This Security Addendum is issued under and forms part of the Clari Master Subscription Agreement or other equivalent agreement (the “Agreement”) between Clari Inc. (“Clari”) and Customer (as defined in the Agreement), which specifically references this Security Addendum. Any capitalized terms not defined herein shall have the meanings provided in the Agreement.
Clari is committed to protecting Customer Data and maintains industry standard cybersecurity measures to safeguard the security of Customer Data. In order to protect Clari’s network from evolving threats and disruptions, and to ensure ongoing effective security controls, Clari regularly reviews and may update this Security Addendum to reflect new features and updated practices. Any such modifications shall enhance and not materially diminish Clari’s security program.
Audits & Certifications
Clari’s information security management system used to provide the Services is assessed on an annual basis by accredited third party auditors issuing the following certifications:
- SOC 2 Type II
- ISO 27001
- ISO 27701
Clari agrees to maintain the certifications and standards listed above, or the appropriate and comparable successors thereof.
Clari performs annual penetration testing, including black box automated and manual penetration tests of Clari’s security infrastructure. The third-party audit results and summaries of penetration tests may be made available to customers (subject to standard confidentiality obligations).
Hosting Location of Customer Data
Customer Data is hosted in the production cloud environment, located in the US-East region.
Encryption
Encryption Key Management: Clari's encryption key management conforms to NIST 800-53 and involves regular rotation of encryption keys. Cloud-based hardware security modules are used to safeguard top-level encryption keys.
Encryption of Customer Data: Clari encrypts Customer Data at rest using AES 256-bit (or higher) encryption. Clari uses Transport Layer Security (TLS) 1.2 (or higher) for Customer Data in-transit to/from the Services over untrusted networks.
Business Continuity Plan Management
Clari’s Service is a distributed system designed to spread the processing of data across multiple physical servers all located in the US, so that any one hardware failure will not compromise the availability of the Services or Customer Data. Clari accordingly maintains an industry standard business continuity and disaster recovery plan (the “BCP”). The BCP is tested and reviewed annually, and is designed to restore the Services in the event of a service failure.
Network & Systems Security
Access Controls:
- All Clari personnel’s access to the Clari cloud environment is via a unique user ID, is consistent with the principle of least privilege, requires a VPN, and requires multi-factor authentication.
- Clari personnel will not access Customer Data except as reasonably necessary to provide Clari’s Services under the Agreement, or to comply with applicable law or a binding order of a governmental body.
Endpoint Controls: For access to the Clari cloud environment, Clari personnel must use Clari-issued laptops which utilize security controls that include, but are not limited to, disk encryption and endpoint detection and response (EDR) tools to monitor and alert for suspicious activities and malicious code.
Separation of Environments: Clari logically separates production environments from development environments. Clari’s production environment is both logically and physically separated from Clari’s corporate networks.
Firewalls: Clari protects its production environment by using industry standard firewalls, security groups or network access controls, denying all ingress and egress traffic other than that required for business purposes.
Hardening: Clari’s production environment is hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching.
Monitoring & Logging
User Logging: Clari captures logs of certain activities within our customers’ accounts and makes those logs available via API to the Customer for their own analysis.
Infrastructure Logging: Clari uses monitoring tools covering network, cloud environments and identity solutions to log activities within the production environment. These logs are monitored, analyzed for anomalies, and stored for a period of at least one year.
Vulnerability Management
Penetration Testing: Clari regularly conducts penetration tests and engages independent third parties to test the Services at least annually. Additionally, Clari performs vulnerability scans on the production environment at least weekly using up-to-date vulnerability databases.
Antivirus and Workload Protection: Clari’s production environment is protected by antivirus, anti-malware and security detection tools which are used to monitor and alert for suspicious activities and potential malicious code.
Incident Detection & Response
Security Incident Reporting: If Clari becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Clari shall notify Customer without undue delay, but no later than 72 hours after discovery of any such Security Incident.
Investigation: In the event of a Security Incident, Clari shall promptly take commercially reasonable steps to contain, investigate and mitigate any Security Incident. Any logs relating to a Security Incident will be preserved for at least one year.
Communication and Cooperation: Clari’s notification to Customer of any Security Incident shall: (i) provide Customer timely information about the Security Incident to the extent known by Clari, including, but not limited to, the nature and consequences of the Security Incident, the measures taken by Clari to mitigate or contain the Security Incident, the status of Clari’s investigation, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; and (ii) provide a Clari representative where Customer may obtain further information about the Security Incident. Communications made by or on behalf of Clari in connection with any such Security Incident shall not be interpreted as an acknowledgement by Clari of any fault or liability with respect to such Security Incident.
Employee Access, Screening & Controls
Clari maintains policies and practices that include, at a minimum, the following controls and safeguards for Clari personnel:
- Criminal background screening, and employment and identity verification, as part of its hiring process, performed in accordance with applicable laws.
- All Clari employees with access to Customer Data complete security awareness training, addressing the protection, security and confidentiality of Customer Data.
- Clari personnel are required to sign confidentiality agreements, as well as an information security policy.
- Clari reviews the access privileges of its personnel on a defined cadence, with mechanisms to identify changes in user roles and permissions. Access is terminated for separated employees using an automated deprovisioning checklist.
- Restricted access to Customer Data to prevent unauthorized access, including a formalized access management process for request, review, approval and provisioning.
- Clari maintains a vendor risk management program for vendors that process Customer Data to ensure each vendor maintains security measures consistent with this Security Addendum.
Customer Rights & Shared Responsibility
Customer Audit Rights: Customer shall utilize Clari’s third-party certifications and other security documentation to assess Clari’s compliance with its obligations hereunder. Only to the extent that Customer is not able to do so, and in any event, no more than once per year except if required by applicable law, and following at least 45 days’ notice in writing from Customer, Clari shall provide Customer (and/or Customer’s third-party consultants who are not reasonably objected to by Clari, and who are subject to appropriate confidentiality obligations) with access to documents, systems, Clari employees and electronic data as reasonably necessary to audit Clari’s compliance with its obligations under this Security Addendum. Clari shall provide assistance, cooperation, and access reasonably required by Customer when conducting such audits. Customer shall ensure that the audit does not disrupt Clari’s business. In no event shall Customer be permitted to access any information, including without limitation personal data, that belongs to Clari’s other customers or such other information that is not relevant to Clari’s compliance with this Security Addendum. Except as required by law, Clari and Customer shall mutually agree in advance on the scope, methodology, timing and conditions of such audits.