Unity Vendor Security Asset Configurations

Vendor Security Asset Configurations

We, Unity Technologies and our corporate affiliates (“Unity”), provide these guidelines for our service providers and vendors that are engaged with us to provide goods and/or services.

By engaging with Unity as a vendor for the supply of goods and/or services, you as a Vendor agree as follows:

I. Asset Inventory. Access to Unity Personal Data and Unity Resources will be strictly limited to such Vendor Personnel who are authorized by it to have such access and are necessary to the provision of the Services or creation of the Work Product.

II. Information Classification. Vendor will sufficiently classify, categorize and/or tag Unity Personal Data and Unity Resources such that Vendor is able to appropriately restrict access thereto.

III. Trusted Device Standards. Vendor personnel will:

A) Use trusted devices that are configured with security software (i.e., anti-virus, anti-malware, encryption, etc.) and protected against corruption, loss, or disclosure;

B) Follow Unity’s trusted device standards when accessing or having control over Unity Personal Data or Unity Resources. The trusted device standard specifies the requirements that user devices (“Devices”) must satisfy to be trusted when processing Unity Personal Data or using or accessing Unity Resources. Unity’s trusted device standards include, at a minimum, the following requirements:

i. Each Device must be uniquely associated with a specific, individual user;

ii. Devices must be configured for automatic patching. All OS and application security patches must be installed within four (4) weeks of release. Devices may be required to immediately install emergency patches as necessary;

iii. Devices must be encrypted (i.e., full disk, endpoint encryption) and secured with a password/PIN screen lock with the automatic activation feature set to ten (10) minutes or less. Users must lock the screen or log off when the Device is unattended;

iv. Devices must not be rooted or jailbroken;

v. Devices must be periodically scanned for restricted or prohibited software (e.g., peer-to-peer sharing and social media apps); and

vi. Devices must run an acceptable industry standard anti-malware solution. On-access scan and automatic update functionality must be enabled.

C) Take measures to prevent accidental exposure of Unity Personal Data (e.g., using privacy filters on laptops when in areas where over-the-shoulder viewing of Unity Personal Data or Unity Resources is possible) and prevent unauthorized access to any Unity Personal Data or Unity Resources (e.g., refrain from sharing usernames and passwords).