├── LICENSE
├── README.md
└── model-contract.md

/LICENSE:
--------------------------------------------------------------------------------
CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.

For more information, please see

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Vendor Security Model Contract

This is model contract language similar to a security addendum we use at Dropbox for security requirements for SaaS-style vendors. Please note that this is only one part of a model contract and does not cover topics such as privacy, etc., that would be covered under other addendums.

This is not legal advice. We highly recommend working with your own legal team to determine how to best employ the model language and modify it to suit your particular needs. Every security program has different challenges and risks, and we hope this is a useful starting recipe.

For more information, see https://blogs.dropbox.com/tech/2019/03/towards-better-vendor-security-assessments/

--------------------------------------------------------------------------------
/model-contract.md:
--------------------------------------------------------------------------------
# Dropbox Supplier Security Requirements

These Supplier Security Requirements apply to Supplier when it provides services to Dropbox. Terms used here but not defined here are defined in the Agreement.

## 1. Third Party Testing and Validation.

### 1.1. General Testing.

**a. Periodic Tests.** Supplier shall allow Dropbox, or Dropbox’s delegate, to periodically test the security of the Services. When testing, Dropbox or its delegate shall: (i) carefully conduct tests that are reasonably designed to safely uncover possible vulnerabilities without undue risk; and (ii) make commercially reasonable efforts to tailor the tests as needed to specifically achieve the purpose of the test.

**b. Timing.** Dropbox or its delegate may conduct the security tests in Section 1.1 at any time during the term of the Agreement. Dropbox will: (i) provide Supplier with reasonable notice prior to conducting the tests; (ii) promptly inform Supplier of any findings; and (iii) delay further disclosure until Supplier has had reasonable time to resolve issues identified in the findings.

### 1.2. Vulnerability Disclosure Policy.

**a. Generally.** Supplier shall publish a Vulnerability Disclosure Policy (“VDP”) on its public website. This VDP shall: (i) welcome arbitrary security research; (ii) include all internet-facing assets in scope; (iii) provide safe harbor from CFAA and DMCA actions for all good faith research; and (iv) not place restrictions on disclosure.

**b. Contact and Service Level Agreement.** Supplier shall: (i) post a method by which the public can contact Supplier to report security vulnerabilities; and (ii) use best efforts to respond to these reported security vulnerabilities within a commercially reasonable period of time based on the severity and impact of the vulnerability.

**c. Bug Bounty Program.** Supplier agrees that Dropbox may make deliverables or results of the Services subject to Dropbox’s Bug Bounty Program. Dropbox will notify Supplier of any material security-related vulnerabilities in the Services or deliverables identified through its Bug Bounty Program. Supplier understands that research and disclosures are governed by Dropbox's VDP, which requires good faith and responsible behavior by participants.

### 1.3. Application and Network Penetration Testing.

**a. Annual Testing.** Supplier shall, at least once per year, perform a suite of independent third-party tests. These tests will be performed upon: (i) the Services; (ii) all aspects of Supplier’s internet-facing perimeter; and (iii) Supplier’s internal corporate network and internal systems. Supplier will supply Dropbox with details of all third-party tests from the previous year, including names of third-party testers and number of person hours used.

**b. Sharing Results.** Supplier shall, upon Dropbox’s request and under suitable non-disclosure obligations, share with Dropbox: (i) confirmation that the tests required by this Section 1.3 were performed; and (ii) the third-party test results from Sections 1.3(a)(i) and (ii) above.

### 1.4. Fixing Issues.
Supplier will fix all critical and high severity vulnerabilities that could affect the security of Dropbox Data, of which Supplier becomes aware, within sixty days of becoming aware of the vulnerability. If Supplier cannot fix the vulnerability within sixty days, Supplier will promptly inform Dropbox, including all details of the risk to Dropbox arising from Supplier’s inability to fix the vulnerability.

## 2. Technical Security Measures.

### 2.1. Transport Encryption.
Supplier will maintain an SSL Labs rating (please see https://www.ssllabs.com) of at least “A” for any external website used to store or access Dropbox data. If Supplier’s rating falls below “A,” Supplier will: (a) notify Dropbox if this rating is below “A” for three months; and (b) have three months from the date it notifies Dropbox within which to increase its rating back to an “A.”

### 2.2. Google G Suite Authentication Integration.
If the Services include a SaaS service, Supplier will integrate the Services with Google G Suite authentication for Dropbox’s login needs. This Google G Suite authentication integration will be the only method by which Dropbox users log in to the Service.

### 2.3. Multifactor Authentication.
Supplier will use a multifactor authentication (“MFA”) login solution for the Services, provided that text or phone call are not acceptable factors. MFA must be used for: (a) any VPN connections into the Supplier’s internal networks; (b) any connections into Supplier’s production environment; (c) Supplier’s e-mail, if it can be accessed from the internet; and (d) any services Supplier uses that contain Dropbox Data.

### 2.4. Patching.
Supplier will promptly apply any high or critical severity security patches to its production servers, endpoints, and endpoint management systems.

### 2.5. Detection and Alerting.
Supplier will proactively monitor, detect, and alert its internal security team regarding suspicious or malicious activity within Supplier’s production and corporate environments.

### 2.6. Scanning.
Supplier will run regular automated scans against its internet-facing perimeter, production perimeter, and internal network. Supplier will promptly fix high and critical severity findings.

### 2.7. Environment Separation and Access.
Supplier will maintain a boundary between its corporate and production environments. Supplier will maintain controls gating access into the production boundary, and Supplier will only provide production environment access to employees or contractors who must maintain the production environment.

## 3. Policy and Compliance.

### 3.1. Security Incidents.

**a. Notification and Timing.** Supplier will notify Dropbox in writing of any Security Incident within seventy-two hours of Supplier becoming aware of the Security Incident. This notification is required even if Supplier has not conclusively established the nature or extent of the Security Incident. Supplier will not communicate with any third party regarding a Security Incident except as specified by Dropbox, or as required by law.

**b. Required Information.** Supplier’s Security Incident notification will describe the known details of the incident, the status of Supplier’s investigation, and, if applicable, the potential number of persons affected. Supplier will be solely responsible for all costs associated with any security breach, including, if applicable, the cost of notices to and credit monitoring for affected individuals.

### 3.2. Compliance Certification.
Supplier shall: (a) maintain compliance with at least one of the following: (i) SSAE 16/SOC 1; (ii) SOC 2; or (iii) ISO 27001; (b) provide audit reports or evidence of these certifications to Dropbox upon request; and (c) ensure that all Supplier subcontractors or third party delegates adhere to the same standards.

### 3.3. Secure Development Lifecycle.
Supplier shall maintain and follow a Secure Development Lifecycle (“SDL”) for the development of its products and services. Supplier’s SDL will be supported by at least one full time security engineer. Supplier will provide Dropbox a copy of its SDL policy and process documents upon request.

### 3.4. Supporting Information.
Upon Dropbox’s request, Supplier will provide its policy and process documents relating to any of the security controls referenced in these Security Requirements to Dropbox.

### 3.5. Handling of Dropbox Data.
Supplier will not move Dropbox Data from Supplier’s production environment unless specifically asked to do so by Dropbox. Specifically, Dropbox Data must not be downloaded to phones or laptops, and must not be shared with third parties. Supplier will delete Dropbox Data permanently upon Dropbox’s request.

## 4. Modifications.
Dropbox may periodically update these Security Requirements by posting a new version. If Dropbox changes these Security Requirements in a manner that materially increases Supplier’s obligations, Dropbox will notify Supplier, and Supplier will have ninety days within which to object to the changes. If Supplier does not object within this timeframe, Supplier agrees to comply with the modified Security Requirements. If Supplier objects within this time frame, and Supplier and Dropbox cannot resolve the objection within thirty days, then Dropbox may terminate the Agreement immediately upon written notice to Supplier.

## 5. Definitions.

“Agreement” means the executed Agreement between Supplier and Dropbox.

“Dropbox Data” means any data that is provided to Supplier by Dropbox or on behalf of Dropbox.

“Security Incident” means any: (i) breach or suspected breach of the security of the Services or the systems used to provide the Services that may have resulted in the compromise of Dropbox Data; or (ii) other unauthorized access to or use of Dropbox Data, or Supplier's reasonable belief that access or use may have occurred.

“Services” means the products or services provided by Supplier to Dropbox.

“Suppliers” means those vendors who provide services to Dropbox.

--------------------------------------------------------------------------------