MCSA
This Main Cloud Services Agreement (the “MCSA”) is entered into as of the Effective Date between Segmind Solutions Pvt. Ltd. (“Segmind” or “we”) and Customer (as defined below). This Agreement, together with any other Agreements that reference this Agreement (MCSA), governs the Customer’s use of the Segmind Services (the “Platform Services”) on each cloud service where Segmind directly provides customers with access to such Platform Services. Unless otherwise indicated, capitalized terms have the meaning assigned to them in this MCSA or in an incorporated Schedule. In the event of any conflict or inconsistency in the definition or interpretation between the body of this Agreement and the Schedules, or between Schedules, such conflict or inconsistency shall be resolved by giving precedence first to the body of this Agreement, and then to the Schedules.
- Definitions
- “Beta Service” means any Segmind Service (or feature of a Segmind Service) that is clearly designated as “beta”, “experimental”, “preview” or similar, that is provided prior to general commercial release, and that Segmind at its sole discretion offers to Customer, and Customer at its sole discretion elects to use.
- “Customer Content” means all Customer Data, Customer Instructional Input, and Customer Results.
- “Customer Data” means the data, other than Customer Instructional Input, made available by Customer and its Authorized Users for processing within the Platform Services or Support Services.
- “Customer Instructional Input” means information other than Customer Data that Customer inputs into the Platform Services to direct how the Platform Services process Customer Data, including without limitation the code and any libraries (including third party libraries) Customer utilizes within the Platform Services.
- “Customer Results” means any output Customer or its Authorized Users generate from their use of the Platform Services.
- “Documentation” means the documentation related to the Platform Services located at docs.segmind.com (or such other location as Segmind may provide, and as may be updated from time to time).
- “External User” means users who have been invited to use Platform Services that were set up by another Segmind Customer.
- “Pay-as-you-go Service” means the Platform Services provided on a month-to-month basis with payment based only on the Customer’s usage of the Platform Services during the billing month.
- “Support Policy” means the available Support Services plans as described at segmind.com/support (or such other locations as Segmind may provide, and as may be updated from time to time).
- “Single sign-on (SSO)” refers to an authentication scheme that allows a user to log in with their existing official email address provided.
- “Compute Instance” or “instance” means a Platform Services environment; a Customer may have multiple Instances.
- “Acceptable Use Agreement” means the Acceptable Use Agreement governing the Platform Services, made available as a schedule to this agreement.
- Platform Services
- Cloud Platform Services
- Use Authorization: Customer and its Authorized Users may, subject to this Agreement, access and use the Segmind Platform Services on any permitted Cloud Service Provider solely for Customer’s internal business purposes.
- Cloud Service Providers: A list of, and applicable information relating to the use of the Platform Services on such Cloud Service Providers is set forth in the Cloud Provider Directory shared below:
- Amazon Web Services (AWS)
- Lambda Inc.
- Google Cloud Platform (GCP)
- Microsoft Azure
- Modifications and Updates: Segmind reserves the right to improve or otherwise modify the Platform Services and its System architecture at any time subject to maintaining appropriate industry standards of practice relating to the provision and security of the Platform Services, and provided that any such modification does not materially diminish the core functionality or security of the Platform Services.
- Authorized Users.
- On-boarding Authorized Users: You must obtain separate credentials (e.g., user IDs, email, or similar unique identifiers and passwords) via the Platform Services for each Authorized User and may not permit the sharing of Authorized User credentials.
- Your Responsibilities Regarding Authorized Users: You will at all times be responsible for and expressly assume the risks associated with all users of the Platform Services under an Authorized User’s account (including for the payment of fees related to such use), whether such action was taken by an Authorized User or by another party, and whether or not such action was authorized by an Authorized User, provided that such action was not (1) taken by Segmind or by a party acting under the direction of Segmind, or (2) action by a third party that Segmind should reasonably have prevented. This responsibility includes the security of each Authorized User’s credentials, and you will not share (and will instruct each Authorized User not to share) such credentials with any other person or entity, or otherwise permit any other person or entity to access or use the Platform Services.
- Usage Limits.
- You will not (and will not permit your Authorized Users to):
- violate the Acceptable Use Agreement or use the Platform Services other than in accordance with the Documentation;
- copy, modify, disassemble, decompile, reverse engineer, or attempt to view or discover the source code of the Platform Services, in whole or in part, or permit or authorize a third party to do so, except to the extent such activities are expressly permitted by the Agreement or by law notwithstanding this prohibition;
- sell, resell, license, sublicense, distribute, rent, lease, or otherwise provide access to the Platform Services to any third party except to the extent explicitly authorized in writing by Segmind;
- use the Platform Services to develop or offer a service made available to any third party that could reasonably be seen to serve as a substitute for such third party’s possible purchase of any Segmind product or service;
- transfer or assign any of your rights hereunder; or
- during any free trial period granted by Segmind, including during the use of any Beta Service, use the Segmind Services for any purpose other than to evaluate whether to purchase the Segmind Services.
- Customer Content
- Ownership: As between you and Segmind, you retain all ownership or license rights in Customer Content, which shall be deemed your Confidential Information.
- Limits on what Customer Content may Contain: You agree that you may not include in Customer Data or Customer Instructional Input, or generate any Customer Results that include:
- any data for which you do not have all rights, power and authority necessary for its collection, use and processing as contemplated by the Agreement;
- any data that is prohibited by the Acceptable Use Agreement;
- Usage Data: You acknowledge and agree that, notwithstanding anything to the contrary in the Agreement, Segmind may collect usage data and telemetry regarding your Authorized Users’ use of the Platform Services and that such usage data may occasionally contain Customer Instructional Input (e.g., it may contain the queries entered by an Authorized User) but will not contain Customer Data or Customer Results (“Usage Data”). Segmind will not share (other than with third parties providing services to Segmind who agree in writing to terms at least as restrictive regarding the processing of Usage Data as those set forth in the Agreement) or publicly make available any Usage Data that identifies Customer, or any of its Authorized Users, other data subjects, or customers, nor use any Usage Data in a manner that derives its value from the unique aspects of your Customer Instructional Input.
- Security.
- Shared Responsibility: The customer acknowledges that the Platform Services operate according to a shared responsibility model that requires both parties to take reasonable security precautions relating to the Platform Services and the protection of Customer Content.
- Different Architectures: Segmind provides the Platform Services according to different architectural models depending on the specific feature being used by the Customer, as further described in the Documentation. Accordingly, Customer acknowledges and agrees that different portions of the Platform Services are and may in the future be subject to terms that provide for different rights and responsibilities of the parties.
- Segmind Responsibilities: Segmind shall implement administrative, physical, and technical safeguards to protect the security of the Platform Services and the Customer Content as set forth in the Security policy (“Security Measures”).
- Customer Responsibilities: Customer shall:
- use commercially reasonable efforts to ensure that its Authorized Users review the portions of Documentation relevant to the Customer’s use of the Platform Services and any security information published by Segmind and referenced therein that is designed to assist the Customer in securing Customer Content;
- remain at all times fully responsible for all Customer Instructional Input and any consequences arising from Segmind’s execution of such Customer Instructional Input except to the extent caused by Segmind’s breach of its Security Measures or gross negligence or willful misconduct;
- configure the Platform Services in an appropriate way taking into account the sensitivity of the Customer Content that Customer chooses to process using the Platform Services; and
- ensure that Segmind at all times has updated and accurate contact information for the appropriate person for Segmind to notify regarding data security issues relating to the Segmind Services, with such contact information to be updated in each order form and any subsequent changes to be provided by email to contact@segmind.com (with “Contact Change” in the subject).
- Support Services.
Segmind will provide you with the level of Support Services specified on an order form in accordance with the Support Policy. If Support Services are not specified on an order form, your support shall be limited to public documentation and forums.
- Compliance with Laws; Data Protection.
- By Segmind.
Segmind will provide the Platform Services in accordance with its obligations under laws and government regulations applicable to Segmind’s provision of the Platform Services to its customers generally, including, without limitation those related to data protection and data privacy, without regard to Customer’s particular use of the services and subject to Customer’s use of the Segmind Services in accordance with the Agreement.
- By Customer.
You represent and warrant to Segmind that your use of Segmind Services will comply with all applicable laws, including without limitation any privacy or data protection laws applicable to your use of the Platform Services to process Personal Data.
- Suspension; Termination.
- Suspension.
Segmind may temporarily suspend any or all Platform Services Workspaces at any time: (a) immediately without notice if Segmind reasonably suspects that you have violated your obligations under Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities) or Section 4 (Compliance with Laws; Data Protection) in a manner that may cause material harm or material risk of harm to Segmind or to any other party; (b) upon five (5) business days’ notice if Segmind reasonably suspects that you have committed any other violation of Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities), or Section 4 (Compliance with Laws; Data Protection); or (c) upon five (5) business days’ notice if you fail to pay undisputed Fees after receiving notice that you are delinquent in payment.
- Termination; Workspace Cancellation.
Segmind may terminate any or all of the Platform Services Workspaces and this Agreement for material breach of the Agreement or this Agreement, including without limitation your breach of Section 3.1 (Usage Limits), Section 4.2 (Limits on what Customer Content may Contain), Section 5.4 (Customer Responsibilities), or Section 4 (Compliance with Laws; Data Protection). If this Agreement is terminated for any reason or upon your written request, Segmind may cancel your accounts. Segmind will delete all Customer Content contained within a Workspace within thirty (30) days following the cancellation of such account. Upon termination of the Agreement for any reason, you will delete all stored elements of the Platform Services from your Systems.
- Pay-as-you-go service
Notwithstanding anything in the Agreement to the contrary, Segmind may suspend or terminate any pay-as-you-go Services account, and delete any Customer Content relating to such account that may be stored within the Platform Services or other Segmind Systems, upon thirty (30) days’ prior written notice (over email) if Segmind reasonably determines the account is inactive as set forth in the Acceptable Use Agreement.
- Notice.
Notice under this Section 5 (Suspension; Termination) may be provided by email sent to a person the party providing notice reasonably believes to have responsibility for the other party’s activities under the Agreement.
- Warranty; Warranty Remedy.
- Multi-Cloud Platform Services Warranty.
In addition to any other express warranties stated elsewhere in this agreement, Segmind warrants that, during the term of an order form for Platform Services: (a) the Platform Services will function substantially in accordance with the Documentation, and (b) it will employ commercially reasonable efforts in accordance with industry standards to prevent the transmission of malware or malicious code via the Platform Services not caused by Customer or its Authorized Users.
- Multi-Cloud Platform Services Disclaimer.
THE WARRANTIES IN SECTION 6.1 (MULTI-CLOUD PLATFORM SERVICES WARRANTY) ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, REGARDING SEGMIND AND SEGMIND’S SERVICES PROVIDED HEREUNDER. SEGMIND AND ITS LICENSORS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, CONDITIONS AND OTHER TERMS, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY OR FITNESS FOR A PARTICULAR PURPOSE. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN: (a) ANY SERVICES PROVIDED UNDER ANY FREE TRIAL PERIOD ARE PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND; (b) WITHOUT LIMITATION, SEGMIND DOES NOT MAKE ANY WARRANTY OF ACCURACY, COMPLETENESS, TIMELINESS, OR UNINTERRUPTABILITY, OF THE PLATFORM SERVICES; (c) SEGMIND IS NOT RESPONSIBLE FOR RESULTS OBTAINED FROM THE USE OF THE PLATFORM SERVICES OR FOR CONCLUSIONS DRAWN FROM SUCH USE; AND (d) SEGMIND WILL TAKE REASONABLE EFFORTS TO RESTORE LOST OR CORRUPTED CUSTOMER INSTRUCTIONAL INPUT DESCRIBED THEREIN SHALL BE SEGMIND’S SOLE LIABILITY AND YOUR SOLE AND EXCLUSIVE REMEDY IN THE EVENT OF ANY LOSS OR CORRUPTION OF CUSTOMER CONTENT IN CONNECTION WITH THE SEGMIND SERVICES.
- Multi-Cloud Platform Services Warranty Remedy.
FOR ANY BREACH OF THE WARRANTIES IN SECTION 6.1 (MULTI-CLOUD PLATFORM SERVICES WARRANTY), YOUR EXCLUSIVE REMEDY AND SEGMIND’s ENTIRE LIABILITY WILL BE THE MATERIAL CORRECTION OF THE DEFICIENT SERVICES THAT CAUSED THE BREACH OF WARRANTY, OR, IF WE CANNOT SUBSTANTIALLY CORRECT THE DEFICIENCY IN A COMMERCIALLY REASONABLE MANNER, SEGMIND WILL END THE DEFICIENT SERVICES AND REFUND TO YOU THE PORTION OF ANY PREPAID FEES PAID BY YOU TO SEGMIND APPLICABLE TO THE PERIOD FOLLOWING THE EFFECTIVE DATE OF TERMINATION.
- Additional Indemnities.
In addition to the Customer indemnities set forth in the MCSA, Customer’s obligation to defend and indemnify Segmind Indemnitees will include a Claim Against Segmind arising from any Customer Content or its use with the Segmind Services, including any claim that such Customer Content infringes or misappropriates such party’s Intellectual Property Rights.
This acceptable use agreement (“AUA”) sets forth certain restrictions relating to the access to, and use of, the Segmind Services by you or someone on your behalf under your agreement with Segmind applicable to the Segmind Services. The restrictions set forth in this AUA are not exhaustive. Any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. This AUA may be updated by Segmind from time to time upon reasonable notice, which may be provided through the Segmind Services or by posting an updated version of this AUA. Updates of the AUA become binding, including on existing users, on the later of the date specified in the updated AUA or thirty (30) days after posting. Any modification to the AUA within an update will relate solely to restrictions on use of, and access to, the Segmind Services. Any violation of this AUA may result in the suspension or termination of your access to and use of the Segmind Services.
You shall not (and shall not permit your Authorized Users to):
- attempt to access, search, or create accounts for any of our services by any means other than our publicly supported interfaces or as otherwise authorized by us;
- create multiple accounts for the purpose of extending your free trial;
- interfere with or disrupt (or attempt to interfere with or disrupt) the Segmind Services, or gain (or attempt to gain) access to any Systems that connect thereto (except as required to appropriately access and use the Segmind Services);
- use the Segmind Services to violate the security or integrity of, or otherwise abuse, any System of any party (including without limitation the Platform Services or Support Services), including but not limited to gaining unauthorized access to any System (including attempting to probe, scan, monitor, or test the vulnerability of a System), forging any headers or other parts of any message describing its origin or routing, interfering with the proper functioning of any System (including any deliberate attempt by any means to overload a System), implementing denial-of-service attacks, operating non-permissioned network services (including open proxies, mail relays or recursive domain name servers), using any means to bypass System usage limitations, or storing, transmitting or installing malicious code;
- use the Segmind Services to distribute or facilitate the sending of unsolicited or unlawful (i) email or other messages, or (ii) promotions of any kind;
- use the Segmind Services to engage in or promote any other fraudulent, deceptive or illegal activities;
- use the Segmind Services to process, store or transmit material, including any Customer Data, in violation of any Law or any third party rights, including without limitation privacy rights;
- provide a custom deployment name for your Workspace that might reasonably be considered inappropriate or that includes the trade name of any third party unless such party has provided you with express written permission;
- disclose any benchmarking of the Segmind Services; or
- use the Segmind Services in any circumstances where failure could lead to death, personal injury or environmental damage, and you further acknowledge that the Segmind Services are not designed or intended for such use.
Segmind may modify cluster, project, and instance names if they are found to be in violation of this AUA.
Inactive pay-as-you-go accounts:
If an account for which Segmind is providing pay-as-you-go Services is found to be inactive, the account may be suspended or terminated by Segmind, and any Customer Content relating to such account that is stored within the Subscription Services or other Segmind Systems may be deleted. Segmind will provide at least 15 days' notice (in accordance with the Agreement) prior to permanently deleting your account unless we deem it reasonably necessary to suspend or terminate your account without notice. For the avoidance of doubt, if we determine that the email associated with your account is invalid (e.g., because it bounces upon our notification of inactivity), we may terminate your account without further notice.
An account may be considered inactive if:
- No Customer Authorized User has logged into the account for at least three months;
- No Customer Instructional Input was ever created within or input into the account and at least three months have passed since the account was established; or
- If your account is set up to be paid by credit card, you (i) did not provide a valid credit card number or (ii) failed to update an expired or invalid credit card number and at least three months have passed without a valid credit card number on file, provided that for the avoidance of doubt this provision does not limit Segmind’s right to terminate your account for non-payment relating to actual usage.
This Security Policy is incorporated into and made a part of the written agreement between Segmind, Inc. (“Segmind”) and the Customer that references this Security policy (“Agreement”).
Segmind maintains a comprehensively documented security program that is based on an industry-standard security framework. Pursuant to the Security Program, Segmind implements and maintains administrative, physical, and technical security measures to protect the Platform Services and Support Services and the security and confidentiality of Customer Content (including any Customer Personal Data that may be contained therein) (each as defined in the Agreement) under Segmind’s control that is processed by Segmind in its provisioning of the Platform Services or Support Services (the “Security Measures”).
Segmind’s compliance with this policy shall be deemed to satisfy any more general measures included within any Agreement.
In accordance with its Security Program, Segmind will, when any Customer Content is under its control: (i) comply with the Security Measures identified below with respect to such Customer Content, and (ii) where relevant, keep documentation of such Security Measures.
Segmind regularly tests and evaluates its Security Program, and may review and update this Security policy at any time without notice, provided that such updates are equivalent (or enhance) security and do not materially diminish the level of protection afforded to Customer Content by these Security Measures.
- Deployment Model
- Shared Responsibility.
Segmind operates in a shared responsibility model, where both Segmind and the Customer maintain security responsibilities. This is covered in more detail in our Documentation.
- Architecture.
Segmind is a hybrid platform-as-a-service offering. The components responsible for managing and controlling the Platform Services are referred to as the ‘Segmind Control Plane’ and are hosted within a Segmind Cloud Service Provider account. The compute resources that perform data processing operations are referred to as the “Data Plane”. For certain Cloud Service Providers, the Data Plane may either be deployed in the Customer’s Cloud Service Provider account (known as the ‘Customer Data Plane’) or, for Segmind Serverless Compute, in a Segmind-controlled Cloud Service Provider account (known as the ‘Segmind Data Plane’). Data Plane shall refer to both Customer Data Plane and Segmind Data Plane unless otherwise specified.
- Compute Resources.
Compute resources are created and coordinated by the Segmind Control Plane and deployed into the Data Plane. Compute resources are launched as new virtual machines that leverage the latest base image and Segmind source code and do not have data from previous machines. When compute resources terminate, the data on their local hard drives is overwritten by Segmind or by the Cloud Service Provider.
- Data Storage of Customer Content.
- Customer Data and Customer Results.
- Customer Control.
Most Customer Data is stored within the Customer’s own Cloud Service Provider account at rest (e.g., within Customer’s AWS S3 bucket or AWS EBS Storage) or within other Systems under the Customer’s control. Customers may choose where this Customer Data resides. Please see the Documentation for more details.
- Segmind Control.
Small amounts of Customer Data may be stored within the Segmind Control Plane, including Customer Results and metadata about Customer Data (e.g., contained within the metastore). Segmind offers Customers options regarding the storage of certain Customer Content within the Platform Services (e.g., the location of Customer Results created by the use of interactive notebooks). Please see the Documentation for more details.
- Customer Instructional Input. Customer Instructional Input is stored at rest within the Segmind Control Plane.
- Deployment Region. Customers may specify the region(s) where their Platform Services Workspaces are deployed. Customers can choose to deploy the Data Plane into any supported Segmind region. The Segmind Control Plane may not be deployed into the same region. Segmind will not, without Customers’ permission, move a Customer's Workspace into a different region.
- Segmind’s Audits & Certifications. Segmind uses independent third-party auditors to assess the Segmind Security Program at least annually.
- Administrative Controls
- Governance. Segmind’s Chief Security Officer leads Segmind’s Information Security Program and develops, reviews, and approves (together with other stakeholders, such as Legal, Human Resources, Finance, and Engineering) Segmind’s Security Policies (as defined below).
- Change Management. Segmind maintains a documented change management policy, reviewed annually, which includes but is not limited to, evaluating changes of or relating to systems authentication.
- Personnel Training. Personnel receive comprehensive training on the Security Policies upon hire, and refresher training is given annually. Personnel are required to certify and agree to the Security Policies, and personnel who violate the Security Policies are subject to disciplinary action, including warnings, suspension, and up to (and including) termination.
- Personnel Screening and Evaluation. All personnel undergo background checks prior to onboarding (as permitted by local law), which may include, but are not limited to, criminal record checks, employment history verification, education verification, and global sanctions and enforcement checks. Segmind uses a third-party provider to conduct screenings, which vary by jurisdiction and comply with applicable local law. Personnel are required to sign confidentiality agreements.
- Monitoring & Logging. Segmind employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.
- Access Review. Active users with access to the Platform Services are reviewed at least quarterly and are promptly removed upon termination of employment. As part of the personnel offboarding process, all accesses are revoked and data assets are securely wiped.
- Third-Party Risk Management. Segmind assesses the security compliance of applicable third parties, including vendors and subprocessors, in order to measure and manage risk. This includes, but is not limited to, conducting a security risk assessment and due diligence prior to engagement and reviewing external audit reports from critical vendors at least annually. In addition, applicable vendors and sub-processors are required to sign a data processing agreement that includes compliance with applicable data protection laws, as well as confidentiality requirements.
- Physical and Environmental Controls
- Cloud Service Provider Data Centers. Segmind regularly reviews Cloud Service Provider audits conducted in compliance with ISO 27001, SOC 1, SOC 2, and PCI-DSS. Security controls include, but are not limited to the list below:
- Biometric facility access controls
- Visitor facility access policies and procedures
- 24-hour armed physical security
- CCTV at ingress and egress
- Intrusion detection
- Business continuity and disaster recovery plans
- Smoke detection sensors and fire suppression equipment
- Mechanisms to control temperature, humidity, and water leaks
- Power redundancy with backup power supply
- Systems & Network Security
- Platform Controls.
- Isolation.
Segmind leverages multiple layers of network security controls, including network-level isolation, for separation between the Segmind Control Plane and Customer Data Plane, and between Workspaces within the Segmind Data Plane.
- Firewalls & Security Groups.
Firewalls are implemented as network access control lists or security groups within the Cloud Service Provider’s account. Segmind also configures local firewalls or security groups within the Customer Data Plane.
- Hardening.
- Segmind employs industry standards to harden images and operating systems under its control that are deployed within the Platform Services, including deploying baseline images with hardened security configuration such as disabled remote root login and isolation of user code; images are regularly updated and refreshed.
- For Systems under Segmind control supporting the production data processing environment, Segmind tracks security configurations against industry-standard baselines such as CIS and STIG.
- Encryption
- Encryption of data-in-transit.
Customer Content is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit between (1) Customer and the Segmind Control Plane and (2) the Segmind Control Plane and the Data Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt communications between clusters within the Data Plane.
- Encryption of data-at-rest.
Customer Content is encrypted using cryptographically secure protocols (AES-128 bit, or the equivalent or better) while at rest within the Segmind Control Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt at rest Customer Content within the Data Plane.
- Review.
Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.
- Customer Options; Responsibilities.
Customers may choose to leverage additional encryption options for data in transit within the Customer Data Plane or Segmind Data Plane as described in the Documentation. Customer shall, based on the sensitivity of the Customer Content, configure the Platform Services and Customer Systems to encrypt Customer Content where appropriate.
- Monitoring & Logging
- Intrusion Detection Systems
Segmind leverages security capabilities provided natively by Cloud Service Providers for security detection.
- Generation. Segmind generates audit logs from Customer’s use of the Platform Services. The logs are designed to store information about material events within the Platform Services.
- Delivery. Customers may, depending on the entitlement tier of the Platform Services, enable delivery of audit logs. It is Customer’s responsibility to configure this option.
- Integrity. Segmind stores audit logs in a manner designed to protect the audit logs from tampering.
- Retention. Segmind stores audit logs for at least one year.
- Penetration Testing. Segmind conducts third-party penetration tests at least annually, employs in-house offensive security personnel, and also maintains a public bug bounty program.
- Vulnerability Management & Remediation. Segmind regularly runs authenticated scans against representative hosts in the SDLC pipeline to identify vulnerabilities and emerging security threats that may impact the Data Plane and Segmind Control Plane. Segmind will use commercially reasonable efforts to address critical vulnerabilities within 14 days, high severity within 30 days, and medium severity within 60 days, measured (for publicly declared third party vulnerabilities) from the date of availability of a compatible, vendor-supplied patch, or (for internal vulnerabilities) from the date such vulnerability is confirmed. Segmind leverages the National Vulnerability Database’s Common Vulnerability Scoring System (CVSS), or where applicable, the US-CERT rating, combined with an internal analysis of contextual risk to determine criticality.
- Patching:
- Control Plane. Segmind deploys new code to the Segmind Control Plane on an ongoing basis.
- Data Plane. New Data Plane virtual machines use the latest applicable source code and system images upon launch and do not require Segmind to patch live systems. Customers are encouraged to restart always-on clusters on a periodic basis to take advantage of security patches.
- Segmind Personnel Login to Customer Workspaces. Segmind utilizes an internal technical and organizational control tool that permits Segmind personnel to log in to a Customer Workspace to provide support to our Customers and permits limited Segmind engineering personnel to log in to certain Platform Services infrastructure. Customers may optionally configure certain limitations on the ability for Segmind personnel to access Customer Workspaces.
- Access Controls
- Authentication. Segmind personnel are authenticated through single sign-on (SSO), 802.1x (or similar) where applicable, and use a unique user ID and password combination and multi-factor authentication. Privileges are consistent with least privilege principles. Security Policies prohibit personnel from sharing or reusing credentials, passwords, IDs, or other authentication information. If your identity provider supports the SAML 2.0 protocol, you can use Segmind’s SSO to integrate with your identity provider.
- Role-Based Access Controls (RBACs). Only authorized roles are allowed to access systems processing customer and personal data. Segmind enforces RBACs (based on security groups and access control lists) and restricts access to Customer Content based on the principle of ‘least privilege’ and segregation of responsibilities and duties.
- Pseudonymization. Information stored in activity logs and databases is protected where appropriate using a unique randomized user identifier to mitigate the risk of re-identification of data subjects.
- Workstation Controls: Segmind enforces certain security controls on its workstations used by personnel, including:
- Full-disk encryption
- Anti-malware software
- Automatic screen lock after 15 minutes of inactivity
- Secure VPN
- Incident Detection & Response
- Detection & Investigation. Segmind’s dedicated Detection engineering team deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team (SIRT) for triage and response. The SIRT employs an incident response framework to manage and minimize the effects of unplanned security events.
- Security Incidents; Security Breaches. “Security Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data under Segmind control. A “Security Incident” is any actual or attempted breach of security that does not rise to the level of a Security Breach. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents. Segmind maintains a record of known Security Incidents and Security Breaches that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed Security Incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed Security Incidents, Segmind will take appropriate, reasonable steps to minimize product and Customer damage or unauthorized disclosure. All incidents are logged in an incident tracking system that is subject to auditing on an annual basis.
- Communications & Cooperation. In accordance with applicable data protection laws, Segmind will notify the Customer of a Security Breach for which that Customer is impacted without undue delay after becoming aware of the Security Breach, and take appropriate measures to address the Security Breach, including measures to mitigate any adverse effects resulting from the Security Breach.
- Backups, Business Continuity, and Disaster Recovery
- Business Continuity and Disaster Recovery. Segmind Business Continuity (BC) and Disaster Recovery (DR) plans are reviewed and drills are conducted annually.
- Data Resiliency. Segmind performs backups for the Segmind Control Plane (including any Customer Instructional Input stored therein), generally managed by the Cloud Service Provider capabilities, for data resiliency purposes in the case of a critical systems failure. While Segmind backs up Customer notebooks that persist in the Segmind Control Plane as part of the resiliency of its systems, those backups are maintained only for emergency recovery purposes and are not available for Customers to use on request for recovery purposes.
- No Data Restoration. Due to the hybrid nature of the Segmind Platform, Segmind does not provide backup for Customer Content, and Segmind is unable to restore an individual Customer’s Instructional Input upon request. To assist Customers in backing up Customer Instructional Input, Segmind provides certain features within the Platform Services (like the ability to synchronize notebooks via a customer’s GitHub or Bitbucket account).
- Self-service Access. Segmind makes available certain features within the Platform Services that permit customers to access, export, and delete certain Customer Content (e.g., experiments) contained within the Segmind Control Plane.
- Customer Managed Backups. Customers retain ownership of their Customer Content and must manage their own backups, including to the extent applicable, enabling backup within the Systems in which the Customer Data is stored.
- Data Deletion.
- During Use. The Platform Services provide Customers with functionality that permits Customers to delete Customer Content under Segmind’s control.
- Upon Workspace Cancellation. Customer Content contained within a Customer Workspace is permanently deleted within thirty (30) days following cancellation of the Workspace.
- Secure Software Development Lifecycle (“SDLC”)
- Security team. Segmind Engineering and the security organization co-run a Security program, in which senior engineers are trained and socialized as virtual members of the security team. Security programs are available to all engineering staff for design or code review.
- Security Design Review. Feature designs are assessed by security personnel for their security impact to the Segmind Platform, for example, additions or modifications to access controls, data flows, and logging.
- Security Training. Engineers are required to take Secure SDLC training, including but not limited to, content provided by OWASP.
- Peer Code Review. All production code must be approved through a peer code review process.
- Change Control. Segmind’s controls are designed to securely manage assets, configurations, and changes throughout the SDLC.
- Code Scanning. Static and dynamic code scans are regularly run and reviewed.
- Penetration Testing. As part of the Security Design Review process, certain features are identified and subjected to penetration testing prior to release.
- Code Approval. Functional owners are required to approve code in their area of responsibility prior to the code being merged for production.
- Multi-Factor Authentication. Accessing the Segmind code repository requires Multi-Factor Authentication.
- Code Deployment. Production code is deployed via automated continuous integration / continuous deployment (CI/CD) pipeline processes. The release management teams are separated from the engineering teams that build the product.
- Production Separation. Segmind separates production Platform Services Systems from testing and development Platform Services Systems.