Is your finance operating model ready for the Context Era?

Get the guidealert arrow

Planful Information Security Addendum

This INFORMATION SECURITY ADDENDUM (“Security Addendum”) is incorporated into and forms part of the Master Subscription Agreement (the “MSA”, and together with its exhibits, addenda, SOWs, and Order Form(s), the “Agreement”) between Planful, Inc. (“Planful”) and the client identified in the applicable Order Form (“Client”). This Security Addendum describes the technical and organizational security measures comprising the Information Security Program referenced in Section 9.3 of the MSA and Section 5 of the Data Processing Addendum (the “DPA”) and constitutes the detailed description of Planful’s security practices referenced in Section 9.3 of the MSA. Capitalized terms used but not defined in this Security Addendum have the meanings given to them in the MSA or the DPA, as applicable.

1. Definitions

1.1 Incorporated Terms.  “Application Services,” “Authorized User(s),” “Client Data,” “Confidential Information,” “Documentation,” “Order Form,” and “Subscription Term” have the meanings given to them in the MSA. “Client Personal Data,” “Process,” “Security Incident,” and “Designated POC” have the meanings given to them in the DPA.

1.2 “Information Security Program.”  “Information Security Program” has the meaning given to it in Section 9.3 of the MSA. The Security Measures described in this Security Addendum describe and form part of the Information Security Program.

1.3 “Security Measures.”  “Security Measures” means the administrative, technical, organizational, and physical safeguards described in this Security Addendum, as updated from time to time in accordance with Section 20.

2.  Information Security Program

2.1 Security Program.  Planful maintains the Information Security Program as a written program of policies, procedures, and controls governing the processing, transmission, storage, and security of Client Data, designed to protect the confidentiality, integrity, and availability of Client Data and to protect against anticipated threats or hazards to its security or integrity. The Information Security Program is designed to align with the ISO/IEC 27001 and ISO/IEC 27701 standards and to be consistent with the objectives set forth in SOC 2 Type II, commensurate with the nature, scope, and sensitivity of the Client Data processed by the Application Services.

2.2 Governance.  Planful designates qualified personnel responsible for the coordination, implementation, and oversight of the Information Security Program, and maintains a security governance function responsible for the creation and periodic review of its security policies and procedures.

2.3 Risk Assessment.  Planful conducts a formal risk assessment of the Application Services not less than annually to identify reasonably foreseeable internal and external risks and to assess the sufficiency of safeguards in place to control those risks and maintains a risk register that is reviewed at least annually.

2.4 Policy Review.  Planful reviews its information security policies, procedures, and standards at least annually and upon any significant change to its operating environment.

2.5. Use of Subprocessors.  The appointment of third-party subprocessors and the flow-down of relevant data privacy and security requirements are managed in accordance with the DPA. Planful performs security-focused risk evaluations of these service providers.Planful remains responsible for the performance of its subprocessors’ obligations as set forth in the DPA.

3. Certifications and Audit Reports

3.1 Certifications.  During the Subscription Term, Planful will maintain a SOC 2 Type II examination (or a substantially equivalent successor standard) covering the Application Services. In addition to the SOC 2 Type II report, Planful currently maintains certifications and attestations for ISO/IEC 27001:2022, ISO/IEC 27701, SOC 1 Type II (SSAE-18) (collectively referred to as the “Audit Reports”).  Planful may add, substitute, or replace any certification or attestation (other than the SOC 2 Type II examination) with one that provides a substantially equivalent or greater level of assurance.

3.2 Provision of Reports.  Upon Client’s reasonable written request, and no more than once per twelve (12) month period, Planful will make available to Client a copy of its then-current Audit Reports, consistent with Section 9.3 of the MSA and Sections 5 and 8 of the DPA. Audit Reports constitute Planful’s Confidential Information under the MSA and may be provided subject to Planful’s reasonable confidentiality requirements.

4. Personnel Security

4.1 Screening.  Planful performs background screening on its personnel prior to granting access to Client Data, to the extent permitted by applicable law.

4.2 Confidentiality.  Planful personnel with access to Client Data are bound by confidentiality obligations substantially similar to the protections afforded to Confidential Information and the confidentiality requirements of the Agreement.

4.3 Training.  Planful requires its personnel to complete security awareness and data privacy training.

4.4 Termination.  Planful maintains procedures to promptly revoke access rights to systems containing Client Data upon the change in role or termination of personnel.

5. Access Control and Authentication

5.1 Least Privilege.  Planful restricts access to Client Data and production systems to personnel with a legitimate business need, on a least-privilege and role-based basis.

5.2 Authentication.  Planful enforces strong authentication controls, including a documented password policy and the use of multi-factor authentication (MFA) and/or single sign-on (SSO) for privileged access, production system access, and third-party system or application access. The foregoing includes, without limitation, MFA for administrative access to systems that process Client Data as set forth in Section 9.3 of the MSA.

5.3 Access Reviews.  Planful conducts periodic (not less than semi-annual) reviews of access rights to systems containing Client Data to confirm that access remains appropriate.

5.4 Hardening.  Planful maintains documented system hardening and build standards for servers and workstations used in connection with the Application Services.

6. Encryption and Key Management

6.1 Encryption.  Planful encrypts Client Data in transit over public networks and at rest using industry-standard cryptographic protocols and algorithms, consistent with the Agreement.

6.2 Key Management.  Planful maintains documented procedures for the secure generation, storage, handling, and rotation of encryption keys, and restricts access to key material to authorized personnel.

7. Network and Infrastructure Security

7.1 Network Controls.  Planful employs network security controls, including firewalls, restriction of traffic to required ports and services, and source IP allowlisting where appropriate, designed to protect the Application Services from unauthorized access.

7.2 Integrity Controls.  Planful implements measures designed to protect the integrity of Client Data and the systems that process it, including file integrity monitoring (FIM) and access controls.

8.  Data Segregation

8.1 Logical Separation.  The Application Services are designed to logically separate Client Data from the data of other clients. Planful maintains separate databases per client such that an Authorized User of one client tenant is not able to access the Client Data of any other client organization.

9. Secure Development and Vulnerability Management

9.1 Secure SDLC.  Planful maintains a secure software development lifecycle that incorporates security considerations into the design, development, and deployment of the Application Services, including documented methodologies for static code analysis.

9.2 Testing.  Planful conducts periodic (not less than annual) penetration testing and external network vulnerability scanning of the Application Services, consistent with Section 9.3 of the MSA. A summary of penetration test results may be made available to Client subject to Section 3.2.

9.3 Remediation.  Planful evaluates identified vulnerabilities and remediates them on a risk-prioritized basis within commercially reasonable timeframes.

10. Change and Patch Management

10.1 Change Management.  Planful maintains a documented change control process governing changes to the production environment supporting the Application Services.

10.2 Patch Management.  Planful maintains a documented patch management process and applies security patches to systems supporting the Application Services on a risk-prioritized basis.

11. Endpoint and Malware Protection

11.1 Malware Controls.  Planful deploys and maintains anti-virus and anti-malware controls on systems used in connection with the Application Services and updates such controls in accordance with its policies.

12. Logging and Monitoring

12.1 Monitoring.  Planful conducts continuous (24×7) monitoring of the production environment and records and analyzes security-relevant event logs designed to detect unauthorized activity affecting Client Data, consistent with Section 9.3 of the MSA.

12.2 Audit Logs.  Planful maintains audit logs of administrative and security-relevant activity within the Application Services for a period consistent with its retention policies.

13. Physical and Environmental Security

13.1 Data Centers.  The Application Services are hosted in data center facilities that maintain industry-recognized physical and environmental security controls, including restricted physical access, monitoring, and environmental safeguards.

14.  Business Continuity, Disaster Recovery, and Backup

14.1 Resilience.  Planful maintains a business continuity and disaster recovery program designed to support the continued availability of the Application Services and the recovery of Client Data in the event of a significant disruption, and tests material elements of that program on a periodic basis.

14.2 Backups.  Planful performs regular backups of Client Data in the production environment and maintains documented backup and restoration procedures. Availability commitments, if any, are set forth in the service level agreement referenced in Section 2.1 of the MSA.

16. Security Incident Management and Notification

16.1 Incident Response.  Planful maintains a documented incident response plan governing the identification, investigation, containment, and remediation of Security Incidents, consistent with Section 9.3 of the MSA and Section 6 of the DPA.

16.2 Notification.  Where a Security Incident involves Client Personal Data, Planful will notify Client in accordance with the Security Incidents provisions of the DPA, which govern the timing, recipient, and content of such notice. Where a Security Incident affects Client Data that is not Client Personal Data, Planful will notify Client’s Designated POC without undue delay following Planful’s confirmation of the Security Incident. Planful’s notification of, or response to, a Security Incident is not an acknowledgment by Planful of any fault or liability.

16.3 Cooperation.  Planful will take reasonable steps to mitigate the effects of a Security Incident and will cooperate with Client’s reasonable requests for information regarding the Security Incident to the extent such information is within Planful’s control.

17. Client Responsibilities

Security of the Application Services is a shared responsibility. Without limiting Client’s obligations under Section 2.4 of the MSA, Client is responsible for:

  • configuring and using the Application Services in accordance with the Documentation and applicable security guidance;
  • managing and safeguarding its user credentials, access provisioning, and role assignments within its tenant, including the enforcement of available authentication controls;
  • the acts and omissions of its Authorized Users; and
  • the accuracy, quality, legality, and appropriateness of Client Data, and ensuring it has the right to submit Client Data to the Application Services.

18.  On-Site Audit.

Any on-site audit right is governed exclusively by Section 8 (Audits) of the DPA, including the SOC 2 safe harbor and the conditions, frequency, notice, scope, and cost-allocation provisions set forth therein. This Security Addendum does not create any separate or additional audit right.

19. Changes to Security Measures

Planful may update or modify the Security Measures from time to time, provided that such updates will not materially diminish the overall level of security provided to Client Data during the Subscription Term. Planful may satisfy any commitment in this Security Addendum through alternative measures that provide a substantially equivalent or greater level of protection.

20. General

20.1 Order of Precedence.  This Security Addendum is an exhibit to, and forms part of, the Agreement, and the order of precedence set forth in Section 10.9 of the MSA applies. To the extent this Security Addendum concerns the Processing of Client Personal Data, the DPA shall control in the event of a conflict, consistent with Section 1(a) of the DPA.

20.2 Limitation of Liability.  Planful’s obligations and liability under this Security Addendum are subject to the limitations of liability and other terms set forth in Section 8 of the MSA.

20.3 No Third-Party Beneficiaries.  This Security Addendum does not confer any rights on any person or entity other than the parties to the Agreement.

Get Started with Planful

  • LinkedIn
    How much time will you save?
  • LinkedIn
    How will your finance team evolve?
  • LinkedIn
    Where will technology support you?