Orange County NC Website
CrowdStrike Form May 27 2019 14 of 17

b. Suspicious/Unknown File Analysis. While using certain CrowdStrike Offerings Customer may have the option to upload (by submission, configuration, and/or, in the case of Services, by CrowdStrike personnel retrieval) files and other information related to the files for security analysis and response or, when submitting crash reports, to make the product more reliable and/or improve CrowdStrike’s products and services or enhance cyber-security. These potentially suspicious or unknown files may be transmitted and analyzed to determine functionality and their potential to cause instability or damage to Customer’s endpoints and systems. In some instances, these files could contain Personal Data for which Customer is responsible.

4. Compliance with Privacy and Information Security Requirements

a. Compliance with Laws. CrowdStrike shall comply with all Privacy and Security Laws, the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from the European Economic Area, Switzerland, and the United Kingdom, as applicable. CrowdStrike’s privacy notice may be found at http://www.crowdstrike.com/privacy-notice/. To the extent necessary to comply with Privacy and Security Laws, including but not limited to when Customer is a controller of Personal Data processed by CrowdStrike originating in the European Union, Switzerland, or the United Kingdom, the Data Protection Addendum set forth here https://www.crowdstrike.com/data-protection-agreement/ shall apply to CrowdStrike’s processing of such Customer Personal Data.

b. Safeguards. CrowdStrike shall maintain appropriate technical and organizational safeguards commensurate with the sensitivity of the Customer Data and Personal Data processed by it on Customer’s behalf, which are designed to protect the security, confidentiality, and integrity of such Customer Data and Personal Data and protect such Customer Data and Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, including the safeguards set forth on Appendix 1 which substantially conform to the ISO/IEC 27002 control framework. (“Information Security Controls for CrowdStrike Systems”).

c. Access; Contacts. With respect to employees, agents, and subcontractors, CrowdStrike shall limit access to Customer Data and Personal Data to only those employees, agents, and subcontractors who have a need to access the Customer Data and/or Personal Data in order to carry out their roles as contemplated in the terms of this Agreement. CrowdStrike shall assign and train personnel who shall: (i) liaise with customers regarding any issues concerning the security of Customer Data and/or Personal Data; (ii) receive notice of any Security Breach discovered by CrowdStrike and provide notice of any such Security Breach to Customer; and (iii) coordinate CrowdStrike’s Security Breach response and remedial action.

5. Security Breach Response

In the event CrowdStrike discovers a Security Breach, CrowdStrike shall:

a. Without undue delay but no later than 72 hours of becoming aware, notify Customer of the discovery of the Security Breach. Such notice shall summarize the known circumstances of the Security Breach and the corrective action taken or to be taken by CrowdStrike.

b. Conduct an investigation of the circumstances of the Security Breach.

c. Use commercially reasonable efforts to remediate the Security Breach.

d. Use commercially reasonable efforts to communicate and cooperate with Customer concerning its response to the Security Breach.

6. Security Assessment and Provision of Audited Security Controls. Promptly after written (including email) request from Customer, CrowdStrike shall provide Customer with: (i) its most recent SOC II, Type 2 report regarding the CrowdStrike Systems; and (ii) provide its completed Standardized Information Gathering (SIG) questionnaire (or similar document) for the CrowdStrike Systems (the “Security Documentation”). Upon the provision of reasonable notice to CrowdStrike, once every twelve months during the term of the Agreement and during normal business hours unless otherwise decided by CrowdStrike in its sole discretion, CrowdStrike shall make appropriate CrowdStrike personnel reasonably available to Customer to discuss CrowdStrike’s manner of compliance with applicable security obligations under this Agreement. In advance of such discussion, CrowdStrike may, in addition to the Security Documentation, provide Customer with access to additional requested information or documentation concerning CrowdStrike’s information security practices as they relate to this Agreement, including without limitation, access to any security assessment reports designed to be shared with third parties. Any information or documentation provided pursuant to this assessment process or otherwise pursuant to this Schedule shall be considered CrowdStrike’s Confidential Information and subject to the Confidentiality section of the Agreement.