NICE Company Security Terms

These NICE Company Security Terms (“Security Terms”) are incorporated into and made a part of the Master Relationship Agreement or such other written or electronic agreement between NICE and Customer for the purchase of Services (“Agreement”). Except as otherwise set forth herein, defined terms used in these Security Terms shall have the meanings provided in the Agreement.

I. Purpose

These Security Terms describe the information security standards NICE implements and follows in its business and in the provision of Services. These Security Terms do not apply to trial, beta, evaluation, or free Services, nor to third-party products or services sold but not developed by NICE. NICE may update these Security Terms from time to time to reflect changes in NICE’s security program, provided such changes do not materially diminish the level of security provided herein.

II. Company Security

  1. Overview. This Section II (Company Security) describes the information security controls NICE implements and follows for the protection of its IT systems, networks, facilities and assets (“Company Systems”), and any Confidential Information accessed or processed therein, from anticipated threats or hazards, unauthorized or unlawful access, use, disclosure, alteration, or destruction, and accidental loss, destruction or damage (“Company Security Program”). The Company Security Program has technical and organizational measures that are appropriate to the nature, size, and complexity of NICE’s business operations, the resources available to NICE, the type of information that NICE stores, and the need for security and confidentiality of such information.
  2. Company Security Policies. NICE has and maintains company information security policies (“Company Security Policies”) designed to educate its employees, contractors, and vendors on the appropriate use, access, and storage of Confidential Information. The Company Security Policies include access restrictions for personnel who have a ‘need to know’ such information, policies preventing terminated employees from accessing NICE’s information and information systems post-termination and imposing disciplinary measures for failure to abide by the Company Security Policies.
  3. Risk Assessment and Change Management. NICE uses a risk-based methodology to help it reasonably identify internal and external risks to the Company Systems and information resources and decide whether the Company Security Program is sufficient or needs to be updated to address any identified risks. NICE uses a change management process to ensure any changes to the Company Security Program or Company Security Policies are reviewed, tested, and approved.
  4. System Access Controls. NICE uses monitoring and logging tools to help detect and prevent unauthorized access to its networks and systems. NICE’s monitoring includes a review of Company Systems use through authentication and privileged access controls based upon the principle of least privilege, using secure authentication, authorization mechanisms, and access control rules that take into account the risk associated with the particular information system and the type of information stored therein. Access logs are maintained in a centralized repository to allow for security review and analysis by the security team. Such logs include log-on attempts, failover attempts, and log-off attempts. Users must authenticate with two-factor authentication prior to accessing NICE servers or systems. Personal devices used to access NICE systems must be enrolled in the NICE portal for security and access controls.
  5. Threat and Vulnerability Management. NICE monitors the Company Systems and the technology implemented therein for vulnerabilities that are acknowledged by third-party vendors, reported by researchers, or discovered internally. Any such vulnerabilities are identified for mitigation or fixes based on severity level. NICE or third parties acting at its direction periodically perform network vulnerability and penetration tests on the Company Systems. NICE uses real-time anti-virus and malware solutions to protect the Company Systems and its personnel’s computers against viruses, worms, and other forms of malicious code that may cause damage. Definition updates are performed and monitored on an automated basis.
  6. Training. All NICE employees and contractors are required to receive training on Company Security Policies upon hiring/onboarding and on an annual basis thereafter to maintain compliance with the Company Security Policies. Additional, more in-depth training may be required based on the roles and responsibilities performed by such personnel. NICE also implements periodic security awareness campaigns to educate its personnel and to maintain a secure work environment.
  7. Secure Product Development. When developing its software and technologies, NICE employs a methodology for the acquisition, development, configuration, maintenance, modification, and management of such technology with the intent of maximizing its inherent security. Source code access is restricted to authorized personnel only. NICE uses a risk-based approach when applying such methodology to production software, which may include activities such as performing security architecture reviews, open-source security scans, dynamic application security testing, network vulnerability scans, code review, and external penetration testing in the development environment. NICE scans packaged software to ensure it is free from trojans, viruses, malware, and other malicious threats.
  8. Storage and Secure Disposal. NICE’s Company Security Policies contain procedures and controls regarding the secure disposal of tangible and intangible materials containing Confidential Information, which are designed to ensure such Confidential Information cannot be viewed or reconstructed when possible.
  9. Third-Party Vendors. NICE puts each third-party vendor and its partners through a rigorous due diligence process, including privacy and security reviews for those with access to Confidential Information, including Content and personal data (as defined under the General Data Protection Regulation (EU) 2016/679 (“GDPR”)) (“Personal Data”), prior to contracting with any such third party. Third-party vendors are subject to contractual obligations of confidentiality and risk assessments to determine the sensitivity of information being shared. Vendors are expected to comply with any pertinent contract terms relating to the confidentiality and security of data, as well as any applicable NICE policies or procedures such as the NICE Supplier Code of Conduct. Periodically, NICE may re-evaluate a vendor and its security posture to help ensure compliance.
  10. Personnel Security. NICE requires each employee and contractor to enter into confidentiality agreements upon hire or engagement, as applicable, and to agree to its Code of Ethics and Business Conduct. NICE performs background checks on its potential employees prior to hiring, as permitted by applicable law. In addition to the Company Security Policies, NICE also requires its employees and contractors to agree and adhere to teleworking, internet acceptable use, social media, electronic messaging, clear desk/clear screen, and other work policies.
  11. Facilities. NICE grants physical access to its facilities based on role and logs visitor access. NICE removes physical access when access is no longer required, including upon termination. Employees and visitors must visibly display and wear identity badges when in a NICE facility. Visitors must always be accompanied while at a NICE facility. NICE reviews data center physical access, including remote access, on a regular basis to confirm that access is restricted to authorized personnel. NICE employs additional measures to protect its employees and assets, including video surveillance systems and onsite security personnel.
  12. Company Business Continuity and Disaster Recovery. NICE endeavors to maintain continuity of its operations through business continuity, redundancy, appropriate staffing of incident response personnel, and timely recovery of critical NICE processes and systems. NICE has a business continuity and disaster recovery plan for its business operations (“BCP/DRP”), which is reviewed and approved by management at least annually. The BCP/DRP includes actions and procedures for NICE facilities, business functions/operations, HR, IT, and communications, which are designed to ensure the survivability of NICE’s internal services, mission-critical applications, infrastructure, and data, and to enable their recovery to effective service levels as soon as possible, so as to minimize the impact on the business should a reasonably foreseeable event occur that causes significant operational disruption and crisis to NICE’s business and Company Systems. Training exercises and tests of the BCP/DRP are performed to ensure it is reliable and effective, and updates are made to the plan based on the findings of these tests.
  13. Certifications. NICE strives to align its Company Security Policies to ISO 27001 standards for information security where practical.