Third Party Security Requirements

1. Scope

Supplier will comply in all respects with Amazon’s information security requirements as set forth in these third-party security requirements (the “Security Policy”). The Security Policy applies to Supplier’s performance under the Agreement and all Processing of, and Security Incidents involving, Amazon Information. This Security Policy does not limit other obligations of Supplier, including under the Agreement or laws that apply to Supplier, Supplier’s performance under the Agreement, or the Permitted Purpose. To the extent this Security Policy conflicts with the Agreement, Supplier will promptly notify Amazon of the conflict and will comply with the requirement that is more restrictive and protective of Amazon Information (which may be designated by Amazon). These commitments apply to Supplier and its Personnel.


2. Definitions

The following definitions apply to this Security Policy.

2.1 “Aggregate” means to combine or store Amazon Information with any data or information of Supplier or any third party.

2.2 “Amazon Information” means: (a) all Amazon Confidential Information (as defined in the Agreement or in the non-disclosure agreement between the parties); (b) all other data, records, files, content or information received from Amazon or its affiliates and Processed by Supplier in connection with the Agreement; and (c) data derived from (a) or (b), even if Anonymized.

2.3 “Confidentiality, Integrity, and Availability” refers to the three properties of the information-security model known as the “CIA Triad.” Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes. Integrity is the property that data or information have not been altered or destroyed in an unauthorized manner. Availability is the property that data or information is accessible and useable upon demand by an authorized person.

2.4 “Personnel” means Supplier’s or Subcontractor’s employees, agents, subcontractors, and other authorized users of its systems and network resources.

2.5 “Physical, Administrative, and Technical Safeguards” refers to the controls an organization implements to maintain information security. Physical safeguards address physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Administrative safeguards address administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic data or information and to manage the conduct of Personnel in relation to the protection of that data or information. Technical safeguards address the technology, and the policies and procedures for its use, that protect electronic data or information and control access to it.

2.6 “Process” means to perform any operation or set of operations on data, such as access, use, collection, receipt, storage, alteration, transmission, dissemination or otherwise making available, erasure, or destruction.


3. Permitted Purposes

Supplier will Process Amazon Information only as follows (each, a “Permitted Purpose”):

3.1 Authorized data. Supplier may Process only the Amazon Information expressly authorized under the Agreement. If there is no express authorization, Supplier may Process only the Amazon Information necessary to perform the services under the Agreement.

3.2 Only for purposes expressly authorized. Supplier may Process Amazon Information only for purposes expressly authorized under the Agreement.

3.3 Sale or other transfer prohibited. Supplier will not transfer, rent, barter, trade, sell, loan, lease, or otherwise distribute or make any Amazon Information available to any third party.

3.4 Data aggregation prohibited. Supplier will not Aggregate Amazon Information, even if anonymized or pseudonymized, except as expressly authorized under the Agreement.


4. Information Security Requirements

4.1 General security requirement. Supplier will maintain Physical, Administrative, and Technical safeguards consistent with industry-accepted best practices [(including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or other similar industry standards for information security)] to protect the Confidentiality, Integrity, and Availability of Amazon Information.

4.2 Specific safeguard requirements. In addition to following the above standards, Supplier’s information security program will include, at a minimum, the following safeguards and controls:

4.2.1 Written information security program. Supplier shall implement a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. The program will apply to Supplier’s employees, agents, subcontractors, and suppliers. Supplier will maintain a process to monitor and enforce program compliance and log program violations.

4.2.2 Security awareness training. Supplier will provide periodic security training to its Personnel on relevant threats and business requirements [such as social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting].

4.2.3 Data inventory. Supplier will document and maintain information regarding how and where Amazon Information is Processed while in Supplier’s possession or control.

4.2.4 Secure configurations. Supplier shall manage security configurations of its systems using industry best practices to protect Amazon Information from exploitation through vulnerable services and settings.

4.2.5 Controlled use of administrative privileges. Supplier shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices.

4.2.6 Vulnerability and patch management. Supplier will maintain a process to timely identify and remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Amazon Information.

4.2.7 Maintenance, monitoring, and analysis of audit logs. Supplier will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect Amazon Information. Logs will be kept and maintained for at least 18 months. [In a multi-tenant environment with a shared responsibility model (e.g. a SaaS), Supplier shall associate all logs with a unique Amazon implementation id, and provide this information to Amazon upon request.]

4.2.8 Malware defenses. Supplier will deploy anti-malware software [to, and configure it on, all workstations and servers on Supplier’s network] to control and detect the installation, spread, and execution of malicious code.

4.2.9 Firewalls. Supplier will maintain and configure firewalls to protect systems containing Amazon Information from unauthorized access. Supplier will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.

4.2.10 Suitable environment. Data will be used only in an environment suitable to its purpose. Production data will not be used on test equipment, and test data will not be used on production equipment.

4.2.11 Change management. Changes to production systems will be tracked, recorded, and reviewed.

4.2.12 Disablement of services. Supplier will disable all unnecessary services, protocols, and ports. Authorized services must be documented with a business justification and be approved.

4.2.13 Encryption. Supplier will encrypt all Amazon Information at rest and when in transit across open networks in accordance with industry best practices. Upon Amazon’s written request, Supplier will confirm that all copies of encryption keys have been securely deleted.

4.2.14 Access controls. Supplier will implement the following access controls with respect to Amazon Information:

(a) Unique IDs. Supplier will assign individual, unique IDs to all Personnel with access to Amazon Information, including accounts with administrative access. Accounts with access to Amazon Information must not be shared.

(b) Need-to-know. Supplier will restrict access to Amazon Information to only those Personnel with a “need-to-know” for a Permitted Purpose.

(c) User access review. Supplier will periodically review Personnel and services with access to Amazon Information and remove accounts that no longer require access. [This review must be performed at least once every 90 days.]

4.2.15 “In bulk” access. Except where expressly authorized by Amazon in writing, Supplier will not access, and will not permit access to, Amazon Information “in bulk” whether the Amazon Information is in an Amazon- or Supplier-controlled database or stored in any other method, including storage in file-based archives (e.g., flat files).

(a) Definition of “in bulk” access. For purposes of this section, “in bulk” access means accessing data by means of database query, report generation, or any other mass transfer of data.

(b) “In bulk” safeguards. Supplier will implement appropriate Physical, Administrative, and Technical Safeguards—including access controls, logging [of all attempted or successful “in bulk” access], and monitoring to prevent and detect “in bulk” access to Amazon Information or, where authorized by Amazon, to (1) limit such access only to specified employees with a “need to know”, and (2) require explicit authorization and logging of all “in bulk” access.

(c) “In bulk” log access. Upon Amazon’s request, Supplier will provide to Amazon all logs on “in bulk” access referenced in this section.

4.2.16 Account and password management. Supplier will implement account and password management policies to protect Amazon Information, including, but not limited to:

(a) No default passwords. Before deploying any new hardware, software, or other asset, Supplier will change all default and manufacturer-supplied passwords to a password consistent with the password strength requirements in subsection (c).

(b) Inventory of administrative accounts. Supplier will maintain an inventory of all administrator accounts with access to Amazon Information and will provide a list of these accounts to Amazon at Amazon’s request.

(c) Password strength. Supplier will ensure that all Personnel use strong passwords by enforcing the following minimum requirements:

  • passwords must be a minimum length of 8 characters;
  • passwords may not match commonly used, expected, or compromised passwords; and
  • Supplier must force a password change if there is evidence the password may have been compromised.

(d) Credential encryption. Encrypted passwords and other secrets shall be stored in an industry-accepted form that is resistant to offline attacks.

(e) Rate limiting. Supplier shall implement an industry-accepted rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on a user’s account.
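The controls in Section 4.2.16(c) through (e) can be checked mechanically. The following is an added example written for this page, not Amazon's code or a required implementation: it enforces the minimum length and a deny list of common or compromised passwords, stores credentials as salted scrypt hashes (an industry-accepted form resistant to offline attack), flags an account for forced change when compromise is suspected, and locks an account after repeated failed authentication attempts. The deny list, the lockout threshold of 5 attempts, and the 300-second lockout window are illustrative assumptions, not values taken from the Security Policy.

```python
"""Added example of the 4.2.16 account and password controls (not Amazon's code).

Assumptions (illustrative, not from the Security Policy): a small constructed
deny list stands in for a real breached/common-password corpus, and lockout
parameters of 5 failed attempts / 300 seconds.
"""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8          # 4.2.16(c): minimum password length
MAX_FAILED = 5          # assumed lockout threshold for 4.2.16(e)
LOCKOUT_SECONDS = 300   # assumed lockout window for 4.2.16(e)

# Constructed deny list standing in for a commonly-used / compromised password list.
DENY_LIST = {"password", "12345678", "qwertyui", "admin123", "changeme"}

# scrypt parameters: 16 MiB of memory per hash, a reasonable interactive cost.
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def password_acceptable(pw: str) -> tuple[bool, str]:
    """4.2.16(c): reject short passwords and anything on the deny list."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if pw.lower() in DENY_LIST:
        return False, "common or compromised password"
    return True, "ok"


def hash_password(pw: str) -> bytes:
    """4.2.16(d): salted, memory-hard hash; returns salt || digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, **_SCRYPT)
    return salt + digest


def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(pw.encode(), salt=salt, **_SCRYPT)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class AccountStore:
    """In-memory account store with per-account failed-attempt rate limiting."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable for deterministic testing
        self._accounts = {}          # username -> account record

    def create(self, user: str, pw: str) -> None:
        ok, reason = password_acceptable(pw)
        if not ok:
            raise ValueError(reason)
        self._accounts[user] = {
            "hash": hash_password(pw),
            "failed": 0,
            "locked_until": 0.0,
            "must_change": False,
        }

    def mark_compromised(self, user: str) -> None:
        """4.2.16(c): force a change when the password may be compromised."""
        self._accounts[user]["must_change"] = True

    def authenticate(self, user: str, pw: str) -> str:
        """Returns one of: ok, denied, locked, change_required."""
        acct = self._accounts.get(user)
        now = self._clock()
        if acct is None:
            hash_password(pw)  # burn the same KDF cost so unknown users are not distinguishable by timing
            return "denied"
        if now < acct["locked_until"]:
            return "locked"
        if not verify_password(pw, acct["hash"]):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED:       # 4.2.16(e): rate limit failures
                acct["locked_until"] = now + LOCKOUT_SECONDS
                acct["failed"] = 0
                return "locked"
            return "denied"
        acct["failed"] = 0
        if acct["must_change"]:
            return "change_required"
        return "ok"
```

In a real deployment the deny list would be replaced by a breached-password service or a locally mirrored corpus, and the lockout state would live in shared storage so that an attacker cannot bypass the limit by spreading attempts across application instances.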

4.2.17 Remote access; multi-factor authentication required. Supplier will implement multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access to (i) any network, system, application, or other asset containing Amazon Information; or (ii) Supplier’s corporate or development networks.

4.2.18 Data segregation. Except where expressly authorized by Amazon in writing, Supplier will logically [and physically] isolate Amazon Information at all times from Supplier’s and any third-party information.

4.2.19 Security testing. Supplier will conduct periodic internal and external penetration testing of systems that Process Amazon Information to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities shall be addressed as part of Supplier’s vulnerability management program.

4.2.20 Personnel security and nondisclosure. Amazon may condition access to Amazon Information by Supplier Personnel on Supplier Personnel’s execution and delivery to Amazon of individual nondisclosure agreements, the form of which is specified by Amazon. [If requested by Amazon, Supplier will obtain and deliver to Amazon signed individual nondisclosure agreements from Supplier Personnel that will have access to Amazon Information before granting such Personnel access.]

4.3 PCI DSS requirements. If, in the course of its engagement by Amazon, Supplier has access to or will Process credit, debit, or other payment cardholder information, Supplier shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements (in addition to the minimum requirements in Section 4.2), and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.

4.4 Subcontracts. Except as expressly set forth in the Agreement, Supplier will not subcontract or delegate any of its obligations under this Security Policy to any subcontractors, affiliates, or delegates (“Subcontractors”) without Amazon’s prior written consent.

4.5 Access to Amazon Extranet and Supplier portals. Amazon may grant Supplier Personnel access to Amazon Information via web portals or other non-public websites or extranet services on Amazon’s or a third party’s website or system (each, an “Extranet”) for the Permitted Purposes. If Amazon permits Supplier to access any Amazon Information using an Extranet, Supplier must comply with the following requirements:

4.5.1 Permitted Purpose. Supplier and its Personnel will access the Extranet, and will access, collect, use, view, retrieve, download, or store Amazon Information from the Extranet, solely for the Permitted Purpose.

4.5.2 Accounts. Supplier will ensure that Supplier Personnel use only the Extranet account(s) designated for each individual by Amazon and will require Supplier personnel to keep their access credentials confidential. Accounts are not to be shared.

4.5.3 Systems. Supplier will access the Extranet only through computing or processing systems or applications running operating systems managed by Supplier and that include: (i) system network firewalls in accordance with Section 4.2.9 (firewalls); (ii) centralized patch management in compliance with Section 4.2.6 (vulnerability and patch management); (iii) operating system appropriate anti-malware software in accordance with Section 4.2.8 (malware defenses); and (iv) for portable devices, full disk encryption.

4.5.4 Restrictions. Except if approved in advance in writing by Amazon, Supplier will not download, mirror, or permanently store any Amazon Information from any Extranet on any medium, including any machines, devices, or servers.

4.5.5 Account termination. Supplier will terminate the account of each of Supplier’s Personnel, and notify Amazon, no later than 24 hours after any specific Supplier Personnel who has been authorized to access any Extranet (a) no longer needs access to Amazon Information or (b) no longer qualifies as Supplier Personnel (e.g., the individual leaves Supplier’s employment).

4.6 Amazon sub-domains or URLs. Any (sub)domain or URL that Supplier provisions for Amazon’s sole use during the contracted period must not be issued or re-used for a non-Amazon customer for [3-5] years after Amazon terminates use of the service.


5. Data Retention, Return, and Destruction

5.1 Retention. Supplier will retain Amazon Information only as necessary for the Permitted Purposes.

5.2 Return and secure deletion of Amazon Information. At any time during the term of the Agreement at Amazon’s request, or upon the termination or expiration of the Agreement for any reason, Supplier shall, within 5 business days (or 30 calendar days for data in backup or online storage), return to Amazon and securely delete all copies of Amazon Information in its possession or control. Supplier shall confirm in writing that all copies of Amazon Information have been returned and securely deleted.

5.3 Archival copies. If Supplier is required by law to retain archival copies of Amazon Information for tax or similar regulatory purposes, Supplier shall (i) not use the archived information for any other purpose; and (ii) remain bound by its obligations under this agreement, including, but not limited to, its obligations to protect the information using appropriate safeguards and to notify Amazon of any Security Incident involving the information.

5.4 Deletion standard. All Amazon Information deleted by Supplier will be securely deleted using an industry-accepted practice designed to prevent data from being recovered using standard disk and file recovery utilities (e.g., secure overwriting, degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, shredding, or mechanical disintegration). With respect to Amazon Information encrypted in compliance with this Security Policy, Supplier may delete data by permanently and securely deleting all copies of the encryption keys.

5.5 Media destruction. Before permanently discarding or disposing of storage media that (1) Supplier has physical access to or control of (e.g., laptop hard drives, desktop hard drives, USB or “thumb” drives, backup media, hard drives used in the Supplier’s own data center, or other portable storage media) and (2) contains, or has at any time contained, Amazon Confidential Information, Supplier will destroy the storage media using a technique designed to render the media unusable and the data unrecoverable (e.g., disintegration, incineration, pulverizing, shredding, and melting). This section shall not apply to storage media that Supplier does not have physical access to or control of, such as storage media used in a public cloud or other third-party environment. In such cases, Supplier shall ensure that all Amazon Confidential Information stored in the third-party environment is securely deleted when no longer needed using an industry-accepted practice (see Section 5.4, Deletion standard).


6. Security Reviews and Audits

6.1 Vendor assessment questionnaires. Upon Amazon’s request, Supplier will complete a new Amazon risk assessment questionnaire.

6.2 Compliance with agreement. Upon Amazon’s request, Supplier will confirm to Amazon in writing Supplier’s compliance with this Agreement.

6.3 Other reviews; audits. Upon Amazon’s written request, to confirm Supplier’s compliance with this Agreement, Supplier grants Amazon or, at Amazon’s election, a third party on Amazon’s behalf, permission to perform an assessment, audit, examination, or review of the Physical, Administrative, and Technical Safeguards in place to protect Amazon Information Processed by Supplier under the Agreement. Supplier shall fully cooperate with the assessment.

6.4 Remediation. Supplier will promptly address any exceptions or deficiencies identified during Amazon’s security review or in any audit report, by developing and implementing a corrective action plan agreed to by Supplier and Amazon, at Supplier’s sole expense.


7. Security Incidents

7.1 Security Incident defined. A “Security Incident” is (i) any actual or suspected compromise of the Confidentiality, Integrity, or Availability of Amazon Information; (ii) any actual or suspected compromise of, or unauthorized access to, any system that Processes Amazon Information that presents a risk to the Confidentiality, Availability, or Integrity of Amazon Information; or (iii) receipt of a complaint, report, or other information regarding the potential compromise or exposure of Amazon Information Processed by Supplier.

7.2 Incident response plan. Supplier shall maintain a written incident response plan and provide a copy of the plan to Amazon upon request. Supplier will remedy each Security Incident in a timely manner following its response plan and industry best practices.

7.3 Notice required. Supplier will notify Amazon of any Security Incident within 48 hours of becoming aware of the Security Incident.

7.4 Cooperation with Amazon’s investigation. Supplier will reasonably cooperate with Amazon in Amazon’s handling of a Security Incident, including, without limitation: (i) coordinating with Amazon on Supplier’s response plan; (ii) assisting with Amazon’s investigation of the Security Incident; (iii) facilitating interviews with Supplier’s Personnel and others involved in the Security Incident or response; and (iv) making available all relevant records, logs, files, data reporting, forensic reports, investigation reports, and other materials required for Amazon to comply with applicable laws, regulations, or industry standards, or as otherwise required by Amazon.

7.5 Third-party notifications. Supplier agrees that it shall not notify any third party (including any regulatory authority or customer) of any Security Incident without first obtaining Amazon’s prior written consent. Further, Supplier agrees that Amazon shall have the sole right to determine: (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, or others; and (ii) the form and contents of such notice.


8. Notice of Legal Process

Supplier will inform Amazon within 48 hours when Amazon’s data is being sought in response to legal process or other applicable law (e.g., 18 U.S.C. § 2705(b)).
