Anaplan’s Data and Security Policy


Confidential Information

This Policy describes Anaplan’s policies and procedures related to the principles and architecture of, the security- and privacy-related audits and certifications received for, and the administrative, organizational, technical and physical controls applicable to the Anaplan Service. Capitalized terms in this Policy shall have the meaning assigned to them in the applicable SaaS Subscription Agreement (or other agreement between the parties in which this Policy is referenced) unless otherwise defined herein.

  1. Principles. Anaplan emphasizes the following principles in the design and implementation of its security program and practices.
    • 1.1 Confidentiality – Prevention of disclosure of information to unauthorized individuals or systems.
    • 1.2 Integrity – Maintaining the accuracy and consistency of data over its life cycle.
    • 1.3 Availability – Maximizing availability of information.
  2. Security Program. Anaplan strives to maintain an effective security program, aligned with ISO 27000 series standards and NIST Cybersecurity Framework standards consisting of many of the industry’s best practices, which includes the following:
    • 2.1 Maintaining an up-to-date inventory of information assets classified by their sensitivity and value;
    • 2.2 Utilizing a formal risk management and treatment program that includes vendor risk;
    • 2.3 Conducting periodic risk assessments of all systems and networks that process Client Data, on at least an annual basis;
    • 2.4 Conducting periodic reviews of any prior security incidents and subsequent remediation;
    • 2.5 Maintaining a detailed written security policy that explicitly addresses and provides guidance to its personnel in furtherance of the confidentiality, integrity and availability of Client Data and Anaplan’s systems. The policies are endorsed by Anaplan’s senior management and state ramifications for noncompliance;
    • 2.6 Having Anaplan resources (i.e., identified individual(s)) to foster and focus on information security efforts, led by Anaplan’s Chief Information Security Officer;
    • 2.7 Adhering to applicable legal, regulatory, and contractual obligations related to information security;
    • 2.8 Requiring personnel to receive information security and privacy awareness training at time of hire and annually;
    • 2.9 Undergoing regular third-party assessments of security and compliance programs.
  3. Architecture.
    • 3.1 Private and Public Cloud. Anaplan either wholly owns, or it manages, maintains and controls access to the systems used to provide the Anaplan Service as hosted out of data center facilities in the United States and in Europe (the “Anaplan Private Cloud”). Anaplan also engages with third-party providers of cloud infrastructure as identified in our List of Subprocessors to operate the Anaplan Service to store Client model data through their infrastructure under Anaplan’s direction (the “Anaplan Public Cloud”), with the application and platform metadata stored and operated out of the Anaplan Private Cloud data center facilities. All data centers are backed up for disaster recovery purposes to a corresponding data center in the same region. That is, United States data centers are backed up to United States disaster recovery data centers while European data centers are backed up in Europe. Cloud environments are backed up to a different availability zone in the same region. Each facility is fully protected 24x7x365 by a variety of security measures such as, by way of example, fences, walls, moats, mantraps, badge-reader doors, biometric authentication devices, security guards and video cameras. All activity is logged, recorded and stored for no less than 30 days. Entry to each facility requires prior authorization and verification of government-issued identification and biometric confirmation. Each facility has an annual audit by industry-leading firms for ISO 27001 and Service Organization Control compliance. Please review the platform Subprocessor information for both Anaplan Private Cloud and Anaplan Public Cloud locations and backup regions.
    • 3.2 Redundant Infrastructure. Anaplan infrastructure utilizes a redundant “active/passive” design to enable full operational failover.
    • 3.3 Environmental Controls. Each facility includes controls regarding utilities such as power, air quality, temperature, humidity, lighting, fire suppression, and other environmental factors.
    • 3.4 Security Infrastructure. Each environment is protected by a “defense-in-depth” security architecture consisting of Web Application Firewall (WAF), next-gen physical and/or virtual firewalls, Intrusion Protection System (IPS), Endpoint Detection and Response (EDR), and Distributed Denial of Service (DDoS) mitigation service.
    • 3.5 Network Infrastructure. The internal network infrastructure is securely segmented using firewalls, Virtual Networks (VLANs) and Access Control Lists (ACLs), which limit the access and communication between systems and environments. Systems and individuals are not permitted to reach other systems without proper authorization.
    • 3.6 Server Infrastructure. Every server is hardened and imaged to contain only the necessary services to operate. All hosts are subject to a regular patching and maintenance routine and are continuously monitored for vulnerabilities and security threats using industry-leading technology. All servers are controlled and managed by an automation system to ensure consistent configuration across the environment.
    • 3.7 Containers, Virtualization. Containers and virtualized environments are hardened and imaged to contain only the necessary services to operate. All virtual infrastructure is subject to a regular patching and maintenance routine and continuously monitored for vulnerabilities and security threats using industry-leading Cloud Security Posture Management (CSPM). Anaplan controls and manages virtualized environments to ensure consistent configuration across the environments.  These environments use Cloud Workload Protection (CWP) providing container runtime protection, threat monitoring and alerting.
  4. Data Protection.
    • 4.1 Data Storage. All data is stored, processed, and maintained solely on Anaplan-managed servers.  Data is held on redundant encrypted storage using industry standard encryption technology. Data is also securely streamed in near real-time to backup and disaster recovery storage. Backed-up data is stored using industry standard encryption technology. In the event that data needs to be restored, the local backups would be used first. Anaplan will keep all Client Data physically and logically secured and logically segregated from other client data.
    • 4.2 Data Management. Anaplan allows clients to manage data themselves. Clients may download data from the Service at any time during the subscription period. Anaplan’s model history records changes made to data, by whom, and when.
    • 4.3 Data Encryption. Anaplan uses industry-standard encryption products to protect Client Data and communications during transmissions between a client’s network and Anaplan, including management of public keys. All data in transit between client and server is encrypted using HTTPS/TLS 1.2 or higher. Data at rest is secured using AES 256-bit full disk encryption.
  5. Audits and Certifications
    • 5.1 Service Organization Control (SOC) Reports. The information security control environment applicable to Anaplan’s operations undergoes an evaluation in the form of Service Organization Control (SOC) reports. Data center and public cloud facilities also undergo ISO 27001 audits and SOC audits.
    • 5.2 ISO.  Anaplan currently holds and will strive to maintain ISO 27001, 27017, 27018, and 27701 certifications.
    • 5.3 Security Documentation. Upon Client’s written request, Anaplan will make available (a) its then-current SOC 1 Type 2 and SOC 2 Type 2 audit reports (or comparable industry-standard successor reports); (b) an executive summary of its most recently conducted penetration test; (c) its then-current ISO certifications; and (d) its then-current SSAE19 AUP audit report.
    • 5.4 TRUSTe Privacy Seal: Anaplan has been awarded and strives to maintain the TRUSTe Enterprise Privacy Seal signifying that Anaplan’s Web Site Privacy Statement and associated practices related to Anaplan have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements, including transparency, accountability, and choice regarding the collection and use of personal data.
    • Anaplan has achieved EU-US, UK, and Swiss-US Data Protection Framework, APEC Cross Border Privacy Rules (CBPR), and the Privacy Recognition for Processors (PRP) certifications and will strive to maintain these certifications (or any successor standards, as applicable).
  6. Security Controls
    • 6.1 Client End User Access Controls. Anaplan supports a variety of configurable security controls including: unique user identifiers (user IDs) to ensure that activities can be attributed to the responsible individual; controls to revoke access after several consecutive failed login attempts; controls to ensure generated initial passwords must be reset on first use; controls to force a user password to be changed periodically or to expire after a period of use; controls to terminate a user session after a period of inactivity; password complexity requirements; and denial of access to new users by default subject to the client’s granting or enabling of end user access.  The client may also enable and configure an IP Allow List requiring user logons to originate from specific IP addresses or ranges. Further, Anaplan supports SAML 2.0 SSO (Single Sign-On), which clients can use to centrally manage user access.
    • 6.2 Access Control. Anaplan ensures that only duly authorized personnel have access to systems supporting the Anaplan Service. Anaplan and its subservice organizations have implemented the following controls for access to systems: logical access to systems can only be made using multi-factor authentication (MFA) via secure, production-specific (i.e., separate from non-production) VPN; access to Anaplan-managed servers is further protected by the mandatory use of SSH public key infrastructure (PKI) technology; Client must explicitly grant Anaplan personnel access to its workspaces and models for support, model building, or other purposes; access is based on the information security principles of ‘least privilege’ and ‘need to know’ with access strictly limited to a select number of skilled individuals; all access is monitored and logged; personnel accessing systems holding Client Data are trained on documented information security and privacy procedures; all personnel are subject to background checks prior to employment; all personnel must follow a ‘clean desk, clear screen’ policy; all personnel are required to sign client data confidentiality agreements; and, access is immediately revoked on termination of employment. 
    • 6.3 Third-Party Service Providers. Anaplan personnel perform commercially reasonable due diligence to select and retain only third-party service providers that will maintain and implement security measures consistent with the measures stated in this Policy and in accordance with all applicable state, federal or international laws and/or regulations. Key vendors are vetted prior to engagement and at least annually; such vetting includes contractual obligations for security, privacy, and confidentiality. Anaplan will continue to have management of key vendors described and tested by external auditors as part of ongoing compliance audits.
  7. Vulnerability and Malware Management
    • 7.1 Malware and Viruses. Anaplan systems will not knowingly or intentionally introduce any virus or malware to a client’s systems. Scans are performed on systems holding Client Data for viruses and malware that could be included in attachments or other Client Data uploaded to the Anaplan Service.
    • 7.2 Web Application Vulnerability Management. The Anaplan Service is subjected to a regular Web Application Scanning (WAS) process carried out using market-leading security and compliance providers.
    • 7.3 Source Code Scanning. Anaplan’s source code is scanned for vulnerabilities regularly, from initial development, through release, and thereafter on an ongoing basis. Source code must be free of critical-rated vulnerabilities prior to release.
    • 7.4 Third-Party Penetration Testing. The Anaplan Service undergoes penetration testing by a third-party firm at least once per year. Anaplan will provide Client with an attestation letter from our CISO describing the timing, vendor, methodology, and summary result of the most recent third-party test. Anaplan will also continue to include a control in ongoing compliance audits verifying the execution of the third-party penetration test and associated remediation activities. Clients are prohibited from executing their own penetration tests.
  8. Security Procedures, Policies and Logging. All Anaplan-managed systems used in the provision of the Anaplan Service, including firewalls, routers, network switches, operating systems, and virtualized environments log information to their respective system log facility and to a centralized Security Incident and Event Management (SIEM) system.  The SIEM is configured to alert security personnel of anomalous activity. All authentication activity by Client and personnel is monitored and logged. Logging will be kept for a minimum of 365 days.  Within the models, the model History records every change to a model with user/date/time stamp and pre/post values (data change) or description (model change).  History is automatically enabled, cannot be disabled, and is retained for the life of the model.  Client’s Anaplan administrators can view the History at any time, export to file, or restore the model to any point in the History. The Anaplan Audit feature allows Clients to track events in their tenant for logging and alerting purposes.
  9. Disaster Recovery. Disaster recovery plans are in place and tested at least once per year. Anaplan utilizes disaster recovery facilities that are in the same geopolitical region and geographically remote from their primary data centers, along with the required hardware, software, and Internet connectivity. In the event production capabilities at the primary data centers were rendered unavailable, the disaster recovery hosting facilities would be enabled and brought online.
  10. System Maintenance. Maintenance is carried out during Scheduled Maintenance hours as provided in the Anaplan Availability and Support SLA. Scheduled Maintenance is most commonly used for new version releases but may be performed for other updates.
  11. Change Management. Anaplan fully documents change management procedures for all tiers of the service covering application, underlying services, containers, virtualization, operating system, server and network layers. All configuration changes are tracked and managed through a written ticketing system and require management approval prior to being deployed to Production.
  12. Incident Management. Anaplan maintains incident management policies and procedures describing the roles and responsibilities of the Support, Platform Operations, Security, and Engineering teams and other functional groups. Escalations between the teams are determined based on the nature of issue (infrastructure, security, application or client model), duration of issue, and/or scope of issue. A root cause analysis is performed after an issue is resolved.  In the event of an incident impacting Client Data, Anaplan will notify the client’s Anaplan administrators via email within 48 hours of confirmation of the incident.  Anaplan will provide timely information and cooperation as Client may reasonably require in order for Client to fulfill regulatory obligations. Anaplan reserves the right to update its Data and Security Policy from time to time, provided that no such update will materially and adversely diminish the overall security of the Anaplan Service during the Subscription Term.
