Effective as of 31 January 2017

Security Standards

Contentful will abide by the security standards set forth below (“Security Standards”), which detail the various actions taken by Contentful that are designed to ensure the security of the Contentful Services (“Information Security”). During the Subscription Term, these Security Standards may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as deemed reasonably necessary by Contentful, provided that such changes will not bring the Security Standards below industry standard security measures.

Definitions

Terms not defined herein will have the meanings ascribed to them in the relevant agreement for the Contentful Services entered into between the parties.

1. Risk Management.

  • An annual Information Security risk assessment is performed covering Contentful facilities and information assets.
  • The risk assessment is conducted using an industry standard methodology to aid in identifying, measuring, and treating known risks.
  • Risk assessment results and risk mitigation suggestions are shared with the executive management team.
  • The risk assessment results will specify proposed changes to systems, processes, policies, or tools, in order to reduce security vulnerabilities and threats, if any.

2. Security Policy.

  • Policies, including those related to data privacy, security and acceptable use, are assessed and approved by Contentful senior management. Policies are documented and published among all relevant personnel.
  • Employees and contracted third parties are required to comply with Contentful policies relevant to their scope of work.
  • New employees attend new hire training, which includes training modules on confidentiality obligations, information security, compliance, and data protection.
  • Employees attend annual Information Security training, which covers Contentful Information Security policies and expectations.
  • Where required, policies are supported by associated procedures, standards, and guidelines.
  • Information Security policies are updated, as needed, to reflect changes to business objectives or risk.
  • Senior management performs an annual review of all Information Security policies.
  • Information Security policies are stored, maintained, updated, and published in a centralized location accessible to employees and third parties.
  • Contentful’s employee handbook contains sections on password requirements, Internet usage, computer security, confidentiality, social media, customer data protection, and Company data protection.

3. Organization of Information Security.

  • Information Security governance and data protection compliance for the Company are the responsibility of Contentful’s Chief Technical Officer.
  • Contentful maintains a dedicated Information Security team, with security responsibilities shared across various business units.
  • A qualified third-party performs an annual audit of the Company’s Information Security program.
  • Confidentiality and non-disclosure agreements are required when sharing sensitive, proprietary, personal, or otherwise confidential information between Contentful and a third party.

4. Asset Management.

  • Contentful assigns ownership for all information assets.
  • Desktops and laptops utilize encrypted storage partitions whenever an employee is in a role involving access to Customer Content or Contentful intellectual property.
  • Contentful maintains a data and media management policy that covers the disposal of electronic assets and associated media.

5. Human Resources Information Security.

  • Security roles and responsibilities for employees are defined and documented.
  • Contentful performs background screening of applicants, including job history, references, and criminal history (subject to local laws).
  • Contentful requires all new employees to sign employee agreements, which include comprehensive non-disclosure and confidentiality commitments.
  • Contentful maintains a formal information security awareness and training program that includes new hire training and annual developer secure code training.
  • Information Security awareness is enhanced through regular communications using Contentful’s internal social media tool and company-wide emails, as necessary.
  • The organization maintains attendance records for formal security awareness training sessions.
  • Employees with responsibility for Information Security participate in additional training on security protection techniques, risks, and latest trends.
  • The Human Resources department notifies Information Technology and Operations Teams of changes in employment status and employment termination.
  • Contentful maintains a documented procedure for changes in employment status and employment termination (including notification, access modification, and asset collection).
  • New third party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments commensurate with their access and handling of confidential information.

6. Physical and Environmental Security.

  • Physical security controls in all data centers utilized by Contentful, in providing the Service, include protection of facility perimeters using various access control measures (including biometric identification, supervised entry, 24/7/365 on-premise security teams, CCTV systems).
  • Access to data centers is limited to authorized employees or contractors only.
  • Controls are in place to protect against environmental hazards at all data centers.
  • All data center facilities have successfully been attested to SSAE 16 SOC 2 type 2, ISO 27001, or similar requirements.
  • Contentful office space is secured from visitor access except for areas staffed by reception or security personnel.

7. Communications and Operations Management.

  • The operation of systems and applications that support the Contentful Services is subject to documented operating procedures.
  • The operations team maintains hardened standard server configurations. Systems are deployed and configured in a uniform manner using configuration management systems.
  • Contentful maintains change control programs for development, operations, and Information Technology teams.
  • Separate environments are maintained to allow for the testing of changes.
  • The organization maintains documented backup procedures. Full backups are performed daily for all production databases. Customer Content backups are transferred to an offsite location and stored encrypted for at least 30 days.
  • All systems and network devices are synchronized to a reliable and accurate time source via the Network Time Protocol (NTP).
  • All servers are configured to log authorized access, privileged operations (administrator actions), and unauthorized access attempts.
  • All servers are logging executed commands via the sudo utility.
  • Log files are transmitted to and stored in a separate log server to protect against modification or loss.
  • All event-alerting tools escalate into PagerDuty rotations for Contentful’s 24x7 incident response teams, providing Operations, Network Engineering, and the Security teams with alerts, as needed.

8. Access Controls.

  • Contentful maintains an access control policy that outlines requirements for the use of user IDs and passwords.
  • The organization publishes and maintains a password management standard. Passwords must contain:
    • A minimum of 8 characters,
    • Both upper and lower case characters (e.g., a-z, A-Z),
    • A number (0-9) and/or a special character (!@#$%^&*()_+|~-=\ {}[]:";'<>?,./),
    • Passwords cannot contain the user ID, and must be different from user's previous three passwords.
  • All users are required to use a unique ID and SSH key for access to the production environment.
  • Generic accounts are prohibited for user access. Access to the “root” account is restricted to Operations personnel deemed necessary.
  • All access to the back-end servers and network infrastructure requires two levels of authentication: SSH access to the bastion host, followed by SSH access to the individual servers or network devices.
  • All access controls are based on “least privilege” and “need to know” principles. Different roles, including limited and administrative access, are used in the environment.
  • Upon notice of termination of Contentful personnel, all user access is removed. All critical system access is removed immediately upon notification.
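The password rules in the standard above (minimum length, character classes, no user ID, no reuse of the previous three passwords) are concrete enough to be enforced in code. The following validator is an added example written for this page, not Contentful's own implementation. It assumes that previous passwords are retained only as salted PBKDF2 hashes (the hashing parameters are this example's choice, not stated on the page) and that the user-ID check is case-insensitive.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Special characters exactly as listed in section 8 of the standard.
SPECIAL_CHARS = set('!@#$%^&*()_+|~-=\\ {}[]:";\'<>?,./')
DIGITS = set("0123456789")          # "0-9" per the standard (not Unicode digits)
MIN_LENGTH = 8                      # "A minimum of 8 characters"
HISTORY_DEPTH = 3                   # "different from user's previous three passwords"

# PBKDF2 parameters are an assumption of this example, not from the page.
_PBKDF2_ITERATIONS = 100_000

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_for_history(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Produce a salted hash so old passwords are never stored in clear text."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS
    )
    return salt, digest


def matches_history_entry(password: str, entry: HistoryEntry) -> bool:
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate_digest, digest)


def password_violations(
    candidate: str, user_id: str, history: List[HistoryEntry]
) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable.

    `history` is ordered oldest to newest; only the last HISTORY_DEPTH entries
    are compared, matching the "previous three passwords" rule.
    """
    violations: List[str] = []

    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if not any(c.islower() for c in candidate):
        violations.append("no lower-case character")
    if not any(c.isupper() for c in candidate):
        violations.append("no upper-case character")
    # The standard requires a number and/or a special character: either satisfies it.
    has_digit = any(c in DIGITS for c in candidate)
    has_special = any(c in SPECIAL_CHARS for c in candidate)
    if not (has_digit or has_special):
        violations.append("no digit or special character")
    # Case-insensitive containment check for the user ID (an assumption of this example).
    if user_id and user_id.lower() in candidate.lower():
        violations.append("contains the user ID")
    for entry in history[-HISTORY_DEPTH:]:
        if matches_history_entry(candidate, entry):
            violations.append("matches one of the previous three passwords")
            break

    return violations


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    previous = [hash_for_history(p) for p in ["Winter2016!", "Spring2016!", "Summer2016!"]]
    for pw in ["Autumn2016!", "Summer2016!", "alice1234", "short1A"]:
        print(pw, "->", password_violations(pw, "alice", previous) or "OK")
```

Keeping only salted hashes of prior passwords means the history check costs one PBKDF2 computation per retained entry, which is why the loop stops at the first match and only the last three entries are examined.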

9. Information Systems Acquisition, Development, and Maintenance.

  • Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions.
  • Contentful maintains a sustaining engineering team whose primary responsibility is identifying and remediating bugs found in the Contentful Service.
  • Source code repositories are scanned regularly by a static analysis / code quality tool. Any security issues are validated, risk ranked, and placed in a dedicated bug tracking system for remediation.
  • Contentful conducts secure code training (based on the OWASP Top 10) annually. Contentful also communicates application security vulnerabilities and mitigation approaches during regular brown bag meetings.
  • Contentful utilizes framework security controls to limit exposure to common application security risks, including cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection (SQLi).
  • Contentful maintains a QA Department dedicated to reviewing and testing application functionality and stability.
  • Contentful employs a dedicated application security engineer whose primary responsibility is to identify, validate, and triage security vulnerabilities found in the codebase.
  • Contentful performs third-party security audits using a variety of vendors.
  • Contentful maintains a "Responsible Disclosure Policy" that provides an avenue for security researchers to submit vulnerabilities to the Information Security group for remediation.
  • Application source code is stored in a central repository. Access to source code is limited to authorized individuals.
  • Changes to Contentful software are tested before production deployment. Deployment processes include unit testing at the source environment, as well as integration and functional testing within a test environment prior to implementation in production.
  • Contentful follows change control procedures for all system and software configuration changes. These controls include, at a minimum, a documented impact for each change, change review, testing of operational functionality, and back-out procedures.
  • Customer Content is not used in testing environments.
  • Emergency fixes are pushed to production, as needed. Change management is retrospectively performed.
  • Customer Content is stored in a shared database environment with other customers. Account identifiers are used to distinguish data for different customers. Application security controls limit a Customer's ability to access another Customer's data or content.

10. Information Security Incident Management.

  • Contentful maintains an incident response process that includes direct participation and cooperation between support, security, and operations teams.
  • The Contentful incident response process includes notification, escalation, and reporting. When required, Customer notification is initiated through the Contentful status page, Twitter notifications, Contentful initiated reporting tickets, or direct email/phone communication to account contacts.
  • Internally, Contentful maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal and shareholder information flow.
  • The incident response plan is tested on a regular basis, at least annually.
  • Contentful maintains relationships with law enforcement to assist during incidents with criminal intent.
  • Contentful has relationships with third-party vendors to assist with forensics and investigations, as necessary.

11. Business Continuity Management.

  • For redundancy, Contentful utilizes database replication architectures.
  • Database backups are stored on local disk in data centers, as well as copied to a remote storage location. Remote backup archives are transferred using encrypted HTTPS and stored at rest using encryption (AES-256).
  • Contentful has implemented redundant data center infrastructure to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of predictable failures such as hardware problems, and also allow for capacity scaling as customer data and usage grows:
    • Contentful utilizes redundant edge routing infrastructure to alleviate hardware failure and allow for system upgrades. In addition to the network routing infrastructure, redundant security groups are implemented in a failover configuration to provide for automated recovery in the case of failure.
    • Contentful uses a professional industry standard email gateway provider. These email gateway servers are located behind redundant load balancers and are comprised of a "fleet" of servers that all provide the same SMTP service. Failures of any individual hosts in this layer do not impact the rest of the system.
    • Contentful "proxy" servers are located behind redundant load balancers and are comprised of a "fleet" of servers that all provide the same service. Failures of any individual host in this layer do not impact the rest of the system.
    • Contentful application servers are located behind redundant load balancers and are comprised of a "fleet" of servers that all provide the same service. The application server layer is built larger than all other Contentful server farms to accommodate significant spikes in usage.
    • Contentful database servers are configured into clustered groups that are comprised of a master database and three slave databases. Contentful operates many of these clusters in support of our customers' data with this N+3 configuration to allow for failures as well as provide scaling and the ability to complete maintenance with a minimum of impact to ongoing operations.

12. Contentful Application Security Features.

  • Contentful provides several features within the application, enabling the Customer to configure security controls as required.
12.1. Authentication.

  • Supports numerous user authentication methods including:
    • Native user authentication.
    • Social media SSO (Google, Twitter, and GitHub).
    • Enterprise SSO (SAML).

12.2. Authorization.

  • Depending on the subscription level, Contentful supports various roles with differing privileges in the system. The standard roles include:
    • Owner
    • Admin
    • Member

12.3. Network Controls.

  • SSL encryption on all public interfaces.
  • System access is only available through a dedicated entry point, which is hardened and monitored.

12.4. Audit Log.

  • The Audit log shows various account, user, business rule, and app changes. It also includes Customer Content deletion details.

v2017-01-31-US
