In its provision of services, Cvent may have access to personal data of Customer’s event registrants, survey respondents and others that is (i) transmitted by Customer or Customer’s agents through the Cvent SaaS Solution pursuant to the Services provided by Cvent, or (ii) collected by Cvent on behalf of Customer and transmitted into Cvent’s SaaS Solution pursuant to the Services provided by Cvent (collectively, “Customer Personal Data”). Cvent has implemented appropriate administrative, technical, and physical safeguards and other reasonable measures (“Information Security Measures”) in accordance with industry standards and applicable data protection laws to protect Customer Personal Data against a Security Incident, as provided below, and Cvent will continue to maintain these or equivalent measures subject to the terms and conditions of the Agreement:

  1. Information Security Program. Cvent maintains an Information Security Program based on generally accepted industry Information Security standards and frameworks (e.g., the then-current version of ISO/IEC 27001, ISO/IEC 27701, PCI DSS, SOC 2 or the NIST Cybersecurity Framework, or equivalent frameworks). Cvent will maintain PCI DSS compliance for all Cvent services and/or systems which process, transmit and/or store credit card information. The Information Security Program will be in place to plan, implement, manage, and monitor the processes and measures necessary to meet Cvent’s information security objectives and the requirements applicable to the Cvent SaaS Solutions and Services. The Information Security Program will include processes for information security risk management to identify and remediate risks in a timely manner so as to ensure the continued security and confidentiality of Customer Personal Data. Results of internal Information Security risk assessments are deemed Confidential to Cvent and are not available for external review or use. In lieu of internal assessments, Cvent makes available relevant audit certificates or its SOC reports upon written request from customers.
     
  2. Information Security Policy. Cvent maintains an Information Security Policy that identifies Cvent’s Information Security Program goals and sets forth Cvent’s Information Security control objectives. The Information Security Policy will outline critical roles and responsibilities for Information Security across Cvent’s business operations and govern maintenance of relevant implementation standards, guidelines and procedures. It will be reviewed annually and communicated to Cvent employees and applicable third parties. 
     
  3. Information Security Awareness and Employee Training. Cvent maintains an Information Security Awareness Program directed toward its employees, relevant agents and contractors to provide an understanding of Cvent’s Information Security Program, common threats, and risks to Customer Personal Data resources, as well as the fulfilment of their Information Security responsibilities. As part of the Information Security Awareness Program, Security and Data Privacy Awareness training will be conducted annually so that all employees, relevant agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Customer Personal Data. Training topics covered may include, but are not limited to: Security Policy & Incident Recording, email phishing assessments and reinforcement education, secure code training, role-based targeted security trainings for specific teams and departments, annual crisis management and emergency response exercises, annual IT disaster recovery and continuity plan testing, training and exercises, acceptable use, information classification and privacy, social engineering, and applicable security and privacy laws and regulations, including the GDPR and CCPA.
     
  4. Personnel Security. Cvent will provide for the security of Customer Personal Data by requiring that all Cvent employees undergo identity and criminal background checks upon hire, as permitted by applicable law. Cvent employees agree upon on-boarding to adopt appropriate measures and requirements to maintain the confidentiality and non-disclosure of Customer Personal Data. Cvent employees are subject to appropriate disciplinary action if found to be in violation of Cvent’s Information Security Policy. In addition, all employees are required to sign a Non-Disclosure Agreement and Cvent’s Acceptable Use Policy, which outlines the acceptable use of Cvent assets and the handling of Customer Personal Data.
     
  5. Physical Security. Cvent information hosting and processing facilities will maintain secure areas and physical entry controls to prevent unauthorized physical access to, or exposure, damage, loss, and/or theft of, Customer Personal Data. Hosting facilities are equipped with 24/7 camera monitoring, and monitoring logs are retained for forensic purposes. Entry to the facilities will have layered security controls, including badged access for authorized individuals and strict visitor policies. Equipment housing Customer Personal Data within facilities, as well as mobile computing devices, will be reasonably safeguarded against unauthorized physical access, damage, loss, or theft, as well as environmental threats that may disrupt processing of Customer Personal Data. Hosting facilities have safeguards against fire hazards and electricity outages, and such safeguards are maintained and tested regularly. Cvent is a global SaaS company and, as such, Customer Personal Data may be accessed from outside the USA or the EU by Cvent’s designated employees using strict data security and access controls, for the sole purpose of supporting the necessary activities required for the agreed-upon services.
     
  6. Access Control. Cvent will maintain reasonable access controls to authorize, limit and monitor Cvent employee and Cvent contractor access to Customer Personal Data maintained in Cvent’s information systems. Controls include but are not limited to: multi-factor authentication over a secured VPN connection to any systems hosting Production Data; processes to provision user access with formally approved authorization using unique authentication IDs per individual; managing and reviewing privileged user access rights on a regular basis; and prompt removal of user access upon termination of employee or contractor status with Cvent. User passwords and other login information used to facilitate user identification and access to Cvent information systems will be protected from unauthorized access by secure login mechanisms. Passwords are required to be changed every one hundred and eighty (180) days for user accounts with Multi-Factor Authentication and every ninety (90) days for user accounts with Single-Factor Authentication. A user account will be disabled after a defined number of invalid login attempts. Role-Based Access Controls will be in place to ensure that only authorized Cvent employees have access to any systems that could store or transmit Customer Personal Data.
     
  7. Customer Personal Data Protection. Cvent will maintain reasonable controls to safeguard Customer Personal Data maintained in Cvent systems from unauthorized access, exposure, modification, and/or loss. Controls to protect Customer Personal Data may include, but are not limited to, the following: protecting Customer Personal Data in transit and at rest, as required by Cvent’s Information Classification standard, by implementing strong cryptographic controls, using AES-256 encryption specifically for Customer Personal Data and Customer financial data. All backups containing Customer Personal Data will be encrypted, and all databases will be logically separated to ensure the confidentiality of Customer Personal Data. Procedures will be in place for securely disposing of or destroying Customer Personal Data using techniques consistent with NIST SP 800-88, “Guidelines for Media Sanitization”, or other similar industry standards.
     
  8. Network and System Security. Cvent will maintain reasonable controls to operate the Information Systems that maintain Customer Personal Data. Controls include but are not limited to: logical and/or physical network segmentation of Development and Production regions; network segregation between DMZs and systems hosting sensitive data; controlling and monitoring network access; network filtering devices, firewalls, intrusion detection systems, and anti-virus & anti-malware solutions; and logging capabilities to detect and respond to unauthorized or suspicious activity. Cvent will actively monitor Cvent’s Information Systems for known security events and anomalies that may pose a threat to Customer Personal Data. Cvent will also maintain a Change Management process to control significant planned and unplanned changes to Cvent’s Information Systems.
     
  9. Vulnerability Management. Cvent will maintain processes to identify, evaluate and address vulnerabilities that may be present on Cvent’s Information Systems and SaaS applications. Cvent will perform annual penetration testing and quarterly vulnerability scanning on all publicly addressable systems as well as internal production and corporate systems. PCI ASV scans will be conducted for all publicly addressable systems within PCI scope, and Cvent will work with an industry-accredited third party to perform penetration testing on all Cvent PCI-scoped systems. Customers may be provided with an Executive Summary of Cvent’s external scan report upon written request. Cvent uses the Common Vulnerability Scoring System (CVSS) and internal risk assessment methodologies to prioritize vulnerabilities and address them within reasonable timeframes, to reduce the risk of potential exploitation that may lead to system compromise, loss of system availability, or unauthorized access to system(s) or Customer Personal Data. Defined risk levels and the corresponding remediation timeframes in accordance with the aforementioned standards are as follows: Critical (prioritized over other work until fixed, and in no case later than 7 days), High (30 days), Medium (90 days) and Low (at the discretion of Cvent). Cvent shall assess the different risk levels and may adjust remediation timelines based upon the business impact of the remediation and the underlying risk of the vulnerability. Any vulnerability that cannot be resolved is subject to a formal Risk Acceptance with appropriate documented justification, relevant compensating controls in place, and formal approval from C-Level Management.
     
  10. Secure Software Development. Cvent follows secure software development practices whereby all code is passed through a SAST (Static Application Security Testing) scan prior to deployment and a DAST (Dynamic Application Security Testing) scan after deployment. Cvent requires all software developers to undergo training on secure coding practices in line with the OWASP Top 10 guidelines. Cvent will maintain processes to identify, evaluate and address risks to the development of its software solutions. Cvent will maintain an independent test/development environment, separate from production computing resources, for any testing of new software and/or changes to existing software. Production data will not be used for software testing and development purposes unless it has been sanitized and its use is deemed necessary for the intended testing; in all cases, mock/test data will be used in preference wherever possible. Cvent maintains a change control process for application changes pushed to production computing environments. Changes require approvals and specific tasks to be performed, including: Development, Code Review, Testing, Approval of Changes, and Documentation of Changes.
     
  11. Third Party/Supply Chain Security. Cvent will maintain a process to identify, evaluate and manage risks associated with third-party vendors and/or service providers. Third parties that access, process, or store Customer Personal Data undergo a robust Security Risk Assessment. Reassessments of critical third parties will be performed annually. Risks identified through Security Risk Assessments are documented by Cvent, and the relevant third party is required to mitigate the risk prior to onboarding as a Cvent vendor/service provider.
     
  12. Security Incident Management. Cvent will maintain processes to identify, respond to, contain, and minimize the impact of Information Security Incidents affecting Customer Personal Data. A “Security Incident” is defined as an event that results in the unauthorized disclosure, use, or dissemination of, or unauthorized access to, any Customer Personal Data. In the event of a Security Incident, Cvent will notify Customer without undue delay after the Security Incident has been confirmed as impacting the Customer. The notice will include the approximate date and time of the Security Incident and a summary of the relevant, then-known facts, including a description of the measures being taken to further investigate and address the Security Incident.
     
  13. Business Continuity Management. Cvent will maintain controls to recover Information Systems hosting Customer Personal Data to reasonably acceptable levels in the event of an unplanned disruption whose root cause is attributed to an entity or force beyond Cvent’s reasonable ability to control. Controls include a Business Continuity or Disaster Recovery Plan, which includes, but may not be limited to: backup(s) of Customer Personal Data; a process to test such backup(s) at regular intervals; a description of the resources and steps required to recover Information Systems to acceptable levels of performance; and annual testing of the Business Continuity or Disaster Recovery Plan(s). Customers can track the uptime of Cvent Services at status.cvent.com.
     
  14. Compliance and Audits. Cvent engages a qualified external audit firm to conduct an annual audit of Cvent’s product offerings and their supporting infrastructure and processes. These audits result in a valid certificate/report under an industry-accepted framework such as SOC 1 Type II, SOC 2 Type II, PCI DSS, ISO/IEC 27001, ISO/IEC 27701, and/or other similar certifications/reports as required. Upon Customer’s written request, Cvent may share any relevant audit certificates or summary audit reports.