Understanding shared responsibility with Analytics Plus

ManageEngine takes responsibility for building products that are secure, reliable, and robust. While we ensure our products are built to high security standards, you are responsible for securing your data and the settings you configure within the ManageEngine applications.

When you use ManageEngine, data security and privacy are a shared responsibility between you and us. The model below describes the security practices that go into building and maintaining the on-premises version of Analytics Plus, and who is responsible for each area.

Updated on: Feb 28th, 2022

Customer's Responsibility

  • Data accountability
  • Passwords
  • Client and end point security
  • Host infrastructure
  • Physical security

Shared Responsibility

  • Identity and access management
  • Data management
  • Managing data to other parties
  • Encryption
  • Backups
  • Incident management
  • Awareness and training
  • Policy and compliance
  • Availability

ManageEngine's Responsibility

  • Vulnerability patching
  • Periodic updates

Customer's responsibility

Let's look at how you are responsible for protecting your data and the security of your devices.

Data accountability

You are responsible for:

  • The data you share and receive via the application. You decide whom you share it with, for how long, and by what means. We recommend granting users only the minimum privileges their business role requires.
  • The privacy of the data you handle using Analytics Plus, so that you do not accidentally or deliberately make private content publicly available.
  • Maintaining the accuracy of the data that you process in your system.
  • Ensuring that your account is not used, by you or by others on your behalf, for spamming or illegal activities, and that Analytics Plus is used only for its intended purposes.
  • Password-protecting all files exported from the application, and setting an expiry period for reports published to users.

Passwords

You are responsible for creating a strong password and safeguarding it when you use it to log in to the application.

Client and end-point security

  • The compromise of one of your endpoints (laptop, desktop, or smartphone) renders all other application controls ineffective, because an attacker on that device can act as the logged-in user.
  • You are responsible for your endpoint security and are expected to keep your browsers, mobile OS, and mobile applications updated to the latest version and patched against known vulnerabilities.

Host infrastructure

You are responsible for protecting and securing the host infrastructure on which Analytics Plus runs. Servers provisioned in your production network should be hardened according to your organization's baseline standards, with OS patch management, baseline configuration, and host intrusion detection technologies in place to maintain a secure infrastructure.

Physical security

You are responsible for ensuring that your infrastructure is protected from unauthorized physical access, intrusion, and disasters.

Shared responsibility

Controls whose responsibility applies to both you and ManageEngine.

Identity and access management

We provide features to protect against the compromise of user accounts through our Identity and Access Management (IAM) service, including:

  • User registration and de-registration options, with documentation on how to use them.
  • Functionality for managing the access rights of your application users.
  • Strong authentication techniques such as Multi-Factor Authentication.

You are responsible for:

  • Implementing strong user access management controls.
  • Configuring strong passwords based on the organization's policy and protecting them.
  • Enabling Multi-Factor Authentication for your organization's users.
  • Administering user accounts and privileges—configuring user roles according to the principle of least privilege.
  • Defining the administrator(s) of the organization's account and having a proper process for ownership transfers. Taking necessary steps to ensure that your organization does not lose control of its administrator accounts.
  • Periodically reviewing the list of users with access to data and removing access for anyone who should not have it.
  • Frequently reviewing devices linked to the organization's user accounts and removing unused or unauthorized devices.
  • Monitoring your organization's user accounts for malicious access or usage.
  • Notifying ManageEngine of any unauthorized use of your organization’s accounts.
  • Educating your users on the importance of good password management and the risks of credential reuse, social logins, and phishing attacks.
  • Introducing IP address restrictions to control the perimeter of application access.

Data Management

We provide a platform for you to manage your data with:

  • Data sharing features for administrator and user-level controls.
  • Audit tracking features to provide transparency on important activities and to track changes.
  • Data interoperability—the option to take a complete backup of data and migrate all or a part of your data to another product.
  • ManageEngine employees do not have access to your data. On certain occasions, application logs may be requested (via file servers) for the sole purpose of troubleshooting. The application is designed so that the log files do not carry sensitive customer data. Controls are in place to ensure that employees without a need to know do not get access to this data, and the data is auto-deleted.
  • The application allows you to tag fields as PII to avoid accidental exposure.
  • All fields marked as PII are automatically encrypted.

You are accountable for:

  • Due diligence while processing information belonging to special categories (for example, personal/sensitive data) by applying appropriate controls to comply with the requirements of applicable legislation.
  • Configuring proper sharing and viewing permissions.
  • Enabling audit reports and reviewing them periodically to identify any suspicious activity.
  • Maintaining up-to-date contact information with ManageEngine.
  • Taking your data out of the system once you stop using our application.

Managing data to other parties

We work towards having secure integrations and extensions to our applications by:

  • Marketplace applications: Performing functional testing, security testing, and privacy testing once an application is submitted to us. We also perform product review and content review.
  • Sub-processors: Evaluating the security and privacy practices of sub-processors whom we wish to contract to ensure that they are in line with ManageEngine's information security and privacy standards. We then execute appropriate data protection agreements with them.
  • We review the privacy policy and terms of service of our vendors and ensure that their operations adhere to them.

We expect you to:

  • Enable or disable third-party integrations only after considering the data that gets shared with third-party environments. You must review the terms and the privacy policy of the third-party service regarding the collection, use, or disclosure of data.
  • Mark your preference on whether you would like to share your details with vendors every time an extension is installed.
  • Assess the suitability of the Marketplace Apps and the reasonableness of the requested permissions prior to installation.
  • Notify ManageEngine of any malicious behavior identified in the Marketplace Apps.

Encryption

Data encryption is handled in transit and at rest in the following ways:

  • Data in transit: We mandate that all connections to our servers use Transport Layer Security (TLS) 1.2 with strong ciphers, for all connections including web access, API access, our mobile apps, and SMTP access.
  • Data at rest: Sensitive customer data is encrypted at rest using the Advanced Encryption Standard (AES) with 256-bit keys. We own and maintain the keys using our in-house Key Management Service (KMS).

You are responsible for:

  • Ensuring that customer data transmitted between your servers, desktops, and laptops, over private or public networks, is protected using strong encryption protocols.
  • When data from our application is downloaded or exported into your environment, or synced within ManageEngine integrations or with any third-party integration, ensuring that the relevant encryption controls are applied. For example, enable disk encryption on your devices and use the export feature with password protection enabled.

Backups

We are equipped with a robust system to:

  • Allow periodic backups of the data that is stored and maintained in Analytics Plus.
  • Accept requests for data restoration and provide secure access to the restored data within the retention period, and provide a feature for you to export and back up your data.

From your end, you can:

  • Schedule a backup for your data, export it from the application, and store it locally in your infrastructure, if necessary. You are responsible for storing it in a secure manner.

Incident management

From our side, we ensure to:

  • Report all incidents of breach that we are aware of and that apply to you, along with impact details and suitable actions. For incidents specific to an individual user or an organization, we will notify the concerned party through the email address registered with us.
  • Track such incidents and close them.
  • Implement controls to prevent recurrence of similar incidents.
  • If requested, we will provide additional evidence related to the incident that applies to you.

We expect you to:

  • Take actions suggested by ManageEngine in case of a breach.
  • Meet your data breach disclosure and notification requirements, such as notifying your end users and data protection authorities when relevant.
  • Report security and privacy incidents that you are aware of to incidents@zohocorp.com.

Awareness and training

We take complete responsibility for:

  • Training our employees to be security-conscious and to adhere to a secure development standard. Newly hired employees take part in mandatory security and privacy training besides receiving regular security awareness training via informational emails, presentations, and resources available on our intranet.
  • Training our employees on the appropriate handling of customer data.

You are responsible for training users on:

  • Standards and procedures for the use of our application.
  • How the risks related to our applications are managed.
  • Risks on the general system and the network environment.
  • Applicable legal and regulatory considerations.

Policy and compliance

We adhere to a set of guidelines, such as:

  • We have a comprehensive risk management program in place and effectively implement its controls.
  • We operate within the law of the various jurisdictions where we operate from.
  • We provide evidence of compliance with applicable legislation and with our contractual requirements.
  • We will assist in our customers' DPIAs (Data Protection Impact Assessments) to the extent allowed by the applicable laws.

We expect you to:

  • Evaluate the regulations and laws that are applicable to you, and review our compliance with the regulations and standards that your business needs. You can request additional information to serve as evidence of our compliance.
  • Understand our policies, our policy assessment methods, and how we process data.
  • Conduct a DPIA as required by the data protection laws applicable to your organisation before or while processing data.
  • Before you process any personal/sensitive data, assess your lawful basis. In case your lawful basis is consent, ensure you obtain the consent from your customers.
  • Assess the suitability of our applications based on the information we provide and ensure it is sufficient to meet your compliance needs.
  • Understand the risk profile and sensitivity of the data hosted in Analytics Plus and apply appropriate controls.

ManageEngine's responsibility

Vulnerability patching

It is the sole responsibility of ManageEngine to identify vulnerabilities in its own software packages or third-party packages used in Analytics Plus, and ensure security patches are released promptly in order to mitigate risks.

Periodic updates

ManageEngine will release updates to its software with upgraded versions of dependency software packages to ensure all components are up to date. It is also ManageEngine's responsibility to communicate the availability of newer software versions to customers through various channels such as email, in-product notifications, phone calls, and forum posts.

ManageEngine is a division of Zoho Corp.