18. Secure Deletion. Okta maintains policies and procedures regarding the deletion of Customer Data in compliance with
applicable NIST guidance and data protection laws, taking into account available technology so that Customer Data cannot
be practicably read or reconstructed. Customer Data is deleted using secure deletion methods including digital shredding of
encryption keys and hardware destruction in accordance with NIST SP800-88 guidelines.
19. Intrusion Detection & Performance Assurance. Okta monitors the Service generally for unauthorized intrusions using
traffic and activity-based monitoring systems, and may analyze and share data, such as data collected by users’ web
browsers (for example, device type, screen resolution, time zone, operating system version, browser type and version,
system fonts, installed browser plug-ins, enabled MIME types, etc.) and authentication event data (collectively, “Threat
Information”) for security purposes, including to detect compromised browsers and to help customers detect fraudulent
authentications, and to ensure that the Service functions properly. For clarity, Threat Information: (1) is only shared if it is
derived from evidenced unauthorized attempt(s) to access and/or use the Service; and (2) does not constitute Customer
Data.
20. Incident Management. Okta has in place a security incident response plan that includes procedures to be followed in the
event of any unauthorized disclosure of Customer Data by Okta or its agents of which Okta becomes aware to the extent
permitted by law (such unauthorized disclosure defined herein as a “Security Breach”). The procedures in Okta’s security
incident response plan include:
a) Roles and responsibilities: formation of an internal incident response team with a response leader;
b) Investigation: assessing the risk the incident poses and determining who may be affected;
c) Communication: internal reporting as well as a notification process in the event of a Security Breach;
d) Recordkeeping: keeping a record of what was done and by whom to help in subsequent analyses; and
e) Audit: conducting and documenting a root cause analysis and remediation plan.
Okta publishes system status information on the Okta Trust website, at https://trust.okta.com. Okta typically notifies customers
of significant system incidents by email to the listed admin contact, and for availability incidents lasting more than one hour,
may invite impacted customers to join a conference call about the incident and Okta’s response.
21. Security Breach Management.
a) Notification: In the event of a Security Breach, Okta notifies impacted customers of such Security Breach. Okta
cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and Okta
provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.
b) Remediation: In the event of a Security Breach, Okta, at its own expense, (i) investigates the actual or suspected
Security Breach, (ii) provides any affected customer with a remediation plan, to address the Security Breach and to
mitigate the incident and reasonably prevent any further incidents, (iii) remediates the effects of the Security Breach
in accordance with such remediation plan, and (iv) reasonably cooperates with any affected customer and any law
enforcement or regulatory official investigating such Security Breach.
22. Logs. Okta provides procedural mechanisms that record and examine activity in information systems that contain or use
electronic information, including appropriate logs and reports. Okta (i) backs up logs on a daily basis, (ii) implements
commercially reasonable measures to protect such logs from unauthorized modification or erasure, and (iii) retains such
logs in compliance with Okta’s data retention policy. If there is suspicion of inappropriate access to the hosted Service,
Okta has the ability to provide customers log entry records to assist in forensic analysis. This service will be provided to
customers on a time-and-materials basis.
23. Communications with Users. Separate from and as a complement to the Service, Okta may provide Users access to online
communities that provide technical support resources and communicate with Users from time to time, including to send
announcements and details about Okta’s products, services, industry events, professional certifications, and other relevant
information that Users may find useful. Administrator Users who do not want their organization’s Users to receive such
communications may, on behalf of their organizations, update their communications preferences by visiting their Okta
Admin console and adjusting the “Okta User Communications” setting.