This Security Addendum is issued under and forms part of the Salesloft Master Subscription Agreement or other equivalent agreement (the “Agreement”) between Salesloft, Inc. and its Affiliates, including Clari Inc., (collectively, “Salesloft”) and Customer (as defined in the Agreement), which specifically references this Security Addendum. Any capitalized terms not defined herein shall have the meanings provided in the Agreement.
Salesloft is committed to protecting Customer Data and maintains industry standard cybersecurity measures to safeguard the security of Customer Data. In order to protect Salesloft’s network from evolving threats and disruptions, and to ensure ongoing effective security controls, Salesloft regularly reviews and may update this Security Addendum to reflect new features and updated practices. Any such modifications shall enhance and/or not materially diminish Salesloft’s security program.
Audits & Certifications.
- Salesloft’s information security management system used to provide the Services is assessed annually by accredited third-party auditors, who issue the following certifications and attestation reports:
  - SOC 2 Type II (attestation report)
  - ISO 27001
  - ISO 27701
- Salesloft agrees to maintain the certifications and standards listed above, or the appropriate and comparable successors thereof.
- Salesloft performs annual penetration testing of the Services and their supporting infrastructure, including automated and manual black-box tests. Third-party audit reports and summaries of penetration test results may be made available to customers, subject to standard confidentiality obligations.
Hosting Location of Customer Data.
- Clari Services: Customer Data is hosted in the production cloud environment located in the US East region.
- Salesloft Services: Customer Data is hosted in production cloud environments located in the United States (AWS us-east-1 and GCP us-central1) and/or the European Union (AWS eu-central-1 and GCP europe-west3), depending on the applicable service configuration and Customer’s selection.
Encryption.
- Encryption Key Management: Salesloft’s encryption key management conforms to NIST SP 800-53 and includes regular rotation of encryption keys. Cloud-based hardware security modules (HSMs) are used to safeguard top-level (root) encryption keys.
- Encryption of Customer Data: Salesloft encrypts Customer Data at rest using AES-256 (or stronger). Salesloft uses Transport Layer Security (TLS) 1.2 or higher for Customer Data in transit to and from the Services over untrusted networks.
Business Continuity Plan Management.
- Salesloft’s Services are distributed systems designed to spread data processing across multiple physical servers and multiple fault-independent availability zones within the applicable hosting region, so that any single hardware or availability-zone failure will not compromise the availability of the Services or Customer Data. The Services perform backups of Customer Data at least daily. Salesloft also maintains an industry standard business continuity and disaster recovery plan (the “BCP”), which is designed to restore the Services in the event of a service failure and is tested and reviewed annually.
Network & Systems Security.
- Access Controls:
  - All Salesloft personnel access the Salesloft cloud environment using a unique user ID, consistent with the principle of least privilege, over a VPN and with multi-factor authentication.
  - Salesloft personnel will not access Customer Data except as reasonably necessary to provide the Services under the Agreement, or to comply with applicable law or a binding order of a governmental body.
- Endpoint Controls: To access the Salesloft cloud environment, Salesloft personnel must use Salesloft-issued laptops. These laptops are subject to security controls that include, but are not limited to, full-disk encryption and endpoint detection and response (EDR) tooling that monitors for, and alerts on, suspicious activity and malicious code.
- Separation of Environments: Salesloft logically separates production environments from development environments. Salesloft’s production environment is both logically and physically separated from Salesloft’s corporate networks.
- Firewalls: Salesloft protects its production environment using industry standard firewalls, security groups and/or network access controls that deny all ingress and egress traffic other than traffic required for business purposes.
- Hardening: Salesloft’s production environment is hardened using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching.
Monitoring & Logging.
- User Logging: Salesloft captures logs of certain activities within Customer accounts and makes those logs available to Customer via API for Customer’s own analysis.
- Infrastructure Logging: Salesloft uses monitoring tools covering network, cloud environments and identity solutions to log activities within the production environment. These logs are monitored, analyzed for anomalies, and stored for a period of at least one year.
Vulnerability Management.
- Penetration Testing: Salesloft regularly conducts penetration tests and engages independent third parties to test the Services at least annually. Salesloft also facilitates ongoing security testing by independent researchers through a responsible disclosure and bug bounty program. Additionally, Salesloft performs vulnerability scans on the production environment at least daily using up-to-date vulnerability databases.
- Antivirus and Workload Protection: Salesloft’s production environment is protected by antivirus, anti-malware and security detection tools which are used to monitor and alert for suspicious activities, and potential malicious code.
Incident Detection & Response.
- Security Incident Reporting: If Salesloft becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data (a “Security Incident”), Salesloft shall notify Customer without undue delay, and in any event no later than 72 hours after discovery of the Security Incident.
- Investigation: In the event of a Security Incident, Salesloft shall promptly take commercially reasonable steps to contain, investigate and mitigate any Security Incident. Any logs relating to a Security Incident will be preserved for at least one year.
- Communication and Cooperation: Salesloft’s notification to Customer of any Security Incident shall: (i) provide Customer timely information about the Security Incident to the extent known by Salesloft, including, but not limited to, the nature and consequences of the Security Incident, the measures taken by Salesloft to mitigate or contain the Security Incident, the status of Salesloft’s investigation, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; and (ii) provide a Salesloft representative where Customer may obtain further information about the Security Incident. Communications made by or on behalf of Salesloft in connection with any such Security Incident shall not be interpreted as an acknowledgement by Salesloft of any fault or liability with respect to such Security Incident.
Employee Access, Screening & Controls.
Salesloft maintains policies and practices that include, at a minimum, the following controls and safeguards for Salesloft personnel:
- Criminal background screening and employment and identity verification as part of its hiring process, performed in accordance with applicable laws.
- All Salesloft employees with access to Customer Data complete security awareness training, addressing the protection, security and confidentiality of Customer Data.
- Salesloft personnel are required to sign confidentiality agreements, as well as an information security policy.
- Salesloft reviews the access privileges of its personnel on a defined cadence, with mechanisms to identify changes in user roles and permissions. Access is terminated for separated employees using an automated deprovisioning checklist.
- Access to Customer Data is restricted to prevent unauthorized access, and is governed by a formalized access management process covering request, review, approval and provisioning.
- Salesloft maintains a vendor risk management program for vendors that process Customer Data to ensure each vendor maintains security measures consistent with this Security Addendum.
Customer Rights & Shared Responsibility.
- Customer Audit Rights: Customer shall utilize Salesloft’s third-party certifications and other security documentation to assess Salesloft’s compliance with its obligations hereunder. Only to the extent that Customer is not able to do so, and in any event, no more than once per year except if required by applicable law, and following at least 45 days’ notice in writing from Customer, Salesloft shall provide Customer (and/or Customer’s third-party consultants who are not reasonably objected to by Salesloft, and who are subject to appropriate confidentiality obligations) with access to documents, systems, Salesloft employees and electronic data as reasonably necessary to audit Salesloft’s compliance with its obligations under this Security Addendum. Salesloft shall provide assistance, cooperation, and access reasonably required by Customer when conducting such audits. Customer shall ensure that the audit does not disrupt Salesloft’s business. In no event shall Customer be permitted to access any information, including without limitation personal data, that belongs to Salesloft’s other customers or such other information that is not relevant to Salesloft’s compliance with this Security Addendum. Except as required by law, Salesloft and Customer shall mutually agree in advance on the scope, methodology, timing and conditions of such audits.