(For Paid Subscription Service only, under the Master Software License Agreement)
1. Data Security Procedures
Orbital Labs shall maintain reasonable operating standards and security procedures and shall use their best efforts to secure Personal Data and Confidential Information (collectively, “Confidential Data”) through the use of appropriate administrative, physical, and technical safeguards including, but not limited to, appropriate network security and encryption technologies. Such security measures shall also include the following:
(i) Implementation of controls to manage access to Confidential Data, including:
(a) Restricting access privileges to only those Orbital Labs personnel that must access Confidential Data to deliver the Subscription Service;
(b) Immediately terminating access privileges to Confidential Data for any Orbital Labs personnel that no longer need such access, and conducting quarterly reviews of access lists to ensure that access privileges have been appropriately provisioned and terminated;
(c) Requiring the use of multi-factor authentication to access Confidential Data;
(ii) Maintenance of firewalls to segregate Orbital’s internal networks from the internet, and employing appropriate monitoring and logging capabilities to enable detecting and responding to potential security breach attempts;
(iii) Application of all manufacturer-recommended security updates to all systems, devices, or applications storing, processing or transiting Confidential Data in a timely manner that aligns with industry best practices;
(iv) Maintenance and enforcement of policies and procedures to ensure that all of the following requirements are met:
(a) access to Orbital’s computer resources and networks (including wireless networking and remote access) shall be limited to approved configurations utilizing appropriate identification and authentication methods, including the following minimum password requirements:
(1) passwords shall be a minimum of eight (8) characters in length, and shall contain characters from three (3) of the following four categories: uppercase letters, lowercase letters, numeric (0-9), and special (!@#$%^&*);
(2) the operating system shall enable a dictionary check to reject commonly used passwords, and shall lock out the user account for fifteen (15) minutes upon ten (10) failed authentication attempts; and
(3) Orbital Labs shall implement measures to ensure that credentials are not shared between users and accounts unless necessary.
(c) Confidential Data shall only be used for the purposes of performing Orbital’s obligations under this Agreement, and shall not be distributed, repurposed, or shared with third parties or Orbital’s business units without Customer’s prior written approval;
(d) Confidential Data shall at all times be encrypted in accordance with the Encryption Standards described below, regardless of whether such Confidential Data is at rest or in transit;
(e) All encryption shall be accomplished with an AES 128-bit or stronger key, or RSA with a 2048-bit or stronger key, or equivalent algorithms and their respective key strengths, and in accordance with industry standards for secure key and protocol negotiation and key management (collectively, the “Encryption Standards”);
(f) Confidential Data shall not be transmitted outside of Orbital’s secure facilities (which include its cloud hosting environments and subprocessors), transmitted on networks other than those controlled by Customer or Orbital Labs, or stored on any portable storage device, including but not limited to laptops, tablets, smartphones, flash drives, or removable media, unless, in each instance such information has been encrypted in accordance with the Encryption Standards;
(g) All documents and electronic media containing Confidential Data shall be protected in accordance with Orbital’s obligations under Section 5 (Confidentiality) of the Agreement, and if disposal is permitted by the Agreement, shall be disposed of in a secure manner;
(v) Ensuring that all electronic mail (email) communications pertaining to the Services or any Confidential Data are conducted to and from an email domain that is owned by Orbital Labs, and, upon Orbital’s request, providing Orbital Labs with domain registration documents or other documentation as reasonably required to confirm Orbital’s ownership of such email domain;
If requested by Customer at any time during the Term of the Agreement, Orbital Labs shall provide Customer with a copy of the then-current information security policy maintained by Orbital Labs.
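The password and lockout requirements in clause (iv)(a)(1)-(2) above are concrete enough to be enforced in code. The following is an added illustration, not part of the Exhibit or of any Orbital Labs system: it checks the minimum length, the three-of-four character categories, a common-password dictionary, and the lockout of an account for fifteen minutes after ten failed attempts. The dictionary contents, the function and class names, and the in-memory lockout store are all assumptions made for the example.

```python
import string
from dataclasses import dataclass, field

# Constructed sample dictionary for the example; a real deployment would load a
# larger published list of commonly used passwords (assumption, not from the Exhibit).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein1"}

SPECIAL_CHARS = set("!@#$%^&*")  # the special characters named in clause (iv)(a)(1)
MIN_LENGTH = 8                   # eight (8) characters minimum
MIN_CATEGORIES = 3               # three (3) of the four categories
MAX_FAILED_ATTEMPTS = 10         # lock out upon ten (10) failed attempts
LOCKOUT_SECONDS = 15 * 60        # for fifteen (15) minutes


def check_complexity(password: str) -> list[str]:
    """Return the requirements the password fails; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    categories = sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ])
    if categories < MIN_CATEGORIES:
        problems.append(f"only {categories} of 4 character categories (need {MIN_CATEGORIES})")
    # Dictionary check is case-insensitive so that trivial capitalisation does not evade it.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("matches the common-password dictionary")
    return problems


@dataclass
class AccountLockout:
    """Per-account failed-attempt counter enforcing the 10-attempt / 15-minute lockout.

    Timestamps are passed in explicitly (seconds) so the logic is deterministic and testable;
    a production implementation would read the clock itself and persist the state.
    """
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear state so the next failure starts a fresh count.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure count."""
        self.failures[user] = 0


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor!", "short1!", "alllowercase", "Password1"]:
        print(candidate, "->", check_complexity(candidate) or "accepted")
    lockout = AccountLockout()
    for attempt in range(MAX_FAILED_ATTEMPTS):
        locked = lockout.record_failure("alice", now=1000.0 + attempt)
    print("locked after 10 failures:", locked)
    print("still locked 14 min later:", lockout.is_locked("alice", 1000.0 + 14 * 60))
    print("locked 15 min later:", lockout.is_locked("alice", 1009.0 + LOCKOUT_SECONDS))
```

The lockout is keyed by account, which is what the clause requires; a deployment should also rate-limit by source address so that one client cannot lock out many accounts, but that control is outside the Exhibit's wording and is not implemented here.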
2. Information Security Breach; Other Investigations
Orbital Labs shall promptly notify Customer if Orbital Labs knows or has reason to believe there has been any misuse, compromise, loss, or unauthorized disclosure or acquisition of, or access to, Confidential Data (“Information Security Breach”). Upon any discovery of an Information Security Breach, Orbital Labs will notify the Customer of the Information Security Breach, investigate, remediate, and mitigate the effects of the Information Security Breach, and provide Customer with assurances that such Information Security Breach will not recur. Orbital Labs shall provide at Customer’s request information related to any such Information Security Breach, including but not limited to, vulnerabilities or flaws, start or end date, date of discovery, and specific actions taken to contain and/or mitigate. If any Information Security Breach occurs as a result of an act or omission of Orbital Labs, Orbital Labs will, at Orbital’s sole expense (but subject to Section 8 of the Agreement), undertake remedial measures (including notice, credit monitoring services, fraud insurance, reputation loss, and the establishment of a call center to respond to customer inquiries) in accordance with Customer’s instructions.
Orbital Labs shall provide Customer with reasonable assistance and support and shall act solely at Customer’s direction in (i) responding to an investigation or cooperation request by a data protection regulator or similar authority; (ii) providing notice of an Information Security Breach to any third party where required or requested by Customer; (iii) conducting legally required privacy, security, or data protection impact assessments; and (iv) consulting with the relevant authorities when required in relation to such impact assessments.
4. Return or Destruction of Confidential Data
Upon termination of this Agreement for any reason, Orbital Labs shall promptly contact Customer for instructions regarding the secure return, destruction or other appropriate action with regard to Confidential Data. Upon termination of this Agreement for any reason, or at any time at the request of Customer, Orbital Labs shall: (i) return all Confidential Data to Customer, including but not limited to all paper and electronic files, materials, documentation, notes, plans, drawings, and all copies thereof, and ensure that all electronic copies of such Confidential Data are rendered unrecoverable from Orbital’s (and where applicable, its Subcontractors’) systems; or (ii) if requested by Customer in writing, promptly destroy, delete and render unrecoverable all tangible and electronic instances of Confidential Data from Orbital’s (and where applicable, its Subcontractors’) systems, all in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization. If requested by Customer, Orbital Labs shall provide Customer with written confirmation of its compliance with the requirements of this Section.
5. Notification of Non-Compliance
If Orbital Labs is unable to comply with the obligations stated in this Exhibit, Orbital Labs shall promptly notify Customer, and Customer may take any one or more of the following actions: (i) suspend the transfer of Confidential Data to Orbital Labs; (ii) require Orbital Labs to cease processing Confidential Data; (iii) demand the secure return or destruction of Confidential Data; and/or (iv) immediately terminate this Agreement.
Orbital Labs shall make available to Customer such information reasonably necessary to demonstrate compliance with the obligations of this Exhibit A and all applicable laws, regulations, and international accords or treaties pertaining to Personal Data.
This section is not legally binding.
We strive to provide a secure product, but we're not perfect. If you find a security vulnerability, please contact us for responsible disclosure.