security Breach without undue delay and, where required, within time limits defined by law. Ping Identity shall cooperate with the Customer’s reasonable request for information regarding such Security Breach, and Ping Identity provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken. (b) No Acknowledgement of Fault by Ping Identity. Ping Identity’s notification of or response