Data Security Addendum: Twitch Security Standards
Scope
Processor will comply in all respects with Twitch’s information security requirements as set forth in these third-party security requirements (the “Security Policy”). The Security Policy applies to Processor’s performance under the Agreement and all Processing of, and Security Incidents involving, Twitch Information. This Security Policy does not limit other obligations of Processor, including under the Agreement or laws that apply to Processor, Processor’s performance under the Agreement, or the Permitted Purpose. To the extent this Security Policy conflicts with the Agreement, Processor will promptly notify Twitch of the conflict and will comply with the requirement that is more restrictive and protective of Twitch Information (which may be designated by Twitch). These commitments apply to Processor and its Personnel.
Definitions
The following definitions apply to this Security Policy.
1.1 “Aggregate” means to combine or store Twitch Information with any data or information of Processor or any third party.
1.2 “Twitch Information” means: (a) all Twitch Confidential Information (as defined in the Agreement or in the non-disclosure agreement between the parties); (b) all other data, records, files, content or information received from Twitch or its affiliates and Processed by Processor in connection with the Agreement; and (c) data derived from (a) or (b), even if Anonymized.
1.3 “Confidentiality, Integrity, and Availability” refers to the three properties of the information-security model known as the “CIA Triad.” Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes. Integrity is the property that data or information have not been altered or destroyed in an unauthorized manner. Availability is the property that data or information is accessible and useable upon demand by an authorized person.
1.4 “Personnel” means Processor’s or Subcontractor’s employees, agents, subcontractors, and other authorized users of its systems and network resources.
1.5 “Physical, Administrative, and Technical Safeguards” refers to the controls an organization implements to maintain information security. Physical safeguards address physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Administrative safeguards address administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic data or information and to manage the conduct of Personnel in relation to the protection of that data or information. Technical safeguards address the technology, and the policies and procedures for its use, that protect electronic data or information and control access to it.
1.6 “Process” means to perform any operation or set of operations on data, such as access, use, collection, receipt, storage, alteration, transmission, dissemination or otherwise making available, erasure, or destruction.
Permitted Purposes
Processor will Process Twitch Information only as follows (each, a “Permitted Purpose”).
1.7 Authorized data. Processor may Process only the Twitch Information expressly authorized under the Agreement. If there is no express authorization, Processor may Process only the Twitch Information necessary to perform the services under the Agreement.
1.8 Only for purposes expressly authorized. Processor may Process Twitch Information only for purposes expressly authorized under the Agreement.
1.9 Sale or other transfer prohibited. Processor will not transfer, rent, barter, trade, sell, loan, lease, or otherwise distribute or make any Twitch Information available to any third party.
1.10 Data aggregation prohibited. Processor will not Aggregate Twitch Information, even if anonymized or pseudonymized, except as expressly authorized under the Agreement.
Information Security Requirements
1.11 General security requirement. Processor will maintain Physical, Administrative, and Technical safeguards consistent with industry-accepted best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or other similar industry standards for information security) to protect the Confidentiality, Integrity, and Availability of Twitch Information.
1.12 Specific safeguard requirements. In addition to following the above standards, Processor’s information security program will include, at a minimum, the following safeguards and controls:
1.12.1 Written information security program. Processor shall implement a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. The program will apply to Processor’s employees, agents, subcontractors, and Processors. Processor will maintain a process to monitor and enforce program compliance and log program violations.
1.12.2 Security awareness training. Processor will provide periodic security training to its Personnel on relevant threats and business requirements such as social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.
1.12.3 Data inventory. Processor will document and maintain information regarding how and where Twitch Information is Processed while in Processor’s possession or control.
1.12.4 Secure configurations. Processor shall manage security configurations of its systems using industry best practices to protect Twitch Information from exploitation through vulnerable services and settings.
1.12.5 Controlled use of administrative privileges. Processor shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices.
1.12.6 Vulnerability and patch management. Processor will maintain a process to timely identify and remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Twitch Information.
1.12.7 Maintenance, monitoring, and analysis of audit logs. Processor will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect Twitch Information. Logs will be kept and maintained for at least 18 months. In a multi-tenant environment with a shared responsibility model (e.g. a SaaS), Processor shall associate all logs with a unique Twitch implementation id. Processor will provide logging information pertaining to Twitch user interactions with the platform, or API calls using credentials or tokens issued to Twitch, to Twitch upon request.
1.12.8 Malware defenses. Processor will deploy anti-malware software to and configure all workstations and servers on Processor’s network to control and detect the installation, spread, and execution of malicious code.
1.12.9 Firewalls. Processor will maintain and configure firewalls to protect systems containing Twitch Information from unauthorized access. Processor will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
1.12.10 Suitable Environment. Data will be used in an environment suitable to its purpose. Production data will not be used on test equipment and test data will not be used on production equipment.
1.12.11 Change Management. Changes to production systems are tracked, recorded, and reviewed.
1.12.12 Disablement of services. Disable all unnecessary services, protocols, and ports. Authorized services must be documented with a business justification and be approved.
1.12.13 Encryption. Processor will encrypt all Twitch Information at rest and when in transit across open networks in accordance with the minimum standards set forth in this section. Upon Twitch’s written request, Processor will confirm that all copies of encryption keys have been securely deleted. All copies of encryption keys used for Twitch data at rest must be managed by an authorized key management service for which Twitch has provided Processor approval.
- Data at rest. Processor will use an industry-standard secure cipher (such as AES) that has at least 128 bits of strength for Twitch Information at rest.
- Data in transit. Processor will use TLS 1.2 or newer with a cipher suite configuration that is in line with industry best practices for all Twitch Information in transit.
1.12.14 Access controls. Processor will implement the following access controls with respect to Twitch Information:
- Unique IDs. Processor will assign individual, unique IDs to all Personnel with access to Twitch Information, including accounts with administrative access. Accounts with access to Twitch Information must not be shared.
- Need-to-know. Processor will restrict access to Twitch Information to only those Personnel with a “need-to-know” for a Permitted Purpose.
- User access review. Processor will periodically review Personnel and services with access to Twitch Information and remove accounts that no longer require access. This review must be performed at least once every 90 days.
1.12.15 “In bulk” access. Except where expressly authorized by Twitch in writing, Processor will not access, and will not permit access to, Twitch Information “in bulk,” whether the Twitch Information is in a Twitch- or Processor-controlled database or stored by any other method, including storage in file-based archives (e.g., flat files).
- Definition of “in bulk” access. For purposes of this section, “in bulk” access means accessing data by means of database query, report generation, or any other mass transfer of data.
- “In bulk” safeguards. Processor will implement appropriate Physical, Administrative, and Technical Safeguards (including access controls, logging of all attempted or successful “in bulk” access, and monitoring) to prevent and detect “in bulk” access to Twitch Information or, where such access is authorized by Twitch, to (1) limit such access only to specified employees with a “need to know”, and (2) require explicit authorization and logging of all “in bulk” access.
- “In bulk” log access. Upon Twitch’s request, Processor will provide to Twitch all logs on “in bulk” access referenced in this section.
1.12.16 Account and password management. Processor will implement account and password management policies to protect Twitch Information, including, but not limited to:
- No default passwords. Before deploying any new hardware, software, or other asset, Processor will change all default and manufacturer-supplied passwords to a password consistent with the “Password strength” requirements below.
- Inventory of administrative accounts. Processor will maintain an inventory of all administrator accounts with access to Twitch Information and will provide a list of these accounts to Twitch at Twitch’s request.
- Password strength. Processor will ensure that all Personnel use strong passwords by enforcing the following minimum requirements:
  - passwords must be a minimum length of 8 characters;
  - passwords may not match commonly used, expected, or compromised passwords; and
  - Processor must force a password change if there is evidence the password may have been compromised.
- Credential encryption. Encrypted passwords and other secrets shall be stored in an industry-accepted form that is resistant to offline attacks.
- Rate limiting. Processor shall implement an industry-accepted rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on a user’s account.
1.12.17 Remote access; multi-factor authentication required. Processor will implement multi-factor authentication (i.e., hardware token, mobile authenticator, or biometrics, along with username and password) for remote access to (i) any network, system, application, or other asset containing Twitch Information; or (ii) Processor’s corporate or development networks.
1.12.18 Data segregation. Except where expressly authorized by Twitch in writing, Processor will logically and physically isolate Twitch Information at all times from Processor’s and any third-party information.
1.12.19 Security testing. Processor will conduct periodic internal and external penetration testing of systems that Process Twitch Information to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities shall be addressed as part of Processor’s vulnerability management program.
1.12.20 Personnel security and nondisclosure. Twitch may condition access to Twitch Information by Processor Personnel on Processor Personnel’s execution and delivery to Twitch of individual nondisclosure agreements, the form of which is specified by Twitch. If requested by Twitch, Processor will obtain and deliver to Twitch signed individual nondisclosure agreements from Processor Personnel that will have access to Twitch Information before granting access to such Personnel.
1.12.21 API Tokens. Processor will implement the following controls with respect to any API tokens issued by the Processor’s platform which grant access to Twitch Information:
- Lifetime. Processor API tokens, including access tokens and refresh tokens, must have a lifetime no greater than 90 days.
- Access. Processor must enable Twitch to view all active API tokens.
- Revocation. Processor must enable Twitch to revoke any active Processor API token.
- New Tokens. Processor must enable Twitch to centrally block the issuance of new API tokens.
1.13 PCI DSS requirements. If, in the course of its engagement by Twitch, Processor has access to or will Process credit, debit, or other payment cardholder information, Processor shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements (in addition to the minimum requirements in Section 4.2), and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.
1.14 Subcontracts. Except as expressly set forth in the Agreement, Processor will not subcontract or delegate any of its obligations under this Security Policy to any subcontractors, affiliates, or delegates (“Subcontractors”) without Twitch’s prior written consent.
1.15 Access to Twitch Extranet and Processor portals. Twitch may grant Processor Personnel access to Twitch Information via web portals or other non-public websites or extranet services on Twitch’s or a third party’s website or system (each, an “Extranet”) for the Permitted Purposes. If Twitch permits Processor to access any Twitch Information using an Extranet, Processor must comply with the following requirements:
1.15.1 Permitted Purpose. Processor and its Personnel will access the Extranet and access, collect, use, view, retrieve, download or store Twitch Information from the Extranet solely for the Permitted Purpose.
1.15.2 Accounts. Processor will ensure that Processor Personnel use only the Extranet account(s) designated for each individual by Twitch and will require Processor Personnel to keep their access credentials confidential. Accounts are not to be shared.
1.15.3 Systems. Processor will access the Extranet only through computing or processing systems or applications running operating systems managed by Processor and that include: (i) system network firewalls in accordance with Section 1.12.9 (firewalls); (ii) centralized patch management in compliance with Section 1.12.6 (vulnerability and patch management); (iii) operating system appropriate anti-malware software in accordance with Section 1.12.8 (malware defenses); and (iv) for portable devices, full disk encryption.
1.15.4 Restrictions. Except if approved in advance in writing by Twitch, Processor will not download, mirror or permanently store any Twitch Information from any Extranet on any medium, including any machines, devices or servers.
1.15.5 Account Termination. Processor will terminate the account of, and notify Twitch, no later than 24 hours after any specific Processor Personnel who has been authorized to access any Extranet (a) no longer needs access to Twitch Information or (b) no longer qualifies as Processor Personnel (e.g., the individual leaves Processor’s employment).
1.16 Twitch Sub-Domains or URLs. Any (sub)domain or URL that Processor provisions for Twitch’s sole use during the contracted period must not be issued or re-used by a non-Twitch customer for 5 years after Twitch terminates use of the service.
Data Retention, Return, and Destruction
1.17 Retention. Processor will retain Twitch Information only as necessary for the Permitted Purposes.
1.18 Return and secure deletion of Twitch Information. At any time during the term of the Agreement at Twitch’s request, or upon the termination or expiration of the Agreement for any reason, Processor shall, within 5 business days (or 30 calendar days for data in backup or online storage), return to Twitch and securely delete all copies of Twitch Information in its possession or control. Processor shall confirm in writing that all copies of Twitch Information have been returned and securely deleted.
1.19 Archival copies. If Processor is required by law to retain archival copies of Twitch Information for tax or similar regulatory purposes, Processor shall (i) not use the archived information for any other purpose; and (ii) remain bound by its obligations under this agreement, including, but not limited to, its obligations to protect the information using appropriate safeguards and to notify Twitch of any Security Incident involving the information.
1.20 Deletion standard. All Twitch Information deleted by Processor will be securely deleted using an industry-accepted practice designed to prevent data from being recovered using standard disk and file recovery utilities (e.g., secure overwriting, degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, shredding, or mechanical disintegration).
1.21 Media destruction. Before permanently discarding or disposing of storage media that (1) Processor has physical access to or control of (e.g., laptop hard drives, desktop hard drives, USB or “thumb” drives, backup media, hard drives used in the Processor’s own data center, or other portable storage media) and (2) contains, or has at any time contained, Twitch Confidential Information, Processor will destroy the storage media using a technique designed to render the media unusable and the data unrecoverable (e.g., disintegration, incineration, pulverizing, shredding, and melting). This section shall not apply to storage media that Processor does not have physical access to or control of, such as storage media used in a public cloud or other third-party environment. In such cases, Processor shall ensure that all Twitch Confidential Information stored in the third-party environment is securely deleted when no longer needed using an industry-accepted practice (see paragraph 1.20, Deletion standard).
Security Reviews and Audits
1.22 Vendor assessment questionnaires. Upon Twitch’s request, Processor will complete a new Twitch risk assessment questionnaire.
1.23 Compliance with agreement. Upon Twitch’s request, Processor will confirm in writing to Twitch Processor’s compliance with this Agreement.
1.24 Other reviews; audits. Upon Twitch’s written request, to confirm Processor’s compliance with this Agreement, Processor grants Twitch or, at Twitch’s election, a third party on Twitch’s behalf, permission to perform an assessment, audit, examination, or review of the Physical, Administrative, and Technical Safeguards in place to protect Twitch Information Processed by Processor under the Agreement. Processor shall fully cooperate with the assessment.
1.25 Remediation. Processor will promptly address any exceptions or deficiencies identified during Twitch’s security review or in any audit report, by developing and implementing a corrective action plan agreed to by Processor and Twitch, at Processor’s sole expense.
Security Incident
1.26 Security Incident defined. A “Security Incident” is (i) any actual or suspected compromise of the Confidentiality, Integrity, or Availability of Twitch Information; (ii) any actual or suspected compromise of, or unauthorized access to, any system that Processes Twitch Information that presents a risk to the Confidentiality, Availability, or Integrity of Twitch Information; or (iii) receipt of a complaint, report, or other information regarding the potential compromise or exposure of Twitch Information Processed by Processor.
1.27 Designated official. Processor must designate a security official responsible for the development, implementation, and maintenance of an Information Security Program. Processor will inform Twitch of the security official.
1.28 Incident response plan. Processor shall maintain a written incident response plan and provide a copy of the plan to Twitch upon request. Processor will remedy each Security Incident in a timely manner following its response plan and industry best practices.
1.29 Notice required. Processor will notify Twitch of any Security Incident within 24 hours of becoming aware of the Security Incident.
1.30 Cooperation with Twitch’s investigation. Processor will reasonably cooperate with Twitch in Twitch’s handling of a Security Incident, including, without limitation: (i) coordinating with Twitch on Processor’s response plan; (ii) assisting with Twitch’s investigation of the Security Incident; (iii) facilitating interviews with Processor’s Personnel and others involved in the Security Incident or response; and (iv) making available all relevant records, logs, files, data reporting, forensic reports, investigation reports, and other materials required for Twitch to comply with applicable laws, regulations, or industry standards, or as otherwise required by Twitch.
1.31 Third-party notifications. Processor agrees that it shall not notify any third party (including any regulatory authority or customer) of any Security Incident without first obtaining Twitch’s prior written consent. Further, Processor agrees that Twitch shall have the sole right to determine: (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, or others; and (ii) the form and contents of such notice.
Notice of Legal Process
Processor will inform Twitch within 48 hours when Twitch’s data is being sought in response to legal process or other applicable law (e.g., 18 U.S.C. § 2705(b)).