These measures supplement the Fitbit Security and Privacy Terms.
Fitbit requires Vendors who handle Fitbit Data to adhere to certain minimum organisational and technical security measures.
Vendor must develop, maintain and/or implement a comprehensive written information security programme that adheres to these measures. Vendor’s information security programme shall include administrative, technical and physical safeguards to protect Fitbit Data that are no less rigorous than accepted industry practices (including, without limitation, the International Organization for Standardization’s standards: ISO/IEC 27001:2013 – Information Security Management Systems – Requirements and ISO/IEC 27002:2013 – Code of Practice for Information Security Controls, or the American Institute of CPAs (AICPA) Service Organization Control (SOC) 2 standard) and other security measures designed to: (i) ensure the security and confidentiality of Fitbit Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Fitbit Data; and (iii) protect against any actual or suspected unauthorised processing, loss, use, disclosure or acquisition of or access to any Fitbit Data. Without limiting the generality of the foregoing, such measures shall include, at a minimum:
- Secure user authentication protocols. Use a multifactor authentication login solution to govern user access to Vendor information technology environment, including, without limitation, in connection with access to: (a) any VPN connections into Vendor’s corporate information technology environment (including Vendor’s e-mail system if it can be accessed from the Internet); (b) any connections into Vendor’s production information technology environment; and (c) any other software or services Vendor may use in its performance under the Applicable Agreements that may transmit, process or store Fitbit Data.
- Secure access control measures. To the extent that Vendor provides a SaaS solution to Fitbit, it must integrate with a Fitbit-approved Single Sign-On (SSO) solution via SAML.
- Handling Fitbit Data. Maintain a boundary between Vendor’s corporate and production information technology environments, including, without limitation, maintaining controls gating access into the production boundary and limiting access to the production information technology environment to those individuals whose roles require such access. Vendor must provide for segregation between Fitbit Data and Vendor’s other customers’ data located in Vendor’s production information technology environment. Vendor must not move Fitbit Data out from Vendor’s corporate or production information technology environment unless Vendor receives Fitbit’s prior written consent. Specifically, Fitbit Data must not be downloaded to phones, tablets, laptops, or desktops, and must not be shared with third parties outside of Vendor’s corporate or production information technology environments.
- Secure transmission. If Vendor’s handling of Fitbit Data involves the transmission of Fitbit Data over a network, Vendor shall ensure a level of security appropriate to the risks associated with transmission and the nature of the Fitbit Data (e.g. personal data) including, without limitation, the use of secure, actively supported versions of Transport Layer Security (TLS) for transport encryption.
- At-rest encryption. Encryption of Fitbit Data stored at rest utilising industry-standard encryption algorithms (e.g. AES).
- Secure configuration. Implementation of network, device, application, database and platform security controls consistent with industry standards (e.g. SANS Information Security Policy Templates, DISA STIGs).
- Ongoing monitoring and response. Implementation and maintenance of continuous endpoint detection and response tools and an updated anti-malware capability. Proactively monitor, detect and alert on suspicious or malicious activity within Vendor’s corporate and production information technology environments, as applicable. Vendor must also maintain an incident response programme capable of responding to and remediating security incidents upon discovery.
- Software development lifecycle and change management. Implement and maintain a secure software development lifecycle capability taking into account Open Web Application Security Project (OWASP) best practices, and formal change management procedures that consider the security impact of changes before they are made.
- Vulnerability management. A security vulnerability management programme that includes regular detection and remediation of vulnerabilities in systems that transmit, process or store Fitbit Data. The programme must include procedures to assess and mitigate vulnerabilities based upon criticality and validate remediation work.
- Vulnerability remediation. Promptly fix high and critical severity findings, including applying security patches as required, to Vendor’s corporate and production information technology environment, including, without limitation, Vendor’s servers, endpoints, and endpoint management systems. Any vulnerabilities rated ‘critical’ and ‘high’ severity not addressed within sixty (60) days of Vendor becoming aware of the vulnerability must be reported to Fitbit, including identifying any risks to Fitbit Data arising from Vendor’s inability to fix the vulnerability.
- Application and network penetration testing. At least once per year, have an independent third-party perform tests with the intent of testing Vendor’s application and network security. These tests must be performed upon: (i) any SaaS solutions Vendor is providing to Fitbit; (ii) all aspects of the Internet-facing perimeter of Vendor’s network infrastructure; and (iii) Vendor’s corporate and production information technology environment. Upon request, Vendor must provide Fitbit with information summarising which third party performed such tests and the related scope and summary of results.
- Personnel security. Vendor must implement and maintain reasonable personnel security and integrity procedures and practices, including, without limitation, conducting background checks in accordance with applicable laws.
- Security awareness. A security training and awareness programme that is delivered in connection with new hire on-boarding and annually thereafter.
Furthermore, to the extent that as part of performing under the Applicable Agreements, Vendor transmits, stores or processes cardholder data (as such term is defined in the Payment Card Industry Data Security Standard (“PCI DSS”)) on behalf of Fitbit, then, in connection therewith, Vendor must comply with the PCI DSS. In addition, Vendor shall perform any and all tasks, assessments, reviews, penetration tests, scans and other activities required (including any compliance guidance issued by the PCI Security Standards Council) or otherwise necessary to validate Vendor’s compliance with the PCI DSS as it relates to the system elements and portions of the cardholder data environment (as such terms are defined in the PCI DSS) for which Vendor is responsible. Upon Fitbit’s request, Vendor shall deliver to Fitbit a copy of its annual PCI Attestation of Compliance to verify such compliance.
In support hereof, from time to time, upon Fitbit’s reasonable request, Vendor shall promptly complete a certificate representing and warranting to Fitbit its ongoing compliance with the foregoing measures, as well as to furnish to Fitbit any information Fitbit reasonably determines is necessary for it to ascertain that Vendor is performing in compliance herewith.