
Your Security is Our Priority

Discover how we prioritize your security and safeguard your information. Explore the measures we take to ensure your data is protected and your interactions with us are secure.

Your Security Matters

Discover how we ensure your data is safe and secure

At saleskultur, we understand that you need to know how your data is protected and secured when using our online Services. These saleskultur Security Practices describe the practices and safeguards, which include physical, organizational, and technical measures, utilized by saleskultur that are designed to preserve the security, integrity, and confidentiality of the online Services and Customer Content to protect against information security threats.

1.       General.

1.1     Information Security Program. saleskultur shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the Processing and security of Customer Content and the saleskultur systems or networks used to Process or secure Customer Content in connection with providing the Services (“saleskultur Information Systems”). 

1.2     Confidentiality; Training. saleskultur will ensure that saleskultur Personnel: (a) are bound by confidentiality obligations with respect to Customer Content substantially as protective as those set forth in the Agreement; and (b) are subject to appropriate training relating to the Processing of Customer Content.

1.3     Definitions. 

  • 1.3.1    “Agreement” means the agreement that governs Customer’s access to and use of the online Services.
  • 1.3.2    “Customer” means the individual or entity that executes or accepts an Order or registers for free trial access to and use of a Service and has entered into an Agreement.
  • 1.3.3    “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by saleskultur on behalf of Customer. 
  • 1.3.4    “Process” means any operation or set of operations performed upon Customer Content, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
  • 1.3.5    “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.
  • 1.3.6    “Services” means the Subscription Services and any other online service or application provided or controlled by saleskultur for use with the Subscription Services.
  • 1.3.7    “saleskultur Personnel” means any individual authorized by saleskultur to Process Customer Content.
  • 1.3.8    “Subscription Service” means the subscription-based online services and applications that are provisioned or controlled by saleskultur. 
  • 1.3.9    “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.

2.      Security Controls.

In accordance with its information security program, saleskultur shall implement appropriate physical, organizational, and technical controls designed to: (a) ensure the security, integrity, and confidentiality of Customer Content Processed by saleskultur; and (b) protect Customer Content from known or reasonably anticipated threats or hazards, including to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of Processing. Without limiting the foregoing, saleskultur will, as appropriate, utilize the following controls:

2.1    Firewalls. saleskultur will install and maintain firewall(s) to protect data accessible via the Internet. 

2.2    Updates. saleskultur will maintain programs and routines to keep the saleskultur Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.

2.3    Anti-malware. saleskultur will deploy and use anti-malware software and will keep the anti-malware software up to date. saleskultur will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected. 

2.4    Testing. saleskultur will regularly test its security systems, processes, and controls to ensure they meet the requirements of these Security Practices.

2.5    Access Controls. saleskultur will secure Customer Content processed by saleskultur Information Systems by complying with the following:

  • 2.5.1    saleskultur will assign a unique ID to saleskultur Personnel with access to saleskultur Information Systems. 
  • 2.5.2    saleskultur will restrict access to saleskultur Information Systems to only saleskultur Personnel necessary to perform a specified obligation as permitted by the Agreement. 
  • 2.5.3    saleskultur will regularly review (at a minimum once every ninety (90) days) the list of saleskultur Personnel and services with access to saleskultur Information Systems and remove accounts that no longer require access.
  • 2.5.4    saleskultur will not use manufacturer supplied defaults for system passwords on any operating systems, software, or saleskultur Information Systems, will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below), and will require that all passwords and access credentials be kept confidential and not shared among saleskultur Personnel. 
  • 2.5.5    At a minimum, saleskultur production passwords will: (i) contain at least eight (8) characters; (ii) not match previous passwords, the user’s login, or common name; (iii) be changed whenever an account compromise is suspected or assumed; and (iv) be regularly replaced.
  • 2.5.6    saleskultur will enforce account lockout by disabling accounts Processing Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period.
  • 2.5.7    saleskultur will maintain log data for all use of accounts or credentials by saleskultur Personnel for access to saleskultur Information Systems and will regularly review access logs for signs of malicious behavior or unauthorized access. 

2.6    Policies. saleskultur will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for saleskultur Personnel that meet the standards set forth in these Security Practices, including methods to detect and log policy violations. 

2.7    Development. Development and testing environments will be separate from saleskultur Information Systems. 

2.8    Deletion. saleskultur will utilize procedures that are at a minimum in accordance with National Institute of Standards and Technology (NIST) SP 800-88 Revision 1 recommendations (or a successor standard widely used in the industry) to render Customer Content unrecoverable prior to disposal of media.  

2.9    Encryption. saleskultur will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, saleskultur will encrypt Customer Content at rest within the online Services and will only allow encrypted connections to the online Service for the transfer of Customer Content.

2.10  Remote Access. saleskultur will ensure that any access from outside of its protected corporate or production environments to saleskultur Information Systems or to saleskultur’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication. 

3.      Use of Third Parties.

3.1    General. Third parties engaged by saleskultur in accordance with the Agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.

3.2    Data Hosting. saleskultur will ensure that any third party hosting provider (“Infrastructure-as-a-Service” or “IaaS”) utilized by saleskultur to Process Customer Content meets the following requirements:

  • 3.2.1    Base Requirements. At a minimum saleskultur will ensure IaaS providers: (a) maintain adequate physical security and access controls as set forth in Section 1.2 of these Security Practices; (b) use professional HVAC & environmental controls; (c) utilize professional network/cabling environment; (d) use professional fire detection/suppression capability; and (e) maintain a comprehensive business continuity plan.
  • 3.2.2    Annual Audit; Assessment. Conduct annual independent risk assessments and audits. Such assessments and audit reports will be provided to saleskultur and, if required by law, made available to Customer, provided saleskultur may remove all commercial and confidential information or terms unrelated to the security practices of the IaaS. In addition, saleskultur shall conduct annual reviews and assessments of any critical IaaS to validate the security measures at a minimum meet the requirements of these Security Practices.
  • 3.2.3    Enhanced Requirements. Possess requirements and capabilities of a highly-available, redundant (“N+1”) data center, where multiple components each give at least one independent backup component to ensure that system functionality continues at acceptable performance levels in the event of a system failure.

4.      System Availability.

saleskultur will maintain (or, with respect to systems controlled by third parties, ensure that such third parties maintain) a disaster recovery (“DR”) program designed to recover the Subscription Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical saleskultur Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed therein.

5.      Security Breach.

5.1    Procedure. 

  • 5.1.1    saleskultur will notify Customer in writing without undue delay upon saleskultur becoming aware of a confirmed Security Breach.
  • 5.1.2    saleskultur will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with saleskultur’s security incident policies and procedures (“Breach Management”).
  • 5.1.3    Subject to saleskultur’s legal obligations, saleskultur will provide Customer with information available to saleskultur as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligation under applicable laws as a result of a Security Breach.
  • 5.1.4    If Customer requires information relating to a Security Breach in addition to the Incident Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, saleskultur will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

5.2    Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Breach subject to this Section 5. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.

5.3    Customer or User Involvement. Unauthorized or unlawful access to Customer Content that results from the Customer’s configuration settings, compromise of a User’s login credentials, or from the intentional or inadvertent sharing or disclosure of Customer Content by the Customer or a User is not a Security Breach.

5.4    Notifications. Notification(s) of Security Breach, if any, will be delivered to one or more of Customer’s SysAdmin users by any reasonable means saleskultur selects, including email. Customer is solely responsible for maintaining accurate contact information in the online Service at all times.

5.5    Disclaimer. saleskultur’s obligation to report or respond to a Security Breach under this Section 5 is not an acknowledgement by saleskultur of any fault or liability of saleskultur with respect to the Security Breach.

6.      Auditing and Reporting.

6.1    Monitoring. saleskultur monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls. 

6.2    Audit Reports. saleskultur uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Subscription Services. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at saleskultur’s selection and expense; and (d) result in the generation of a SOC2 report (“Audit Report”), which will be saleskultur’s Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.  

6.3    Penetration Testing. saleskultur uses external security experts to conduct penetration testing of certain online Services, including the Subscription Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at saleskultur’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be saleskultur’s Confidential Information. Pen Test Reports will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.  

6.4    Customer Audit. If Customer legally requires information for its compliance with applicable laws in addition to the Audit and Pen Test Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, saleskultur will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to saleskultur’s Processing of Customer Content (“Customer Audit”), provided that:

  • 6.4.1    Customer provides saleskultur reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;
  • 6.4.2    saleskultur approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;
  • 6.4.3    Customer and the auditor act to avoid causing any damage, injury, or disruption to saleskultur’s premises, equipment, or business in the course of such Customer Audit; and 
  • 6.4.4    Customer initiates only one Customer Audit in any calendar year unless otherwise required by law enforcement.

Last updated: April 14, 2023