Data Processing Addendum
The Services include customer-configurable security controls that allow Customer to tailor the security of the Services for its own use. These controls include:
- Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.
The Services include effective controls to prevent the classes of software vulnerabilities relevant to the Services, the design of the services, and the software languages used in the delivery of the services. For general web applications, these vulnerability classes include, but are not limited to:
- SQL injection
- Cross-site scripting
- Cross-site request forgery
- Session fixation
- Sensitive cookies permitted to be sent over insecure channels
- Buffer overflows
- Command injection
- Directory traversal
- Insecure third-party domain access and cross-domain policies
- HTTP response splitting
- Unauthorized privilege escalation
- Use of HTTPS with protocols other than SSLv3 or TLS
- Use of SSL/TLS with null ciphers or ciphers using symmetric keys of less than 128 bits in length
- Returning verbose error information to clients
- Exposing cryptography errors to clients (e.g. incorrect padding)
- Arbitrary redirection
Security Procedures, Policies and Logging
The Services are operated in accordance with the following procedures to enhance security:
- User credentials or credential equivalents stored on Elastic Projects’ third-party hosting services provider’s servers or in persistent cookies are not stored in a format from which the original password can be derived (e.g. plaintext, or encryption other than one-way hashes) or easily discovered by brute-force attacks given knowledge of the stored representation.
- User access log entries will be maintained, containing date, time, User ID, URL executed or entity ID operated on, operation performed (viewed, edited, etc.) and source IP address. Customer acknowledges that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP.
- Logging will be kept for a minimum of 90 days.
- Logging will be kept in a secure area to prevent tampering.
- Passwords are not logged under any circumstances.
Elastic Projects, or an authorized third party, will monitor the Services for unauthorized intrusions using network-based intrusion detection mechanisms.
Access to the Services requires a valid User ID and password combination, which are encrypted via SSL while in transmission. A random session ID cookie greater than or equal to 128 bits in length is used to uniquely identify each User.
Elastic Projects shall ensure that all Elastic Projects systems, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable the security audits referred to herein.
Elastic Projects maintains security incident management policies and procedures, including detailed security incident escalation procedures. Elastic Projects will promptly notify Customer in the event Elastic Projects becomes aware of an actual or reasonably suspected unauthorized disclosure of Customer Data.
Right to Audit Reports of Security Procedures
Elastic Projects agrees that, at least once per year and after any security incident in which Customer Data is accessed by or disclosed to a third party, it will: (a) undergo an industry-accepted third-party audit or assessment and, upon request from Customer, furnish evidence of successful completion of the audit or assessment; and (b) make commercially reasonable efforts to remediate, in a timely manner, any critical and high severity issues identified during any third-party audit, assessment, and/or penetration test.
SOC 2 Report
Subject to reasonable confidentiality obligations consistent with generally accepted industry practices regarding such report, once per year during the term of the Agreement Elastic Projects will, upon request, provide Customer with a SOC 2 Report from Elastic Projects’ third-party hosting services provider. The provision of such SOC 2 Report will be considered to fulfill the requirements of Clauses 5(f) and 12(2) of the Standard Contract Clauses.
Elastic Projects’ third-party hosting services provider maintains data centers with an access system that controls entry to the data center. Such controls are designed to ensure that only authorized personnel have access to secure areas. Elastic Projects’ third-party hosting services provider’s facility is also designed to withstand adverse weather and other reasonably predictable natural conditions, and is secured by guards and access screening.
Reliability and Backup
All networking components, SSL accelerators, load balancers, web servers and application servers are deployed in a redundant configuration. All Customer Data is stored on a primary database server that is clustered with a backup database server for redundancy. All Customer Data is stored on carrier-class disk storage using RAID disks and multiple data paths. All Customer Data, up to the last committed transaction, is automatically backed up on a regular basis.
Elastic Projects has a disaster recovery facility or facilities that are geographically remote, along with required hardware, software, and Internet connectivity, in the event Elastic Projects production facilities at the primary data center were to be rendered unavailable.
Elastic Projects will make commercially reasonable efforts to ensure that the Services will not introduce any viruses to Customer’s systems. Customer will make commercially reasonable efforts to ensure that content uploaded into the Services by Customer will not introduce any viruses into Elastic Projects’ systems.
Elastic Projects uses industry-accepted encryption products to protect Customer Data and communications during transmission between Customer’s network and the Services, including HTTPS over TLS at a minimum of 256 bits. Elastic Projects will encrypt data at rest using industry-standard algorithms.
System Changes and Enhancements
Elastic Projects plans to enhance and maintain the Services during the term of the Agreement. Security controls, procedures, policies and features may change or be added. Elastic Projects will provide security controls that deliver a level of security protection that is not materially lower than that provided as of the Effective Date.