Anaplan’s Data and Security Policy
This Exhibit describes Anaplan’s policy related to the principles and architecture of, the security and privacy related audits and certifications received for, and the administrative, technical and physical controls applicable to the Anaplan Service. Capitalized terms in this Exhibit shall have the meaning assigned to them in the Agreement unless otherwise defined herein.
- Principles. Anaplan emphasizes the following principles in the design and implementation of its security program and practices.
- 1.1 Confidentiality – Prevention of disclosure of information to unauthorized individuals or systems.
- 1.2 Integrity – Maintaining the accuracy and consistency of data over its life cycle.
- 1.3 Availability – Maximizing availability of information.
- Security Program. Anaplan strives to maintain an effective security program, consisting of many of the industry’s best practices, which includes the following:
- 2.1 Having a formal risk management and treatment program that includes vendor risk;
- 2.2 Conducting periodic risk assessments of all systems and networks that process Client Data, on at least an annual basis;
- 2.3 Conducting periodic reviews of security incidents and subsequent remediation; and
- 2.4 Having a written security policy that explicitly addresses and provides guidance to its personnel in furtherance of the confidentiality, integrity and availability of Client Data and Anaplan’s systems. The policies are endorsed by Anaplan’s senior management and state ramifications for noncompliance.
- 2.5 Having Anaplan resources (i.e. identified individual(s)) to foster and focus on information security efforts.
- 3.1 Data Centers. Anaplan either wholly owns, or it manages, maintains and controls access to the systems used to provide the Anaplan Service as hosted out of data center facilities in the United States and in Europe. The primary data centers are backed up for disaster recovery purposes to a corresponding data center in the same region. That is, United States data centers are backed up to United States disaster recovery data centers while European data centers are backed up in Europe. Each facility is fully protected 24x7x365 by a variety of security measures such as, by way of example, fences, walls, moats, mantraps, security guards and video cameras. All activity is logged, recorded and stored for no less than 30 days. Entry to each facility requires prior authorization and verification of government-issued identification and biometric confirmation. Each facility has an annual audit by industry leading firms for ISO 27001 and Service Organization Control compliance.
- 3.2 Redundant Infrastructure. Anaplan infrastructure utilizes a redundant “active/passive” design to enable full operational failover.
- 3.3 Environmental Controls. Each facility includes controls regarding utilities such as power, air quality, temperature, humidity, lighting, fire suppression, and other environmental factors.
- 3.4 Security Infrastructure. Each facility is protected by a “defense-in-depth” security architecture consisting of firewalls, IDS (Intrusion Detection Systems), anti-virus/anti-malware protection, monitoring capabilities, and DDoS protection monitoring and mitigation.
- 3.5 Network Infrastructure. The internal network infrastructure is securely segmented using firewalls, Virtual Networks (VLANs) and Access Control Lists (ACLs), which limit the access and communication between systems and environments. Systems and individuals are not permitted to reach other systems without proper authorization.
- 3.6 Server Infrastructure. Every server is hardened and imaged to contain only the necessary services to operate. All hosts are subject to a regular patching and maintenance routine and are periodically scanned for vulnerabilities and security threats using industry-leading technology. All servers are controlled and managed by an automation system to ensure consistent configuration across the environment.
- Audits and Certifications
- 4.1 Service Organization Control (SOC) reports. Upon Client’s written request and up to once per year, Anaplan will (a) make available its then-current SOC 1, Type 2 and SOC 2, Type 2 audit report (or comparable industry-standard successor reports); and (b) provide copies of the executive summary of its most recently conducted penetration test. (a) The information security control environment applicable to Anaplan’s operations undergoes an evaluation in the form of Service Organization Control (SOC) reports. (b) The information security control environment applicable to Anaplan’s data centers undergoes an evaluation in the form of Service Organization Control (SOC 1 and SOC 2) reports. These data centers also undergo ISO 27001 audits.
- 4.2 TRUSTe Enterprise Privacy Seal: Anaplan has been awarded and strives to maintain the TRUSTe Enterprise Privacy Seal signifying that Anaplan’s Web Site Privacy Statement and associated practices related to Anaplan have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements, including transparency, accountability, and choice regarding the collection and use of personal data.
- Security Controls
- 5.1 User Access, Controls and Policies. Anaplan supports a variety of configurable security controls including: unique user identifiers (user IDs) to ensure that activities can be attributed to the responsible individual; controls to revoke access after several consecutive failed login attempts; controls to ensure generated initial passwords must be reset on first use; controls to force a user password to be changed periodically or to expire after a period of use; controls to terminate a user session after a period of inactivity; password complexity requirements; and denial of access to new users by default subject to the client’s granting or enabling of end user access. Further, Anaplan supports SAML 2.0 SSO (Single Sign-On), which clients can use to centrally manage user access.
- 5.2 Anaplan Employee Access, Controls and Policies. Anaplan has implemented the following controls for employee access to Anaplan systems: employee access to the data center can only be made using RSA two-factor authentication via secure VPN; access to any data center server is further protected by the mandatory use of SSH public key infrastructure (PKI) technology; Anaplan staff cannot see any end-user data without being granted permission by the end user-owner through the native access control system; access is based on the information security principle of ‘least privilege’ with access strictly limited to a select number of skilled individuals; all access is monitored and logged; employees accessing Anaplan systems are trained on documented information security and privacy procedures; all employees are subject to ‘Employee Background Checks’ prior to employment; all employees are required to sign client data confidentiality agreements; and, access is immediately revoked on termination of employment.
- 5.3 Third party service providers. Anaplan personnel take commercially reasonable steps to select and retain only third-party service providers that will maintain and implement the security measures consistent with the measures stated in this Exhibit and in accordance with all applicable state, federal or international laws and/or regulations.
- Vulnerability and Malware Management
- 6.1 Malware and Viruses. Anaplan systems will not knowingly or intentionally introduce any virus or malware to a client’s systems. Scans are performed for viruses and malware that could be included in attachments or other Client Data uploaded into Anaplan by a client.
- 6.2 Web Application Vulnerability Management. The Anaplan Service is subjected to a regular Web Application Scanning (WAS) process carried out using market leading security and compliance providers.
- 6.3 Third Party Penetration Testing. The Anaplan Service undergoes penetration testing by a third party firm at least once per year.
- Security Procedures, Policies and Logging. All Anaplan systems used in the provision of the Anaplan Service, including firewalls, routers, network switches and operating systems, log information to their respective system log facility and to a centralized syslog server. All data access by Client and staff is monitored and logged. All data changes by client and staff are monitored and logged. Logging will be kept for a minimum of 365 days. Logging will be kept in a secure area to prevent tampering.
- Data Encryption. Anaplan uses industry-standard encryption products to protect Client Data and communications during transmissions between a client’s network and Anaplan, including management of public keys. All data in transit between client and server is encrypted using HTTPS/TLS. Data at rest is stored in a unique non-readable binary format and subject to AES 256-bit full disk encryption.
- Backup and Restoration. All onsite data is held on redundant encrypted SAN using industry standard encryption technology. Data is also streamed in near real-time to an offsite backup and disaster recovery center via IPSec tunnel. Backed up data is stored using industry standard encryption technology. In the event that data needs to be restored, the onsite SAN backups would be used first.
- Disaster Recovery. Disaster recovery plans are in place and tested at least once per year. Anaplan utilizes disaster recovery facilities that are geographically remote from their primary data centers, along with the required hardware, software, and Internet connectivity. In the event production capabilities at the primary data centers were rendered unavailable, the disaster recovery hosting facilities would be enabled and brought online. As Client Data is already streamed and held at these same facilities, recovery time would be minimized.
- System Maintenance. Maintenance is carried out during Scheduled Maintenance hours as provided in the Anaplan Availability and Support SLA. Scheduled Maintenance is most commonly used for new version releases but may be performed for other updates.
- Change Management. Anaplan fully documents change management procedures for all tiers of the service covering application, operating system, server and network layers. All configuration changes are tracked and managed through a written ticketing system and require approval from Anaplan’s Change Review Board.
- Incident Management. Anaplan maintains incident management policies and procedures describing the roles and responsibilities of the Support, TechOps, Security and Engineering teams and other functional groups. Escalations between the teams are determined based on the nature of the issue (infrastructure, security, application or client model), duration of the issue, and/or scope of the issue. A root cause analysis is performed after an issue is resolved.
Anaplan reserves the right to update its Data and Security Policy from time to time, provided that no such update will materially and adversely diminish the overall security of the Anaplan Service during the Subscription Term.