Orange County NC Website
b. Suspicious/Unknown File Analysis. While using certain CrowdStrike Offerings Customer may have the option to upload (by submission, configuration, and/or, in the case of Services, by CrowdStrike personnel retrieval) files and other information related to the files for security analysis and response or, when submitting crash reports, to make the product more reliable and/or improve CrowdStrike's products and services or enhance cyber-security. These potentially suspicious or unknown files may be transmitted and analyzed to determine functionality and their potential to cause instability or damage to Customer's endpoints and systems. In some instances, these files could contain Personal Data for which Customer is responsible.

4. Compliance with Privacy and Information Security Requirements

a. Compliance with Laws. CrowdStrike shall comply with all Privacy and Security Laws, the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from the European Economic Area, Switzerland, and the United Kingdom, as applicable. CrowdStrike's privacy notice may be found at http://www.crowdstrike.com/privacy-notice/. To the extent necessary to comply with Privacy and Security Laws, including but not limited to when Customer is a controller of Personal Data processed by CrowdStrike originating in the European Union, Switzerland, or the United Kingdom, the Data Protection Addendum set forth here https://www.crowdstrike.com/data-protection-agreement/ shall apply to CrowdStrike's processing of such Customer Personal Data.

b. Safeguards. CrowdStrike shall maintain appropriate technical and organizational safeguards commensurate with the sensitivity of the Customer Data and Personal Data processed by it on Customer's behalf, which are designed to protect the security, confidentiality, and integrity of such Customer Data and Personal Data and protect such Customer Data and Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, including the safeguards set forth on Appendix 1 which substantially conform to the ISO/IEC 27002 control framework. ("Information Security Controls for CrowdStrike Systems").

c. Access; Contacts. With respect to employees, agents, and subcontractors, CrowdStrike shall limit access to Customer Data and Personal Data to only those employees, agents, and subcontractors who have a need to access the Customer Data and/or Personal Data in order to carry out their roles as contemplated in the terms of this Agreement. CrowdStrike shall assign and train personnel who shall: (i) liaise with customers regarding any issues concerning the security of Customer Data and/or Personal Data; (ii) receive notice of any Security Breach discovered by CrowdStrike and provide notice of any such Security Breach to Customer; and (iii) coordinate CrowdStrike's Security Breach response and remedial action.

5. Security Breach Response

In the event CrowdStrike discovers a Security Breach, CrowdStrike shall:

a. Without undue delay but no later than 72 hours of becoming aware, notify Customer of the discovery of the Security Breach. Such notice shall summarize the known circumstances of the Security Breach and the corrective action taken or to be taken by CrowdStrike.

b. Conduct an investigation of the circumstances of the Security Breach.

c. Use commercially reasonable efforts to remediate the Security Breach.

d. Use commercially reasonable efforts to communicate and cooperate with Customer concerning its response to the Security Breach.

6. Security Assessment and Provision of Audited Security Controls. Promptly after written (including email) request from Customer, CrowdStrike shall provide Customer with: (i) its most recent SOC II, Type 2 report regarding the CrowdStrike Systems; and (ii) provide its completed Standardized Information Gathering (SIG) questionnaire (or similar document) for the CrowdStrike Systems (the "Security Documentation"). Upon the provision of reasonable notice to CrowdStrike, once every twelve months during the term of the Agreement and during normal business hours unless otherwise decided by CrowdStrike in its sole discretion, CrowdStrike shall make appropriate CrowdStrike personnel reasonably available to Customer to discuss CrowdStrike's manner of compliance with applicable security obligations under this Agreement. In advance of such discussion, CrowdStrike may, in addition to the Security Documentation, provide Customer with access to additional requested information or documentation concerning CrowdStrike's information security practices as they relate to this Agreement, including without limitation, access to any security assessment reports designed to be shared with third parties. Any information or documentation provided pursuant to this assessment process or otherwise pursuant to this Schedule shall be considered CrowdStrike's Confidential Information and subject to the Confidentiality section of the Agreement.

CrowdStrike Form May 27 2019 14 of 17