EXHIBIT B – SECURITY TERMS

Last updated: April 14, 2025


Below is a description of the technical and organizational measures Eightfold implements for data protection and security. Eightfold regularly checks that these measures continue to provide an appropriate level of security. These Technical and Organizational Measures (“Security Terms“) are incorporated into and form part of your applicable agreement with Eightfold with respect to your use of Eightfold Services (the “Agreement“). Capitalized terms used but not defined in these Security Terms have the meanings set forth in the Agreement.

Eightfold delivers a software-as-a-service solution through a unified, multi-tenant platform, providing consistency and reliability for all customers. The Service is delivered from a unified, continuously updated codebase, ensuring all users have access to the latest features and security enhancements. This one-to-many model enables Eightfold to maintain rigorous, standardized security and privacy protocols across its customer base. These Security Terms reflect this approach, offering uniform terms to all Customers. Eightfold reserves the right to modify these Security Terms to maintain compliance with applicable laws and industry standards or to enhance security measures, with notice of material changes provided to Customers. Given the nature of the Service, individual negotiations or customizations of these Security Terms are not operationally practicable. All references to “systems” in these Security Terms are to systems used to deliver, maintain, and secure the Services provided to customers. Eightfold has implemented technical and administrative safeguards to protect Customer Data.

Eightfold AI Information Security Program For Customer Data

Eightfold maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of Eightfold systems and Customer Data.

Eightfold’s security measures are continuously improved, reviewed, updated, and validated by independent third-party auditors to ensure ongoing effectiveness and compliance. These security measures are officially documented and published in Eightfold’s Security Policy. Eightfold has appointed a designated management official responsible for leading the information security program, ensuring its effective implementation and alignment with organizational objectives.

Identity and Access

Eightfold maintains formal, documented policies and procedures governing access to information systems that contain Customer Data, ensuring access is restricted to authorized personnel only.

  • Separation of Duties: Eightfold enforces the separation of duties between privileged and non-privileged users. Access to sensitive data and Customer Data is strictly regulated based on role and operational need.
  • Multi-Factor Authentication: All privileged users are required to use MFA for production system access.
  • System Access: Direct system access is minimized. Changes are made through configuration management processes. When direct access is required, MFA and secure VPN connections are used to access systems remotely.
  • Access Rights Management:
    • Eightfold immediately revokes access rights upon personnel termination.
    • Eightfold maintains appropriate password complexity requirements.
    • Privileged accounts inactive for ninety (90) days are automatically disabled.
  • Least Privilege: Access is granted based on least privilege and need-to-know principles.
  • User Identity Lifecycle: Eightfold tracks user identities throughout their lifecycle and performs regular access reviews. User identities are unique and traceable directly to individual personnel.
  • Identity Verification: Eightfold mandates and enforces identity verification before granting access to any system within the security authorization boundary.
  • Authentication Credential Management: Eightfold’s internal policies govern the secure issuance, handling, and revocation of authentication credentials.

Security Awareness

  • Mandatory Training: Upon hire and at least once per year, all Eightfold employees must complete security awareness training covering specific security topics such as phishing, insider threat, and data handling.
  • Supplemental Training: Eightfold conducts additional training sessions in response to emerging security threats, significant policy changes, or new technologies. Role-based training is provided in alignment with internal requirements.
  • Effectiveness Evaluation: Eightfold evaluates training effectiveness through scored assessments to measure understanding and retention of security protocols.
  • Policy Updates: Eightfold regularly updates personnel on information security policies, including changes to topic-specific policies and procedures relevant to job functions.
  • Training Updates: Eightfold consistently updates training materials to reflect security developments and regulatory requirements. Eightfold continually reviews and enhances training programs based on feedback and evolving security landscapes.
  • Acceptable Use Policies: Eightfold maintains comprehensive acceptable use policies and rules of behavior for all individuals requiring system access. These policies outline responsibilities, expected behaviors, and compliance requirements regarding information and system usage, security, and privacy.

System Monitoring

  • Scope: Eightfold implements logging and monitoring across all activities within the security authorization boundary, including automated alerting for specified events.
  • Log Generation: Eightfold generates detailed logs of activities, exceptions, faults, and security-relevant events. These logs are aggregated into a central source appropriate to the operational environment.
  • Log Security: Eightfold security logs are immutable and stored in a manner that protects against loss, destruction, falsification, and unauthorized access. Log data is encrypted with AES-256-GCM, an authenticated encryption mode that protects both the confidentiality and the integrity of stored log data; its 256-bit key size is considered to retain an adequate security margin against known quantum attacks.
  • Log Retention: Eightfold audit logs are stored for at least one (1) year.
  • Continuous Monitoring: Eightfold continuously monitors networks, systems, and applications for anomalous behavior that may indicate potential security incidents.

Security Assessments

  • Certifications: Eightfold maintains ISO 27001, ISO 27701, and SOC 2 assessments which are reassessed annually.
  • Qualified Assessors: All assessments are conducted by qualified assessors with relevant technical training and knowledge. Assessors must be affiliated with recognized bodies (e.g., AICPA, FedRAMP 3PAO) or hold appropriate certifications.
  • Penetration Testing: Eightfold contracts with a 3PAO to perform penetration testing at least annually, and internal penetration tests are performed at least quarterly.
  • Continuous Improvement: Eightfold adapts and enhances security protocols and measures in response to assessment findings or to address identified vulnerabilities.
  • Documentation: All assessment results are thoroughly documented including detailing findings, remedial actions, and compliance progress.
  • Availability of Reports: Certifications and report summaries are made available to Customers upon request through a Trust Portal and subject to the confidentiality obligations set forth in the Agreement.
  • Communication: Eightfold shall promptly communicate to Customer significant changes in its security posture that materially and adversely impact Customer.

Configuration Management

  • Change Management: Eightfold maintains established requirements for implementing changes to system configurations. All changes within the security authorization boundary require documented approvals from authorized personnel.
  • Development Process: The Eightfold Secure Development Lifecycle (SDLC) establishes guidelines for planning, delivery, and support of our application security capabilities.
  • Pre-Implementation Review: Eightfold performs comprehensive reviews of relevant changes prior to implementation. This includes code scanning to ensure compliance with security requirements and to prevent the introduction of vulnerabilities.
  • System Inventory: Eightfold maintains a detailed inventory of relevant system components. This inventory is regularly reviewed and updated to ensure accuracy and reflect current configurations.
  • Security Baselines: Eightfold establishes, continuously monitors, and periodically reviews security baseline configurations. Eightfold makes adjustments in response to new security threats or changes in operational requirements.
  • Documentation: Eightfold maintains comprehensive documentation of relevant configuration management processes and changes, providing a clear audit trail and facilitating compliance with relevant standards and regulations.
  • Testing: Eightfold conducts thorough testing of all configuration changes in a non-production environment before deployment to production systems to minimize potential disruptions to the Service.
  • Rollback Procedures: Eightfold maintains documented rollback procedures for relevant configuration changes to achieve rapid restoration of system stability in the event of unforeseen issues.

Contingency Planning

  • Information System Contingency Plan: Eightfold maintains an Information System Contingency Plan (ISCP) designed to ensure readiness and effective response to operational disruptions, including natural disasters, cyber incidents, and system failures. Eightfold’s Recovery Time Objective (RTO) is three (3) business days to functional operation and five (5) business days to return to regular operation. The Recovery Point Objective (RPO) is one (1) hour.
  • Annual Testing: Eightfold performs annual testing of the ISCP in coordination with its Incident Response Plan (IRP). Upon Customer request, Eightfold provides a summary of annual functional test results.
  • Confidentiality: Eightfold treats details of the ISCP and IRP as security-restricted information and implements appropriate controls to protect this sensitive data.
  • Resource Monitoring: Eightfold continuously monitors resources to align with current and projected capacity requirements, protecting against system overloads and maintaining optimal performance.
  • Backup Policy: Eightfold conducts regular backups in accordance with its comprehensive backup policy. This policy specifies frequency, scope, and methods to ensure data integrity and availability.
  • Backup Testing: Eightfold regularly tests backup copies to verify their effectiveness in restoring data and systems, ensuring reliable data recovery in the event of an incident.
  • Redundancy: Eightfold assesses information processing facilities’ redundancy measures to meet availability requirements as specified in the Service Level Agreement (SLA).
  • Continuous Improvement: Eightfold regularly reviews and updates its contingency planning and business continuity measures to address evolving threats and technological advancements.
  • Communication Protocol: In the event of a significant disruption, Eightfold maintains a clear communication protocol to inform Customers of the situation and recovery progress.
  • Third-Party Coordination: Where applicable, Eightfold coordinates with third-party service providers for comprehensive contingency planning across the entire Service delivery chain.

Incident Response

  • Incident Response: Eightfold maintains an established incident response plan designed to address Security Incidents immediately upon detection. The incident response plan is architected based on NIST SP 800-61. Eightfold’s Incident Response Team is trained and equipped to respond quickly to mitigate potential damage.
  • Customer Notification: In the event of a Security Incident, Eightfold notifies customers without undue delay, with a goal of 24 hours and no later than 72 hours from incident confirmation.
  • Notification Content: Details may be restricted during an ongoing Security Incident to minimize additional risk to Eightfold systems and Customer Data and are also subject to the availability of information at the time of notification. Eightfold’s incident notifications to customers include:
    • A description of the incident
    • The type of data involved
    • The implications of the incident
    • Actions taken to secure the data
    • Steps customers can take for further protection
  • Regulatory Compliance: Eightfold communicates relevant Security Incident information to appropriate authorities as required by applicable laws and regulations. Unless laws and regulations prohibit Eightfold from doing so, Eightfold shall notify Customer prior to such communication to authorities and will use commercially reasonable efforts to coordinate first with Customer.
  • Incident Documentation: Eightfold maintains detailed documentation of Security Incidents and corresponding responses. This documentation supports compliance efforts and aids in the continuous improvement of incident response processes.
  • Post-Incident Review: Following the resolution of each Security Incident, Eightfold conducts a review to identify root causes and evaluate the effectiveness of the incident response. Eightfold creates an after-action report (AAR) based on this review. Eightfold treats AAR details as security-restricted information and implements appropriate controls. Upon request, Eightfold provides the affected customers with a summary of the AAR.
  • Regular Testing: Eightfold conducts an annual functional Incident Response Plan (IRP) test in conjunction with the Information System Contingency Plan (ISCP). Eightfold also performs regular tabletop exercises and provides ongoing training to all incident response team members.
  • Continuous Improvement: Eightfold regularly reviews and updates its Incident Response Plan to incorporate lessons learned from incidents, tests, and industry best practices.

Maintenance

  • Maintenance Activities: Maintenance activities, including updates and patches, fall under Eightfold’s configuration and change management processes.
  • Critical Security Patches: Eightfold prioritizes and implements critical security patches to protect against known vulnerabilities. All patches undergo the same rigorous testing and approval processes as other maintenance activities.
  • Maintenance Schedule: Eightfold operates under a continuous deployment model, frequently updating systems to maintain optimal health and security. Customers are provided with access to release notes.
  • Documentation: Eightfold maintains detailed documentation of all maintenance activities, including the nature of the maintenance, date and time of implementation, and any impact on system performance or security.
  • Compatibility Testing: Prior to implementing any major system updates, Eightfold performs compatibility testing for continued functionality of relevant system components and integrations.

Media Protection

  • Data Storage Restrictions: Eightfold stores Customer Data exclusively within the defined security authorization boundary or other authorized systems. Storage of Customer Data on external media or unauthorized locations is prohibited.
  • Secure Hosting Infrastructure: Eightfold hosts its systems within high-security provider data centers. This infrastructure ensures high availability, data redundancy, and advanced security measures to protect Customer Data.
  • External Media: Eightfold prohibits the use of external media for storing or transferring Customer Data and there are technical measures in place to prevent exfiltrating customer data to any unauthorized location.
  • Data Deletion: Eightfold promptly deletes Customer Data when no longer required in accordance with Customer requirements and applicable laws and regulations.
  • Secure Deletion Processes: Eightfold implements data deletion processes that include thorough sanitization techniques to ensure deleted data cannot be recovered or reconstructed. These techniques adhere to the National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization.

Physical and Environmental Protection

  • Physical Access Control: Eightfold controls access to its offices through electronic badge systems and monitors premises using closed-circuit television (CCTV) surveillance.
  • Data Center Management: Eightfold’s production systems and data reside within data centers managed by Infrastructure as a Service (IaaS) providers. Physical data center controls are inherited from these providers and are regularly reviewed as part of Eightfold’s supplier security process.
  • Security Perimeters: Eightfold establishes security perimeters around sensitive areas to protect information and associated assets. These perimeters are protected by mechanisms including physical barriers, electronic detection systems, and access control systems, with specific implementations varying by location.
  • Environmental Threat Protection: Eightfold incorporates protection against physical and environmental threats, including natural disasters, fire, and flooding, into the design and implementation of its facilities to ensure minimal impact to the Service.
  • Visitor Management: Eightfold maintains a visitor management system to track and monitor all visitors to its facilities, ensuring that visitors are properly authorized, logged, and escorted as necessary.
  • Regular Audits: Eightfold conducts regular audits of its physical security measures to ensure their continued effectiveness and compliance with relevant standards and regulations.

Personnel Security

  • Pre-Employment Screening: Eightfold initiates comprehensive background checks on all employees as part of onboarding. These checks include, at minimum, criminal history verification and Office of Foreign Assets Control (OFAC) screening to assess candidate integrity and reliability.
  • Regulatory Compliance: Eightfold ensures all background checks and screenings comply with relevant legal and regulatory requirements, including data protection and privacy laws, to protect individuals’ rights and uphold ethical standards.
  • Secure Record Maintenance: Eightfold maintains comprehensive, secure records of all background checks and verifications, ensuring transparency and accountability in the screening process. These records are accessible only to authorized personnel and are protected against unauthorized access and disclosure.
  • Confidentiality: Eightfold treats all information obtained through background checks as confidential and uses it solely for employment-related purposes.
  • Third-Party Verification: Eightfold engages reputable third-party providers to conduct background checks, promoting impartiality and thoroughness in the screening process.
  • Contractor Screening: Eightfold extends appropriate background check requirements to suppliers, contractors, and temporary workers with access to sensitive information or systems.

Risk Assessment

  • Risk Management Framework: Eightfold assesses security risks using the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
  • Threat Intelligence Program: Eightfold maintains a threat intelligence program to continuously monitor and analyze emerging threats. This program provides actionable intelligence to inform risk management decisions and enhance Eightfold’s ability to anticipate and respond to potential security incidents.
  • Vulnerability Detection: Eightfold performs regular and comprehensive vulnerability scanning across its entire infrastructure and application stack. Vulnerability scans are run continuously when supported and at least weekly. This includes but is not limited to:
    • Network Vulnerability Scanning: Eightfold conducts regular systems scans to identify potential vulnerabilities.
    • Web Application Scanning: Eightfold performs regular automated and manual scans of all web applications to detect security weaknesses.
    • Container Scanning: Eightfold implements continuous scanning of container images and registries to identify vulnerabilities in containerized applications and their dependencies.
    • Database Scanning: Eightfold conducts regular scans of all database systems to identify misconfigurations, outdated software versions, and potential vulnerabilities.
    • Code Scanning: Eightfold performs static and dynamic code analysis on all application code to identify potential security flaws during the development process.
  • Vulnerability Evaluation: Eightfold evaluates identified vulnerabilities to determine the potential impact on the organization, including the likelihood of exploitation and the severity of consequences. This evaluation informs the prioritization of remediation efforts. Vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS).
  • Risk Mitigation: Eightfold develops and implements appropriate measures to mitigate identified risks based on comprehensive risk assessments and vulnerability evaluations. To protect the integrity of the Eightfold platform and customer data, internal vulnerability information is strictly confidential and not shared externally. Eightfold adheres to the following vulnerability target resolution timeframes, based on severity, fix availability, and date of discovery:
    • Critical Vulnerabilities: Immediate action upon discovery, with mitigation or remediation within 48 hours.
    • High Vulnerabilities: Mitigation or remediation within 30 days of discovery.
    • Medium Vulnerabilities: Mitigation or remediation within 90 days of discovery.
    • Low Vulnerabilities: Mitigation or remediation within 180 days of discovery.

Eightfold strives to address vulnerabilities as quickly as possible, often ahead of these deadlines. Eightfold maintains the right to adjust these timeframes based on risk analysis, operational impact, and resource availability, always prioritizing the security of the platform and customer data.

  • Confidentiality of Vulnerability Information: Eightfold prohibits the external sharing of internal vulnerability information to minimize risk to the Eightfold platform and customer data.
  • Documentation and Reporting: Eightfold documents and reports risk assessment findings and mitigation activities to relevant stakeholders to ensure transparency and facilitate informed decision-making.
  • Continuous Monitoring: Eightfold continuously monitors its systems and networks to detect new vulnerabilities and emerging threats in a timely manner.
  • Regular Risk Assessments: Eightfold conducts regular risk assessments, at least annually or upon significant changes to the information system or operating environment.
  • Third-Party Risk Assessment: Eightfold extends its risk assessment processes to third-party vendors and service providers that may impact the security of Eightfold’s systems or customer data.
  • Risk Treatment Plans: Eightfold develops and maintains risk treatment plans for identified risks that cannot be immediately mitigated, detailing the approach and timeline for risk reduction.
  • Security Metrics: Eightfold maintains and regularly reviews security metrics to measure the effectiveness of its risk management and vulnerability mitigation processes.

Supplier Security

  • Security Requirements: Eightfold maintains stringent security requirements for system and service acquisitions. Each applicable acquisition undergoes a risk assessment to identify potential security risks and ensure alignment with Eightfold’s security posture before integration.
  • Contractual Obligations: Where applicable, Eightfold requires vendors to adhere to specific security requirements in contractual agreements, covering data protection, access controls, incident response, and regulatory compliance.
  • Supplier Monitoring: Eightfold performs regular monitoring of suppliers to ensure continuous compliance with security requirements, including performance reviews and security audits as necessary.
  • Periodic Evaluation: Eightfold periodically reviews and evaluates supplier relationships and performance to assess the effectiveness of their security measures and identify areas for improvement.
  • Corrective Actions: In cases where suppliers do not meet expected security standards, Eightfold implements corrective actions to address deficiencies and mitigate potential risks.
  • Vendor Risk Assessment: Eightfold subjects each vendor to a risk assessment, evaluating the potential impact of their services on operations and data security.
  • Data Protection Obligations: Eightfold specifies data protection obligations in contracts, including encryption, access controls, and incident response procedures for sensitive information.
  • Annual Security Assessments: Eightfold conducts annual security assessments of vendors to evaluate compliance with security requirements and identify new risks or areas for improvement.
  • Incident Response Requirements: Eightfold requires subprocessors to maintain incident response plans and report any security incidents or breaches immediately.
  • Communication: Eightfold maintains communication with vendors to discuss security updates, regulatory changes, and other factors impacting supply chain risk management.
  • Remediation and Termination: If a vendor fails to meet security and compliance standards, Eightfold works with them to develop and implement a remediation plan. Failure to address identified issues within agreed-upon timelines may result in contract termination.

System and Information Integrity

  • Continuous Monitoring and Protection: Eightfold equips systems with continuous monitoring capabilities to detect and respond to security events in real-time. This includes collecting and analyzing log data for anomalies and potential threats. Eightfold continuously monitors relevant systems and communications for suspicious activity and potential security incidents.
  • Endpoint Security: Eightfold protects information stored on, processed by, or accessible via endpoint devices using encryption, access controls, and secure configurations. Eightfold implements extended detection and response (XDR) tools to provide visibility and protection for all endpoint devices. Comprehensive endpoint protection solutions safeguard devices against malware, ransomware, and other security threats.
  • Unified Endpoint Management: For applicable devices, Eightfold has implemented Mobile Device Management (MDM) and Extended Detection and Response (XDR) controls that enforce security configuration settings, including encryption enforcement and forced updates.
  • Data Encryption: Eightfold encrypts data on endpoint devices, both at rest and in transit, to prevent unauthorized access and ensure data integrity, even if devices are lost or stolen. Eightfold uses industry-standard encryption: AES-256 for data at rest and TLS 1.2 for data in transit, protecting against interception and unauthorized access.
  • Audit Trails: Eightfold maintains comprehensive audit trails to record access and modifications to critical data and systems. These logs are regularly reviewed to detect and investigate unauthorized or suspicious activities.
  • Network Security: Eightfold deploys network firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and control incoming and outgoing network traffic, providing an additional layer of defense against unauthorized access and cyber threats. Eightfold implements network segmentation to isolate sensitive systems and data, reducing the risk of lateral movement by attackers and enhancing overall security posture.
  • Application Security: Eightfold implements web application firewalls (WAF) to protect web applications from common threats such as SQL injection, cross-site scripting (XSS), and other application-layer attacks.
  • System Configuration and Maintenance: Eightfold configures systems according to foundational security practices and in accordance with Eightfold AI Security policy. Eightfold regularly applies updates and patches to address known vulnerabilities and protect against potential exploits.
