Synopsys Information Security Requirements for Vendors

Table of Contents


PURPOSE:
The purpose of these requirements (“Requirements”) is to establish minimum information security standards and data privacy requirements for any person or entity that performs services for Synopsys or otherwise has access to Synopsys Data (“Vendor”). Vendor must handle, treat, and otherwise protect Synopsys Data in accordance with these Requirements and any contractual agreement between such Vendor and Synopsys.

Defined terms used herein are found in Section 4 (Definitions) below.

SECTION 1: ACCESS TO SYNOPSYS NETWORKS AND/OR SYNOPSYS DATA PROCESSED WITHIN SYNOPSYS- CONTROLLED ENVIRONMENT

1.1 Compliance: Vendor shall comply with all applicable privacy and security laws to which it is subject, and shall not by act or omission place Synopsys in violation of any applicable privacy or security law, including without limitation HIPAA. Vendor policies and practices must comply with all applicable laws, regulations, and contractual obligations under its agreements with Synopsys. Where local laws appear to prevent compliance with these Requirements, Vendor is responsible for notifying Synopsys to determine appropriate compensating controls. In the event Vendor transfers Personal Data from the European Economic Area (EEA) to outside the EEA, either directly or via onward transfer, Vendor agrees to comply with the revised Standard Contractual Clauses issued by European Commission Decision 2021/914/EC (the “2021 SCCs”) available for review at https://www.synopsys.com/company/legal/dpa-supplement.html.

1.2 Third Party Disclosure: Vendor shall not disclose Synopsys Data to any third party (including, without limitation, Vendor’s subsidiaries and affiliates and any person or entity acting on behalf of Vendor) unless with respect to each such disclosure: (A) the disclosure is necessary in order to carry out Vendor’s obligations under its agreements with Synopsys; (B) such third party is bound by the same provisions and obligations as set forth in these Requirements; (C) Vendor has received Synopsys’s prior written consent; and (D) Vendor remains responsible for any breach of the obligations set forth herein to the same extent as if Vendor caused such breach.

1.3 Breach and Security Threat Notification: Vendor shall notify Synopsys Information Security immediately but in no event later than 48 hours from the date of obtaining actual knowledge of any Data Security Breach or potential security threat or security incident (such as any security attack or hack allowing unauthorized access to Vendor’s or its customer’ network) that could impact Synopsys Information or Synopsys Information Assets.  At Vendor’s cost and expense, Vendor shall assist and cooperate with Synopsys concerning any investigation, or disclosures to affected parties, and other remedial measures as requested by Synopsys or required under applicable law. Vendor shall indemnify Synopsys from any resulting damages and costs, including, without limitation, identity protection assistance and services procured for data subjects and reasonable attorneys and technical consultant fees for Synopsys’ handling of the incident.  Notification shall be submitted to Information Security using the form: https://www.synopsys.com/cgi-bin/contactus.cgi. Vendor shall respond within 3 business days to Synopsys’ request to complete a security assessment/questionnaire concerning the level of impact to Synopsys and/or Synopsys Data associated with an identified exploit or vulnerability.

1.4 Remote Access Control: If Vendor requires remote access to Synopsys Data, Vendor must always use a Synopsys-approved method when connecting. Vendor must not install technology that provides remote access to any Synopsys Data on the Synopsys network, including, but not limited to wireless access points, modems, Virtual Private Networks, remote access software, etc. Synopsys reserves the right to monitor all systems used by Vendor to connect to Synopsys networks or access Synopsys Data.

1.5 Data Owner: Synopsys Data shall at all times remain the sole property of Synopsys and nothing in these Requirements will be interpreted or construed as granting Vendor any license or other right under any patent, copyright, trademark, trade secret, or other proprietary right to Synopsys Data.

1.6 Derivative Data: Vendor shall not create or maintain data which are derivative of Synopsys Data, except for the purpose of performing its obligations under its agreements with Synopsys and as authorized by Synopsys. Any derivative of Synopsys Data, regardless of how created, shall be deemed Synopsys Data.

1.7 Background and Screening Checks: To the extent permitted by local law, Vendor shall conduct appropriate background and screening checks prior to permitting any employee or contractor of Vendor to have access to Synopsys Data. Vendor shall in no event expose Synopsys to a level of risk which is commercially unreasonable or which is higher than that to which the Vendor would be comfortable exposing itself. Synopsys may at its sole option require more extensive background checks for any employee or contractor of Vendor who will have access to Personal Data or other information deemed highly sensitive by Synopsys.

1.8 Security Awareness and Education: Vendor shall have a defined program to provide periodic information security awareness training to Vendor’s employees and contractors who will have access to Synopsys Data. Education and awareness training shall include Vendor’s security policies and standards for the secure handling of Synopsys Data. If Vendor’s services include software development, Vendor training must include secure application development training to ensure Vendor developers are programming according to secure coding techniques and principles.

1.9 Audits: Vendor shall, at the Vendor’s expense, agree to submit to reasonable data security and privacy compliance audits by Synopsys and/or, at Synopsys’ request, by an independent third party, to verify compliance with these Requirements, applicable law, and any applicable contractual undertakings.

SECTION 2: ACCESS TO SYNOPSYS DATA PROCESSED EXTERNAL TO SYNOPSYS CONTROLLED ENVIRONMENT

If a Vendor (A) provides Cloud or SaaS services, or (B) provides outsourced software development services, or (C) Processes Synopsys Data external to a Synopsys controlled environment, the following provisions shall apply in addition to the provisions in Section 1 above:

2.1 Technical and Organizational Security Measures: Vendor shall have in place appropriate and reasonable Technical and Organizational Security Measures to protect the security of Synopsys Data and prevent a Data Security Breach. Upon Synopsys’ request, Vendor shall provide evidence that it has established and maintains Technical and Organizational Security Measures governing the Processing of Synopsys Data.

2.2 Cryptographic Controls: Vendor shall employ encryption when transmitting Synopsys Data across public or wireless networks. Vendor shall encrypt during storage or transmission any and all Highly Sensitive Personal Data and other information deemed highly sensitive by Synopsys such as authentication credentials and cryptographic keys. Vendor shall maintain up-to-date Secure Sockets Layer (SSL) certificates on all software applications that perform or are connected to assets that store or have access to information associated with Synopsys Information or products.

2.3 Access Control: Vendor shall implement safeguards and controls to limit access to Synopsys Data to those employees and contractors whose role requires such access, and to prevent any unauthorized access.

2.4 Network, Operating System, and Application Control: Vendor must ensure that the Vendor networks that Process Synopsys Data employ industry best-practice safeguards and controls to monitor and block unauthorized network traffic.

2.5 Malware Protection: Where technically feasible, Vendor must deploy malware protection on all IT systems that access Synopsys Data. Vendor must ensure malware protection technology has the latest and up-to-date manufacturer’s signatures, definition files, software, and patches.

2.6 Asset Management and Equipment: Vendor must have processes in place to inspect all Vendor-supplied computing or data storage equipment used in providing services to Synopsys to ensure that data is securely overwritten prior to disposal. Vendor must physically destroy storage media or overwrite information using industry standard techniques to make the original information unrecoverable (e.g., “wiped” or degaussed). Vendor shall ensure accurate and timely inventory for computing assets that perform or are connected to assets that store or have access to information associated with Synopsys Information or products.  This includes ensuring software composition analysis (SCA) of IT assets to provide a Software Bill of Materials (SboM) license types and known vulnerabilities in the respective IT Assets.  These SCA reports shall be made available to Synopsys as part of any monitoring or review of third party provider services.

2.7 Physical Security: Vendor must implement safeguards and controls that restrict unauthorized physical access to areas containing equipment used to access Synopsys Data. Vendor must implement clear desk procedures to secure any printed Synopsys Data from unauthorized access.

2.8 Information Security Risk Management: Vendor must have an established process that periodically assesses risk within the organization with respect to the possession and Processing of Synopsys Data.

2.9 Password Management and Authentication Controls: Vendor must ensure that systems which Process Synopsys Data employ strong password complexity rules, including the following configurations: Passwords must be configured to expire every 90 days or less, systems must enable system lockout after failed login attempts, and systems must enable O/S screen saver locks after a period of inactivity. Vendor must encrypt authentication credentials during storage and transmission. Vendor must prohibit its users from sharing passwords.

2.10 System Security: Vendor must establish and maintain configuration standards to address currently known security vulnerabilities and industry best practices for all network devices and hosts. These standards must address configuration with all applicable security parameters to prevent misuse, including but not limited to unauthorized access to data. Vendor must remove or disable non-essential functionality (i.e., hardening each system) such as scripts, drivers, features, subsystems, or file systems (e.g., unnecessary web servers, default, or sample files, etc.). Vendor must ensure that software used in operational systems maintains up-to-date patching support by its supplier.

Vendor will implement policies and procedures to apply security patches promptly to Software following a change management process, including operational and regression testing in accordance with the following timelines: “High Severity” rated patches should be patched within 30 days for CVSS ratings 7.0 – 8.9 – and “Critical Severity” vulnerability patches should be remediated within 14 days (9.0 and higher per CVSS ver. 3.0 and related CWE scoring systems and scores).

2.11 Return of Synopsys Data: Vendor shall return, delete, or destroy (at Synopsys’ election), or cause or arrange for the return, deletion, or destruction of, all Synopsys Data subject to these Requirements, including all originals and copies of such Synopsys Data in any medium and any materials derived from or incorporating such Synopsys Data, upon the expiration or earlier termination of the agreement between Synopsys and Vendor, or when there is no longer any legitimate business need (as determined by Synopsys) to retain such Synopsys Data, or otherwise on the instruction of Synopsys, but in no event later than ten (10) days from the date of such expiration, earlier termination, expiration of the legitimate business need, or instruction. If applicable law prevents or precludes the return or destruction of any Synopsys Data, Vendor shall notify Synopsys of such reason for not returning or destroying such Synopsys Data and shall not Process such Synopsys Data thereafter without Synopsys’ express prior written consent. Vendor’s obligations under these Requirements to protect the security of Synopsys Data shall survive termination of its business relationship with Synopsys.

SECTION 3: ACCESS TO CARDHOLDER DATA

If Vendor has access to Cardholder Data, whether processed in Vendor’s environment or a Synopsys-controlled environment, the following provisions will apply in addition to the provisions in Sections 1 and 2 above.

3.1 Attestation of Compliance, PCI-DSS: Vendor represents that it is presently in compliance, and will remain in compliance with the current PCI-DSS for protecting individual credit and debit card account numbers. Vendor agrees to provide Synopsys with a copy of its PCI-DSS Attestation of Compliance annually at the time of filing.

3.2 Attestation of Compliance, PA-DSS: If Vendor provides to Synopsys software that processes any payments via a Payment Application, Vendor represents that software provided to Synopsys has been assessed and complies with the current PA-DSS and agrees to provide Synopsys with all documentation, including the PA-DSS Implementation Guide, necessary for Synopsys to deploy the software in a manner consistent with PCI-DSS. Vendor agrees to re-assess software following any changes determined to impact payment application security in accordance with the PA-DSS, provide updated documentation as necessary, and immediately notify Synopsys of any change in its PA-DSS compliance status.

SECTION 4: DEFINITIONS

For purposes of these Requirements, the following definitions shall apply:

“Cardholder Data” has the same meaning as defined by the PCI-DSS.

“Data Security Breach” means: (A) the loss or misuse (by any means) of Synopsys Data, including, without limitation any unauthorized access or disclosure to unauthorized individuals; (B) the inadvertent, unauthorized and/or unlawful Processing, corruption, modification, transfer, sale or rental of Synopsys Data; or (C) any other act or omission that compromises the security, confidentiality, or integrity of Synopsys Data. Data Security Breach includes, without limitation, a breach resulting from or arising out of Vendor’s internal use, Processing or other transmission of Synopsys Data, whether between or among Vendor’s subsidiaries and affiliates or any other person or entity acting on behalf of Vendor.

“Highly Sensitive Personal Data” is that subset of Personal Data whose unauthorized disclosure or use could reasonably entail enhanced risk for the data subject. Highly Sensitive Personal Data includes (A) Social Security number, passport number, driver’s license number, or similar national identifier; (B) financial or medical account authentication data, such as passwords or PINs; and (C) Cardholder Data, including credit card numbers and CVV codes.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder.

“PA-DSS” means Payment Application Data Security Standard 2.0, its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).

“Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorization or settlement.

"PCI-DSS" means the current version of the Payment Card Industry (PCI) Data Security Standard (DSS), its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).

“Personal Data” means any information that can be used to identify, locate, or contact an individual, including an employee, contractor, customer, or potential customer of Synopsys, including, without limitation: (A) first and last name; (B) home or other physical address; (C) telephone number; (D) email address or online identifier associated with an individual; or (E) any other information relating to an individual, including cookie information and usage and traffic data or profiles, that is combined with any of the foregoing. Personal Data specifically includes (F) Individually Identifiable Health Information as defined pursuant to HIPAA; (G) the meaning assigned under European Union Directive 96/46/EC and (H) criminal history, race, ethnicity, national origin, and information about sexual orientation or activity, political opinions, and religious beliefs.

“Processing” or “Process” means any operation or set of operations that is performed upon Synopsys Data, whether or not by automatic means, including without limitation collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, blocking, deletion, erasure, or destruction.

“Synopsys Data” means any non-public information which is commercially valuable, proprietary, privileged, or personal, the unauthorized disclosure of which could adversely affect Synopsys and/or its employees (e.g., competitively, by waiver of legal privilege, monetary loss, or violation of law or right of privacy). Synopsys Data includes Personal Data of employees, contractors, customers, or potential customers of Synopsys, any classified information Synopsys receives in connection with participation in government programs, and any data the unauthorized disclosure of which could cause significant harm to Synopsys or the individual to whom the information pertains.

“Technical and Organizational Security Measures” means security measures, consistent with the sensitivity of the Synopsys Data being Processed and the services being provided by Vendor, to protect Synopsys Data, which measures shall implement best industry protections and include physical, electronic and procedural safeguards to protect Synopsys Data supplied to Vendor against any Data Security Breach, and any security requirements, obligations, specifications, or event reporting procedures set forth in any agreement between Vendor and Synopsys.