Teleport Access Plane

Current Supplier Security Requirements Addendum

Updated: June 22, 2022

These Supplier Security Requirements apply to Supplier when it provides Services to Gravitational. Terms used here but not defined here are defined in the Agreement. These Security Requirements are hereby incorporated by reference and shall be bound by all terms of the Agreement, unless otherwise explicitly set forth herein. These Security Requirements are intended to supplement the Agreement. Where there is a conflict between the provisions of these Security Requirements and the Agreement, the provisions of these Security Requirements shall apply.

1. Third-Party Testing and Validation.

1.1. General Testing.

a. Periodic Tests. Supplier shall allow Gravitational, or Gravitational's delegate, to periodically test the security of the Services. When testing Gravitational or its delegate shall: (i) carefully conduct tests that are reasonably designed to safely uncover possible vulnerabilities without undue risk; and (ii) make commercially reasonable efforts to tailor the tests as needed to specifically achieve the purpose of the test.

b. Timing. Gravitational or its delegate may conduct the security tests in Section 1.1 at any time during the term of the Agreement. Gravitational will: (i) provide Supplier with reasonable notice prior to conducting the tests; (ii) promptly inform Supplier of any findings; and (iii) delay further disclosure until Supplier has had reasonable time to resolve issues identified in the findings.

1.2. Vulnerability Disclosure Policy.

a. Generally. Supplier shall publish a Vulnerability Disclosure Policy ("VDP") on its public website. This VDP shall: (i) welcome arbitrary security research; (ii) include all internet-facing assets in scope; (iii) provide safe harbor from the Computer Fraud and Abuse Act ("CFAA") and the Digital Millennium Copyright Act ("DMCA") (and any similar or successor legislation) actions for all good faith research; and (iv) permit responsible disclosure of any vulnerability findings, save that any such disclosure does not violate the confidentiality of Supplier's customers' data.

b. Contact and Service Level Agreement. Supplier shall: (i) post a method by which the public can contact Supplier to report security vulnerabilities; and (ii) use best efforts to respond to these reported security vulnerabilities within a commercially reasonable period of time based on the severity and impact of the vulnerability.

c. Bug Bounty Program. Supplier agrees that Gravitational may make deliverables or results of the Services subject to Gravitational's own Bug Bounty Program ("BBP"). Gravitational will notify Supplier of any material security-related vulnerabilities in the Services or deliverables identified through its BBP. Supplier understands that research and disclosures are governed by Gravitational's BBP, which requires good faith and responsible behavior by participants.

1.3. Application and Network Penetration Testing.

a. Annual Testing. Supplier shall, at least once per year, perform a suite of independent third-party tests. These tests will be performed upon: (i) the Services; (ii) all aspects of Supplier's internet-facing perimeter; and (iii) systems supporting the Services (such as build/release infrastructure). Supplier will supply Gravitational with full details (not just executive summaries) of all third-party tests from the previous year, including names of third-party testers and number of person hours used.

b. Sharing Results. Supplier shall, upon Gravitational's request and under suitable non-disclosure obligations, share with Gravitational: (i) confirmation that the tests required by this Section 1.3 were performed; and (ii) the third-party tests results from Sections 1.3(a)(i) and (ii) above.

1.4. Fixing Issues.

Supplier will fix all critical and high severity vulnerabilities that could affect the security of Gravitational Data, of which Supplier becomes aware, within thirty days of becoming aware of the vulnerability. If Supplier cannot fix the vulnerability within thirty days, Supplier will promptly inform Gravitational, including all details of the risk to Gravitational arising from Supplier's inability to fix the vulnerability.

2. Technical Security Measures.

2.1. Transport Encryption.

Supplier will maintain an SSL Server Test rating (please see https://www.ssllabs.com/ssltest/) of at least "A" for any external website used to store or access Gravitational Data. If Supplier's rating falls below "A," Supplier will: (a) notify Gravitational if this rating is below "A" for two months; and (b) have two months from the date it notifies Gravitational within which to increase its rating back to an "A."

2.2. SAML Authentication Integration.

If the Services include a SaaS service, Supplier will integrate the Services with SAML 2.0 authentication for Gravitational's user authentication needs. This SAML 2.0 authentication integration will be the only method by which Gravitational users log in to the Services.

2.3. Multi-factor Authentication.

Supplier will use a multi-factor authentication ("MFA") login solution for the Services, provided that text or phone call are not acceptable factors. MFA must be used for: (a) any VPN connections into the Supplier's internal networks; (b) any connections into Supplier's production environment; (c) Supplier's e-mail, if it can be accessed from the internet; and (d) any services Supplier uses that contain Gravitational Data.

2.4. Patching.

Supplier will promptly apply any high or critical severity security patches to their production servers, endpoints, and endpoint management systems.

2.5. Detection and Alerting.

Supplier will proactively monitor, detect, and alert its internal security team regarding suspicious or malicious activity within Supplier's production and corporate environments.

2.6. Scanning.

Supplier will run regular automated scans against their internet-facing perimeter, production perimeter, and internal network. Supplier will promptly fix high and critical severity findings.

2.7. Environment Separation and Access.

Supplier will maintain a boundary between its corporate and production environments. Supplier will maintain controls gating access into the production boundary, and Supplier will only provide production environment access to employees or contractors who maintain the production environment.

2.8. Logging.

Supplier will maintain system logs for all systems that access, transmit, or store Gravitational Data for a minimum of one year. Such logs will uniquely identify individual users and their access to associated systems and identify the attempted or executed activities of such users. All systems creating system logs will be synchronized to a central time source. Supplier will secure system logs in a manner to prevent unauthorized access, modification, and accidental or deliberate destruction. Supplier will make available to Gravitational (on a set cycle or upon request by Gravitational) relevant log records concerning Gravitational's use of the Services for ingestion into Gravitational's log management and analysis tool in a manner mutually agreed to by both Supplier and Gravitational.

3. Policy and Compliance.

3.1. Security Incidents.

a. Notification and Timing. Supplier will notify Gravitational in writing of any Security Incident within twenty-four hours of Supplier becoming aware of the Security Incident. This notification is required even if Supplier has not conclusively established the nature or extent of the Security Incident. Supplier will not communicate with any third-party regarding a Security Incident except as specified by Gravitational, or as required by law.

b. Required Information. Supplier's Security Incident notification will describe the known details of the incident, the status of Supplier's investigation, and, if applicable, the potential number of persons affected. Supplier will be solely responsible for all costs associated with any security breach; which includes, if applicable, for notices to and credit monitoring for affected individuals.

3.2. Compliance Certification.

Supplier shall: (a) maintain compliance with at least one of the following: (i) SOC 2; (ii) ISO 27001; or (iii) FedRAMP; (b) provide audit reports or evidence of these certifications to Gravitational upon request; and (c) ensure that all Supplier subcontractors or third-party delegates adhere to the same standards.

3.3. Secure Development Lifecycle.

Supplier shall maintain and follow a Secure Development Lifecycle ("SDL") for the development of its products and services. Supplier's SDL will be supported by at least one full-time security engineer. Supplier will provide Gravitational a copy of its SDL policy and process documents upon request.

3.4. Background Checks.

Supplier shall maintain processes to determine whether a prospective member of Supplier's workforce is sufficiently trustworthy to work in an environment that contains Supplier information systems and Gravitational Data. Without limiting the foregoing, Supplier shall have performed criminal background screening on all of its personnel who will render services and/or have access to Gravitational Data prior to assigning such personnel to provide Services under this Agreement. To the extent permissible under applicable law, such background screening shall at a minimum cover all residences for a seven-year period (for U.S. personnel), or the maximum time period in accordance with local law requirements for non-U.S. personnel.

3.5. Anti-Bribery and Corruption.

Gravitational strictly prohibits bribery or other improper payments in connection with its business operations. This prohibition applies to all business activities, anywhere in the world, whether involving public officials or other commercial enterprises. Supplier and its officers, directors, and employees must adhere to the highest standards of business ethical conduct may not, either directly or indirectly offer or give anything of value to a government official or any other person as an incentive to, or in exchange or as a reward for, obtaining an inappropriate business advantage for Supplier or Gravitational.

3.6. Supporting Information.

Upon Gravitational's request, Supplier will provide its policy and process documents relating to any of the security controls referenced in these Security Requirements to Gravitational.

3.7. Handling of Gravitational Data.

Supplier will not move Gravitational Data from Supplier's production environment unless specifically asked to do so by Gravitational. Specifically, Gravitational Data must not be downloaded to phones or laptops, and must not be shared with third parties. Supplier will delete Gravitational Data permanently upon Gravitational's request.

3.8. Termination of Agreement.

If the Agreement is terminated for any reason, Supplier will, for a period of thirty days from the date of termination, make available a file of Gravitational Data in an industry standard format for download by Gravitational.

4. Modifications.

Gravitational may periodically update these Security Requirements by posting a new version at the following URL: https://goteleport.com/legal/supplier-security-addendum. If Gravitational changes these Security Requirements in a manner that materially increases Supplier's obligations, Gravitational will notify Supplier, and Supplier will have thirty days within which to object to the changes. If Supplier does not object within this timeframe, Supplier agrees to comply with the modified Security Requirements. If Supplier objects within this time frame, and Supplier and Gravitational cannot resolve the objection within thirty days, then Gravitational may terminate the Agreement immediately upon written notice to Supplier.

5. Definitions.

"Affiliate" means any entity which controls, is controlled by, or under common control with a party, where "control" means ownership or control, direct or indirect, of fifty percent (50%) or more of such entity's voting capital, and any such entity shall be an Affiliate of such party only as long as such ownership or control exists.

"Agreement" means the executed Agreement between Supplier and Gravitational.

"Gravitational" means Gravitational, Inc., a Delaware corporation, and its Affiliates.

"Gravitational Data" means any data that is provided to Supplier by Gravitational or on behalf of Gravitational.

"Security Incident" means any: (i) breach or suspected breach of the security of the Services or the systems used to provide the Services that may have resulted in the compromise of Gravitational Data; or (ii) other unauthorized access to or use of Gravitational Data, or Supplier's reasonable belief that access or use may have occurred.

"Security Requirements" means this addendum to the Agreement.

"Services" means the products or services provided by Supplier to Gravitational.

"Suppliers" means those vendors who provide services to Gravitational.