Security Exhibit

Introduction

 

This security policy outlines essential confidentiality, privacy, and data security practices (“Practices”) pertaining to the Customer Data provided to Ping Identity in order for Ping Identity to fulfill its obligations under the Agreement. These Practices incorporate the actions necessary to adhere to Ping Identity’s policies and procedures defined by its Information Security Program (“Security Program”).

 

Ping Identity may update or modify these Practices from time to time provided such updates and modifications will not result in a degradation of the overall security of the Products and/or Support Services during the term of the Agreement.  These Practices may not apply to Beta Versions.

 

Capitalized terms have the meaning defined herein and certain terms are defined at the end of this document.

 

Security Attestation and Risk Management

 

Security Attestation.  Ping Identity will maintain SSAE18 SOC 2 and ISO 27001:2013 certifications or their equivalents during the term of the Agreement.  Ping Identity engages an independent third party to conduct annual security testing of all commercial Products and its corporate IT network.

 

Upon Customer’s reasonable written request at any time during the term of the Agreement, Ping Identity will promptly provide Customer with information related to Ping Identity’s information security safeguards and practices, which may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant third party audits, reviews, tests, or certifications of Ping Identity’s systems or processes, including an annual SOC 2 report; (iii) a summary of Ping Identity’s operational practices related to data protection and security; and (iv) making Ping Identity Personnel reasonably available for security-related discussions with Customer.

 

Risk Management.  Ping Identity maintains a documented risk management program that includes an annual risk assessment approved by senior management. 

 

Personnel

 

Organizational Structure. Ping Identity has a designated individual responsible for managing, coordinating and ensuring Ping Identity’s compliance with the obligations set forth in its Security Program.

 

Acceptable Use. Ping Identity maintains an Acceptable Use Policy (“AUP”) that outlines what is appropriate in the operation and care of hardware, software, and services provisioned to an employee of Ping Identity or to contractors engaged by Ping Identity (excluding Sub-processors, discussed below) (such employees and contractors, “Personnel”).  All Personnel shall be required to sign a Non-Disclosure Agreement and accept the AUP upon hire or engagement and upon material changes to the policy. Violations may be subject to disciplinary action.

 

Personnel Equipment. All endpoint devices of Personnel provisioned by Ping Identity shall have the following:

  • Full-disk encryption and encryption of data in transit
  • Periodic anti-virus and anti-malware scans, with signature updates where feasible
  • Strong password enforcement
  • Multi-factor authentication
  • Mobile device management

 

Training.  All Personnel must attend mandatory security training upon hire and annually thereafter on information security and information security procedures, risks and threats.  Any Personnel who have access to the Service or confidential information are required to attend additional security training, based upon their role and level of access. Ping Identity maintains an established set of procedures designed to ensure all staff promptly report actual and/or suspected security events.

 

Background Checks. Ping Identity conducts or obtains background checks as legally permissible on Personnel in accordance with applicable local law and statutory regulations.

 

Policies, Standards, and Procedures

 

Policies and Standards. Ping Identity maintains policies or standards addressing the following areas:

 

  • Risk Assessment
  • Information Security
  • Acceptable Use
  • Access Control
  • Software Development Lifecycle
  • Change Control Management
  • Vulnerability Management
  • Information Classification and Encryption
  • Data Retention
  • Incident Response
  • Backup and Recovery
  • Business Continuity

     

 

Security Response. Ping Identity monitors for actual or reasonably suspected (a) unauthorized or unlawful access to or disclosure, loss, exposure or use of any Customer Data, or (b) unauthorized access to any facility, computer network or system containing any Customer Data (collectively, “Security Incidents”).  Ping Identity shall promptly take all steps necessary to mitigate the damages caused by any Security Incident upon discovery.

 

Backup & Availability. Customer Data and the Service are replicated across multiple hosted datacenters within the same geographic region. Backups are performed on a periodic basis, encrypted, and remotely stored.

 

Business Continuity Program. Ping Identity maintains a program designed to ensure that the necessary steps will be taken to develop and maintain viable recovery strategies and business continuity plans.  Ping Identity will perform testing, conduct exercises, and provide training and enhancements to its business continuity program designed to ensure the continuity of the Products in the event of a disaster.

 

Data Handling and Protection

 

Data Regionalization. With respect to Ping Identity’s Service, Customer may select the data center region(s) in which Customer Data is stored. Customer Data may be transferred to and/or allowed to be accessed by Personnel located in the regions set forth at https://www.pingidentity.com/data-supplement for Service operations and Support Services. Operational log files and files submitted for analysis by Ping Identity’s Support Services are stored in the United States.

 

Customer Data in Transit. Interactions between Users and any connections containing Customer Data are protected using a standard cryptographic protocol such as Transport Layer Security (“TLS”).

 

Customer Data at Rest. Customer Data in the Service is encrypted with standard encryption algorithms.

 

Global Configuration Data. All configuration data is secured and encrypted in its own network compartment.

 

Encryption Algorithms. Ping Identity will utilize standard production cipher suites providing at least AES-256 symmetric encryption with SHA-2 integrity protection and 2048-bit asymmetric keys, or equivalent strength.

 

Service Encryption. Each account is configured with its own unique key, so that assertions issued for other accounts are not processed. Audit logs track all Users who log in and which applications they access.

 

Multi-tenancy and Data Segregation. Ping Identity will create, implement and maintain no less than industry standard logical data segregation in a multi-tenant environment designed to ensure Customer Data is not viewable by unauthorized Users. Ping Identity logically isolates Customer Data, and the Customer controls the specific data stored in the Service.
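The per-account key described under Service Encryption, and the logical segregation described under Multi-tenancy and Data Segregation, can be illustrated with the following added example. It is not Ping Identity's code: every account holds its own key, and an assertion is checked only against the key of the account it is presented to, so a correctly signed assertion for account A is rejected by account B. HMAC-SHA256 stands in for the signatures a real product would use; the account identifiers, keys and audit log entries are constructed for this example.

```python
"""Per-account keys and tenant isolation (added example, not Ping Identity's
code). Account ids, keys and the audit trail are constructed for the demo."""
import base64
import binascii
import hashlib
import hmac
import json
import os

# Constructed key store: an independent key per account, never shared.
ACCOUNT_KEYS = {
    "acct-a": os.urandom(32),
    "acct-b": os.urandom(32),
}

# Constructed audit trail: which subject presented an assertion to which account.
AUDIT_LOG = []


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(account_id, subject, issued_at):
    """Sign a minimal assertion with the issuing account's own key."""
    claims = {"aud": account_id, "sub": subject, "iat": issued_at}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ACCOUNT_KEYS[account_id], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(receiving_account, token):
    """Return the claims if the token verifies under the receiving account's
    key, otherwise None. The key is selected by the receiving account, never
    by a field inside the token, so a token cannot pick the key that checks it."""
    key = ACCOUNT_KEYS.get(receiving_account)
    if key is None:
        return None
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        claims = json.loads(body)
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except (ValueError, binascii.Error):
        AUDIT_LOG.append((receiving_account, None, "malformed"))
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; the audience must also name this very account.
    if not hmac.compare_digest(expected, sig) or claims.get("aud") != receiving_account:
        AUDIT_LOG.append((receiving_account, claims.get("sub"), "rejected"))
        return None
    AUDIT_LOG.append((receiving_account, claims["sub"], "accepted"))
    return claims
```

The important design choice is that verify_assertion never reads a key identifier out of the token; the receiving account alone determines which key is tried, and the audience claim is checked in addition, so neither a cross-account replay nor a body swapped between two tokens of the same account is accepted.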

 

Data Return and Deletion. Ping Identity provides customers a mechanism that can be used to delete their User data. If Customer is unable to delete its Customer Data, and Ping Identity does not need to retain such data for regulatory requirements, Customer Data may be deleted upon request, except for backups and monitoring data which will be deleted per Ping Identity’s data retention policy of no more than two years. In the event that the deletion of Customer Data would be unduly burdensome or cost prohibitive, Ping Identity will continue to protect the Customer Data as set forth in the Agreement.

 

Customer Data Handling. Ping Identity maintains appropriate data security controls addressing the following areas:

  • Logical access controls, including user sign-on identification and multi-factor authentication
  • Data access controls (e.g., password complexity requirements and hashed password storage)
  • Temporary account lockout after multiple authentication failures
  • Authentication failure messages that do not indicate whether the username or the password was incorrect
  • Inactivity timeout that logs the user out and requires re-authentication to access the Service
  • Restricted ability to download Customer Data to disk
  • Auditing and logging of all access to production data
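Four of the controls in the list above (hashed password storage, a uniform failure message, temporary lockout after repeated failures, and an inactivity timeout) are shown together in the following added example. It is illustrative code, not Ping Identity's; the failure threshold, lockout duration, idle timeout and PBKDF2 iteration count are assumed values chosen for the example and are not figures taken from this exhibit.

```python
"""Login controls (added example, not Ping Identity's code). Thresholds,
durations and the iteration count are assumed values for the demo."""
import hashlib
import hmac
import os
import time

# Assumed policy values (not stated in the exhibit).
MAX_FAILURES = 5              # consecutive failures before temporary lockout
LOCKOUT_SECONDS = 15 * 60     # how long the lockout lasts
INACTIVITY_SECONDS = 30 * 60  # idle time after which a session is discarded
PBKDF2_ITERATIONS = 100_000   # kept low for the demo; production uses far more

# One message for every failure mode, so responses cannot enumerate usernames.
GENERIC_FAILURE = "Invalid username or password."

_users = {}      # username -> (salt, pbkdf2 hash); constructed, no real users
_failures = {}   # username -> (consecutive failure count, locked_until)
_sessions = {}   # session token -> (username, last activity time)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: a stolen store cannot be reversed cheaply."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username, password):
    _users[username] = hash_password(password)


# Verified for unknown usernames so the response time does not differ
# between "no such user" and "wrong password".
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy-password-never-accepted")


def login(username, password, now=None):
    """Return (ok, message, session_token). The message is identical for an
    unknown user, a wrong password and a locked account."""
    now = time.time() if now is None else now
    count, locked_until = _failures.get(username, (0, 0))
    if now < locked_until:
        return False, GENERIC_FAILURE, None
    if locked_until:
        count = 0  # lockout has expired: start a fresh failure count

    salt, stored = _users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in _users
    if not ok:
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0
        _failures[username] = (count, locked_until)
        return False, GENERIC_FAILURE, None

    _failures.pop(username, None)
    token = os.urandom(32).hex()
    _sessions[token] = (username, now)
    return True, "OK", token


def access(token, now=None):
    """Validate a session on each request; an idle session is destroyed and
    the user must authenticate again."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return False
    username, last_activity = entry
    if now - last_activity > INACTIVITY_SECONDS:
        del _sessions[token]
        return False
    _sessions[token] = (username, now)
    return True
```

The `now` parameter exists so the lockout and idle-timeout behaviour can be exercised deterministically; in service code it would simply be the current time. Note that a locked account returns the same generic message even when the correct password is supplied, which is what keeps the lockout from leaking whether the password was right.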

 

Personnel are prohibited from copying Customer Data to removable media.

 

All production servers are hardened, monitored or have anti-virus and anti-malware protection software installed and updated periodically. 

 

Secure Application Development

 

Least Privilege. Only authorized Personnel with a specific business purpose shall be allowed access to production and development resources and all access shall be appropriately approved.

 

Manual Code Review. Ping Identity requires a secure code review and peer review for all Products.

 

Automated testing. Ping Identity engineers are required to test each build prior to deployment to the production environment.

 

Management of Vulnerabilities. Ping Identity conducts a software vulnerability scan on all Products.  To the extent that scan identifies any critical or high risk vulnerabilities as determined by Ping Identity, Ping Identity will remediate those vulnerabilities prior to release. All other identified vulnerabilities will be addressed according to Ping Identity’s vulnerability management standard.

 

Change Management. All changes must contain documentation and relevant rollback plans. Each change is reviewed, approved, and tested prior to Service deployment or Software release.

 

Hosting Infrastructure Protection

 

Data Centers. Ping Identity’s Service is provided through geographically distributed, redundant, and secure data centers operated by third party(ies). Ping Identity relies on the physical and environmental controls of such third party(ies), and reviews their controls to confirm adequate controls are in place and designed to protect the confidentiality, integrity and availability of the Service.

 

Data Center Controls. All data centers are SOC 2 or equivalent compliant facilities that provide redundant street power, redundant backup generators, and redundant cooling systems. Network connectivity is provided through multiple Tier 1 providers. Network Operations Centers (“NOC”) are located on site and manned 24x7x365.  NOC personnel are trained to handle all aspects of security for the facility. Physical access to all datacenter floor space is secured according to industry standards, which measures may include security cameras, proximity cards, biometric scanners, mantraps, and complete access logging, or equivalent measures.

 

Sub-processor Security

 

Ping Identity conducts security assessments of its sub-processors that process Customer Data (“Sub-processors”). Ping Identity reviews Sub-processors periodically to ensure effectiveness of their security operational practices.

 

Change of Sub-processors.  Ping Identity’s current Sub-processors are listed at https://www.pingidentity.com/data-supplement.  In the event of the addition of a new Sub-processor, Ping Identity will provide notice to Customer (which notice may be provided through email, updates to https://www.pingidentity.com/data-supplement, or such other reasonable means). Following such update, Customer will have ten (10) business days to reasonably object that such change causes Customer to be in violation of applicable data protection laws and regulations. In the event that Customer has not provided an objection to such changes within ten (10) business days, Customer will be deemed to have waived its right to object and to have consented to the use of the new Sub-processor. In the event that Customer reasonably objects to such change, Ping Identity may, in its sole discretion, use commercially reasonable efforts to (1) offer an alternative to provide the Service to Customer; (2) take the corrective steps requested by Customer in its objection and proceed to use the new Sub-processor; or (3) cancel its plans to use the Sub-processor. If Ping Identity is unable or unwilling to achieve one of (1) through (3) in its sole discretion and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Ping Identity’s receipt of the objection, Customer may, as its sole and exclusive remedy for such change, terminate its applicable subscriptions from Ping Identity with respect only to those aspects of the Service which cannot be provided by Ping Identity without the use of the new Sub-processor.  In such event, Ping Identity will refund Customer any unused, prepaid fees for the applicable Service covering the remainder of the subscription term after the date of termination.

 

Definitions

 

"Agreement" means the subscription or other end user agreement between Ping Identity and Customer governing Customer’s use of the Products.

 

"Beta Versions" mean beta, preview or other pre-release Products or features.

 

"Customer" means the customer of Ping Identity that has entered into the Agreement with Ping Identity to which these Practices apply.

 

"Customer Data" means all electronic data or information submitted by Customer and its Users to the Service. 

 

"Ping Identity" means Ping Identity Corporation and its subsidiaries.

 

"Products" means the Software and Service.

 

"Service" means web-based or mobile applications provided by Ping Identity to Customer.

 

"Software" means the Ping Identity software programs downloaded and/or installed by Customer.

 

"Support Services" means those maintenance and support services that Customer obtains from Ping Identity for the Products.

 

"Users" means (i) individuals who have been granted administrative permissions by Customer to the Service, (ii) individuals who are provisioned by Customer to utilize the Service in connection with Customer’s use of the Service, and/or (iii) entities authorized by Customer to transmit information through the Service to Customer as well as any individuals associated with such entities. 

 

Archived - Security and Operational Procedures (September 26, 2018)

Archived - Security and Operational Procedures (February 21, 2017)