During the then-current Term of the applicable Wrike agreement between Wrike and the Customer specified on the applicable Order Form (together, with its governing Terms & Conditions, the “Agreement”), Wrike has established and agrees to maintain a written information security and privacy program (the “Information Security Program”) designed to comply with this Addendum, then-current industry-standard ISO 27001:2013 and SOC 2 organizational controls, and applicable law. As part of its program, Wrike has implemented and agrees to maintain administrative, technical, and physical security safeguards designed to protect the confidentiality, integrity, and availability of Customer Data, including but not limited to the following:
I. Administrative and Organizational Safeguards
- Wrike maintains policies and procedures, including the following:
i. Information Security Program, which sets forth Wrike’s procedures with regard to maintaining the safeguards set forth in this Addendum.
ii. Incident Response Plan, which sets forth Wrike’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
iii. Business Continuity and Disaster Recovery Plans, which set forth Wrike’s assessment of the criticality of its systems and data and establish procedures for maintaining backups, recovering lost Customer Data, operating in emergency mode, and testing contingency and recovery procedures.
- Wrike regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
- Wrike has appointed a Director of Information Security to oversee and manage its Information Security Program and designates an Incident Response Team in the event of a security incident.
- Wrike maintains role-based access restrictions for its systems, including restricting access to only those Wrike employees or subcontractors that require access to perform the services described in the Agreement, or to facilitate the performance of such services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
- Wrike periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for Wrike employees that no longer need such access.
- Wrike assigns unique usernames to authorized Wrike employees and requires that Wrike employees’ passwords satisfy minimum length and complexity requirements and be changed periodically.
- Wrike provides training to Wrike employees, as relevant for their roles, at least annually on confidentiality and security, including on the topics of phishing and social engineering.
- Wrike requires Wrike employees to acknowledge Wrike’s Information Security Program annually.
- Wrike has a policy in place to address violations of its Information Security Program.
- Wrike requires background checks on any Wrike employees with access to Customer Data.
- Wrike conducts annual assessments of the risks and vulnerabilities to the confidentiality and security of Customer Data.
II. Technical Security
- Wrike logs system activity—including authentication events, changes in authorization and access controls, and other system activities—and regularly reviews and audits such logs.
- Wrike maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Wrike to suspicious network activity, and anti-virus and malware protection software.
- Wrike has implemented workstation protection policies for its systems, including automatic application logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
- Wrike requires multi-factor authentication for remote network and system access.
- Wrike conducts regular and periodic vulnerability scans and assessments on all systems storing, processing, or transmitting Customer Data to identify potential vulnerabilities and risks to Customer Data.
- Wrike remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all high-risk mitigating manufacturer- and developer-recommended security updates and patches to systems and software storing, processing, or transmitting Customer Data.
- Wrike has implemented controls, including AES 256 encryption using file system encryption, to ensure that Customer Data is not improperly modified without detection.
III. Physical Security
- Wrike restricts access to its facilities, equipment, and/or devices to Wrike employees with authorized access on a need-to-know basis.
- Wrike logs access to its facilities, equipment, and devices and regularly reviews and audits such logs.
- Wrike runs real-time database replication to ensure that Customer Data is both backed up and available on redundant and geographically dispersed systems, physically separated from the primary Wrike application servers.
- Wrike has implemented policies and procedures regarding the proper disposal or re-use of equipment, devices, and electronic media. As part of any such disposal or re-use, Wrike requires that Customer Data on physical media be destroyed such that it cannot reasonably be reconstructed.
- Wrike has disaster recovery and unscheduled incident plans and procedures in place in the event of an emergency, including maintaining a disaster recovery infrastructure that resides in the Google Cloud Platform, which maintains security consistent with SSAE16 / ISAE 3402 Type II, ISO 27001, PCI DSS, HIPAA and other certifications.
IV. Incident Response
- Consistent with its Incident Response Plan, Wrike takes steps in the aftermath of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data to investigate, mitigate, remediate, and otherwise respond to such security incident. Wrike will inform Customer of a confirmed security incident within the time period required by law. Wrike will notify Customer at the email address associated with Customer’s administrator account, or at another email address that Customer provides to Wrike in writing for purposes of security incident notifications.
- In the event that Customer is subject to a regulatory inquiry or threatened litigation relating to a security incident, Wrike will provide Customer with reasonable assistance and support in responding to such investigation.
- Wrike conducts diligence of prospective subcontractors to ensure that they are capable of meeting the security standards set forth in this Addendum and requires them to comply with terms that are substantially similar to those set forth in this Addendum.