These Information Security Terms (“Security Terms”) are part of any Agreement between Yahoo! and any entity (“Company”) into which these Security Terms have been incorporated by reference (the “Business Agreement”). Except for the terms defined herein, capitalized terms used herein are defined in the Business Agreement.
1. Definitions
Contaminant: Any instrument that is suspected or known by either Party to modify, damage, destroy, record, misuse, distribute, or transmit information to, from, or within The System without intention or permission of the Parties. Contaminant includes, but is not limited to, viruses or worms that may be self-replicating or self-propagating and may be designed to (a) contaminate other components of The System, (b) consume resources, (c) modify, destroy, record, or transmit data, or (d) in some other fashion alter the operation of The System.
Permitted Use: Company’s use of Yahoo! Data shall be limited to only those uses necessary to the activities Company is authorized under the Business Agreement to perform.
Security Issue: (i) Any known or suspected condition in or affecting The System that could compromise the security, confidentiality, or integrity of Yahoo! Data or The System or impair Yahoo!’s ability to meet legal obligations; or (ii) Any unauthorized disclosure or unauthorized use of Yahoo! Data in the possession or under the control or direction of Company.
Security Testing: Examination of The System, directly or indirectly through interfaces to which Yahoo!, its agents, and/or Yahoo! Affiliates have access without the need for Company coordination, by manual interaction with or automated test cases that can identify and/or diagnose, or are intended to identify and/or diagnose, Security Issues.
Security Review: Examination of The System or information related to the security of The System requiring the assistance of or coordination with Company that can identify and/or diagnose, or are intended to identify and/or diagnose, Security Issues.
The System: Any and all components owned, operated, or provided by Company or on behalf of Company, that are involved in performing Company’s obligations under the Business Agreement, including, but not limited to, networks, databases, software, computer systems, backups, devices, processes, documentation, data, and physical premises.
Yahoo! Affiliate: Any partnership, limited liability company, corporation, or other entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with Yahoo! or in which Yahoo! owns an ownership interest of twenty percent (20%) or more.
Yahoo! Data: For the purposes of these Security Terms, Yahoo! Data includes: (a) data and information of Yahoo!, its employees and its users; or (b) “Yahoo! Data” as defined in the Business Agreement, and any copies, reproductions, duplications, and onsite or offsite backups thereof, whether in whole or in part.
Yahoo! ID: A user-specific identifier issued or authorized by Yahoo! which, when combined with a password, provides credentialed access to Yahoo! or Yahoo! Affiliate services.
Company ID: A user-specific identifier provided to the Company by Yahoo! for the purpose of identifying a user.
2. The System Security.
A. Operational Requirements:
i. Company will ensure that The System, excluding physical premises, is at all times securely configured, including, but not limited to, (a) disabling all unnecessary services or features, and (b) closing all known and all published security deficiencies therein, including updates and subsequently identified publications thereof.
ii. Company will apply all applicable security patches for The System as soon as possible after any such patch becomes available, but in no event more than thirty (30) calendar days after the release of any such patches.
iii. Company will continuously maintain industry-standard firewall protection for The System. Company will test its perimeter router and firewall devices no less than quarterly for unsafe configurations and vulnerabilities. Unless an alternate method is mutually agreed upon by Yahoo! and Company, in a signed written agreement, tests shall be conducted in a manner consistent with the PCI DSS Security Scanning Procedures, provided however, Company may perform the tests in lieu of using a third party.
iv. Company will make commercially reasonable efforts to ensure that The System components are free of known or suspected Contaminants. Such efforts will include, but are not limited to, running anti-virus software on all Windows systems, updating signatures no less than daily, conducting at least biweekly Contaminant sweeps of The System and purging all Contaminants found. Company will use commercially reasonable efforts to not transmit or distribute Contaminants. Any transmission or distribution of Contaminants is a Security Issue.
B. Design Requirements:
i. Throughout the term of these Security Terms, Company will ensure that The System is not and remains not vulnerable to any issue listed in OWASP Top Ten, found at: http://www.owasp.org, as updated from time to time. If the OWASP Top Ten ceases to exist or becomes obsolete, Yahoo! may designate a successor or replacement list thereafter, and Company will use that list in place of the OWASP Top Ten in performing Company’s obligations under this section.
ii. Company will ensure that warnings are not generated by The System on A-grade browsers according to Yahoo!’s Graded Browser Support (currently found here and incorporated by reference: http://developer.yahoo.com/yui/articles/gbs/), as such list and associated URL may be independently updated by Yahoo! from time to time.
a. Where data must be encrypted under the terms of these Security Terms, the Business Agreement, or applicable law, Company will sign and encrypt using a Yahoo!-approved algorithm.
1. The following algorithms are pre-approved by Yahoo!:
e) The MD5-based signature scheme used for Yahoo! APIs as described on http://developer.yahoo.com, as such scheme may be independently updated by Yahoo! from time to time
2. Other algorithms must be specifically approved by Yahoo!’s security team in writing prior to use and will be subject to any limitations prescribed by Yahoo! in its approval.
b. Company will store and distribute cryptographic keys, shared secrets, and passwords (collectively “Secrets”) in encrypted form. Secrets used by automated processes may only be stored in an unencrypted file when the file:
1. can only be accessed by the automated process;
2. cannot be accessed by the automated process after initialization;
3. is only available to servers running the automated process;
4. is not backed up in unencrypted form; and
5. is not stored on a shared file system.
c. Components of The System that verify a password must only store a salted, cryptographically secure hash of the password for verification.
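One way to meet requirement 2.B.c in code, shown as an added example that is not part of the Security Terms: only a per-user random salt and a PBKDF2-HMAC-SHA256 digest are stored, verification recomputes the digest and compares it in constant time, and an audit helper explains why a stored credential (plaintext, short salt, low iteration count) would fall short. The record format and the minimum salt/iteration values are assumptions chosen for illustration.

```python
"""Salted, cryptographically secure password storage (section 2.B.c).

Added example, not part of the Security Terms. The record format
("pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>") and the minimums
below are assumptions for illustration only.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed minimums for a record to count as compliant in this example.
MIN_SALT_BYTES = 16
MIN_ITERATIONS = 100_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Return a self-describing record holding a per-user random salt and a
    PBKDF2-HMAC-SHA256 digest; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(MIN_SALT_BYTES)  # fresh salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex),
                                        int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex/int
        return False


def audit_record(record: str) -> List[str]:
    """List the reasons a stored credential fails the salted-hash requirement
    under the assumed minimums; an empty list means it is compliant."""
    problems: List[str] = []
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return ["not a salted hash record (plaintext or unknown scheme)"]
    _, iterations, salt_hex, digest_hex = parts
    try:
        if int(iterations) < MIN_ITERATIONS:
            problems.append(f"iterations below {MIN_ITERATIONS}")
        if len(bytes.fromhex(salt_hex)) < MIN_SALT_BYTES:
            problems.append(f"salt shorter than {MIN_SALT_BYTES} bytes")
        if len(bytes.fromhex(digest_hex)) != hashlib.sha256().digest_size:
            problems.append("digest length does not match SHA-256")
    except ValueError:
        problems.append("iterations, salt or digest is not well formed")
    return problems


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                         # False
    # Constructed non-compliant records for comparison:
    print(audit_record("hunter2"))
    print(audit_record(hash_password("x", salt=b"\x00" * 4, iterations=1000)))
```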
C. Access Control:
i. Company will permit access to The System only to authorized persons on a need-to-know-basis.
ii. The System, excluding physical premises, must at all times be protected by an authentication system that complies with the following requirements: (i) passwords must be reasonably complex; (ii) use of privileged accounts must be minimized; (iii) authentication credentials must not be shared; (iv) authentication credentials must be kept confidential; (v) individuals must authenticate using their own account and not a shared account; (vi) when an authorized individual no longer needs access to The System, Company will ensure his or her authentication credentials and access to The System are terminated immediately; and (vii) authorized individuals must log out of The System at the end of each work day.
iii. Company must at all times protect physical premises of The System using physical security methods commensurate with the type of data being handled. At a minimum, such methods must include (i) visitor sign-ins, (ii) standard keyed or card keyed locks, (iii) limited access to server rooms and archival backup storage, and (iv) burglar/intrusion alarm systems.
D. Logging. Company will log, including time and date, all attempted accesses to its servers involved in performing obligations to or for Yahoo! or otherwise conducted pursuant to these Security Terms and the Business Agreement, and the result of such attempts, successful or unsuccessful. In order to enable a complete audit trail of activities, Company must log, including time and date, all commands that require additional privileges, including all failed attempts to execute privileged commands. Company must protect the logs from tampering. Company will retain all such log entries for at least six months.
E. Payment Card Industry Data Security Standard (“PCI DSS”). If Company receives payment card information from Yahoo! or collects, processes, or stores payment card information on Yahoo!’s behalf as part of its obligations under the Business Agreement, Company shall establish and implement, and thereafter maintain, an information security program that is reasonably designed to protect the security, confidentiality, and integrity of Yahoo! Data in both electronic and physical form and is fully compliant with all requirements in the Payment Card Industry Data Security Standard (“PCI DSS”) and these Security Terms. Company acknowledges that any Yahoo! Data made available to Company for Permitted Use includes "cardholder data" and "sensitive authentication data" (as each such term is used in the PCI DSS), and further acknowledges that it is responsible for the security of Yahoo! Data in its possession or under its control.
3. Security Issue Management, Incident Handling, and Security Review
A. Notification Contact.
Each party has designated Security Notification Contacts as set forth below. Notifications pursuant to these Security Terms will take place via a telephone call and/or email by one Party to the other’s Security Notification Contact. Security Notification Contacts will be available twenty-four hours a day, seven days a week. Security Notification Contact information and communication protocol is as follows:
Yahoo! Security Notification Contacts.
Yahoo! Network Operations Center +1 408-349-5555
(With verbal communication that this is a Partner Security Notification)
(With subject line: Partner Security Notification)
Company Security Notification Contacts.
Company Security Notification Contact information shall be included in the Business Agreement or an appendix attached thereto.
Each Party may update or modify its Security Notification Contact information by providing written notice to the other’s Security Notification Contact.
B. Security Contact.
Company will provide Yahoo! with access to knowledgeable personnel, who can be reached with and respond to security questions or security concerns (“Security Contact”). Security Contact must have a deep, current knowledge about the architecture and operation of The System. Company Security Contact will be available twenty-four hours a day, seven days a week by telephone and email, or through Company’s Security Notification Contact.
C. Security Issue Management:
i. Classification. If Yahoo! believes an issue has not been properly classified as a Security Issue, Yahoo!, in its sole and absolute discretion, has the right to classify the issue as a Security Issue.
ii. Service Level Agreement (SLA).
Company will treat every Security Issue with high priority and commence working on each Security Issue immediately with sufficient numbers of competent personnel to meet the requirements of these Security Terms.
In some cases, unscheduled updates, modifications to legacy code, working during non-business hours, removing Yahoo! Branding, and disabling portions of The System, excluding physical premises, may be required to limit harm.
iii. Monitoring. Company will actively monitor The System and public reports for Security Issues.
iv. Actions. At a minimum, Company will take the following steps in the event of a Security Issue:
a. Notify Yahoo!’s Notification Contact immediately.
b. Provide an estimated time to resolution to Yahoo! within two (2) calendar days.
c. Resolve the Security Issue as soon as possible but no later than five (5) calendar days, unless otherwise agreed to by Parties.
d. Take reasonable steps to preserve logs or other data that may be useful for determining the source, cause, and consequences of the Security Issue. All logs or other data must be retained for one (1) month after the Parties mutually agree that the Security Issue is resolved, unless additional retention is requested by Yahoo!.
e. Maintain a time and date stamped log of all significant actions taken in investigating and addressing the Security Issue. All logs or other data must be retained for one (1) month after the Parties mutually agree that the Security Issue is resolved, unless additional retention is requested by Yahoo!.
f. Identify the root cause and implications of the Security Issue, and provide to Yahoo! for review.
g. Limit Harm: Where the Security Issue causes or is likely to cause imminent harm, and reviewing with Yahoo! would prolong such harm, Company will immediately take the minimum actions necessary to mitigate the harm. Any action beyond the minimum should be taken only after review with Yahoo!.
h. Identify and implement the changes necessary to address the Security Issue to the mutual satisfaction of the Parties. Company will promptly provide Yahoo! with a description of the planned changes. In cases where the changes require significant effort, Company will discuss the plan with Yahoo! prior to implementing changes.
i. Provide Yahoo! with weekly status updates until the Security Issue has been resolved, unless more frequent updates are requested by Yahoo!.
v. Confidentiality: Unless otherwise required by applicable law, Company will not disclose to third parties any information about Security Issues without prior written and express permission from Yahoo! for each disclosure. If Company is required to disclose pursuant to applicable law, Company must notify Yahoo! as soon as possible. Company may disclose to the following parties without obtaining such permission:
a. Company’s agents who are working on the issue, have a need-to-know, and have a Non-disclosure Agreement that is no less restrictive than that between Parties.
b. Others who are similarly affected and with whom Company has an obligation to notify. In such cases, Company shall not disclose any information about Yahoo! or Yahoo!’s involvement.
D. Rights to Review:
i. Security Testing
a. Yahoo!, its agents, and/or Yahoo! Affiliates, in its sole discretion, has the right at any time to perform remote Security Testing of The System, excluding physical premises. Such examination does not include actions that the examiner reasonably believes will cause serious harm or damage to The System. Security Testing may result in the identification of Security Issues.
b. Upon Yahoo!’s request, Company will promptly white list IP addresses provided by Yahoo! to allow accurate Security Testing to occur.
c. Company will not impede Yahoo!, its agents, and/or Yahoo! Affiliates from performing Security Testing; provided, however, that if Company reasonably believes the Security Testing will cause serious harm or damage to The System, Company will (a) take the minimum action necessary to mitigate such harm or damage; (b) contact Yahoo! immediately and explain the nature of the harm or damage that occurred; and (c) work with Yahoo! so that full Security Testing can continue without inflicting serious harm or damage to The System.
ii. Security Review
Upon the conditions set forth below, Yahoo!, directly or through a Yahoo! Affiliate designated by Yahoo!, will have the right, at its own expense, to conduct Security Reviews, and/or to have an independent third party subject to a Company-approved confidentiality agreement conduct Security Reviews. In the case that Yahoo! uses an independent third party, the third party will be selected by Yahoo! subject to approval by Company, and such approval will not be unreasonably withheld or delayed. Company will provide sufficient access to its facilities, personnel, and records as required for the Security Review during Company’s regular business hours, and will otherwise support and cooperate with the Security Review. Security Reviews may result in the identification of Security Issues.
a. Yahoo! will have the right to conduct a Security Review: 1) prior to The System being available or in production, 2) when there is or is planned to be a material change to The System, 3) when Yahoo! suspects there may be a Security Issue in The System, 4) upon assignment by Company of any of its rights or obligations under these Security Terms, and 5) upon termination of these Security Terms.
b. Security Reviews will be subject to the following conditions: 1) Yahoo! must provide reasonable notice to Company before such Security Reviews; 2) Security Reviews must be conducted during regular business hours in a manner that does not interfere with normal business activities.
4. Data Handling and Restrictions on Use
A. Data Handling. Company will ensure Yahoo! Data is handled subject to each of the following guidelines, except to the extent otherwise specifically permitted by the Business Agreement:
i. Company must not commingle Yahoo! Data with Company data.
ii. Prior to first handling Yahoo! Data, Company must resolve all identified Security Issues with The System, unless otherwise expressly specified by Yahoo! in writing.
iii. Company must not store or prompt for Yahoo! ID and password pairs.
iv. Company must always use Company ID as the identifier when storing and retrieving user specific data.
v. After the termination of the Business Agreement, Company must return or securely destroy Yahoo! Data, unless otherwise expressly permitted by Yahoo! in writing. Prior to destroying Yahoo! Data, Company must give Yahoo! advance written notification specifying the means of destruction, and such method must be approved by Yahoo! in writing.
vi. Company must not transmit or store in unencrypted form payment instruments, banking information, authentication credentials, or government issued identifiers.
B. Restrictions on Use. Company represents, warrants, and covenants to use Yahoo! Data solely for the Permitted Use. Except as otherwise permitted in the Business Agreement, Company specifically warrants that it shall not do any of the following without obtaining prior written authorization from Yahoo!:
i. Disclose Yahoo! Data in any manner for any purpose to any third party;
ii. Sell, resell, rent, lease or license Yahoo! data in any manner for any purpose; or
iii. Export or use Yahoo! Data outside of the United States.
The foregoing restrictions do not extend to Company's use of any information that Company can, to Yahoo!’s satisfaction, demonstrate was in Receiving Party's possession or under its control prior to the effective date of the Business Agreement or obtained by Company independent of the Business Agreement or these Security Terms.
A. Confidentiality Agreements; Use of Contractors and Subcontractors. All those who perform services related to Company’s obligations to Yahoo! on behalf of Company and who have access to Yahoo! Confidential Information (as defined in the Business Agreement) will be bound by confidentiality agreements or obligations that provide provisions substantially similar to those confidentiality obligations of Company set forth in the Business Agreement or any applicable non-disclosure agreement between the Parties. Company will not enter into any agreement with a contractor or subcontractor that would prevent Yahoo! or Company from conducting the Security Reviews as set forth in Section (3)(D)(ii) of these Security Terms. Company will contractually require those who perform services related to Company’s obligations to Yahoo! on behalf of Company to comply with all the terms and conditions of these Security Terms as if they were the Company.
B. Suitable Personnel. Company will only involve personnel that are competent to perform Company’s obligation to Yahoo!. Company will use the results of competently performed and reasonably inclusive background checks, along with any other pertinent information, in making this determination.
C. Education and Awareness. Company must provide reasonably frequent training and awareness in information security, in the protection of information resources, and in the requirements of this Agreement to its employees, agents, and contractors who access or use Yahoo! Data. Such training and awareness will be mandatory for all personnel involved in performing Company’s obligations to Yahoo! and will include, but is not limited to, identifying social engineering attempts, and good security practices.
6. Injunctive Relief. The Parties agree that breach of these Security Terms will cause Yahoo! irreparable harm and that Yahoo! is therefore entitled to injunctive relief to enforce its provisions, without the requirement of posting a bond therefore, in addition to such other legal and equitable relief as to which Yahoo! may also be entitled.
7. Term and Termination. These Security Terms will remain in force after the termination, in whole or in part, of the Business Agreement so long as Company retains or has access to Yahoo! Data. The preceding does not constitute authorization to retain or access data that was covered by these Security Terms that was not authorized by the Business Agreement.
8. Representations and Warranties. Company represents, warrants, and covenants: (a) that it has the power and the right to enter into these Security Terms on Company’s behalf, that Company has the power and the right to grant all rights conveyed hereby, and to perform its obligations under these Security Terms without breach of any agreements with third parties to which Company is a party or by which it is otherwise bound; (b) Company has not entered into, and will not enter into during the Term, any other contracts which materially interfere with Company’s performance of its obligations under these Security Terms or which frustrate the purposes of these Security Terms; (c) Company has not assigned, delegated, sold, or otherwise transferred any intellectual property or other rights required to perform its obligations under these Security Terms and will not do so during the Term, except as expressly provided herein; and (d) Company will perform its obligations under these Security Terms in accordance with all applicable laws, licenses, regulations, and rules of any governmental agency.
9. Indemnification. Without limitation of any indemnity in the Business Agreement, Company must, at its own expense, indemnify, defend and hold harmless Yahoo! and Yahoo! Affiliates, and their officers, directors, employees, representatives, licensees, and agents from and against and in respect of any and all third party claims, liabilities, allegations, suits, actions, investigations, judgments, deficiencies, settlements, inquiries, demands or other proceedings of whatever nature or kind, whether formal or informal, brought against Yahoo! or Yahoo! Affiliates, or their officers, directors, employees, representatives, licensees, or agents, as well as from and against and in respect of any and all resulting damages, liabilities, losses, costs, charges, fees and expenses, including without limitation, reasonable legal fees and expenses, as and when incurred that directly result from a material breach by Company of any terms or conditions in these Security Terms. The indemnification described in this paragraph shall not be subject to any limitations of liability described in Section 10 of these Security Terms or in the Business Agreement.
10. Limitation of Liability. Except for Company’s indemnification obligations in Section 9 of these Security Terms, under no circumstances will Company or Yahoo! be liable to each other under these Security Terms for indirect, incidental, consequential, special or exemplary damages arising from or in connection with a breach of these Security Terms, even if that party has been advised of the possibility of such damages, such as, but not limited to, loss of revenue or anticipated profits or lost business. Except for Company’s indemnification obligations in Section 9 of these Security Terms, in no event will Yahoo!’s or Company’s total liability under this agreement exceed the total liability agreed to in the Business Agreement.
11. Statement of Compliance. Upon request from Yahoo!, Company shall provide Yahoo! with an annual written statement certified by a Company officer that it has complied with all of the requirements of these Security Terms.
A. Interpretation of the Security Terms: The Parties desire that these Security Terms be construed fairly, according to their terms, in plain English, without constructive presumptions against the drafting Party, and without reference to the section headings, which are for reference only. References to the singular include the plural and vice versa. Governing law and venue, notices, assignment, and relationship of the Parties will be as set forth in the Business Agreement.
B. Entire Agreement: These Security Terms, together with the Business Agreement and any non-disclosure agreement, with respect to its subject matter and exempting any non-contrary provisions of the non-disclosure agreement and these Security Terms constitute the full agreement between Company and Yahoo! and supersede any prior or contemporaneous agreements. Except as specifically provided herein, all other terms and conditions of the Business Agreement remain the same. In the case of inconsistency or conflict between the provisions of these Security Terms and any other part of the Business Agreement, the provisions of these Security Terms will control.