Security Policy
Last Updated: September 8, 2020
Unless otherwise defined herein, capitalized terms have the meanings ascribed to such terms in the Master Services Agreement (MSA).
A. Customer Responsibilities
- Customer will, at Customer’s discretion, either (a) incorporate the Olo Privacy Policy into, or link to the Olo Privacy Policy from, Customer’s digital ordering websites and/or applications; or (b) provide on Customer’s digital ordering websites and applications Customer’s own privacy policy which complies with applicable legal requirements and regulations and is consistent with the terms of the Olo Policy.
- Customer will, at Customer’s discretion, either (a) incorporate the Olo Terms of Use into, or link to the Olo Terms of Use from, Customer’s digital ordering websites and applications; or (b) provide on Customer’s digital ordering websites and applications Customer’s own terms of use agreement to End Users, which terms of use shall require End Users to accept responsibility for safeguarding End Users’ account credentials, and for any activity performed using the End User’s account credentials (Customer’s own user agreement, together with Customer’s own privacy policy, the “Customer Policies”).
- Customer Policies shall include provisions at least as protective of Olo as the provisions of the Olo Privacy Policy. Olo will notify Customer of any material changes to the Olo Privacy Policy that are reasonably likely to require a corresponding change in Customer Policies. Customer shall be responsible for any claims arising out of Customer Policies, for any actions or inactions of its End Users, and for any activity performed using the End User’s account credentials.
- Customer may request that Olo make Customer Data available to Customer Third Party Providers in accordance with the process set forth in the Master Services Agreement. If Olo receives a request from a Customer Third Party Provider to share certain Customer Data with such Customer Third Party Provider, Olo will notify the Customer representative, as designated in the Order Form. Upon authorization, Olo will provide Customer Third Party Provider with access to such Customer Data.
- Customer will not, will not attempt to, and will not assist or knowingly permit any third party to: (i) except as otherwise expressly permitted by Olo copy, reproduce, distribute, republish, download, display, modify, disassemble, decompile, reverse engineer, or create derivative works of any Licensed Application (or portion thereof); (ii) breach, break, decrypt, disable, interfere with, or develop or use any workaround for, or otherwise misuse or damage, any Licensed Application; (iii) copy, distribute, sell, resell, or exploit for any commercial purposes any portion of the Licensed Applications; (iv) use any manual or automated software, devices or other processes, including, without limitation, spiders, robots, scrapers, data mining tools, and the like, to “scrape” or download data from any web pages contained in the Licensed Applications; (v) use your access to the Licensed Applications to assist you or a third party, including, but not limited to, a Customer Third Party Provider, in building a competing or similar website, application or service; or (vi) provide access to the Licensed Applications to an unauthorized third party by any means, including but not limited to the sharing of login information or credentials. Customer will take all reasonable measures to ensure appropriate safeguards and protections for such credentials, and will be solely responsible for any acts or omissions of an unauthorized third party resulting from such third party's access to the Licensed Applications. Olo will have the right to revoke Customer's access to the Licensed Applications at any time and at its sole discretion if Olo reasonably suspects Customer of violating this Section 5.
B. Olo Responsibilities
- Olo will collect, use, disclose and otherwise process End User PII to provide the Services.
- Olo will maintain an End User-viewable Privacy Policy which shall detail to End Users how End User PII is handled in connection with the Services and End Users’ responsibilities with respect to the Services. Customer agrees that Olo will require End Users to accept responsibility for safeguarding End Users’ account credentials, including their passwords, and for any activity performed using the End User’s account credentials. Olo shall not be liable to Customer or any End User for any activity in End Users’ accounts that is authenticated by login credentials established by the End User to whom the account pertains.
- Olo has in place a comprehensive, written information security program designed to protect the information under its custody, management or control, including all PII, from unauthorized access, use, disclosure, and loss and theft, using industry standard security practices and technologies. Olo's information security program includes the following safeguards: (a) secure business facilities, data centers, servers, and back-up systems and disaster recovery; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) encryption of PII placed on any electronic notebook, portable hard drive or removable electronic media with information storage capability, such as compact discs, USB drives, flash drives, tapes; (e) encryption of PII in transit over public networks; (f) segregating PII from information of other clients of Olo; and (g) personnel security and integrity including, but not limited to, background checks consistent with applicable law and the requirements of this Agreement.
- Olo will regularly, but in no event less than annually, evaluate the effectiveness of its information security program and shall promptly adjust and/or update such programs as reasonably warranted by the results of such evaluation.
- All Olo personnel with access to PII are provided appropriate information security and privacy training regarding Olo's obligations and restrictions under this Agreement and compliance with applicable laws and Olo's information security program.
C. Breaches of Security
- “Breach of Security” means any loss, misuse, disclosure of, or unauthorized access to PII under Olo’s custody, management or control that materially compromises the privacy, security, integrity or availability of the PII.
- Olo will promptly notify Customer of any Breach of Security by email to the Customer designee listed in the Order Form. The notification will include an explanation of any actions Olo determines it must take in response to a Breach of Security.
- Customer shall promptly notify Olo by email at Security@olo.com of any suspicious activity in connection with the Services, which Customer detects or of which Customer becomes aware, that may indicate an actual or suspected Breach of Security is occurring or has occurred. The notification should include an explanation of any actions Customer determines it must take in response to such actual or suspected Breach of Security.
- Olo will reasonably cooperate with Customer to mitigate any harm caused by a Breach of Security, and will take all steps that Olo determines are reasonably necessary or appropriate to isolate, investigate, and remediate the effects of such occurrence, ensure the protection of those End Users that are affected or likely to be affected by such occurrence, prevent the recurrence of any such Breach of Security, and comply with applicable laws.
- Olo may determine that responding to a Breach of Security requires Olo to suspend the Services. When this occurs, Olo will notify Customer of such suspension as soon as reasonably practicable. Any suspension under this Section 5 shall not be considered Downtime as defined under the Digital Ordering Terms & Conditions Addendum, if applicable to Customer’s use of the Services.
- Olo may determine that responding to a Breach of Security requires Olo to communicate directly with End Users by email, in-app or in-site messages, or other means, regarding actions that End Users must take to enable Olo to respond to a Breach of Security, including without limitation, resetting End Users’ login credentials. Olo will undertake such actions in its sole discretion.
- Except in the event a Breach of Security is directly caused by Olo’s action or omission, Olo will provide reasonable additional assistance under this Section 7 as reasonably requested by Customer, at Customer’s expense.
- Customer shall be responsible for determining whether any notification to End Users, regulators, law enforcement authorities, or other third parties is required in response to any Breach of Security, and for providing any such notifications. Customer may request that Olo notify affected End Users of a Breach of Security, in which case Olo will provide such notice to End Users solely using the contact information which End Users have provided in connection with the Services.
- To the extent a Breach of Security results directly from Olo’s action or omission, Olo will promptly reimburse Customer for all reasonable and documented costs actually incurred by Customer in notifying affected End Users and providing credit monitoring to End Users to the extent that notification and/or credit monitoring are required by applicable law or the parties agree in good faith that notification and/or credit monitoring is appropriate under the circumstances. The parties agree that credit monitoring is not appropriate unless the Breach of Security has materially compromised End Users’ government-issued identification numbers or financial account numbers.
D. PCI-DSS
- At all times during the duration of the Agreement, Olo shall be fully compliant with the Payment Card Industry Data Security Standards ("PCI DSS").
- At all times during the duration of the Agreement, Olo shall comply with all applicable rules and guidelines regarding service providers, third-party agents and processors as issued by the Card Associations (the "Card Rules”), as updated from time to time, and including Card Rules applicable to U.S. credit card transactions. The term “Card Associations” means MasterCard, VISA, American Express, Discover, or any other credit card brand or payment card network for or through which Olo processes payment card transactions on behalf of Customer.
- Olo shall validate its PCI DSS compliance as required by the applicable Card Rules. As of the date set forth below, Olo has complied with all applicable requirements to be considered compliant with PCI-DSS, and has performed all necessary steps to validate its compliance with the PCI-DSS. Without limiting the foregoing, Olo represents and warrants that it (i) undergoes yearly On-Site PCI Data Security Assessments ("Annual Assessment") by a qualified security assessor (“QSA”) and pursuant to its most recent Annual Assessment, it is currently certified as compliant with the current version of PCI DSS by the QSA; (ii) undergoes a quarterly network scan ("Scan") by an approved scanning vendor and that it has passed its most recent Scan.
- Olo shall notify Customer within seven (7) days if it (i) receives a non-compliant Annual Assessment from a QSA, (ii) fails to complete any Annual Assessment prior to the expiration of the previous year's Annual Assessment, or (iii) is no longer in compliance with PCI DSS; provided that Olo shall first have a remediation period of thirty (30) days (“the Cure Period”) to come into compliance with PCI DSS after determining it is noncompliant, and if Olo cures such noncompliance within the Cure Period, Olo shall not be required to notify Customer hereunder.
- Olo agrees to supply evidence of its most recent Annual Assessment prior to or upon execution of this Agreement. Thereafter, Olo, upon Customer’s reasonable request, shall supply to Customer evidence of Olo's successful completion of its Annual Assessment.
- For the avoidance of doubt, and notwithstanding the foregoing, Customer shall be solely responsible for ensuring compliance with PCI DSS (a) of its custom built front end websites, mobile applications, or other web properties, or (b) to the extent Customer has incorporated any custom, non-standard software code into Olo’s standard white label front end website offering. Olo shall have no obligation to monitor such custom web properties for compliance with PCI DSS or to notify Customer of any noncompliance.
E. Security Vulnerabilities
If you believe you have found a security vulnerability in one of our products or our services, or if you have found sensitive Olo data outside of our systems, you may reach the Olo security team at security@olo.com. The Olo security team can provide various methods to encrypt sensitive communications.