Qualtrics Technical and Organizational Measures for Suppliers, Contractors and Subprocessors
Revised February 1, 2022.

These Technical and Organizational Measures for Suppliers, Contractors and Subprocessors (“TOMs”) form part of the Master Services Agreement (“MSA”) and/or Qualtrics Contractor Agreement on the Commissioned Processing of Personal Data (“CDPA”) between you (“Contractor”) and Qualtrics, LLC (“Qualtrics”). Refer to these TOMs regularly to ensure compliance. These TOMs can be found at www.qualtrics.com/supplier-toms/.

Acceptance. Please read these TOMs carefully before providing products or services to Qualtrics as described in the applicable MSA or CDPA (the “Services”). These TOMs take effect when you provide any of the Services. If you are agreeing to these TOMs on behalf of Contractor, you represent to Qualtrics that you have legal authority to bind Contractor.

Modifications. Qualtrics may modify these TOMs at any time by posting a revised version on this website (www.qualtrics.com/supplier-toms/) or otherwise providing notice to Contractor. By continuing to provide the Services after the effective date of any modifications to these TOMs, Contractor agrees to be bound by the modified terms.

TECHNICAL AND ORGANIZATIONAL MEASURES
Contractor is responsible for the implementation of appropriate security measures. Contractor shall, at its sole expense, undergo an independent evaluation by a recognized third-party audit firm and provide the applicable certificate and/or report to Qualtrics on an annual basis. Acceptable forms of this independent evaluation may include, but are not limited to, ISO/IEC 27001:2013 – Information Security Management Systems or a Service Organization Control Type 2 report (“SOC 2 Report”). Contractor, at a minimum, shall maintain the following information security controls:
- ACCESS CONTROL
Unauthorized persons shall be prevented from gaining physical access to premises, buildings or rooms where data processing systems which process Personal Data are located; persons are unauthorized if their activity does not correspond to the tasks assigned to them. Exceptions may be granted to third-party auditors for the purpose of auditing the facilities, as long as they are supervised by the Contractor and do not themselves get access to the Personal Data.
Including, without limitation, the Contractor must:
- Specify authorized individuals;
- Use an access control process to avoid unauthorized access to Contractor’s premises;
- Have an access control process to restrict access to data centers/rooms where data servers are located;
- Use video surveillance and alarm devices with reference to access areas; and
- Ensure that personnel without access authorization (e.g. technicians, cleaning personnel) are accompanied at all times.
- SYSTEM ACCESS CONTROL
Data processing systems must be prevented from being used without authorization.
Including, without limitation, the Contractor must:
- Ensure that all computers processing Personal Data (this includes remote access) are password protected after boot sequences and when left unattended even for a short period, to prevent unauthorized persons from accessing any Personal Data;
- Assign every individual a dedicated user ID for authentication against the system's user management;
- Assign individual user passwords for authentication;
- Ensure that the access control is supported by an authentication system;
- Only grant system access to Contractor’s authorized personnel and/or to permitted employees of Contractor’s subcontractors, and strictly limit such persons’ access to applications which process Personal Data to what is required for those persons to fulfil their function;
- Implement a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords;
- Ensure that passwords are always stored in encrypted form;
- Have a proper procedure to deactivate a user account when the user leaves the company or changes function; and
- Have a proper process to adjust administrator permissions when an administrator leaves the company or changes function.
- ACCESS CONTROL TO PERSONAL DATA
Persons entitled to use a data processing system shall gain access only to the data to which they have a right of access, and Personal Data must not be read, copied, modified or removed without authorization in the course of processing.
Including, without limitation, the Contractor must:
- Restrict access to files and programs on a “need-to-know” basis;
- Store data carriers in secured areas; and
- Only grant access to Contractor personnel and assign minimal permissions to access data as needed to fulfill their function.
- DATA ENTRY CONTROL
It shall be possible retrospectively to examine and establish whether and by whom Personal Data have been entered into data processing systems, modified or removed.
Including, without limitation, the Contractor must:
- Log administrator and user activities; and
- Permit only authorized personnel to modify any Personal Data within the scope of their function.
- JOB CONTROL
Personal Data being processed on commission shall be processed solely in accordance with the CDPA and the service schedule and instructions of the Controller.
Including, without limitation, the Contractor must:
- Establish controls over contractual performance;
- Work according to written instructions or contracts; and
- Process the Personal Data received from different clients to ensure that in each step of the processing the Controller of Personal Data can be identified, so data is always physically or logically separated.
- AVAILABILITY CONTROL
Personal Data shall be protected against disclosure, accidental or unauthorized destruction or loss.
Including, without limitation, the Contractor must:
- Create back-up copies stored in specially protected environments;
- Perform regular restore tests from those backups;
- Create contingency plans or business recovery strategies;
- Not use Personal Data for any purpose other than that which it has been contracted to perform;
- Not remove Personal Data from Contractor’s business computers or premises for any reason (unless data exporter has specifically authorized such removal for business purposes);
- Use only authorized business equipment to perform the Services;
- Ensure that whenever a user leaves his/her desk unattended during the day, and prior to leaving the office at the end of the day, documents containing Personal Data are placed in a safe and secure environment such as a locked desk drawer, filing cabinet, or other secured storage space (clean desk);
- Implement a process for secure disposal of documents or data carriers containing Personal Data;
- Have network-level firewalls to prevent unauthorized access to systems and services; and
- Ensure that each computer system runs an up-to-date antivirus solution.
- ORGANIZATIONAL REQUIREMENTS
The internal organization of the Contractor shall meet the specific requirements of data protection. In particular, the Contractor shall take technical and organizational measures to avoid the accidental mixing of Personal Data.
Including, without limitation, the Contractor must:
- Designate a data protection officer (or a responsible person if a data protection officer is not required by law);
- Get the written commitment of its employees to maintain confidentiality; and
- Process the Personal Data received from different clients to ensure that in each step of the processing the respective client can be identified, so data is always physically or logically separated.
- DATA TRANSMISSION CONTROL
This section only applies when Contractor may access and/or process Qualtrics or Qualtrics Customer confidential information, e.g. by providing customer-facing, Qualtrics cloud-related services.
- Reporting of Security Incidents. The Contractor is required to inform the designated Qualtrics point of contact of all critical security incidents promptly and without undue delay. A security incident is defined as an unwanted or unexpected information security event that has a significant probability of compromising Qualtrics business operations and threatening Qualtrics information security.
- Security Audits by Qualtrics. The Contractor shall be obliged to verify that the releases of its IT systems, applications and services documented in the configuration or release database are correct and to inspect its systems for security vulnerabilities, by performing annual penetration tests on its own systems. These records are to be kept in a retrievable form and made available in the case that a security audit is performed by Qualtrics.
- Certifications/Attestations. The Contractor is required to submit all current and applicable ISO/BS certifications (e.g. ISO 27001 and ISO 22301), Service Organization Control reports (e.g. SOC 2) or other certifications and attestations on an annual basis, using the electronic means provided by Qualtrics.
- Security Validation by Qualtrics. Qualtrics is entitled to carry out non-invasive security validation on the systems of the Contractor at any time upon prior notification in the case of a request from an external authority, reasonable suspicion of a security incident or findings in documented security audits or other documentation provided to Qualtrics. For this purpose, the confidentiality terms in the Service Agreement apply also to confidential information of Contractor. Qualtrics and the Contractor shall mutually agree to the scope, approach and timing of such testing so that scanning does not interfere with supplier’s normal business operations and performance. Audit results shall contain only relevant information for the services provided to Qualtrics. If security vulnerabilities are discovered during the check, the supplier shall take reasonable steps to mitigate the security vulnerabilities and to minimize any damage from the security incident.
- Data Center as Subcontractors. The Contractor must be certified against ISO 27001 as a minimum for all data center services. If data center services are subcontracted by the Contractor, the Contractor must ensure their subcontractors are also ISO 27001 certified as a minimum requirement. In addition, section 3 above (Certifications/Attestations) will apply.
- Security Principles. The Contractor agrees to fulfill the following security principles as stipulated in this section 6:
- Data in transit protection. The Contractor will adequately protect Qualtrics and Qualtrics Customer data transiting networks against tampering and eavesdropping using a combination of network protection and encryption. No unprotected HTTP connections are allowed. TLS, the protocol underlying secure HTTPS connections, must be configured on the connecting server with, at a minimum: TLSv1.2 with forward secrecy; no known insecure cryptographic primitives such as SHA-1 or RC4; and a minimum key size of 2048 bits for RSA and 256 bits for EC. Any other protocols used must be secured and encrypted;
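The TLS floor stated in the item above (TLSv1.2, forward secrecy, no SHA-1 or RC4, RSA 2048 / EC 256) expressed as a checkable server configuration and an audit over it; this is an added example, not Qualtrics' or any supplier's code. It assumes Python's ssl module on OpenSSL 1.1.1 or later; the POLICY_CIPHERS string and the SAMPLE_* entries are my own constructions.

```python
import ssl

# Floors stated in the TOMs for a server terminating TLS.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe")

# OpenSSL cipher string (my choice, not mandated by the TOMs) admitting only
# forward-secret AEAD suites and banning SHA-1 MACs and RC4. TLS 1.3 suites
# are governed separately by OpenSSL and are always forward-secret.
POLICY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!SHA1:!RC4"

def policy_context() -> ssl.SSLContext:
    """Server-side SSLContext configured to the TOMs minimums."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(POLICY_CIPHERS)
    return ctx

def audit_cipher(c: dict) -> list:
    """Policy findings for one entry in the shape of SSLContext.get_ciphers()."""
    findings = []
    # 'protocol' is the version that first defined the suite; TLS 1.3 suites
    # report kea 'kx-any' but are always forward-secret, so they are exempt.
    if c.get("protocol") != "TLSv1.3" and c.get("kea") not in FORWARD_SECRET_KX:
        findings.append(f"{c['name']}: no forward secrecy ({c.get('kea')})")
    if (c.get("digest") or "").lower() == "sha1":
        findings.append(f"{c['name']}: SHA-1 MAC")
    if "rc4" in (c.get("symmetric") or "").lower():
        findings.append(f"{c['name']}: RC4 cipher")
    return findings

def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings for a live context: the version floor plus every enabled suite."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum_version {ctx.minimum_version.name} below TLSv1.2")
    for c in ctx.get_ciphers():
        findings.extend(audit_cipher(c))
    return findings

def key_meets_minimum(key_type: str, bits: int) -> bool:
    """Server key size against the TOMs floor (RSA 2048, EC 256); unknown types fail closed."""
    return bits >= MIN_KEY_BITS.get(key_type.upper(), float("inf"))

# Constructed sample entries (not from a live server) showing what gets flagged.
SAMPLE_WEAK = {"name": "AES128-SHA", "protocol": "SSLv3", "kea": "kx-rsa",
               "symmetric": "aes-128-cbc", "digest": "sha1"}
SAMPLE_OK = {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
             "kea": "kx-ecdhe", "symmetric": "aes-256-gcm", "digest": None}
```

Running `audit_context(policy_context())` on a compliant build returns no findings, while `audit_cipher(SAMPLE_WEAK)` reports both the RSA key exchange (no forward secrecy) and the SHA-1 MAC.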
- Asset protection and resilience. The Contractor will protect Qualtrics and Qualtrics Customer data, and the assets storing or processing it, against physical tampering, loss, damage or seizure. Controls will exist on the following: physical location and legal jurisdiction; data center security or security of the location of data; data at rest protection (physical access to data); data sanitization (off-boarding process); equipment disposal; physical resilience and availability (IT disaster recovery/business continuity);
- Separation of data. The Contractor will ensure that separation exists between different data involved in a service to prevent malicious or compromised users from affecting the service or data of another service;
- Governance. The Contractor will govern security to coordinate and direct their overall approach to the management of the service and information within: industry standard security policies and security standards; defined responsibilities and risk based decision-making authority processes;
- Operational security. The Contractor will have processes and procedures in place to ensure the operational security of the service provided, including: configuration and change management; security patch management; vulnerability management; protective monitoring; security incident management; secure decommissioning;
- Personnel security. The Contractor will ensure that personnel security screening and/or security education is performed regularly and is adequate for all resources utilized to provide the contracted services to Qualtrics;
- Secure development. The Contractor ensures that all software and services used by the Contractor to provision the Contractor services, including those developed by the Contractor and those provided by others, have been developed following a software development lifecycle process which includes industry best practices for achieving and sustaining the required security qualities for confidentiality, integrity and availability protection. In addition, software security vulnerabilities (see, for example, the OWASP Top Ten or CWE listings) shall be avoided. The expected security measures and controls applied to software provisioning, such as security education of the development workforce, secure architecture and design principles, secure coding practices, security testing methods and tools applied, security response to react in a timely manner to applicable software vulnerabilities that become known, as well as application security controls embedded and enforced by the software itself, such as identity management, authentication, authorization, encryption etc., shall be adequate to meet relevant business, technology and regulatory risks according to international standards such as ISO/IEC 27034. The Contractor has procedures in place to ensure the integrity of software updates and can demonstrate that precautions are taken to ensure that any own, third-party or open-source software used for providing the Contractor services does not contain known backdoors, viruses, trojans or other kinds of malicious code. The Contractor will ensure that Qualtrics is provided with the tools required to help Qualtrics securely manage the service;
- Identity and authentication. The Contractor will ensure that access to all service interfaces (for consumers and providers) is constrained to authenticated and authorized individuals. Integration with an identity and access management provider (SAML 2.0) is required;
- External interface protection. The Contractor will ensure that all external or less trusted interfaces of the service are identified and have appropriate state of the art protections to defend against attacks through them;
- Secure services administration. The Contractor will ensure that the methods used by administrators to manage the operational service are designed to mitigate any risk of exploitation that could undermine the security of the service. Remote administration sessions must be encrypted and use at least two-factor authentication; access to the systems administered must be restricted by means of access control lists to IP addresses used by the Contractor; and all access must be logged; and
- Availability management. The Contractor will monitor and document the reliability, maintainability, serviceability and availability of a system or service on a continuous basis. Contractor agrees that all products or services licensed to Qualtrics, other than beta-stage products which are on their face clearly not subject to the same terms and conditions as final released products, will be accompanied by a Service Level Agreement identifying a minimum availability percentage (SLA); Contractor furthermore agrees that if no such SLA exists, it will ensure a minimum availability of 99.99% per month.
- Rights to Information and Examination. The Contractor will ensure that Qualtrics has the rights to information and examination for the relevant supervisory authorities, Qualtrics, its internal auditing department and its auditors of financial statements (Examiners).