Data Security Policy

This Data Security Policy ("Data Security Policy") is provided by Raintank, Inc. dba Grafana Labs, on behalf of itself and its Affiliates ("Grafana Labs") to each Grafana Labs end-user customer ("Customer") subject to the terms and conditions of the Master Services Agreement or other applicable license agreement ("License Agreement") between each Customer and Grafana Labs or between a Customer and an authorized Grafana Labs channel partner. In the event of a conflict between the License Agreement and this Data Security Policy, the terms of the License Agreement shall govern. Capitalized terms not otherwise defined herein shall have the meaning set forth in the License Agreement.

1.1 Protection of Customer Data and Personal Data.  Grafana Labs will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data and Personal Data, including, but not limited to, measures designed to prevent unauthorized access to or disclosure of Customer Data and Personal Data. The information security program may include, but is not limited to an appropriate software development life cycle (SDLC), access control mechanisms such as multi-factor authentication, encryption of certain data in transit and at rest, regular third party and internal information security testing, regular information security awareness training, and background screening of employees.

1.2 Security Management and Third-Party Security Audit.  Grafana Labs will maintain an externally accredited and business-wide Information Security Management System based on ISO 27001, or equivalent, as recommended by good industry practice, as applicable.  Grafana Labs engages an industry-recognized third-party auditor to conduct a SOC 2 security audit ("SOC 2") on at least an annual basis. Grafana Labs will, upon written request, provide Customer with copies of its then-current SOC 2, including the applicable scope.

1.3 Customer Audit. Customer may, at its sole cost and expense, upon no less than thirty (30) business days’ advance written notice to Grafana Labs, and no more than once per calendar year, perform, and Grafana Labs will reasonably assist with (during regular business hours), a remote vendor risk assessment ("VRA"). The VRA shall consist of a review of Grafana Labs’ security related documentation (at a scope to be mutually agreed) regarding its compliance with this Data Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Grafana Labs’ compliance with this Data Security Policy, and Grafana Labs will make appropriate personnel reasonably available (during regular business hours) to answer such questions related to Grafana Labs’ compliance with this Data Security Policy. In the event of a Security Breach that requires reporting to a supervisory authority or other governmental authority, Customer may conduct an additional VRA on no less than thirty (30) business days’ notice. In addition to Customer’s audit rights herein, Grafana Labs will reasonably cooperate and respond (during regular business hours) to Customer’s annual security questionnaires. Any information exchanged with the activities described in this Section is deemed to be Grafana Labs’ Confidential Information.

1.4 System Protection & Disaster Recovery.  Grafana Labs has disaster recovery and business continuity plans, and reviews each, and tests its disaster recovery plan, annually. Upon request, Grafana Labs will provide a summary of its disaster recovery and business continuity planning and management practices, and the same shall be treated as Grafana Labs’ Confidential Information under this Data Security Policy.

1.5 Security Breach. Grafana Labs will notify Customer without undue delay after detecting a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Grafana Labs (any such incident, a “Security Breach”). Such notification will include (to the extent known by Grafana Labs): (a) a description of the nature of the Security Breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned); (b) the details of a contact point where more information concerning the Security Breach can be obtained; (c) its likely consequences; and (d) the measures taken or proposed to be taken to address the Security Breach, including to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.