Information Security Policy
Benchling considers protection of Customer Data a top priority. Taking into account the available technology, and the nature, scope, context and purposes of processing, as well as the risk to data subjects’ rights, Benchling uses commercially reasonable technical and organizational measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data. Benchling maintains these security measures in accordance with ISO 27001. This Data Security Policy supplements the Master Services Agreement (“Agreement”) entered into between the parties. Capitalized terms used but not defined herein shall have the meaning set forth in the Agreement.
“Customer Systems” means information systems and resources supplied or operated by Customer or its other service providers, including network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, proprietary applications, printers, and internet connectivity.
“Benchling Infrastructure” means information processing resources supplied or operated by Benchling, including without limitation, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, printers, proprietary applications, internet connectivity, and hard drives that are used, either directly or indirectly, in support of Benchling’s processing of Customer Data.
2. Information Security Management Program and Policies.
2.1 Policies and Procedures. Benchling shall maintain a written security management program with policies and procedures designed with the intent to prevent, detect, contain, and correct vulnerabilities. These policies and procedures shall:
(a) assign specific data security responsibilities and accountabilities to specific individual(s).
(b) include a risk management program that includes periodic risk assessments.
(c) be made available, upon written request, to the Customer.
2.2 Infrastructure Protection. To the extent applicable to the provision of the Application Services provided to Customer, Benchling shall maintain policies, procedures, and industry standard security capabilities and practices to protect Benchling Infrastructure, protect Customer Data, detect threats and risks against Benchling Infrastructure, and adequately respond to threats and risks to Benchling Infrastructure and Customer Data including:
(a) security programs (policies, standards, processes, etc.).
(b) processes for becoming aware of, and maintaining, security patches and fixes.
(c) processes for identifying security vulnerabilities in software, databases, infrastructure, and networks, and processes for remediating security vulnerabilities.
(d) procedures for employing mechanisms to restrict access to the Benchling Infrastructure, including all local-site networks that may be accessed via the internet (whether or not such sites transmit information) and any and all systems that store, process, and support use of Customer Data.
(e) procedures designed to protect the Benchling Infrastructure, including any and all systems that store, process and support use of Customer Data, against attack and penetration.
(f) Whenever technically possible, Benchling Infrastructure and any systems that store, process, access, and support Customer Data are protected by and configured with:
network-based firewalls prohibiting unauthorized network traffic.
intrusion detection and prevention systems.
accounts configured with the minimum necessary privilege required for functionality.
the minimum number of services configured for functionality.
routine vulnerability scanning of infrastructure, applications, and operating systems.
patch management solutions that identify missing patches and apply patching when a vendor makes patches available.
encryption of Customer Data in accordance with Section 7.1 (Encryption).
(g) If security risks, vulnerabilities, and/or issues during a security audit or assessment are identified, Benchling shall remediate the risks, vulnerabilities, and gaps identified. Benchling will use commercially reasonable efforts to remediate validated security risks, vulnerabilities, and issues, with risk severity being determined by Benchling.
3. Access Control.
3.1 Identification and Authentication. Access to Customer Data, or any Benchling Infrastructure shall be Identified and Authenticated (as defined below). “Identification” or “Identified” refers to processes that establish the identity of the person requesting access to the Customer Data, and/or Benchling Infrastructure. “Authentication” refers to processes that validate the purported identity of the requestor. For access to Customer Data, or Benchling Infrastructure, Benchling shall require Authentication by the use of an individual, unique user ID and an individual password or other appropriate Authentication technique. Benchling shall maintain industry standard procedures designed for the protection, integrity, and soundness of any passwords created by Benchling and/or used by Benchling in connection with the performance of the Application Services to Customer.
3.2 Account Administration. Benchling shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for Benchling Infrastructure and Customer Data, and shall include procedures for granting and revoking emergency access to Benchling Infrastructure and to any systems used to store, process, or support Customer Data.
3.3 Access Control. Benchling shall maintain appropriate access control mechanisms designed to prevent access to Customer Data, and/or Benchling Infrastructure, except by authorized users. The access and privileges granted shall be limited to the minimum necessary to perform the assigned functions. Benchling shall maintain appropriate mechanisms and processes designed to detect, record, analyze, and resolve unauthorized attempts to access Customer Data or Benchling Infrastructure.
4. Personnel Security.
4.1 Access to Customer Data. Benchling shall require its personnel and its approved sub-processors’ personnel who have, or may be expected to have, access to Customer Data or Customer Systems to comply with the provisions of this Data Security Policy. Benchling shall remain responsible for any breach of this Data Security Policy by its personnel or the personnel of its sub-processors.
4.2 Security Awareness. Benchling shall require that its employees and sub-processors remain aware of Benchling’s security practices, and their responsibilities for protecting Customer Data. This shall include:
(a) protection against viruses and malware;
(b) appropriate password protection and password management practices;
(c) appropriate use of workstations and computer system accounts; and
(d) appropriate use of the Internet, network infrastructure, applications, communications systems, including email, productivity software, and software-as-a-service.
5. Risk Management.
5.1 General Requirements. Benchling shall maintain appropriate safeguards and controls and exercise due diligence designed to protect Customer Data, Benchling Infrastructure, and systems used to store, process, access, and support Customer Data against unauthorized access, use, and/or disclosure, considering:
(a) applicable data protection law;
(b) information technology and industry practices;
(c) the relative level and severity of risk of harm should the integrity, confidentiality, availability or security of Customer Data be compromised, as determined by Benchling as part of an overall risk management program; and
(d) the need to protect Customer Data from security threats and risks, to identify and appropriately respond to security threats and risks to Customer Data, and to minimize the impact of adverse security events impacting the security of Customer Data.
5.2 Security Evaluations. Benchling shall, on an annual basis, evaluate its processes and systems with respect to the confidentiality, integrity, availability, and security of Customer Data, Benchling Infrastructure, and systems that store, process, access, and support Customer Data. Benchling shall document the results of these evaluations and any remediation activities taken in response to these evaluations and shall make available written summaries of such evaluations and remediations if requested by the Customer.
5.3 Internal Records. Benchling shall maintain and implement policies and programs to capture, record, and examine information relevant to security related events. In response to such events, Benchling shall take appropriate action to address and remediate identified vulnerabilities to Customer Data and Benchling Infrastructure.
6. Hosted Security. The Application Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of AWS. Detailed information about AWS security is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/shared-responsibility-model/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
7. Communications Security.
7.1 Encryption. Whenever technically possible, Benchling shall maintain encryption, at rest and in transit, in accordance with industry standards (including AES-256 at rest and TLS 1.2 or higher in transit), for all storage of and transmission of Customer Data via public and private networks.
7.2 Protection of Storage Media. Benchling shall delete Customer Data from all storage media prior to disposal or re-use and the deletion method will be in compliance with NIST 800-88. All systems and media on which Customer Data is stored shall be protected against unauthorized access or modification. Benchling shall maintain industry standard processes and mechanisms designed to maintain accountability and tracking of the receipt, removal and transfer of systems and storage media used for processing of Customer Data.
7.3 Data Integrity. Benchling shall maintain processes designed to prevent unauthorized or inappropriate modification of Customer Data that is stored and processed by Benchling.
8. Remote Access to Customer Systems. Benchling’s remote access to Customer Systems, infrastructure, and applications shall be limited to the extent minimally necessary to provide the services to Customer.
9. Business Continuity Management. Benchling shall have a plan in place designed to counteract interruptions to business activities and protect critical business processes from the effects of failures of information systems or disasters.