Technical and Organizational Measures: NICE’s Cloud Services

NICE is committed to protecting the security of Content provided by Customer, and has implemented and maintains the technical and organizational measures (“TOMS”) described in this document.

This document details the TOMS employed by NICE for protecting Customer Content from unauthorized access, corruption, and loss.

1. NICE Policies and Procedures

NICE employs safety, physical security, and computer system security policies and procedures for the Cloud Services that are: (a) aligned with applicable prevailing industry standards and applicable laws; (b) designed to ensure the security and confidentiality of Customer Content including consumer data; and (c) designed to protect against anticipated threats or hazards to the security or integrity of Customer Content, including unauthorized intrusion, disclosure, misuse, alteration, destruction, or other compromise of such information.

2. Awareness and Training

All NICE employees are required to receive training on information security policies and risks on an annual basis. Additionally, NICE continues to provide its employees security training in order to develop products consistent with industry standard security considerations.

3. Personnel Security

NICE conducts pre-employment background checks as permitted by applicable law for all employees.

4. Access Controls

4.1 NICE maintains policies and processes to control and secure access to the Cloud Services and Customer Content based upon the principle of least privilege through secure authentication, authorization mechanisms, and access control rules that take into account the risk associated with the particular information system and the type of information stored therein. These processes include multiple layers of access controls such as firewalls, tokens, security keys, and authentication.

4.2 NICE maintains safeguards to prevent unauthorized access to Customer Content through fraud or error. User access management to the Cloud Services includes processes around user registration, access provisioning, management of privileged access rights to information, information systems, and removal or adjustment of access rights.

4.3 Data centers have physical access control systems to permit only authorized personnel to have access to the secure areas. These physical controls include, but are not limited to, identification and signatures of all access requirements, escorted access of authorized personnel, intrusion detection systems, access control devices, and closed circuit television cameras (“CCTV”).

4.4 Access logs are maintained on a centralized repository to allow for security review and analysis by the security team. Such logs include, but are not limited to, log-on, failover attempts and log off attempts.

5. Data Segregation

Data is segregated on a private tier, which is not accessible through the internet and is made available to the Customer in a secured manner, e.g. using the web interface or through an Application Programming Interface (“API”).

6. Audit and Accountability

NICE engages third parties to perform annual audits of its data security measures for the Cloud Services. Such audits are in the form of a Service Organization Control (SOC) 2 Type II report (or equivalent). Upon request, NICE will provide its Customers with a copy of the most recent SOC 2 report. Additionally, upon request, NICE will provide its Customers with a copy of the executive summary associated with its most current annual penetration testing results of infrastructure and applications applicable to Cloud Services. All audit reports, summaries, and related information and documentation provided by NICE to its Customers constitute NICE’s Confidential Information.

7. Viruses, Malware, Phishing, etc.

NICE continuously implements best practices and security technologies to protect its environment. NICE works with leading security vendors to deploy various tools to mitigate the threat of viruses, malware, and phishing.

8. Encryption

NICE employs encryption to mitigate the risk of unauthorized disclosure or alteration of Customer Content while in transit or at rest. Cryptographic keys shall be protected against unauthorized access, disclosure, modification, and data loss.

9. Business Continuity

NICE endeavors to maintain continuity of its operations through business continuity, redundancy, appropriate staffing of incident response personnel, and timely recovery of critical NICE processes and systems. NICE tests its business continuity plans on an annual basis.

10. Incident Response

If NICE becomes aware of an actual Data Incident, NICE will immediately: (a) take all necessary measures to contain the Data Incident and ensure that the same or similar Data Incident does not recur; and (b) investigate the Data Incident and cooperate with Customer in responding to any disclosure obligation related to the Data Incident.

11. Customer Content Retention and Disposal

Customer Content is retained until the expiration or termination of Customer’s contract for the relevant Cloud Service, after which it is disposed of in accordance with the appropriate Destruction Measures. The Cloud Services may include self-service tools that allow Customers to limit data retention during the term of the Cloud Services. Additional services to assist in managing data retention may be available from NICE as chargeable professional services.

12. Change Control

NICE may change the TOMS from time to time to adapt to the evolving security landscape and will notify Customers of such changes.

Exhibit A - Definitions

“Cloud Services” means the services identified in the applicable order document.

“Confidential Information” shall have the meaning set forth in the master agreement or non-disclosure agreement between the parties.

“Content” means any Customer data hosted by NICE.

“Customer” means the Customer identified in the applicable ordering document or master agreement.

“Data Incident” means any incident that has resulted in any unauthorized access to any Customer Content in the possession or custody of NICE or any third party acting on behalf of NICE.

“Destruction Measures” means: (a) destruction of the Content in a manner that prevents recovery or re-creation of the Content, electronically or otherwise; and (b) effective removal from NICE equipment and media using disk sanitizing processes appropriate for the classification of information contained therein and storage media type.