TiDB Cloud Security Addendum (“Addendum”) is subject to, and hereby incorporated into, the applicable agreement (including the applicable Data Processing Agreement entered into therewith) between Customer and PingCAP for TiDB Cloud Services (defined below) (the “Agreement”). This Addendum sets forth the terms and conditions related to PingCAP’s protection of Your Content (as defined in the Agreement), including any CSA Personal Data therein, processed by PingCAP within the Cloud Services, Support Services, and/or Consulting Services, as applicable (“TiDB Cloud Services”). Capitalized terms not defined in this Addendum shall have the meanings set forth in the applicable Agreement.
1. PINGCAP SECURITY PROGRAM
PingCAP shall maintain a security program that is designed to protect the security, confidentiality, and integrity of Your Content (the “PingCAP Security Program”). The PingCAP Security Program will be implemented on an organization-wide basis. The PingCAP Security Program will be designed to ensure PingCAP’s compliance with data protection laws and regulations applicable to PingCAP’s performance under the applicable Data Processing Agreement, and shall include the safeguards set forth in the PingCAP Security Controls, which substantially conform to the ISO/IEC 27001/27701 control framework.
2. THIRD-PARTY SERVICE PROVIDERS
PingCAP uses Infrastructure as a Service (IaaS) providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, to provide PingCAP Cloud Services, and uses Software as a Service (SaaS) providers, such as Jira, to provide Support Services and Consulting Services. PingCAP shall conduct regular due diligence on its third-party service providers (which includes reviewing industry-standard reports and certifications such as a SOC 2 report), and reasonably ensure, based on their responses, that such third parties have in place security controls that are substantially similar to the PingCAP Security Controls.
3. SECURITY BREACH RESPONSE
Upon becoming aware of a Security Breach, PingCAP shall: (a) without undue delay, notify Customer (at the Customer-designated email address associated with the TiDB Cloud Services) of the discovery of the confirmed Security Breach, which shall include a summary of the known circumstances of the Security Breach and the corrective actions taken or to be taken by PingCAP; (b) conduct an investigation of the circumstances of the Security Breach; (c) use commercially reasonable efforts to mitigate the effects of the Security Breach; and (d) use commercially reasonable efforts to communicate and cooperate with Customer concerning its responses to the Security Breach. “Security Breach” means any confirmed security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Content (including any CSA Personal Data contained therein) that PingCAP has an obligation to safeguard under the Agreement.
4. AUDIT REPORTS
Upon written request, PingCAP shall provide to Customer copies of audit reports (including the Service Organization Control (SOC) 2 Type 2 examination report or similar reports that PingCAP may have obtained as of the date of the written request) applicable to the PingCAP Offerings, and related certificates and attestations, evincing its compliance with industry standards and, as applicable, accreditations. Where applicable, the accredited independent third-party audits will occur at the frequency required by the relevant standard to maintain compliance and accreditation. Upon Customer’s request thereafter, PingCAP shall provide current or updated certificates, attestations, or reports on up to an annual basis.
5. SECURITY ASSESSMENT
Upon the provision of reasonable notice to PingCAP, no more than once every twelve months during the term of the Agreement and during normal business hours, PingCAP shall make appropriate PingCAP personnel reasonably available to Customer to discuss PingCAP’s manner of compliance with applicable security obligations under this Agreement. In advance of such discussion, PingCAP may, in its sole discretion, provide Customer with access to information or documentation concerning PingCAP’s security practices as they relate to this Agreement, including without limitation, access to any security assessment reports designed to be shared with third parties. Any information or documentation provided pursuant to this assessment process or otherwise pursuant to this Addendum shall be considered PingCAP Confidential Information and subject to the Confidentiality section of the Agreement.
6. TiDB CLOUD SERVICES
Notwithstanding anything contained herein, Customer shall be responsible for: (i) determining whether the Cloud Services are suitable for Customer’s use; (ii) implementing and managing security and privacy measures to secure Customer’s access and use of the Cloud Services, including, without limitation, managing credentials for and using secure connections to the Cloud Services; (iii) validating plugins before installing them into the Cloud Services; (iv) implementing, maintaining, and monitoring backups of Content stored within the Cloud Services; and (v) removing Content from the Cloud Services environment prior to termination of the relevant Cloud Service.