Security Program Addendum
Effective as of January 18, 2022
LaunchDarkly has implemented and shall maintain a commercially reasonable information security program, which shall include technical and organizational measures designed to ensure an appropriate level of security for Customer Data taking into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer Data, and the nature of the Customer Data to be protected having regard to the state of the art and the cost of implementation. This document communicates the security program applicable to the LaunchDarkly Service, in accordance with LaunchDarkly’s Terms of Service or Master Service Agreement as applicable (collectively, the “Agreement”). Except as otherwise modified or defined herein, capitalized terms shall have the same meaning as in the Agreement.
1. Security Program.
1.1. ISO27001-based Information Security Management System (ISMS). LaunchDarkly shall maintain an ISMS risk-based security program to systematically manage and protect the organization’s business information and the information of its customers and partners. With respect to the LaunchDarkly Service, LaunchDarkly has completed a SOC 2 Type 2 audit and ISO 27001 certification. LaunchDarkly will complete a SOC 2 Type 2 audit annually and maintain ISO 27001 certification throughout the term of the Agreement or until such time as LaunchDarkly receives any industry certification applicable to the LaunchDarkly Service which replaces such certifications. Upon written request from Customer, LaunchDarkly will provide a copy of such then-current certifications and audit reports subject to confidentiality terms.
1.2. Security Governance Committee. LaunchDarkly shall maintain a security committee comprised of leaders across business units that oversees the company’s security program. This committee shall meet regularly to review the operational status of the ISMS (including risks, threats, remediation actions, and other security-related issues) and drive continuous security improvement throughout the business.
1.3. Security Incident Response Policy. LaunchDarkly shall maintain policies and procedures to (1) investigate and respond to security incidents, including procedures to assess the threat of relevant vulnerabilities or security incidents using defined incident classifications and categorizations and (2) establish remediation and mitigation actions for events, including artifact and evidence collection procedures and defined remediation steps.
1.4. Policy Maintenance. All security and privacy related policies shall be documented, reviewed, updated, and approved by management at least annually.
1.5. Communication and Commitment. Security and privacy policies and procedures shall be published and communicated to all relevant and applicable personnel and subcontractors. Security shall be addressed at the highest levels of the company with executive management regularly discussing security issues and leading company-wide security initiatives.
2. Personnel Security.
2.1. Background Screening. Personnel who have access to Customer Data shall be subject to background screening (as allowed by local laws) that shall include verification of identity, right to work, and academic degrees, and a check of criminal records and sex offender registries.
2.2. Confidentiality Obligations. Personnel who have access to Customer Data shall be subject to a binding contractual obligation with LaunchDarkly to keep the Customer Data confidential.
2.3. Security Awareness Training. Personnel shall receive training upon hire and at least annually thereafter covering security practices and privacy principles.
2.4. Code of Conduct. LaunchDarkly shall maintain a code of conduct and business ethics policy requiring ethical behavior and compliance with applicable laws and regulations.
3. Third-Party Security.
3.1. Screening. LaunchDarkly shall maintain policies and procedures designed to ensure that all new sub-processors, SaaS applications, IT software, and IT service solutions are subject to reasonable due diligence to confirm their ability to meet corporate security and compliance requirements as well as business objectives.
3.2. Contractual Obligations. LaunchDarkly shall maintain controls designed to ensure that contractual agreements with sub-processors include confidentiality and privacy provisions as appropriate to protect LaunchDarkly’s interests and to ensure LaunchDarkly can meet its security and privacy obligations to customers, partners, employees, regulators, and other stakeholders.
3.3. Monitoring and Review. As practicable, LaunchDarkly shall periodically review existing third-party sub-processors in a manner designed to ensure the sub-processor’s compliance with contractual terms, including any security and availability requirements. This review program shall review sub-processors at least annually (regardless of length of contractual term) to determine whether the sub-processor/solution is still meeting the company’s objectives and the sub-processor’s performance, security, and compliance postures are still appropriate given the type of access and classification of data being accessed, controls necessary to protect data, and applicable legal and regulatory requirements.
4. Physical Security.
4.1. Corporate Data Center Security. LaunchDarkly’s systems used to process Customer Data shall be protected by measures designed to control logical or physical access; equipment used to process Customer Data cannot be upgraded or reconfigured without appropriate authorization and protection of the information; and Customer Data shall be disposed of in a manner that would prevent its reconstruction.
4.2. LaunchDarkly Service Data Center Security. LaunchDarkly leverages Amazon Web Services (AWS) data centers for hosting the LaunchDarkly Service. AWS follows industry best practices and complies with numerous standards. Details on AWS data center physical security are available at https://aws.amazon.com/compliance/data-center/controls/.
5. Solution Security.
5.1. Software Development Life Cycle (SDLC). LaunchDarkly shall maintain a software development life cycle policy that defines the process by which personnel create secure products and services and the activities that personnel must perform at various stages of development (requirements, design, implementation, verification, documentation and delivery).
5.2. Secure Development. Product management, development, test and deployment teams are required to follow secure application development policies and procedures that are aligned to industry-standard practices, such as the OWASP Top 10.
5.3. Vulnerability Assessment. LaunchDarkly shall conduct risk assessments, vulnerability scans and audits (including third-party penetration testing of a representative instance of the LaunchDarkly Service at least annually). Identified product solution issues shall be scored using the Common Vulnerability Scoring System (CVSS) risk-scoring methodology based on risk impact level and the likelihood and potential consequences of an issue occurring. Vulnerabilities are remediated on the basis of assessed risk. Upon the written request of Customer, LaunchDarkly shall provide an executive summary of the most recent third-party penetration test to Customer.
6. Operational Security.
6.1. Access Controls. LaunchDarkly shall maintain policies, procedures, and logical controls to establish access authorizations for employees and third parties. Such controls shall include:
6.1.1. requiring unique user IDs to identify any user who accesses systems or Customer Data;
6.1.2. managing privileged access credentials in a privileged account management (PAM) system;
6.1.3. requiring that user passwords are (a) of sufficient length; (b) stored in an encrypted format; (c) subject to reuse limitations; and
6.1.4. automatically locking out users’ IDs when a number of erroneous passwords have been entered.
6.2. Least Privilege. Personnel shall only be permitted access to systems and data as required for the performance of their roles; only authorized personnel are permitted physical access to infrastructure and equipment; authorized access to production resources for the LaunchDarkly Service is restricted to employees requiring access; and access rights are reviewed and certified at least annually.
6.3. Malware. LaunchDarkly shall utilize measures intended to detect and remediate malware, viruses, ransomware, spyware, and other intentionally harmful programs that may be used to gain unauthorized access to information or systems.
6.4. Encryption. LaunchDarkly shall use Internet industry-standard encryption methods to protect data in transit and at rest as appropriate to the sensitivity of the data and the risks associated with loss; all laptops and other removable media, including backups, on which Customer Data is stored shall be encrypted.
6.5. Business Continuity and Disaster Recovery (BCDR). LaunchDarkly shall maintain formal BCDR plans designed to ensure LaunchDarkly’s systems and services remain resilient in the event of a failure, including natural disasters or system failures, and such plans shall be reviewed, updated, and approved by management at least annually.
6.6. Data Backups. LaunchDarkly shall back up data and systems using alternative site storage available for restore in case of failure of the primary system. All backups shall use Internet industry-standard encryption methods to protect backups in transit and at rest.
6.7. Change Management. LaunchDarkly shall maintain change management policies and procedures to plan, test, schedule, communicate, and execute changes to the infrastructure, systems, networks, and applications applicable to the LaunchDarkly Service.
6.8. Network Security. LaunchDarkly shall implement industry-standard technologies and controls designed to protect network security, including firewalls, intrusion detection systems, monitoring, and network segmentation. Networks shall be designed and configured to restrict connections between trusted and untrusted networks, and network designs and controls shall be reviewed at least annually.
6.9. Data Segregation. LaunchDarkly shall implement logical controls, including logical separation, access controls and encryption, to segregate Customer’s Personal Data from other Customer and LaunchDarkly data in the LaunchDarkly Service. LaunchDarkly shall additionally ensure that production and non-production data and systems are separated.