Data Security Policy
This Data Security Policy (“Data Security Policy”) is provided by Grafana Labs to each Grafana Labs end-user customer (“Customer”) subject to the terms and conditions of the Master Services Agreement or other applicable license agreement (“License Agreement”) between each Customer and Grafana Labs or between a Customer and an authorized Grafana Labs channel partner. In the event of a conflict between the License Agreement and this Data Security Policy, the terms of the License Agreement shall govern. Capitalized terms not otherwise defined herein shall have the meaning set forth in the License Agreement.
- Protection of Customer Data and Personal Data. Grafana Labs will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data and Personal Data, including, but not limited to, measures designed to prevent unauthorized access to or disclosure of Customer Data and Personal Data. The information security program may include, but is not limited to, (A) install and maintain a working network firewall to protect data accessible via the Internet, (B) keep security patches up-to-date, (C) use and regularly update anti-virus software, (D) don’t use supplier-supplied defaults for system passwords and other security parameters, (E) mandate the use of “strong passwords” on all systems or, in the absence of a mandatory (system enforced) password quality checker, enforce account lockout after no more than 10 consecutive incorrect password attempts, (F) for systems containing Customer Data, mandate use of “strong passwords” with multi-factor authentication, (G) regularly test security systems and processes, (H) maintain a policy that addresses information security for employees and suppliers, (I) restrict physical access to systems containing Customer Data, and (J) restrict remote access to the network by employing remote access controls to verify the identity of users connecting.
- Security Measures. Grafana Labs will align with the physical, technical, operational and administrative measures and protocols regarding data security as set forth in its then-current SOC 2 Type II Report, if applicable (“SOC 2”). Grafana Labs will, upon written request, provide Customer with copies of its then-current SOC 2. In addition: (A) Grafana Labs agrees to meet industry level standards for protecting the confidentiality and integrity of data transmissions sent through the Hosted Services. Approved mechanisms for data transmission may include: (1) XML/HTTP over SSL, with certificate-based authentication utilizing a 2048-bit (or larger) RSA public key, and 128-bit (or stronger) symmetric encryption; (2) Digitally signed and encrypted S/MIME messages over HTTP or SMTP, using certificates with a 2048-bit (or larger) RSA public key, and 128-bit (or stronger) symmetric encryption; (3) Digitally signed and encrypted PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) messages over a variety of transports, with 2048-bit (or larger) RSA or DH/DSS public keys, and 128-bit (or stronger) symmetric encryption. (B) For all message-based encryption schemes employing digital signatures (including PGP and S/MIME), Grafana Labs will verify the digital signature of the message and reject messages with invalid signatures. (C) For all encryption schemes employing public key cryptography, Grafana Labs will ensure the confidentiality of the private component of the public-private key pair, and will promptly notify Customer in the event that the private key is compromised. (D) In general, the mechanism choice will depend on a number of factors such as technical capability, transaction volume, latency requirements, availability requirements, and will be chosen by mutual agreement.
- Security Audit. Provided that Customer has paid Fees on an annual basis in excess of $500,000, Customer is entitled, at its sole cost and expense and no more than once per calendar year, to monitor and/or audit Grafana Labs’ compliance with this Data Security Policy during regular business hours at a time and scope to be mutually agreed by the parties, upon no less than thirty (30) business days’ advance written notice to Grafana Labs.
- System Protection & Disaster Recovery. Grafana Labs will protect its computer and operations systems against outages using standard industry methods designed to prevent outages and minimize impacts during any unavoidable service interruptions, including ensuring that (a) its computer system is UPS protected, backed up automatically, and (b) it has implemented and regularly tests a disaster recovery or business continuity plan for its facilities where Customer Data is stored or processed.
- Data Retention. (A) Customer has no obligation to provide any Customer Data to Grafana Labs, (B) Grafana Labs will retain Customer Data only for as long as is necessary to provide the Grafana Product(s), and (C) Grafana Labs will delete all live (online or network accessible) instances of the Customer Data within 30 days after termination or expiration of the License Agreement.
- Security Breach. Grafana Labs will notify Customer without undue delay after detecting a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Grafana Labs (any such incident, a “Security Breach”). Grafana Labs shall make reasonable efforts to identify the cause of such Security Breach and take those steps as Grafana Labs deems necessary and reasonable in order to remediate the cause of such a Security Breach to the extent the remediation is within Grafana Labs’ reasonable control. The obligations herein shall not apply to a Security Breach caused by Customer or its Users.