SECURITY ANNEX
Security of Data Processing.
Panther has implemented and will maintain technical and organizational measures inclusive of administrative, technical and physical safeguards to ensure a level of security appropriate to the risk of the data processing for the Panther Services as described in this Panther Security Annex (collectively, the “Security Measures”). The Security Measures may be changed by Panther from time to time during the Term of the Agreement (as defined below) in order to take into account advancements in available security technologies. However, Panther will not materially decrease the overall security of the Services during the Term of the Agreement.
This Panther Security Annex supplements (1) the Panther Enterprise Subscription Agreement available at https://panther.com/enterprise-subscription-agreement/ or other agreements existing between the parties (the “Agreement”), and (2) the Panther Privacy Policy available at https://panther.com/privacy-policy. In case of a conflict between this Panther Security Annex and the Agreement, the Agreement shall prevail. Capitalized terms not defined herein have the meaning provided in the Agreement or Panther Privacy Policy, as applicable.
The Security Measures include, but will not be limited to, the following measures for ensuring the ongoing confidentiality, integrity, and availability of Customer Data in order to prevent unauthorized access, use, modification or disclosure of Customer Data:
Panther Shared Responsibility Model
Panther Responsibilities
Panther is responsible for the confidentiality, integrity and availability (the “security”) of the Services and internal Panther information technology systems. In addition to those measures detailed in “Security of Data Processing” above, Security Measures include, but are not limited to, server-level patching, vulnerability management, penetration testing, security event logging & monitoring, incident management, operational monitoring, and ensuring customer site availability in accordance with SLAs entered into between the parties.
Panther uses Subprocessors for the Services and to support Panther as a Processor of Customer data, all as more fully set forth on the website https://panther.com/subprocessors. As these Subprocessors are Authorized Contractors as defined in the Agreement, Panther shall remain fully liable for their acts and omissions relating to the performance of the respective Services, subject to the limitation of liability set forth in the Agreement, and shall be responsible for ensuring that their obligations are carried out in accordance with this Security Annex and the Agreement.
Customer Responsibilities
The Customer is responsible for the security of the software used in conjunction with the Services. This includes, but is not limited to, Customer user access management, password configurations, and/or implementing multi-factor authentication. In addition, Customers are responsible for the secure management of the users that they manage and provision for the purpose of granting access to Panther’s Services, and for abiding by the Agreement in using Panther’s Services.
Third-Party Audits, Certifications
The Security Measures for Panther’s platform are subject to periodic testing by independent third-party audit organizations, inclusive of the following audits and certifications:
Panther will provide copies of current published audit reports for the Services to Customers upon written request and under NDA. Such audit reports, and the information they contain, are Panther Confidential Information and must be handled by Customer accordingly. Such reports may be used solely by Customer to evaluate the design and operating effectiveness of defined controls applicable to the Services and are provided without any warranty.
Customer Audits
Panther offers its Services in the cloud using AWS. AWS does not allow for physical audits of the AWS data centers but instead provides third-party audits and certifications. Panther’s security program consists of the audits, certifications and available documentation detailed in “Third-Party Audits, Certifications” above as part of balancing transparency regarding the security and privacy safeguards that Panther has implemented, while also satisfying security and privacy requirements as part of security and privacy obligations to Panther Customers, and its Subprocessors, including AWS.
Therefore, Customer agrees to exercise its right to conduct an audit or inspection of Panther’s processing of personal data within Customer Data by instructing Panther to carry out the audits as described above in the section “Third-Party Audits, Certifications” using its current processes and timing. If Customer wishes to change this instruction regarding the audit or inspection, then Customer shall send such request by written notice to Panther and the parties agree to jointly discuss how to implement the changed instruction.