Security Addendum

This Security Addendum is part of your Agreement with BuildQ. Any capitalized terms used but not defined in this Security Addendum have the meaning set forth in BuildQ Services Agreement (“Agreement”). The computing services utilized to offer the Services are cloud-based and provided to BuildQ via one or more cloud service providers and represent the “Cloud Environment.”

1. BuildQ Audits and Certifications

1.1 The information security management system used to provide the Service will be assessed by third-party auditors as described in the following audits and certifications (“Third-Party Audits”) on not less than an annual basis: SOC 2 Type II.

1.2 Evidence of completion of Third-Party Audits may be shared with Customer upon reasonable request to BuildQ.

1.3 To the extent that BuildQ decides to discontinue a Third-Party Audit, BuildQ will adopt an equivalent, industry-recognized framework.

2. Encryption

2.1 BuildQ encrypts sensitive information in its control wherever practicable through the use of encryption algorithms that meet or exceed industry standards, which may (at the time of drafting) include or exceed AES-256 for data at rest, TLS 1.2 (or better) for sensitive data in transit, and similar. BuildQ does not permit the transmission of plaintext sensitive data in its control over public or untrusted networks without supplemental security controls.

2.2 BuildQ will take all commercially-reasonable measures to responsibly deploy and protect encryption keys, including (i) regular rotation of encryption keys, (ii) hardware security modules to safeguard critical or onboard encryption keys, and (iii) logical controls to separate encryption keys from Customer Materials. Nothing in this section shall require BuildQ to implement controls or encryption algorithms that are not commercially reasonable, industry standard, or that result in substantial impairment to the usefulness or functionality of information systems by a valid user. For the avoidance of doubt, to the extent that BuildQ leverages third parties to provide the Services (including, but not limited to, cloud service providers), BuildQ may comply with this Paragraph by requiring such third parties to take such measures on BuildQ’s behalf.

3. System and Network Security

3.1 BuildQ personnel access to our Cloud Environment is facilitated through a unique user ID and is assigned consistent with the principle of least privilege. Access requires valid user credentials, multi-factor authentication, and passwords meeting or exceeding reasonable length and complexity requirements.

3.2 BuildQ personnel will not access Customer Material except (i) to provide or support the Service or (ii) to comply with the law or a binding order of a governmental body.

3.3 In accessing our Cloud Environment, our personnel utilize security controls that include encryption and that also include endpoint detection and response tools which are reasonably configured to monitor and alert for suspicious activities, malicious code, and vulnerability management as described in Section 4.7.

3.4 Our Cloud Environment leverages industry-standard threat detection tools with routine signature updates, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code. While BuildQ may evaluate Customer Materials for security risk, BuildQ shall not be responsible for monitoring Customer Materials for malicious code. Customer shall be responsible for ensuring that any Customer Materials submitted by or on Customer’s behalf are free of malicious code.

3.5 BuildQ engages a competent third party to conduct penetration tests of relevant systems used to provide the Service at least annually. Summary results of such penetration tests may be made available to you as described in Section 1.2 of this Security Addendum, and contain, at a minimum: (i) the name of the penetration testing organization, (ii) the date(s) of the penetration test, (iii) the scope of the penetration test, (iv) the mode of test / testing approach, and (v) a brief summary of the findings. Such assessments will ordinarily include tests for relevant security vulnerabilities identified by the Open Web Application Security Project (OWASP), including cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection (SQLi), authentication and authorization vulnerabilities, and others.

3.6 BuildQ uses automated tools to scan publicly available vulnerability databases (e.g. the National Vulnerability Database (NVD) or similar) for vulnerabilities in software that may be utilized by us. BuildQ addresses such vulnerabilities in a timely manner.

3.7 Where appropriate, we may limit the scope of a penetration test contemplated by this section to a simulated or ‘sandbox’ environment, provided that the value of the penetration test is not materially prejudiced by the use of simulated assets.

3.8 For the avoidance of doubt, any materials generated in the course of or as a result of a penetration test contemplated by this Addendum shall be held as strictly confidential in accordance with, as applicable, any non-disclosure agreement(s) entered into between the parties and/or applicable laws governing the protection or nondisclosure of such materials.

4. Administrative Controls

4.1 BuildQ personnel are required to sign confidentiality agreements and are required to acknowledge responsibility for reporting security incidents involving Customer Materials.

4.2 BuildQ removes access to critical systems (including systems containing Customer Materials) for all separated personnel within 1 day and removes access to all systems within 3 days. BuildQ additionally reviews the access privileges of its personnel to its cloud environment regularly.

4.3 BuildQ reviews external threat intelligence, including US-CERT vulnerability announcements and other trusted sources of vulnerability reports. US-CERT announced vulnerabilities rated as critical or high are prioritized for remediation.

4.4 BuildQ will conduct reasonable background screening checks for all personnel in accordance with applicable law. The scope and extent of background check will be reasonably commensurate with the nature and sensitivity of the individual’s role, but will generally include, at a minimum and to the extent permitted under applicable law: (i) ID check, and (ii) right to work check.

5. Physical Data Center Controls

5.1 Our Cloud Environment is maintained by one or more cloud service providers. We ensure that our cloud service providers’ data centers have appropriate controls as audited under their third-party audits and certifications. Each cloud service provider will have a SOC 2 Type II annual audit and ISO 27001 certification, or industry-recognized equivalent frameworks. Such controls include:

  • Physical access to facilities is controlled at building ingress points;
  • Visitors are required to present ID and must be signed in;
  • Physical access to servers is managed by access control devices;
  • Physical access privileges are reviewed regularly;
  • Facilities utilize monitoring and alarm response procedures;
  • Facilities utilize CCTV;
  • Facilities have adequate fire detection and protection systems;
  • Facilities have adequate back-up and redundancy systems; and
  • Facilities have appropriate climate control systems.

5.2 BuildQ does not maintain physical offices other than for limited corporate and executive purposes. Under no circumstances are Customer Materials stored or hosted at such offices.

6. Incident Detection and Response

6.1 If BuildQ becomes aware of any event that leads to the unauthorized destruction, loss, alteration, unauthorized disclosure of, or access to Customer Materials (a “Security Incident”), BuildQ will notify Customer without undue delay, and in any case within 72 hours after becoming aware of the Security Incident. You will be notified at the security notice email address indicated on Your currently operative order form or as otherwise determined appropriate by BuildQ. In the event that such Security Incident triggers legal reporting obligations pursuant to applicable data breach reporting laws, BuildQ will cooperate with You in good faith to comply with applicable breach notification laws, which may include (but not be limited to): issuing data breach notification letters to individuals on your behalf upon reasonable request from You, reporting to regulators where required, and otherwise cooperating with You in good faith to comply with all applicable legal regulations. Nothing in this Section shall require BuildQ to undertake efforts where the underlying events occurred as a result of misconduct, negligence, or compromise by any person or entity other than BuildQ.

6.2 In the event of a Security Incident as described above, BuildQ will promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.

6.3 BuildQ will provide You with timely information about the Security Incident, including the nature and consequences of the Security Incident, the status of our investigation, and a contact point from which additional information may be obtained. BuildQ will also share information about the measures taken or proposed by BuildQ to mitigate or contain the Security Incident after the investigation into the Security Incident has concluded. Customer acknowledges that because BuildQ personnel may not have visibility into the content of Customer Materials, it may be the case that we are unable to provide a detailed analysis of the type of Customer Data and Content impacted by the Security Incident. Communications in connection with a Security Incident will not be construed as an acknowledgment by BuildQ of any fault or liability with respect to the Security Incident.

6.4 Nothing in this section shall require BuildQ to provide information, communications, or records that contain trade secrets, pertain to other BuildQ customers, are speculative or tentative, or are subject to the attorney-client privilege or work product doctrine as applicable. Customer acknowledges that any representations made by BuildQ with respect to the existence and scope of a Security Incident may be based on tentative, inaccurate, or incomplete information and, as such, may be subject to change as additional information becomes available.

7. Audit Logging

7.1 BuildQ will take reasonable steps to create, protect, and retain information system audit records to the extent needed to maintain integrity, and will enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. The logging measures contemplated by this paragraph shall, to the extent reasonably practicable and commensurate with industry standards, ensure that the actions of human information system users can be uniquely traced to those users’ accounts.

7.2 Audit logs are retained for a reasonable period of time and up to one year. Relevant logs may be retained longer at BuildQ’s sole discretion.

8. Customer Audit Rights

8.1 Upon reasonable request and no more often than once per calendar year, at no additional cost to Customer, BuildQ will provide You and/or Your appropriately qualified third-party representative (collectively, the “Auditor”) access to reasonably requested documentation evidencing our compliance with our obligations under this Security Addendum (“Audit Reports”). Where an Auditor is a third party, such third party will be required to execute a separate confidentiality agreement with BuildQ prior to any audit, penetration test, or review of Audit Reports, and BuildQ may object in writing to such third party if in BuildQ’s reasonable opinion the third party is not suitably qualified. Any such objection will require You to appoint another third party to review such Audit Reports. BuildQ is not responsible for any expenses incurred by an Auditor in connection with any review of Audit Reports.

8.2 Once a year, You may submit reasonable security questionnaires (not to exceed 50 questions total) and requests for updated security documentation, and BuildQ commits to provide results within a timely fashion and at BuildQ’s own cost. BuildQ shall not be obligated to respond to any questions provided over and above the 50-question limit contemplated by this paragraph, including any subparts.

8.3 In the event of a Security Incident involving Customer Materials, BuildQ may engage a forensic specialist or similar firm at its own cost, and to the extent that your Customer Materials are impacted, BuildQ will provide the results of such a report to You in a timely fashion.

8.4 For the avoidance of doubt, any materials generated in the course of or as a result of an audit or evaluation contemplated by this Addendum shall be held as strictly confidential in accordance with, as applicable, any non-disclosure agreement(s) entered into between the parties and/or applicable laws governing the protection or nondisclosure of such materials.

9. Customer Responsibilities

9.1 It is your responsibility to ensure that you are authorized to use any Customer Materials with the Services and that your usage complies with relevant legal and regulatory obligations.

9.2 You are responsible for managing and securing Your methods of access to the Services (for example, passwords, SSO connections, email inboxes used for email-code authentication, etc.). User credentials must be kept confidential and may not be shared with unauthorized parties. A single account may not be shared among multiple persons. You must report any suspicious activities related to Your account(s) (such as actual or suspected account misuse or compromise) to BuildQ promptly. Such report shall be made as soon as possible upon discovery, but in no event later than 24 hours from the point at which the suspicious activity was actually known to You or, through reasonable diligence, should have been discovered by You or Your agents.

9.3 You are responsible for keeping your relevant IT systems (such as the browser You use to access the Service) up-to-date and appropriately patched.