Effective as of 26 June 2024

Security Addendum

This Security Addendum* forms part of and is subject to the Master Subscription and Services Agreement or such other agreements entered into between the parties (the “Agreement”) under which Contentful provides the cloud-based content management and publication platform as a service offering (“Subscription Services”) to Customer. Customer and Contentful are collectively referred to in the Security Addendum as “Parties” or each a “Party.” Capitalized terms not otherwise defined in this Security Addendum have the meaning given to them in the Agreement.

Contentful maintains a documented security program (“Security Program”) that sets forth the administrative, technical, and physical safeguards Contentful takes to preserve the confidentiality, integrity, and availability of Subscription Services and the content uploaded to and managed by Customer in the Subscription Services (“Customer Content”). Contentful may update or modify this Security Addendum from time to time as security controls are implemented or modified, provided such updates do not materially diminish our Security Program or material commitments. Contentful makes available on the site where this Security Addendum is posted a mechanism to subscribe to notifications of any updates, which will take effect within thirty (30) days from the date they are published.

1. Information Security Program

1.1. Security Accreditation: Contentful’s Security Program is governed by our Information Security Management System (“ISMS”), which aligns with and is accredited against ISO 27001:2013 (“ISO 27001”) as described in the certificate. The ISMS is a systematic approach for implementing, maintaining, and improving safeguards that are tailored to Contentful’s size, complexity, and resources.

1.2. Executive Sponsorship: Contentful’s Executive Leadership Team (“ELT”) provides management direction for the Security Program with direct ELT sponsorship provided by Contentful’s Chief Technical Officer (“CTO”). The Vice President of Security leads the Security Program and is responsible for the ISMS. The ISMS is monitored through regular management reviews with the CTO, briefings to the ELT, and through annual internal and external audits and assessments.

1.3. Security Team: Contentful has a dedicated security team, composed of personnel with designated roles and duties. Each member possesses expertise in security domains and receives training pertinent to their respective duties and obligations.

2. Information Security Policies

2.1. Policies: The ISMS is built upon a framework of written policies (“Security Policies”) accredited against ISO 27001 and aligned to industry practices to preserve the confidentiality, integrity, and availability of Customer Content.

2.2. Policy Maintenance: Each Security Policy has a designated owner tasked with its development, maintenance, and compliance. These policies undergo annual reviews and are updated as necessary. Employees are required to comply with applicable Security Policies, which are readily available on the company's intranet.

3. Physical & Environmental Security

3.1. Data Centers: Subscription Services are hosted via Amazon Web Services (“AWS”), which maintains physical and environmental security measures for its data centers, including, but not limited to, access controls, surveillance systems, backup systems, and climate management systems.

3.2. Corporate Facilities: Contentful maintains physical and environmental security measures at corporate facilities. These safeguards include, but are not limited to:

3.2.1. Physical entry points are recorded by Closed-Circuit Television and have an access card verification system, allowing only authorized personnel to enter office premises. Visitors are required to sign in and wear an identification badge. Building lessor, in conjunction with third parties, provides physical security services, including monitoring, walkthroughs, and building entry control, where appropriate.

3.2.2. Equipment, such as networking and other hardware, required to support office operations is located in secure areas with an access card verification system, allowing only authorized personnel access. Equipment is maintained by Contentful’s Information Services department in line with manufacturer guidelines and Security Policies.

3.2.3. Contentful corporate offices provide wireless access and enforce a minimum of Wi-Fi Protected Access (“WPA”) version 2. Access to a corporate network mandates sign-on through Single Sign-On (SSO) with multi-factor authentication. Guest networks, where needed, use shared passwords changed quarterly. Corporate and guest networks are logically separated.

3.3. Clear Desk and Screen: Employees are required to keep workspaces and digital screens clear of sensitive information when not in active use pursuant to Security Policies.

4. Personnel Security

4.1. Employee Screening: Contentful performs employee background and criminal history checks, as permitted by law, during the employee vetting process. Employees are required to sign confidentiality agreements prior to starting employment.

4.2. Security Training: Employees complete annual awareness training covering information security, data privacy, and Security Policy topics.

5. Network & System Security

5.1. Separation of Environments: Subscription Services use public subnets for Internet-facing resources and private subnets for backend systems. Traffic restriction controls use a deny-all default policy designed to prevent accidental exposure. Subscription Services maintain logically separated production and non-production environments, which are logically and physically separated from corporate infrastructure.

5.2. Protection Against Malicious Traffic: Subscription Services employ a multi-layered defense strategy against malicious traffic, including volumetric attacks such as Distributed Denial of Service (DDoS), through the use of caching, throttling, traffic filtering, and web application firewalls.

5.3. Intrusion Detection: Subscription Services use cloud-centric intrusion detection services that combine AWS data sources and threat intelligence to detect a broad range of threat behaviors. These systems generate alerts with forensic data investigated by the Contentful security team.

5.4. Access Controls: Access to the infrastructure that supports Subscription Services follows a principle of least privilege, limiting access based on job function necessity. User accounts are controlled through SSO to centrally manage provisioning, deprovisioning, and account protections. User accounts are unique, require a password that meets or exceeds generally accepted industry standards, and require multi-factor authentication.

5.5. Endpoint Controls: Contentful personnel develop, access, and administer Subscription Services through company issued devices (“Contentful Devices”) managed through a mobile device management policy.

5.5.1. Contentful Devices enforce Security Policies, including disk encryption, automatic screen locks after inactivity, and the maintenance of security scanning, logging, and monitoring utilities.

5.5.2. Endpoint detection and response tools detect and prevent malicious software and activities using both signature-based and advanced, non-signature methods, including behavioral analysis and machine learning.

5.5.3. Contentful Devices undergo regularly scheduled vulnerability scans.

6. Storage & Transmission Security

6.1. Cryptographic Policies: Contentful maintains cryptographic policies that stipulate the minimum usage of cryptographic algorithms and protocols for encrypting Customer Content. These policies are updated at least annually and align with generally accepted industry standards.

6.2. Storage Encryption: Customer Content is encrypted at rest using AES 256-bit encryption. Contentful uses AWS Key Management Service (KMS) to provide centralized control over the lifecycle and permissions of cryptographic keys. KMS integrates with the AWS services and manages the creation, revocation, and automatic rotation of keys used to encrypt Customer Content.

6.3. Transit Encryption: Customer Content is transmitted securely via encrypted transport layer security (TLS) version 1.2 or higher leveraging modern ciphers over untrusted networks. Contentful uses AWS Certificate Manager (ACM) to centrally manage the lifecycle of TLS certificates, including their issuance, revocation, and automatic rotation.

6.4. Credential Management: Credential information used by Subscription Services, such as credentials used to facilitate communication between systems, is stored in AWS Secrets Manager. Access to these credentials is restricted to automated services and select individuals following the principle of least privilege.

7. Secure Disposal, Deletion & Storage of Customer Content

7.1. Storage: Customer Content is stored on AWS servers.

7.2. Deletion: Subscription Services include functionality that Customer may use at any time during the term of the Agreement to retrieve or delete Customer Content. Within 35 days of a written request by Customer upon termination or expiration of the Agreement, Contentful will delete (such that it cannot be recovered or reconstructed) all Customer Content within its possession or control.

7.3. Disposal: Customer Content is stored in AWS which ensures that media storage devices that reach the end of their useful life are decommissioned using techniques detailed in the National Institute of Standards and Technology (NIST) publication 800-88. Contentful personnel develop, access, and administer Subscription Services through Contentful Devices which are wiped prior to being reissued or decommissioned.

8. Vulnerability Management

8.1. Vulnerability Management Program: Contentful maintains a vulnerability management program designed to ensure the ongoing identification, prioritization, and remediation of security vulnerabilities.

8.2. Monitoring & Identification: Contentful monitors the security posture and vulnerabilities of Subscription Services including but not limited to, insecure configurations and software vulnerabilities. Additionally, Contentful performs regular testing to identify vulnerabilities and risks in applications including, but not limited to, injection flaws, authentication issues, and other application security flaws.

8.3. Bug Bounty: Contentful actively participates in a bug bounty program, inviting researchers to report weaknesses.

8.4. Automated Dependency Updates: Monitoring tools review code repositories for outdated or vulnerable libraries and packages, and automatically generate requests for review, testing, and merge when new versions become available.

8.5. Severity Scoring: Contentful evaluates the severity of vulnerabilities by using the National Vulnerability Database’s (NVD) Common Vulnerability Scoring System (CVSS) and incorporating factors and controls pertinent to Subscription Services. In cases where vulnerabilities are not listed or rated in the NVD, Contentful employs the NIST CVSS calculator as a part of severity assessments.

8.6. Prioritization & Remediation: Contentful prioritizes vulnerability remediation based on severity and impact to Subscription Services and tracks patching and mitigation in line with generally accepted industry standard software level objectives.

8.7. Retesting: Vulnerabilities that have been remediated are subjected to a retesting process and confirmation to ensure their effective resolution before they are officially closed.

9. Incident Response & Breach Notification

9.1. Incident Response Plan: Contentful maintains a security Incident Response Plan (IRP) which outlines roles, responsibilities, and procedures for identifying, managing, documenting, and reporting incidents. The security IRP incorporates protocols to align with Contentful’s organization-wide incident management plan, ensuring coordinated cross-functional management of incidents. Contentful may engage with third-party security consultants to assist with forensics and investigations, as necessary. The IRP is reviewed and tested annually. Individuals with responsibilities outlined in the IRP are responsible for reviewing updates to the IRP and for participating in annual training.

9.2. Breach Notification: If Contentful becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content (“Data Breach”) Contentful will notify Customer without undue delay and, in any case, where feasible, within 72 hours after becoming aware. Notification will be sent to the email address that Customer has specified within the Subscription Services to receive security-related notifications. Where no such email address is provided, Customer acknowledges that the means of notification shall be at Contentful’s reasonable discretion (which may include using other Customer-designated email addresses such as the administrator or owner of the relevant organization), and that this may impact Contentful’s ability to timely notify. Customers are solely responsible for determining whether to notify their relevant supervisory or regulatory authorities in relation to any Data Breach.

9.3. Breach Remediation: Contentful shall promptly employ its IRP and take commercially reasonable steps to contain or mitigate a Data Breach.

9.4. Breach Cooperation: Contentful shall provide Customer timely information about the Data Breach, to the extent known, including, but not limited to, the nature and consequences of the Data Breach and measures taken to mitigate the impact. As Contentful generally does not have visibility to Customer Content, Contentful may not be able to provide information as to the particular nature of the Customer Content.

10. Secure Development and Change Management

10.1. Software Development Lifecycle: Contentful’s development process embeds security throughout the lifecycle. Security testing is integrated throughout development pipelines to supplement ongoing collaborative implementation reviews, minimizing risk of exposure in production environments.

10.2. Deployment: Production changes for Subscription Services are designed to ensure that each production code merger is reviewed and approved by at least one additional individual, distinct from the original merger, ensuring peer review for all changes.

11. Disaster Recovery

11.1. High Availability: Subscription Services infrastructure is composed of content delivery and content management services, which are strategically deployed across multiple AWS Availability Zones within a primary AWS region. In parallel, content delivery services provide availability across multiple points of presence within our content delivery network providers. A secondary region capable of assuming content delivery operations is available should an adverse event render the primary region inaccessible.

11.2. Backups: In addition to Customer’s backup responsibilities set forth in the Agreement, backups are performed daily and are retained for 30 days, providing a point-in-time recovery option. In addition, a secondary region maintains a copy of Customer Content to mitigate risks of delivery service disruptions in the event of localized failures.

11.3. Restoration: Contentful maintains a Disaster Recovery Plan (DRP) in the event of a disaster or region-wide outage impacting our primary deployment. Requisite services are deployed within the secondary region, whereupon incoming Application Programming Interface (API) traffic is redirected to this contingency infrastructure. We annually test and review our DRP in order to maintain an adaptive disaster recovery program.

12. Business Resilience and Continuity

12.1. Resilience Framework: Contentful’s Business Continuity Management System provides a structured approach for preparedness, response, and recovery from business interruptions, aligning with generally accepted industry standards. This framework includes plans and processes to facilitate an organized and coordinated response to interruptions across business units.

12.2. Business Continuity: Our Business Continuity Plans (BCPs) are designed to safeguard operational continuity in the event of disruptions. BCPs are tested and reviewed annually.

13. Risk Management

13.1. Risk Management Framework: Contentful’s risk management framework defines the requirements and processes to identify and treat privacy and information security risks, ensuring they remain within acceptable tolerance levels. These risks undergo regular reviews, documentation in a risk register, and assessment based on likelihood and various impact factors. Each risk is assigned an owner and corresponding treatment plan.

13.2. Risk Assessments: Contentful conducts a range of internal and externally facilitated assessments to identify areas of improvement and potential risks. These assessments include, but are not limited to, ISO 27001 accreditation audits, third-party penetration testing evaluations, internal audits, and security design and architecture reviews.

13.3. Third-Party Security Assessment and Commitments: Contentful conducts a risk-based security assessment of prospective third-party service providers who are contractually required to meet Contentful’s security and data protection requirements.

14. Customer Rights & Shared Responsibilities

14.1. Security Documentation: Subject to written requests, Customer may request a copy of third party attestations or third party penetration report summaries, which shall constitute Contentful Confidential Information.

14.2. Penetration Tests: Subject to a written request and the execution of Contentful’s Customer Conduct Security Assessment Agreement (“Customer PenTest Agreement”), Customer may responsibly and professionally conduct penetration tests, adhering to best practices and ethical standards as outlined in the Customer PenTest Agreement. Customers may report findings to Contentful in a written report. Contentful will assess these findings and assign a severity score. As previously detailed, this severity score accounts for various factors and controls relevant to Subscription Services. Consequently, any plans for remediation and associated timelines will be at Contentful’s sole discretion and aligned with the assigned severity score. Any results of a Customer-conducted penetration test shall constitute Contentful Confidential Information.

14.3. Audit Rights: To the extent that the Agreement does not otherwise give the information and audit rights pertaining to the processing of Customer Content, Contentful will upon reasonable request make available to Customer such information reasonably necessary to demonstrate compliance with this Security Addendum, and will allow for and contribute to audits, including inspections, by Customer or an auditor designated by Customer and agreed to by Contentful, which consent will not be unreasonably withheld.

14.3.1. The audits and inspections referred to in Section 14.3 are primarily carried out by Customer reviewing and inspecting audit reports resulting from an audit performed by an independent third-party information security expert at Contentful’s expense and choice in accordance with Contentful’s ISO 27001 compliant ISMS. Customer hereby instructs Contentful to perform audits as described in this section 14.3.1.

14.3.2. If Customer wishes to alter its above instructions concerning audits, Customer will issue a suggestion for altered audit instructions to Contentful in writing reasonably in advance of the requested audit and the parties will mutually agree upon the details of the audit. Customer will take all reasonable endeavors to minimize disruption to Contentful’s business. The audit and any information arising therefrom shall be considered Contentful’s Confidential Information and may only be shared with a third-party with Contentful’s prior written agreement.

14.3.3. Customer will not carry out more than one audit per year of the Agreement term and Contentful reserves the right to charge a fee (rates shall be reasonable, taking into account the resources expended by Contentful) for audits described in section 14.3.2.

14.4. Content Accountability: Contentful has no obligation to assess the content, accuracy, or legality of Customer Content including to identify information subject to any specific legal, regulatory or other requirement and Customer is responsible for making appropriate use of Subscription Services to ensure a level of security appropriate to the particular content of Customer Content.

14.5. User Management: Customer is responsible for managing access to its account through user management and role based access controls built into the platform or through SSO integration. This includes, but is not limited to, setting secure unique passwords and enabling multi-factor authentication.


*For clarity, where Customer’s Agreement refers to Security Standards, such reference shall be interpreted to refer to this Security Addendum.
