Accenture’s Client Data Safeguards
The following terms describe the technical and organizational measures, internal controls and information security routines that Accenture maintains to safeguard data provided by or on behalf of our clients in connection with a client service engagement (“Client Data”). These security measures are intended to protect Client Data when in Accenture’s environments (e.g., systems, networks, facilities) against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. When Client Data includes personal data, our implementation of and compliance with these measures (and any additional security measures set out in the applicable client agreement) is designed to provide an appropriate level of security in respect of the processing of the personal data. Accenture may change these measures from time to time, without notice, so long as any such revisions do not materially reduce or degrade the protection provided for the Client Data.
STANDARD DATA SAFEGUARDS:
- Organization of Information Security
  - Security Ownership. Accenture will appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures.
  - Security Roles and Responsibilities. Accenture’s personnel with access to Client Data will be subject to confidentiality obligations.
  - Risk Management Program. Accenture will have a risk management program in place to identify, assess and take appropriate actions with respect to risks related to the processing of the Client Data in connection with the applicable agreement between the Parties.
- Asset Management
  - Asset Inventory. Accenture will maintain an asset inventory of its infrastructure, network, applications and cloud environments. Accenture will also maintain an inventory of its media on which Client Data is stored. Access to the inventories of such media will be restricted to personnel authorized in writing to have such access.
  - Data Handling. Accenture will
    - Classify Client Data to help identify such data and to allow for access to it to be appropriately restricted.
    - Limit printing of Client Data from its systems to what is minimally necessary to perform services and have procedures for disposing of printed materials that contain Client Data.
    - Require its personnel to obtain appropriate authorization prior to storing Client Data outside of contractually approved locations and systems, remotely accessing Client Data, or processing Client Data outside the Parties’ facilities.
- Human Resources Security
  - Security Training. Accenture will
    - Inform its personnel about relevant security procedures and their respective roles.
    - Inform its personnel of possible consequences of breaching the security rules and procedures.
    - Only use anonymous data in its training environments.
- Physical and Environmental Security
  - Physical Access to Facilities. Accenture will implement and maintain procedures to limit authorized access to its facilities where information systems that process Client Data are located.
  - Physical Access to Components. Accenture will maintain records of the incoming and outgoing media containing Client Data, including the kind of media, the authorized sender/recipients, date and time, the number of media, and the types of Client Data they contain.
  - Component Disposal. Accenture will use industry standard (e.g., ISO 27001, CIS SANS 20, and/or NIST Cybersecurity Framework, as applicable) processes to delete Client Data when it is no longer needed.
- Communications and Operations Management
  - Operational Policy. Accenture will maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Client Data.
  - Mobile Device Management (MDM)/Mobile Application Management (MAM). Accenture will maintain a policy for its mobile devices that:
    - Enforces device encryption.
    - Prohibits use of blacklisted apps.
    - Prohibits enrollment of mobile devices that have been “jail broken.”
  - Data Recovery Procedures. Accenture will
    - Have specific data recovery procedures with respect to its systems in place designed to enable the recovery of Client Data being maintained in its systems.
    - Review its data recovery procedures at least annually.
    - Log data restoration efforts with respect to its systems, including the person responsible, a description of the restored data and, where applicable, which data (if any) had to be input manually in the data recovery process.
  - Malicious Software. Accenture will have anti-malware controls to help avoid malicious software gaining unauthorized access to Client Data, including malicious software originating from public networks.
  - Data Beyond Boundaries. Accenture will
    - Encrypt Client Data that it transmits over public networks.
    - Protect Client Data in media leaving its facilities (e.g., through encryption).
    - Implement automated tools where practicable to reduce the risks of misdirected email, letters, and/or faxes from its systems.
  - Event Logging. For its systems containing Client Data, Accenture will log events consistent with its stated policies or standards.
- Access Control
  - Access Policy. Accenture will maintain a record of security privileges of individuals having access to Client Data via its systems.
  - Access Authorization. Accenture will
    - Maintain and update a record of personnel authorized to access Client Data via its systems.
    - When responsible for access provisioning, promptly provision authentication credentials.
    - Deactivate authentication credentials where such credentials have not been used for a period of time (such period of non-use not to exceed 90 days).
    - Deactivate authentication credentials within two business days upon notification that access is no longer needed (e.g., employee termination, project reassignment, etc.).
    - Identify those personnel who may grant, alter or cancel authorized access to data and resources.
    - Ensure that where more than one individual has access to its systems containing Client Data, the individuals have unique identifiers/log-ins (i.e., no shared IDs).
  - Least Privilege. Accenture will
    - Only permit its technical support personnel to have access to Client Data when needed.
    - Maintain controls that enable emergency access to production systems via firefighter IDs, temporary IDs or IDs managed by a Privileged Access Management (PAM) solution.
    - Restrict access to Client Data in its systems to only those individuals who require such access to perform their job function.
    - Limit access to Client Data in its systems to only that data minimally necessary to perform the services.
    - Support segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest (e.g., developer/reviewer, developer/tester).
  - Integrity and Confidentiality. Accenture will instruct its personnel to disable administrative sessions when leaving premises or when computers are otherwise left unattended.
  - Authentication. Accenture will
    - Use industry standard (e.g., ISO 27001, CIS SANS 20, and/or NIST Cybersecurity Framework, as applicable) practices to identify and authenticate users who attempt to access its information systems.
    - Where authentication mechanisms are based on passwords, require that the passwords are renewed regularly.
    - Where authentication mechanisms are based on passwords, require the password to contain at least eight characters and three of the following four types of characters: numeric (0-9), lowercase (a-z), uppercase (A-Z), special (e.g., !, *, &, etc.).
    - Ensure that deactivated or expired identifiers are not granted to other individuals.
    - Monitor repeated attempts to gain access to its information systems using an invalid password.
    - Maintain industry standard (e.g., ISO 27001, CIS SANS 20, and/or NIST Cybersecurity Framework, as applicable) procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
    - Use industry standard (e.g., ISO 27001, CIS SANS 20, and/or NIST Cybersecurity Framework, as applicable) password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, as well as during storage.
  - Multi-Factor Authentication. Accenture will implement Multi-Factor Authentication for internal access and remote access over virtual private network (VPN) to its systems.
  - Penetration Testing and Vulnerability Scanning of Accenture Systems.
    - At least annually, Accenture will perform penetration and vulnerability assessments on Accenture’s IT environments in accordance with Accenture’s internal security policies and standard practices.
    - Accenture agrees to share with Client summary-level information related to such tests as conducted by Accenture to the extent applicable to the Services.
    - For clarity, as it relates to such penetration and vulnerability testing, Client will not be entitled to (i) data or information of other customers or clients of Accenture; (ii) test third party IT environments except to the extent Accenture has the right to allow such testing; (iii) any access to or testing of shared service infrastructure or environments; or (iv) any other Confidential Information of Accenture that is not directly relevant to such tests and the Services.
    - For any Accenture IT systems that are physically dedicated to Client, the Parties may agree to separate, written testing plans, and such testing will not exceed two tests per year.
  - Network and Application Design and Management. Accenture will
    - Have controls to avoid individuals gaining unauthorized access to Client Data in its systems.
    - Use email-based data loss prevention to monitor or restrict movement of sensitive data.
    - Use network-based web filtering to prevent access to unauthorized sites.
    - Use firefighter IDs or temporary user IDs for production access.
    - Use network intrusion detection and/or prevention in its systems.
    - Use secure coding standards.
    - Scan for and remediate OWASP vulnerabilities in its systems.
    - To the extent technically possible, work with Client to limit the ability of Accenture personnel to access non-Client and non-Accenture environments from the Client systems.
    - Maintain up-to-date server, network, infrastructure, application and cloud security configuration standards.
    - Scan its environments to ensure identified configuration vulnerabilities have been remediated.
- Patch Management
  - Accenture will have a patch management procedure that deploys security patches for its systems used to process Client Data that includes:
    - Defined time allowed to implement patches (not to exceed 90 days for high or medium patches as defined by Accenture’s standard); and
    - Established process to handle emergency or critical patches as soon as practicable.
- Workstations
  - Accenture will implement controls for workstations it provides that are used in connection with service delivery/receipt incorporating the following:
    - Software agent that manages overall compliance of the workstation and reports at a minimum on a weekly basis to a central server
    - Encrypted hard drive
    - Patching process so that workstations are patched within the documented patching schedule
    - Ability to prevent blacklisted software from being installed
    - Antivirus with a minimum weekly scan
    - Firewalls installed
- Information Security Breach Management
  - Security Breach Response Process. Accenture will maintain a record of its own security breaches in its systems with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported, and the process for recovering data.
  - Service Monitoring. Accenture’s security personnel will review their own logs as part of their security breach response process to propose remediation efforts if necessary.
- Business Continuity Management
  - Accenture will have processes and programs that are aligned to ISO 22301 to enable recovery from events that impact its ability to perform in accordance with the Agreement.
SUPPLEMENTARY MEASURES. In addition, in accordance with regulatory guidance following the European Court of Justice “Schrems II” decision, Accenture further commits to maintaining the following additional technical, organizational and legal/contractual measures with respect to Client Data, including personal data.
Technical Supplementary Measures:
- The Client Data in transit between Accenture entities will be strongly encrypted with encryption that:
  - is state of the art,
  - secures the confidentiality for the required time period,
  - is implemented by properly maintained software,
  - is robust and provides protection against active and passive attacks by public authorities, including cryptanalysis, and
  - does not contain back doors in hardware or software, unless otherwise agreed with the applicable Client.
- The Client Data at rest and stored by any Accenture entities will be strongly encrypted with encryption that:
  - is state of the art,
  - secures the confidentiality for the required time period,
  - is implemented by properly maintained software,
  - is robust and provides protection against active and passive attacks by public authorities, including cryptanalysis, and
  - does not contain back doors in hardware or software, unless otherwise agreed with the applicable Client.
Organizational Supplementary Measures:
- The Client Data transfer between Accenture entities and the processing by any Accenture entities will be in accordance with:
  - Accenture’s internal policies and procedures to manage requests from public authorities to access personal data,
  - Accenture’s internal data access and confidentiality policies and procedures,
  - Accenture’s internal data minimization policies and procedures, and
  - Accenture’s internal data security and data privacy policies and procedures.
- Accenture will maintain a documented log of requests for access to personal data received from public authorities and the response provided, along with the legal reasoning and the involved parties.
- Accenture will regularly provide reports of public authority requests for personal data, if any, to Accenture’s Chief Compliance Officer.
Legal/Contractual Supplementary Measures:
- Accenture will maintain regularly updated assessment reports with respect to the surveillance laws and privacy practices for the countries in which Accenture processes Client Data where such country is not formally recognized as providing a level of protection essentially similar to EU countries, and will provide copies of applicable reports to clients upon request.
- The Accenture entity or entities processing Client Data certify that, unless otherwise agreed with the applicable Client, (a) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (b) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (c) to the best of Accenture’s knowledge, applicable national law or government policy does not require the Accenture entity to create or maintain back doors or to facilitate access to personal data or systems, or for the Accenture entity to be in possession of or to hand over the encryption key without a legally valid order and following an appropriate legal review.
- To the extent permitted under applicable law, the Accenture entity or entities processing Client Data will inform the client of Government Requests relating to Personal Data that Accenture is processing on behalf of the client. If, under applicable law, Accenture is not permitted to inform the client of a Government Request, Accenture will take reasonable steps to either (i) obtain administrative or judicial leave to inform the client at the earliest possible time or (ii) request that the respective Government Authority directly informs the client. In any event, Accenture will take reasonable steps before the courts or in administrative proceedings to challenge Government Requests it deems unlawful.
- Accenture will advise the applicable client of any change in applicable law that would affect Accenture’s ability to comply with the data transfer mechanism relied on.
- The Accenture entity or entities processing Client Data will allow the applicable client to verify if its personal data was disclosed to public authorities via agreed audit procedures as set out in the applicable client agreement.
- The Accenture entity or entities processing Client Data will not engage in any onward transfer of Client Data, or suspend ongoing transfers, without the client’s approval as required in the applicable client agreement or as otherwise required by law.
- Nothing herein shall prejudice the rights of the data subject to recover damages from Accenture to the extent permitted by applicable law in the event Accenture discloses Client Data transferred in violation of its commitments contained under the chosen transfer tool.