Effective Date: January 22, 2026
DATA SECURITY TERMS
Where the Applicable Product Terms state that Discord will act as a Processor of Personal Data, subject to the Data Processing Agreement - Discord as a Processor (https://support.discord.com/hc/en-us/articles/37891902561687-Data-Processing-Agreement-Discord-as-a-Processor), Discord will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
1. Discord has agreed to employ appropriate technical and organizational measures to protect against unauthorized or unlawful Processing of Data and against accidental loss or destruction of, or damage to, Personal Data (“Information Security Program”).
2. Discord’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Data (“Data Personnel”). Discord’s security requirements cover the following areas:
a. Information Security Policies and Standards. Discord will maintain information security policies, standards, and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. These policies, standards, and procedures shall be designed and implemented to:
i. Prevent unauthorized persons from gaining physical access to Personal Data Processing systems (e.g. physical access controls);
ii. Prevent Personal Data Processing systems from being used without authorization (e.g. logical access control);
iii. Ensure that Personnel gain access only to such Personal Data as they are entitled to access (e.g. in accordance with their access rights) and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
iv. Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Personal Data by means of data transmission facilities can be established and verified (e.g. data transfer controls); and
v. Ensure that all systems that Process Personal Data are the subject of a vulnerability management program that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
b. Physical Security. Discord will maintain commercially reasonable security systems at all Discord sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) and will reasonably restrict access to such Processing Locations or require that Processing Locations have implemented reasonable restrictions to access.
c. Organizational Security. Discord will maintain information security policies and procedures addressing:
i. Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
ii. Incident Response. All Personal Data security incidents are managed in accordance with appropriate incident response procedures.
d. Network Security. Discord maintains commercially reasonable information security policies and procedures addressing network security.
e. Access Control (Governance).
i. Discord governs access to information systems that Process Personal Data.
ii. Only authorized Discord staff can grant, modify or revoke access to an information system that Processes Personal Data.
iii. Discord implements commercially reasonable physical and technical safeguards to create and protect passwords.
f. Virus and Malware Controls. Discord protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
g. Personnel.
i. Discord has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting.
ii. Personnel who have access to Personal Data strictly follow established security policies and procedures. Disciplinary process is applied if Personnel who have access to Personal Data fail to adhere to relevant policies and procedures.
iii. Discord shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Personal Data.