A. Layer0 Secure Logging. The Service is designed to support all types of secure transactions without storing any End User data as described below. The Service stores no End User sensitive information (e.g., credit card and other personal information). The Service also does not store or record End User cookies.
B. Secure Transaction Support. Secure Transaction Support is intended to enable Projects to transmit sensitive data to and from End Users using cryptographic protocols that provide communication security over the Internet. When designated in the Order, Layer0 will provide Secure Transaction Support for all identified secure domains in accordance with Payment Card Industry Data Security Standard (PCI-DSS) compliance standards.
C. PCI Compliance. Layer0 maintains PCI-DSS Level 1 compliance by undergoing annual audits from approved Visa and MasterCard auditors. Upon Customer’s reasonable written request no more than one time per year, Layer0 shall provide Customer a copy of Layer0’s then-current executed Attestation of Compliance (AOC).
D. Data Security.
i. Layer0 shall maintain software, hardware, systems, personnel and other resources designed to ascertain whether a penetration attempt is being made against any part of the network, server or other infrastructure / application or facilities used by Layer0 to process or transport Collected Data. Layer0 will inform Customer without undue delay upon verification of a security breach. Customer acknowledges that Layer0 cannot guarantee that unauthorized third parties will never be able to defeat the security measures described in this Policy and the Platform Subscription Agreement.
ii. Layer0 shall conduct periodic security audits of its information systems including, but not limited to, network penetration tests and vulnerability scans.
iii. Layer0 shall encrypt using industry standard strong encryption methods (based upon SSL certificates provided by Customer) Collected Data (to the extent encrypted by Customer) while in-transit from a Project to the Service and from the Service to Customer’s systems.
iv. Layer0 shall establish and maintain least privileged based access controls for all Collected Data. Access controls include, but are not limited to, account provisioning / de-provisioning, authentication, authorization and accountability controls.
v. Notwithstanding anything to the contrary in this Policy or the Platform Subscription Agreement, Customer acknowledges that the Service will inherit and utilize in all cases the level of security and privacy established by the Customer website on which a Project is based for the transmission and protection of data and Customer agrees that Layer0 shall have no liability for any breach of security or privacy resulting from vulnerabilities inherent in the particular level of security or privacy utilized by Customer websites.
E. Disaster Recovery / Business Continuity. Layer0 (a) has implemented business continuity and disaster recovery plans (hereafter referred to as the “Plan”) for the recovery of Layer0 business processes and systems and associated data, (b) will deliver a documented copy of such Plan to Customer within a reasonable period upon request, (c) will periodically update and test the operability of such Plan at least once during every twelve (12) month period, and (d) will implement the Plan upon the occurrence of a disaster. The Plan may be modified by Layer0 from time to time to reflect process improvements or changing practices (but the modifications will not materially decrease Layer0’s obligations as compared to those set forth in the Plan as of the Effective Date).