Security Annex

This TraceLink Security Annex supplements the executed written agreement between you, the Customer, and TraceLink, Inc. (the “Agreement”). In case of a conflict between this Security Annex and the Agreement, the Agreement shall prevail. Capitalized terms used herein that are not defined shall have the meaning set forth in the Agreement.

1. Security of Data Processing

TraceLink has implemented and will maintain technical and organizational measures inclusive of administrative, technical, and physical safeguards to ensure a level of security appropriate to the risk of the data processing for the products and services offered by TraceLink (“Services”) as described in this TraceLink Security Annex (the “Security Measures”). These Security Measures may be changed by TraceLink from time to time during the applicable Term of the Agreement in order to take into account advancements in available security technologies. However, TraceLink will not materially decrease the overall security of the Services during the then-current Term of the Agreement.

The Security Measures include, but will not be limited to, the following measures for ensuring the ongoing confidentiality, integrity, and availability of Customer Data in order to prevent unauthorized access, use, modification, or disclosure of Customer Data:

  1. maintenance of a comprehensive set of security and privacy policies, procedures, and plans that are reviewed on at least an annual basis and provide guidance to the organization regarding security and privacy practices;
  2. performance of background checks on all personnel, to the extent permitted by law, as well as signature of non-disclosure commitments and business ethics prior to employment;
  3. security awareness training, inclusive of acknowledgment and agreement to abide by organizational security policies, for all personnel upon hire and annually thereafter;
  4. encryption of Customer Data in transit and at rest utilizing industry-standard mechanisms;
  5. performance of backups and/or replication to meet the availability and integrity requirements, as well as test restoration capabilities to support recoverability; in accordance with documented procedures;
  6. logging and monitoring of security logs and alerting upon the detection of suspicious activity;
  7. processes and tooling for regularly identifying, assessing, and triaging vulnerabilities based on industry-standard guidelines;
  8. maintain a security incident response plan and readiness to support detection, containment, and remediation of security incidents, and promptly report any confirmed breach of TraceLink’s security procedures which results in unauthorized third-party access to Customer Data;
  9. processes for evaluating prospective and existing sub-processors to ensure that they have the ability and commitment to appropriate technical and organizational measures to ensure the ongoing confidentiality, integrity, and availability of Customer Data;
  10. a process for regularly testing, assessing, and evaluating the effectiveness of administrative, technical, and physical safeguards for ensuring the security of the processing, transmission, or storage of Customer Data through external and internal audits as further described in Section C below; and,

By implementing the Security Measures detailed above TraceLink takes into account the risks that are related to data processing, in particular the ones resulting from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

2. TraceLink Shared Responsibility Model

TraceLink Responsibilities

TraceLink is responsible for the confidentiality, integrity, and availability (the “security”) of the Services and internal TraceLink information technology systems. In addition to those measures detailed in “Security of Data Processing” above, Security Measures include, but are not limited to, server-level patching, vulnerability management, penetration testing, security event logging and monitoring, incident management, operational monitoring, and support and availability in accordance with any applicable TraceLink’s service levels.

TraceLink uses sub-processors for the Services and to support TraceLink as a processor of Customer Data. TraceLink shall remain fully liable for its sub-processors' acts and omissions relating to the performance of the respective Services and shall be responsible for ensuring that obligations under this Security Annex and the Agreement are carried out in accordance with both.

Customer Responsibilities

Customer is responsible for:

  1. security of its connection(s) to access the Services, the security of such link(s), and the security of any endpoints used to access the Services;
  2. account and access management associated with its employees, contractors, agents, trade partners, and data in accordance with Customer’s policies and procedures. This includes:
    • provisioning, modifying, and disabling its user accounts in a timely manner
    • managing role assignments associated with its accounts to ensure
    • ensuring appropriate authentication (via native sign-on settings provided with the Services or integration with separate single sign-on solution)
    • ensuring information sharing configured within the Services aligns with Customer’s business processes and policies for information classification, handling, and protection
  3. ensuring that all Customer's users comply with your obligations under this Security Annex and the Agreement in using TraceLink’s Services, and should you become aware of any violation of your obligations under this Security Annex and the Agreement caused by a Customer user, you will immediately suspend access to the Services by such user; 
  4. reporting to TraceLink, via email to security-alerts [at] tracelink.com, any potential or confirmed security incidents or identified vulnerabilities that may impact the Services; and
  5. ensuring any security testing of the Services is done with TraceLink’s written consent and in accordance with TraceLink’s policy, and in no way includes any unsolicited testing that would result in a denial of service (DoS) or any other harmful actions against the Services.

3. Third Party Audits, Certifications, and Testing

The Security Measures for TraceLink’s platform offerings are subject to periodic testing by independent third-party organizations, inclusive of the following audits, certifications, and assessments:

  • ISO 27001 and ISO 27017
  • SOC 2 / ISAE 3000 Type II
  • Penetration testing

TraceLink will provide evidence of independent review to Customer upon written request and under NDA. Such documents, and the information they contain, are TraceLink Confidential Information and must be handled by Customer accordingly. Such reports may be used solely by Customer to evaluate the design and operating effectiveness of defined controls applicable to the Services and are provided without any warranty.

Customer may perform its own external security testing of the Services in accordance with TraceLink’s written consent and TraceLink’s documented procedures. TraceLink offers its Services in the cloud using AWS and a one-to-many business model that relies on standardization of best practices and industry standards for the benefit of its Customers. It should be noted that AWS does not allow for physical audits of the AWS data centers but instead provides third party audits and certifications. It is for these reasons, among others, that TraceLink’s security program consists of the audits, certifications, and available documentation detailed herein as part of balancing transparency regarding the security and privacy safeguards that TraceLink has implemented, while also satisfying security and privacy requirements as part of security and privacy obligations to TraceLink Customers, and its sub-processors, including AWS.