Undefined capitalized terms used in this Policy will have the meanings set forth in the Zabble Terms of Service available at https://zabblezero.com/termsofuse.
Zabble will adopt and maintain appropriate (including organizational and technical) security measures in dealing with Customer Content in order to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the Processing (defined below) involves the transmission of Customer Content over a network, and against all other unlawful or unauthorized forms of Processing. In determining the security measures required, Zabble will take account of the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. “Processing” means any action, process, or operation (e.g., collecting, copying, structuring, storing, modifying, accessing, using, sharing, making available, transferring, or destroying) performed on any Customer Content.
Without limiting the foregoing, Zabble will implement the following security measures:
A. Systems and Access
1. Customer Content is Processed in physically secured data centers with formal access procedures and records of those who get physical access to such data centers, and Zabble employs mechanisms that are designed to grant only approved access rights to site hosts, logs, data and configuration information.
2. Zabble grants access rights based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need-to-know basis. Zabble maintains audit records of all changes to access configurations and requirements.
3. Access to systems is logged to create an audit trail for accountability.
4. If the Services allow Customer employees or Customer contractors to interactively log in or authenticate into the Services, Zabble will integrate the Services with Customer’s Single Sign On (“SSO”) platform for all Customer logins. Zabble will not be able to ensure multi-factor authentication (“MFA”) for all Customer logins.
5. Zabble requires its personnel to use unique user IDs and strong passwords, and actively monitors for unauthorized account use. Zabble shall also require MFA when Zabble’s employees or contractors access (a) any VPN connection into Zabble’s internal networks; (b) any connection into Zabble’s production environment; (c) Zabble’s email system, if it can be accessed from the internet; and (d) any other services Zabble uses that access, process, or store Customer Content.
6. Where passwords are employed for authentication, password policies require at least industry standard practices, including sufficient password strength.
7. Customer Content is encrypted in transit and at rest using strong, industry-recognized practices such as AES-256.
8. Systems that Process Customer Content are designed to eliminate single points of failure and minimize the impact of reasonably anticipated risks, with regular preventative and corrective maintenance according to documented procedures.
9. Zabble uses measures designed to ensure ongoing integrity, availability, and resilience of Zabble’s systems and the timely restoration of and access to Customer Content following a Data Incident (defined below).
10. Zabble has internal data access processes and policies, and implements practices, in each case, designed to prevent the accidental destruction or loss of data, prevent unauthorized persons and/or systems from gaining access to systems used to Process Customer Content, and detect a failure to prevent any of the foregoing.
11. Zabble has a comprehensive program for managing security vulnerabilities which includes automated processes for identifying and promptly patching vulnerable software and systems.
12. Zabble monitors for reports of Data Incidents and reacts promptly to probable Data Incidents.
13. Zabble employs automated mechanisms to detect and prevent attacks and proactively plans for and guards against potential attack and unauthorized access to systems that Process Customer Content.
14. Zabble regularly tests the effectiveness of its security measures.
B. Data Incidents
Zabble shall, except to the extent prohibited or otherwise required by applicable law, without undue delay following discovery thereof, notify Customer of any actual or suspected unauthorized or unlawful Processing of Customer Content (“Data Incident”), and thereafter provide reasonable information and assistance to Customer for Customer and Zabble to meet any and all legal obligations relating to such Data Incident.
C. Personnel, Practices and Policies