FORFARMING DATA SECURITY AND PRIVACY PRINCIPLES
English v0.1, Published 07/2021
a. Capitalized terms used herein have the meanings given below or if not defined below, the meanings given in the applicable written contract between ForFarming and Client for the ForFarming Services.
b. Client:
Client is the entity to which ForFarming is providing the ForFarming Services under a ForFarming Services Document.
c. ForFarming Services:
ForFarming Services are (a) service offerings, including infrastructure or application service offerings that ForFarming delivers and dedicates to or customizes for a Client, and (b) any other services, including consulting, maintenance, or support, that ForFarming provides to a Client.
d. Components:
Components are the application, platform, or infrastructure elements of a ForFarming Service that ForFarming operates and manages.
e. Content:
Content consists of all data, software, and information that Client or its authorized users provide, authorize access to, or input to ForFarming Services.
f. DSP:
DSP is this ForFarming Data Security and Privacy Principles document.
g. Transaction Document:
A Transaction Document is a document that details the specifics of transactions, such as charges and a description of and information about a ForFarming Service. Examples of Transaction Documents include statements of work, service descriptions, ordering documents and invoices for a ForFarming Service. There may be more than one Transaction Document applicable to a transaction.
h. ForFarming Services Document:
A ForFarming Services Document is a Transaction Document and any other document that is incorporated into a written contract between ForFarming and a Client and that addresses details of a specific ForFarming Service.
i. Security Incident:
A Security Incident is unauthorized access to and unauthorized use of Content.
a. The technical and organizational measures provided in this DSP apply to ForFarming Services (including any Components) only where ForFarming has expressly agreed to comply with the DSP in a written contract between ForFarming and Client. For clarity, those measures do not apply where Client is responsible for security and privacy or as specified below or in a ForFarming Services Document.
b. Client is responsible for determining whether a ForFarming Service is suitable for Client’s use and implementing and managing security and privacy measures for components that ForFarming does not provide or manage within the ForFarming Services. Examples of Client responsibilities for ForFarming Services include: (1) the security of systems and applications built or deployed by the Client upon an infrastructure as a service or platform as a service offering or upon infrastructure, Components or software that ForFarming manages for a Client, and (2) Client end-user access control and application level security configuration for a software as a service offering that ForFarming manages for a Client or an application service offering that ForFarming delivers to a Client.
c. Client acknowledges that ForFarming may modify this DSP from time to time at ForFarming’s sole discretion and such modifications will replace prior versions as of the date that ForFarming publishes the modified version. Notwithstanding anything to the contrary in any written contract between ForFarming and Client, the intent of any modification will be to: (1) improve or clarify existing commitments, (2) enable ForFarming to appropriately prioritize its security focus to address evolving data and cybersecurity threats and issues, (3) maintain alignment to current adopted standards and applicable laws, or (4) provide additional features and functionality. Modifications will not degrade the security or data protection features or functionality of ForFarming Services.
d. In the event of any conflict between this DSP and a ForFarming Services Document, the ForFarming Services Document will prevail. If the conflicting terms are in a Transaction Document, they will be identified as overriding the terms of this DSP and will apply only to the specific transaction.
3. Data Protection
a. ForFarming will treat all Content as confidential by not disclosing Content except to ForFarming employees, contractors, and suppliers (including subprocessors), and only to the extent necessary to deliver the ForFarming Services.
b. Security and privacy measures for each ForFarming Service are implemented in accordance with ForFarming security and privacy by design practices to protect Content processed by a ForFarming Service, and to maintain the availability of such Content pursuant to the applicable written contract between ForFarming and Client, including applicable ForFarming Services Documents.
c. Additional security and privacy information specific to a ForFarming Service may be available in the relevant ForFarming Services Document or other standard documentation to aid in Client’s initial and ongoing assessment of a ForFarming Service’s suitability for Client’s use. Such information may include evidence of stated certifications and accreditations, information related to such certifications and accreditations, data sheets, FAQs, and other generally available documentation. ForFarming will direct Client to available standard documentation if asked to complete Client-preferred security or privacy questionnaires.
4. Security Incidents
a. ForFarming will investigate Security Incidents of which ForFarming becomes aware, and, within the scope of the ForFarming Services, ForFarming will define and execute an appropriate response plan. Client may notify ForFarming of a suspected vulnerability or incident by submitting a request through the incident reporting process specific to the ForFarming Service (as referenced in a ForFarming Services Document) or, in the absence of such process, by submitting a technical support request.
b. ForFarming will notify Client without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by ForFarming to affect Client. ForFarming will provide Client with reasonably requested information about such Security Incident and the status of any ForFarming remediation and restoration activities.
5. Access, Intervention, Transfer, and Separation Control
a. ForFarming may use wireless networking technology in its maintenance and support of the ForFarming Services and associated Components. Such wireless networks, if any, will be encrypted and require secure authentication and will not provide direct access to ForFarming Services networks. ForFarming Services networks do not use wireless networking technology.
b. ForFarming will maintain measures for a ForFarming Service that are designed to logically separate and prevent Content from being exposed to or accessed by unauthorized persons. ForFarming will maintain appropriate isolation of its production and non-production environments, and, if Content is transferred to a non-production environment, for example to reproduce an error at Client’s request, security and privacy protections in the non-production environment will be equivalent to those in production.
c. ForFarming will encrypt Content not intended for public or unauthenticated viewing when transferring Content over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, or FTPS, for Client’s secure transfer of Content to and from the ForFarming Services over public networks.
d. ForFarming will encrypt Content at rest if and as specified in a ForFarming Services Document. If a ForFarming Service includes management of cryptographic keys, ForFarming will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.
e. If ForFarming requires access to Content to provide the ForFarming Services, and if such access is managed by ForFarming, ForFarming will restrict access to the minimum level required. Such access, including administrative access to any underlying Components (privileged access), will be individual, role-based, and subject to approval and regular validation by authorized ForFarming personnel following the principles of segregation of duties. ForFarming will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner’s separation or upon the request of authorized ForFarming personnel, such as the account owner’s manager.
f. Consistent with industry standard practices, and to the extent natively supported by each Component, ForFarming will maintain technical measures enforcing timeout of inactive sessions, strong password or passphrase authentication, and secure transfer and storage of such passwords and passphrases.
g. ForFarming will monitor use of privileged access and maintain security information and event management measures designed to: (1) identify unauthorized access and activity, (2) facilitate a timely and appropriate response, and (3) enable internal audits of compliance with documented ForFarming policy.
h. To the extent supported by native device or operating system functionality, ForFarming will maintain computing protections for its end-user systems that include, but may not be limited to, endpoint firewalls, full disk encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.