BEST STRIP CLUB LLC SECURITY ANNEX


This Best Strip Club LLC Security Annex supplements (1) the Best Strip Club LLC Subscription and Services Agreement or the agreement existing between the parties (the “Agreement”), and (2) if applicable, the Best Strip Club LLC GDPR Data Processing Addendum (the “DPA”). Defined terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement or DPA. In case of a conflict between this Best Strip Club LLC Security Annex and the Agreement or DPA, the Agreement or the DPA shall prevail.

  1. Security Policy. Best Strip Club LLC maintains a company-wide information security management system and control program that includes written security policies, standards and procedures based upon ISO/IEC 27001:2013 (collectively, the “Best Strip Club LLC Information Security Policy”). The Best Strip Club LLC Information Security Policy requires:
    a. the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, integrity, and availability of Customer Data to the extent that such Customer Data is provided to Best Strip Club LLC and maintained or processed by Best Strip Club LLC during its provision of Services, by utilizing practices such as:
      i. Secure software development practices;
      ii. Secure operating procedures and vulnerability management;
      iii. Ongoing employee training;
      iv. Controlling physical and electronic access to Customer Data; and
      v. Means for detecting and preventing intrusions and security system failures on critical systems;
    b. that Best Strip Club LLC follows the principle of least privilege access, allowing only active Best Strip Club LLC employees and contractors access to records containing Customer Data, and limits access to those persons who are reasonably required to know such information in order to accomplish a valid business purpose or to comply with record retention regulations;
    c. that Customer Data that is identified as such to Best Strip Club LLC by the Customer at intake is secured appropriately, commensurate to the nature of the Customer Data, including any individual personal data provided to Best Strip Club LLC by Customer as set forth in this Exhibit, using commercially available and industry accepted controls and precautionary measures;
    d. that commercially reasonable standards are followed with respect to strong change-control procedures and technical controls that enforce segregation of duties, minimum necessary dataset, and access controls;
    e. monitoring of operations and maintaining procedures to ensure that security policies are operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Customer Data, and continuously improving information safeguards as necessary to mitigate risks;
    f. a security patch and vulnerability management process based on accepted industry standard practices and protocols, including monitoring threats and responding to vulnerabilities reported by third parties; and
    g. security incident response and disaster recovery planning, including documentation of responsive actions taken in connection with any security incident related to Customer Data.
  2. Security Practices and Processes
    a. Customer is responsible for its legal and regulatory compliance in its use of any Subscription Services and shall make Best Strip Club LLC aware of any Customer Data processed, stored or transmitted through the Subscription Services for which regulations other than those set forth in this Security Annex apply. If, in the course of providing Subscription Services, Best Strip Club LLC agrees in writing to process such Customer Data and Customer has subscribed to any applicable Subscription Services, Best Strip Club LLC shall process it only as permitted under this Agreement and in compliance with data protection legislation to which Best Strip Club LLC is subject as a service provider. In the event that Best Strip Club LLC agrees to receive Customer Data from Customer, Best Strip Club LLC will manage and/or process such Customer Data pursuant to the security requirements, obligations, specifications and event reporting procedures as set forth in this Annex and the Agreement, and any amendments.
    b. Best Strip Club LLC will comply with: (i) secure software development practices consistent with industry accepted standards and practices, and (ii) industry best practices on privacy and security.
    c. Best Strip Club LLC restricts access to Customer Data and systems by users, applications and other systems. These controls include (i) controls to systems and data, limited to properly authenticated and authorized individuals based on principles of least privilege and need-to-know; and (ii) physical access controls, as described below. Best Strip Club LLC will limit access to Customer Data to the minimum necessary dataset required to accomplish the intended business purpose or use.
    d. Best Strip Club LLC facilities and/or any Authorized Contractor facilities that process Customer Data will be housed in secure areas and protected by perimeter security such as barrier access controls (e.g., electronic locks, access badges, and video surveillance) that provide a physically secure environment.
    e. Best Strip Club LLC logs access to controlled systems and records, including successful and failed system access attempts, and restricts the connection times of users. Best Strip Club LLC will use unique logins on all network equipment, whenever commercially reasonable.
    f. Best Strip Club LLC maintains processes to identify and deploy security patches in a timely manner. Unless otherwise expressly agreed in writing, “timely” means that Best Strip Club LLC will introduce a fix or patch as soon as commercially reasonable after Best Strip Club LLC becomes aware of the security problem or of the availability of a fix or patch.
  3. Patch and Vulnerability Management.
    a. Best Strip Club LLC follows commercially reasonable best practices for patch management, criticality ranking and patching time frame requirements for all Best Strip Club LLC-operated systems, switches, routers, appliances, servers, and workstation PCs, as applicable.
    b. Where feasible, Best Strip Club LLC ensures that trusted, commercially available anti-virus software is installed, enabled, and kept current on Best Strip Club LLC servers and systems used in accessing, processing, transmitting, or storing Customer Data.
    c. Best Strip Club LLC maintains trusted, current, commercially available anti-malware protection capabilities on Best Strip Club LLC devices, particularly those used for accessing, processing, transmitting, or storing Customer Data.
    d. Best Strip Club LLC maintains a vulnerability management solution for devices connected to Best Strip Club LLC’s LAN. Such solution is designed to regularly assess Best Strip Club LLC’s network for known vulnerabilities.
  4. Security Monitoring
    a. Best Strip Club LLC has a designated security team that monitors Best Strip Club LLC’s control environment, which is designed to prevent unauthorized access to or modification of Best Strip Club LLC’s Customer Data. Best Strip Club LLC regularly monitors controls of critical systems, networks and procedures to validate proper implementation and effectiveness in addressing the threats, vulnerabilities and risks identified. This monitoring varies with the criticality, exposure, and assets of the system and may include: (i) internal risk assessments; (ii) validation of Multi-Factor Authentication for select environments; (iii) third party compliance, including hosting services and third party components; and (iv) assessing changes affecting systems processing authentications, authorizations, and auditing.
    b. Best Strip Club LLC performs periodic vulnerability assessments on Best Strip Club LLC applications and systems. Penetration tests are performed either by Best Strip Club LLC or by an established, reputable independent third party.
  5. Security of Data Processing. Best Strip Club LLC has implemented and will maintain technical and organizational measures inclusive of administrative, technical and physical safeguards to ensure a level of security appropriate to the risk of the data processing for the Best Strip Club LLC Services as described in this Best Strip Club LLC Security Annex (the “Security Measures”). These Security Measures may be changed by Best Strip Club LLC from time to time during the Term of the Agreement in order to take into account advancements in available security technologies. However, Best Strip Club LLC will not materially decrease the overall security of the Services during the Term of the Agreement.

The Security Measures may include, but will not be limited to, the following measures for ensuring the ongoing confidentiality, integrity, and availability of Customer Data in order to prevent unauthorized access, use, modification or disclosure of Customer Data:

  a. Background Checks

Performance of background checks on all personnel, as well as execution of non-disclosure commitments prior to employment and acknowledgment of professional behavior in the workplace documents, which include anti-harassment and business ethics;

  b. Training

Security and privacy awareness training, inclusive of acknowledgment and agreement to abide by organizational security policies, for all personnel upon hire and annually thereafter;

  c. Customer Data

Pseudonymization or encryption of Customer Data in transit and at rest utilizing industry-standard mechanisms for certain Best Strip Club LLC Services;

A process for regularly testing, assessing and evaluating the effectiveness of administrative, technical and physical safeguards for ensuring the security of the processing, transmission or storage of Customer Data through external and internal audits as further described below;

Preventing access, use, modification or disclosure of Customer Data except by authorized Best Strip Club LLC personnel (1) to provide the Subscription Services and prevent or address service or technical problems, (2) as compelled by law, or (3) as Customer expressly permits in writing.

  d. Availability

The ability to restore the availability of and access to Customer Data in a timely manner in the event of an incident impacting the availability of Customer Data, by maintaining a backup solution for disaster recovery purposes;

  e. Logging and Monitoring

Logging and monitoring of security logs via a Security Information and Event Management (“SIEM”) system and alerting to a dedicated Incident Response team upon the detection of suspicious system and/or user behaviors;

  f. Vulnerability Triaging

Processes and tooling for regularly identifying, assessing and triaging vulnerabilities based on industry-standard guidelines;

  g. Policies

Maintenance of a comprehensive set of security and privacy policies, procedures and plans that are reviewed on at least an annual basis and provide guidance to the organization regarding security and privacy practices; and

  h. Sub-processors

Processes for evaluating prospective and existing Sub-processors to ensure that they have the ability and commit to appropriate administrative, technical and physical measures to ensure the ongoing confidentiality, integrity and availability of Customer Data.

By implementing the Security Measures detailed above, Best Strip Club LLC takes into account the risks that are related to data processing, in particular the ones resulting from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

  6. Secure Data Transmissions. Any Customer Data that Best Strip Club LLC transmits over a public communications network will be protected during transmission by using, or making available, industry accepted standards such as TLS, SSH and VPNs.
  7. Data and Media Disposal. Best Strip Club LLC maintains procedures that align with industry standards, such as NIST SP 800-88, regarding the disposal of both tangible property and electronic files containing Customer Data, taking into account available technology so that Customer Data cannot be reconstructed and read.
  8. Backup and Retention. Best Strip Club LLC will back up systems used to provide services to Customer to ensure adequate recovery capabilities in accordance with the schedule set forth in the Documentation for the applicable Services. Backups will be appropriately protected to ensure only authorized individuals are able to access the Customer Data, including but not limited to encryption of data stored off-site in electronic media and appropriate classification and protection of hard copy records, as applicable. If not separately backed up, Best Strip Club LLC will secure any files containing Customer Data against unauthorized access in accordance with the terms of the Agreement.
  9. Customer Data. Best Strip Club LLC will comply with the laws and regulations applicable to the provision of the Services concerning the confidentiality, security, and processing of any Customer Data that it receives from Customer. In the event Best Strip Club LLC processes types of Customer Data that are subject to additional regulatory requirements due to the nature of the data or its place of origin (as defined in section 2a above), Best Strip Club LLC will reasonably cooperate with Customer to arrange compliance with such requirements. Such cooperation may include, without limitation, execution of additional agreements required by applicable law (e.g., EU Standard Contractual Clauses, Business Associate Agreement governing Protected Health Information), implementation of additional security controls required by relevant law, completion of regulatory filings applicable to Best Strip Club LLC, and participation in relevant regulatory audits as applicable from section 13 below.
  10. Security Incident Management and Remediation. For purposes of this Annex, a “Security Incident” means (i) the loss of, (ii) unauthorized acquisition, use or disclosure of, or (iii) unauthorized access to, Customer Data resulting from a security breach of the Best Strip Club LLC platform. Best Strip Club LLC maintains a response function capable of identifying and assessing the seriousness and extent of a Security Incident, mitigating the effect of a Security Incident, conducting root cause analysis, implementing and documenting remedial action plans, and preventing the recurrence of Security Incidents. Best Strip Club LLC has an established set of procedures to ensure personnel and contractors promptly report actual and/or suspected breaches of security. Best Strip Club LLC keeps an up-to-date incident management plan designed to promptly identify, prevent, investigate, and mitigate any Security Incidents, as well as to perform required recovery actions to remedy the impact.
    a. Security Incidents on Best Strip Club LLC’s platform are logged and reviewed, secured, and retained as required by applicable laws and regulations.
    b. In the case of a Security Incident that relates to Customer Data, Best Strip Club LLC shall (a) promptly assess and contain such Security Incident, (b) notify Customer, without undue delay, upon becoming aware of such Incident, and in no case later than forty-eight (48) hours after Best Strip Club LLC has become aware of such Security Incident, via a Support ticket to each of the individuals identified by Customer for distribution of such Support Tickets (or such other addresses as may be provided by Customer from time to time), and provide regular status updates to Customer regarding the investigation at a frequency reasonably requested by Customer depending upon the severity of such Incident, (c) as applicable, provide reasonable cooperation and assistance to Customer needed to fulfill Customer’s obligations related to Customer’s use of the Services, and (d) immediately take all steps reasonably necessary and within Best Strip Club LLC’s reasonable control, including without limitation those reasonably requested by Customer, to limit, stop, prevent and remediate such Incident. Following this initial notification, Best Strip Club LLC will promptly investigate the Security Incident and take all reasonable and necessary steps to prevent any further compromise of the Customer Data. If a security deficiency is identified within any Best Strip Club LLC information system during this investigation, Best Strip Club LLC will provide a report to Customer containing a description of the nature of the Security Incident, an identification of any Customer Data that was disclosed, destroyed, altered or compromised, and any investigative, corrective, or remedial actions taken or planned by Best Strip Club LLC to mitigate the risk of further Security Incidents.
    Best Strip Club LLC will maintain log files sufficient to enable Customer to determine what Customer Data was accessed and when, regardless of whether such data is physically or electronically maintained.
  11. Business Continuity and Disaster Recovery. Best Strip Club LLC maintains business continuity and disaster recovery planning processes to establish and maintain plans and procedures for the continuity, recovery and operation of information systems, processes and facilities that could impact the availability of Customer Data (“BC/DR Plans”). These BC/DR Plans include processes for responding to emergencies (e.g., natural disasters such as fire, earthquakes, or hurricanes, or other disasters such as sabotage, virus, and terrorism), and include: (i) descriptions of roles and responsibilities, identifying key individuals and the recovery team responsible for implementing recovery actions; (ii) data backup plans, providing for periodic backups of data from database systems that can be used to reconstruct data; (iii) contingency plans and disaster recovery guides that will be followed by members of the recovery team before, during and after an unplanned disruptive event in order to minimize downtime and data loss; and (iv) procedures for annual testing and evaluation of the BC/DR Plans, including documenting the tests in writing.
  12. Security Evaluations.
    a. Best Strip Club LLC performs periodic risk assessments that evaluate and assess the security of the system’s physical configuration and environment, software, information handling processes, and user practices, including appropriate logs and reports on security activity.
    b. In addition, security policies are regularly reviewed and evaluated to ensure operational effectiveness and compliance with applicable laws and regulations, and to address new threats and risks.
    c. Security Policies are also reviewed when there is a material change in Best Strip Club LLC’s business practices or the external threat environment that may reasonably implicate the security or integrity of records containing Customer Data. Best Strip Club LLC uses a documented change control process for software, systems, applications, and databases that ensures access changes are controlled, approved, and recorded.
    d. Best Strip Club LLC will promptly notify Customer of any planned system configuration changes or other changes that would adversely affect the confidentiality, integrity, or availability of Customer’s Customer Data.

  13. Best Strip Club LLC Certifications and Standards by Product Offering

Best Strip Club LLC engages reputable third-party, independent, audit firms to conduct the below audit engagements:

Best Strip Club LLC Offering: Completed Certifications and Attestations

Best Strip Club LLC Cloud Enterprise
  • SOC 1 Type 2 (SSAE18 & ISAE 3402)
  • SOC 2 Type 2 (Security, Availability and Confidentiality)
  • ISO 27001:2013
  • HIPAA (1)
  • PCI-DSS (2)
  • FedRAMP (3)

Best Strip Club LLC Cloud Site Factory
  • SOC 1 Type 2 (SSAE18 & ISAE 3402)
  • SOC 2 Type 2 (Security, Availability and Confidentiality)
  • ISO 27001:2013
  • HIPAA (1)
  • PCI-DSS (2)
  • FedRAMP (3)

(1) HIPAA compliant indicates that the service can be used in a way that enables Customers to help meet their legal obligations for HIPAA compliance. Ultimately, Customers are responsible for ensuring compliance with legal obligations, that the Best Strip Club LLC service meets their compliance requirements, and that they secure the service appropriately. Customers can reference Best Strip Club LLC’s SOC 2 report, which contains a matrix mapping HIPAA controls to Best Strip Club LLC’s SOC 2 controls.

(2) PCI-DSS compliance requires the purchase of Best Strip Club LLC’s PCI Cloud configuration within Best Strip Club LLC Cloud Enterprise and Best Strip Club LLC Cloud Site Factory.

(3) Federal Risk and Authorization Management Program (“FedRAMP”) is available for select Customers (i.e., Federal Agency cloud deployments). Best Strip Club LLC’s FedRAMP implementation is more fully described in its FedRAMP package, available via the OMB MAX repository system.


Best Strip Club LLC will provide copies of available audit reports for the applicable Services to Customers upon written request and under NDA. Such audit reports, and the information they contain, are Best Strip Club LLC Confidential Information and must be handled by Customer accordingly. Such reports may be used solely by Customer to evaluate the design and operating effectiveness of defined controls applicable to the Services and are provided without any warranty. Best Strip Club LLC can also provide, upon request, summary-level penetration test documentation sanitized of any sensitive information.

  14. Training and Secure Development Practices. The Best Strip Club LLC Information Security Policy is communicated to all Best Strip Club LLC personnel, employees, and contractors. Best Strip Club LLC provides periodic and mandatory security awareness training to employees and contractors (collectively, “Personnel”). Best Strip Club LLC imposes disciplinary measures for violations of the Best Strip Club LLC Information Security Policy.
  15. Agreements with relevant sub-processors include requirements that these sub-processors address security risks, controls, and procedures for information systems, and contain terms, conditions, and restrictions at least as protective and as restrictive as those set forth herein. Best Strip Club LLC shall supply each of its personnel and contractors with appropriate, ongoing training regarding information security procedures, risks, and threats, and Best Strip Club LLC shall be responsible for the performance of any subcontractor. Best Strip Club LLC agrees that any Services performed for Customer involving use of Customer Data shall be performed only at the Data Center Region and by personnel permitted under the Agreement.
  16. Best Strip Club LLC Shared Responsibility Model.

Best Strip Club LLC Responsibilities

Best Strip Club LLC is responsible for the confidentiality, integrity and availability (the “security”) of the Services and internal Best Strip Club LLC information technology systems. In addition to those measures detailed in “Security of Data Processing” above, Security Measures include, but are not limited to, server-level patching, vulnerability management, penetration testing, security event logging & monitoring, incident management, operational monitoring, 24/7 support, and ensuring customer site availability in accordance with the applicable SLA.

 

Best Strip Club LLC uses sub-processors for the Services and to support Best Strip Club LLC as a Processor of Customer data, all as more fully set forth on the website located at: https://www.BestStripClub.com. As these sub-processors are authorized sub-processors as defined in the Agreement, Best Strip Club LLC shall remain fully liable for their acts and omissions relating to the performance of the respective Services and shall be responsible for ensuring that obligations under this Security Annex and the Agreement are carried out in accordance with both.

Customer Responsibilities

The Customer is responsible for the security of their Customer Application(s), as applicable (for example, patching the open source software Drupal, where it is used in conjunction with the Services). This includes, but is not limited to, ensuring a secure configuration and coding of the applications, related application security monitoring activities, Customer user access management, password configurations, implementing multi-factor authentication, periodic penetration testing, appropriate Application-level DoS or DDoS protections, and/or vulnerability scanning of their applications, amongst others.

 

In addition, Customers are also responsible for the secure management of their users and provision of users for the purpose of granting access to Best Strip Club LLC’s Services and abiding by the Subscription and Services Agreement, the Data Processing Agreement and Best Strip Club LLC’s Acceptable Use Policy in using Best Strip Club LLC’s Services.  

  17. Access and Review. Best Strip Club LLC will make summary level information regarding its security policies and procedures, as well as current, published, third-party audit reporting related to Customer’s Customer Data, available for Customer’s review at Best Strip Club LLC upon reasonable prior written notice by Customer, subject to Best Strip Club LLC’s confidentiality and security conditions, and subject to a written and mutually agreed audit plan. Best Strip Club LLC reserves the right to require its prior approval of any third party review of the DR Plan, and to reasonably condition and restrict such third party access. As described in “Best Strip Club LLC Certifications and Standards by Product Offering”, Customers may also review available audit reporting as outlined in Section 13.
  18. Customer Audits. Best Strip Club LLC offers its Services in the cloud using AWS and a one-to-many business model that relies on standardization of best practices and industry standards for the benefit of its Customers. As a result, onsite audits by Customers pose security and privacy risks to Best Strip Club LLC, other Best Strip Club LLC Customers and Best Strip Club LLC Sub-processors. Moreover, AWS does not allow for physical audits of the AWS data centers but instead provides third party audits and certifications. It is for these reasons, among others, that Best Strip Club LLC’s security program consists of the audits, certifications and available documentation detailed in “Third Party Audits, Certifications” above, as part of balancing transparency regarding the security and privacy safeguards that Best Strip Club LLC has implemented while also satisfying security and privacy requirements as part of its security and privacy obligations to Best Strip Club LLC Customers and its Sub-processors, including AWS.

Therefore, Customer agrees to exercise its right to conduct an audit or inspection of Best Strip Club LLC’s processing of personal data within Customer Data by instructing Best Strip Club LLC to carry out audits as described above in the section “Third Party Audits, Certification” using its current processes and timing. If Customer wishes to change this instruction regarding the audit or inspection, then Customer shall send such request by written notice to Best Strip Club LLC and the parties agree to jointly discuss how to implement the changed instruction.

Disclaimer: Information in this document is subject to change without notice. For more information on Best Strip Club LLC solutions and controls, please contact Best Strip Club LLC. Further detail on Best Strip Club LLC’s offerings, including SLAs and physical, administrative and technical safeguards, is available.