PURPOSE: The purpose of these requirements (“Requirements”) is to establish minimum information security standards and data privacy requirements for any person or entity that performs services for 草榴社区 or otherwise has access to 草榴社区 Data (“Vendor”). Vendor must handle, treat, and otherwise protect 草榴社区 Data in accordance with these Requirements and any contractual agreement between such Vendor and 草榴社区.
Defined terms used herein are found in Section 4 (Definitions) below.
SECTION 1: ACCESS TO SYNOPSYS NETWORKS AND/OR SYNOPSYS DATA PROCESSED WITHIN SYNOPSYS-CONTROLLED ENVIRONMENT
1.1 Compliance: Vendor shall comply with all applicable privacy and security laws to which it is subject, and shall not by act or omission place 草榴社区 in violation of any applicable privacy or security law, including without limitation HIPAA. Vendor policies and practices must comply with all applicable laws, regulations, and contractual obligations under its agreements with 草榴社区. Where local laws appear to prevent compliance with these Requirements, Vendor is responsible for notifying 草榴社区 to determine appropriate compensating controls. In the event Vendor transfers Personal Data from the European Economic Area (EEA) to outside the EEA, either directly or via onward transfer, Vendor agrees to comply with the revised Standard Contractual Clauses issued by European Commission Decision 2021/914/EC (the “2021 SCCs”) available for review at /company/legal/dpa-supplement.html.
1.2 Third Party Disclosure: Vendor shall not disclose 草榴社区 Data to any third party (including, without limitation, Vendor’s subsidiaries and affiliates and any person or entity acting on behalf of Vendor) unless with respect to each such disclosure: (A) the disclosure is necessary in order to carry out Vendor’s obligations under its agreements with 草榴社区; (B) such third party is bound by the same provisions and obligations as set forth in these Requirements; (C) Vendor has received 草榴社区’s prior written consent; and (D) Vendor remains responsible for any breach of the obligations set forth herein to the same extent as if Vendor caused such breach.
1.3 Breach and Security Threat Notification: Vendor shall notify 草榴社区 Information Security immediately but in no event later than 48 hours from the date of obtaining actual knowledge of any Data Security Breach or potential security threat or security incident (such as any security attack or hack allowing unauthorized access to Vendor’s or its customers’ network) that could impact 草榴社区 Information or 草榴社区 Information Assets. At Vendor’s cost and expense, Vendor shall assist and cooperate with 草榴社区 concerning any investigation, or disclosures to affected parties, and other remedial measures as requested by 草榴社区 or required under applicable law. Vendor shall indemnify 草榴社区 from any resulting damages and costs, including, without limitation, identity protection assistance and services procured for data subjects and reasonable attorneys and technical consultant fees for 草榴社区’ handling of the incident. Notification shall be submitted to Information Security using the form: /cgi-bin/contactus.cgi. Vendor shall respond within 3 business days to 草榴社区’ request to complete a security assessment/questionnaire concerning the level of impact to 草榴社区 and/or 草榴社区 Data associated with an identified exploit or vulnerability.
1.4 Remote Access Control: If Vendor requires remote access to 草榴社区 Data, Vendor must always use a 草榴社区-approved method when connecting. Vendor must not install technology that provides remote access to any 草榴社区 Data on the 草榴社区 network, including, but not limited to wireless access points, modems, Virtual Private Networks, remote access software, etc. 草榴社区 reserves the right to monitor all systems used by Vendor to connect to 草榴社区 networks or access 草榴社区 Data.
1.5 Data Owner: 草榴社区 Data shall at all times remain the sole property of 草榴社区 and nothing in these Requirements will be interpreted or construed as granting Vendor any license or other right under any patent, copyright, trademark, trade secret, or other proprietary right to 草榴社区 Data.
1.6 Derivative Data: Vendor shall not create or maintain data which are derivative of 草榴社区 Data, except for the purpose of performing its obligations under its agreements with 草榴社区 and as authorized by 草榴社区. Any derivative of 草榴社区 Data, regardless of how created, shall be deemed 草榴社区 Data.
1.7 Background and Screening Checks: To the extent permitted by local law, Vendor shall conduct appropriate background and screening checks prior to permitting any employee or contractor of Vendor to have access to 草榴社区 Data. Vendor shall in no event expose 草榴社区 to a level of risk which is commercially unreasonable or which is higher than that to which the Vendor would be comfortable exposing itself. 草榴社区 may at its sole option require more extensive background checks for any employee or contractor of Vendor who will have access to Personal Data or other information deemed highly sensitive by 草榴社区.
1.8 Security Awareness and Education: Vendor shall have a defined program to provide periodic information security awareness training to Vendor’s employees and contractors who will have access to 草榴社区 Data. Education and awareness training shall include Vendor’s security policies and standards for the secure handling of 草榴社区 Data. If Vendor’s services include software development, Vendor training must include secure application development training to ensure Vendor developers are programming according to secure coding techniques and principles.
1.9 Audits: Vendor shall, at the Vendor’s expense, agree to submit to reasonable data security and privacy compliance audits by 草榴社区 and/or, at 草榴社区’ request, by an independent third party, to verify compliance with these Requirements, applicable law, and any applicable contractual undertakings.
SECTION 2: ACCESS TO SYNOPSYS DATA PROCESSED EXTERNAL TO SYNOPSYS CONTROLLED ENVIRONMENT
If a Vendor (A) provides Cloud or SaaS services, or (B) provides outsourced software development services, or (C) Processes 草榴社区 Data external to a 草榴社区 controlled environment, the following provisions shall apply in addition to the provisions in Section 1 above:
2.1 Technical and Organizational Security Measures: Vendor shall have in place appropriate and reasonable Technical and Organizational Security Measures to protect the security of 草榴社区 Data and prevent a Data Security Breach. Upon 草榴社区’ request, Vendor shall provide evidence that it has established and maintains Technical and Organizational Security Measures governing the Processing of 草榴社区 Data.
2.2 Cryptographic Controls: Vendor shall employ encryption when transmitting 草榴社区 Data across public or wireless networks. Vendor shall encrypt during storage or transmission any and all Highly Sensitive Personal Data and other information deemed highly sensitive by 草榴社区 such as authentication credentials and cryptographic keys. Vendor shall maintain up-to-date Secure Sockets Layer (SSL) certificates on all software applications that perform or are connected to assets that store or have access to information associated with 草榴社区 Information or products.
2.3 Access Control: Vendor shall implement safeguards and controls to limit access to 草榴社区 Data to those employees and contractors whose role requires such access, and to prevent any unauthorized access.
2.4 Network, Operating System, and Application Control: Vendor must ensure that the Vendor networks that Process 草榴社区 Data employ industry best-practice safeguards and controls to monitor and block unauthorized network traffic.
2.5 Malware Protection: Where technically feasible, Vendor must deploy malware protection on all IT systems that access 草榴社区 Data. Vendor must ensure malware protection technology has the latest and up-to-date manufacturer’s signatures, definition files, software, and patches.
2.6 Asset Management and Equipment: Vendor must have processes in place to inspect all Vendor-supplied computing or data storage equipment used in providing services to 草榴社区 to ensure that data is securely overwritten prior to disposal. Vendor must physically destroy storage media or overwrite information using industry standard techniques to make the original information unrecoverable (e.g., “wiped” or degaussed). Vendor shall ensure accurate and timely inventory for computing assets that perform or are connected to assets that store or have access to information associated with 草榴社区 Information or products. This includes ensuring software composition analysis (SCA) of IT assets to provide a Software Bill of Materials (SBOM), license types, and known vulnerabilities in the respective IT Assets. These SCA reports shall be made available to 草榴社区 as part of any monitoring or review of third party provider services.
2.7 Physical Security: Vendor must implement safeguards and controls that restrict unauthorized physical access to areas containing equipment used to access 草榴社区 Data. Vendor must implement clear desk procedures to secure any printed 草榴社区 Data from unauthorized access.
2.8 Information Security Risk Management: Vendor must have an established process that periodically assesses risk within the organization with respect to the possession and Processing of 草榴社区 Data.
2.9 Password Management and Authentication Controls: Vendor must ensure that systems which Process 草榴社区 Data employ strong password complexity rules, including the following configurations: Passwords must be configured to expire every 90 days or less, systems must enable system lockout after failed login attempts, and systems must enable O/S screen saver locks after a period of inactivity. Vendor must encrypt authentication credentials during storage and transmission. Vendor must prohibit its users from sharing passwords.
2.10 System Security: Vendor must establish and maintain configuration standards to address currently known security vulnerabilities and industry best practices for all network devices and hosts. These standards must address configuration with all applicable security parameters to prevent misuse, including but not limited to unauthorized access to data. Vendor must remove or disable non-essential functionality (i.e., hardening each system) such as scripts, drivers, features, subsystems, or file systems (e.g., unnecessary web servers, default, or sample files, etc.). Vendor must ensure that software used in operational systems maintains up-to-date patching support by its supplier.
Vendor will implement policies and procedures to apply security patches promptly to Software following a change management process, including operational and regression testing, in accordance with the following timelines: “High Severity” rated patches (CVSS ratings 7.0 – 8.9) should be applied within 30 days, and “Critical Severity” vulnerability patches (9.0 and higher per CVSS ver. 3.0 and related CWE scoring systems and scores) should be remediated within 14 days.
2.11 Return of 草榴社区 Data: Vendor shall return, delete, or destroy (at 草榴社区’ election), or cause or arrange for the return, deletion, or destruction of, all 草榴社区 Data subject to these Requirements, including all originals and copies of such 草榴社区 Data in any medium and any materials derived from or incorporating such 草榴社区 Data, upon the expiration or earlier termination of the agreement between 草榴社区 and Vendor, or when there is no longer any legitimate business need (as determined by 草榴社区) to retain such 草榴社区 Data, or otherwise on the instruction of 草榴社区, but in no event later than ten (10) days from the date of such expiration, earlier termination, expiration of the legitimate business need, or instruction. If applicable law prevents or precludes the return or destruction of any 草榴社区 Data, Vendor shall notify 草榴社区 of such reason for not returning or destroying such 草榴社区 Data and shall not Process such 草榴社区 Data thereafter without 草榴社区’ express prior written consent. Vendor’s obligations under these Requirements to protect the security of 草榴社区 Data shall survive termination of its business relationship with 草榴社区.
SECTION 3: ACCESS TO CARDHOLDER DATA
If Vendor has access to Cardholder Data, whether processed in Vendor’s environment or a 草榴社区-controlled environment, the following provisions will apply in addition to the provisions in Sections 1 and 2 above.
3.1 Attestation of Compliance, PCI-DSS: Vendor represents that it is presently in compliance, and will remain in compliance with the current PCI-DSS for protecting individual credit and debit card account numbers. Vendor agrees to provide 草榴社区 with a copy of its PCI-DSS Attestation of Compliance annually at the time of filing.
3.2 Attestation of Compliance, PA-DSS: If Vendor provides to 草榴社区 software that processes any payments via a Payment Application, Vendor represents that software provided to 草榴社区 has been assessed and complies with the current PA-DSS and agrees to provide 草榴社区 with all documentation, including the PA-DSS Implementation Guide, necessary for 草榴社区 to deploy the software in a manner consistent with PCI-DSS. Vendor agrees to re-assess software following any changes determined to impact payment application security in accordance with the PA-DSS, provide updated documentation as necessary, and immediately notify 草榴社区 of any change in its PA-DSS compliance status.
SECTION 4: DEFINITIONS
For purposes of these Requirements, the following definitions shall apply:
“Cardholder Data” has the same meaning as defined by the PCI-DSS.
“Data Security Breach” means: (A) the loss or misuse (by any means) of 草榴社区 Data, including, without limitation any unauthorized access or disclosure to unauthorized individuals; (B) the inadvertent, unauthorized and/or unlawful Processing, corruption, modification, transfer, sale or rental of 草榴社区 Data; or (C) any other act or omission that compromises the security, confidentiality, or integrity of 草榴社区 Data. Data Security Breach includes, without limitation, a breach resulting from or arising out of Vendor’s internal use, Processing or other transmission of 草榴社区 Data, whether between or among Vendor’s subsidiaries and affiliates or any other person or entity acting on behalf of Vendor.
“Highly Sensitive Personal Data” is that subset of Personal Data whose unauthorized disclosure or use could reasonably entail enhanced risk for the data subject. Highly Sensitive Personal Data includes (A) Social Security number, passport number, driver’s license number, or similar national identifier; (B) financial or medical account authentication data, such as passwords or PINs; and (C) Cardholder Data, including credit card numbers and CVV codes.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder.
“PA-DSS” means Payment Application Data Security Standard 2.0, its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorization or settlement.
“PCI-DSS” means the current version of the Payment Card Industry (PCI) Data Security Standard (DSS), its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Personal Data” means any information that can be used to identify, locate, or contact an individual, including an employee, contractor, customer, or potential customer of 草榴社区, including, without limitation: (A) first and last name; (B) home or other physical address; (C) telephone number; (D) email address or online identifier associated with an individual; or (E) any other information relating to an individual, including cookie information and usage and traffic data or profiles, that is combined with any of the foregoing. Personal Data specifically includes (F) Individually Identifiable Health Information as defined pursuant to HIPAA; (G) the meaning assigned under European Union Directive 96/46/EC and (H) criminal history, race, ethnicity, national origin, and information about sexual orientation or activity, political opinions, and religious beliefs.
“Processing” or “Process” means any operation or set of operations that is performed upon 草榴社区 Data, whether or not by automatic means, including without limitation collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, blocking, deletion, erasure, or destruction.
“草榴社区 Data” means any non-public information which is commercially valuable, proprietary, privileged, or personal, the unauthorized disclosure of which could adversely affect 草榴社区 and/or its employees (e.g., competitively, by waiver of legal privilege, monetary loss, or violation of law or right of privacy). 草榴社区 Data includes Personal Data of employees, contractors, customers, or potential customers of 草榴社区, any classified information 草榴社区 receives in connection with participation in government programs, and any data the unauthorized disclosure of which could cause significant harm to 草榴社区 or the individual to whom the information pertains.
“Technical and Organizational Security Measures” means security measures, consistent with the sensitivity of the 草榴社区 Data being Processed and the services being provided by Vendor, to protect 草榴社区 Data, which measures shall implement best industry protections and include physical, electronic and procedural safeguards to protect 草榴社区 Data supplied to Vendor against any Data Security Breach, and any security requirements, obligations, specifications, or event reporting procedures set forth in any agreement between Vendor and 草榴社区.