Data Security Policy
Data Security Policy
Last edit: December 22 2022
This Data Security Policy describes the measures Vaultody takes to protect Customer Data when Customer uses the Subscription Service. This Data Security Policy forms a part of any legal agreement into which this Data Security Policy is explicitly incorporated by reference (the “Agreement”) and is subject to the terms and conditions of the Agreement. Capitalized terms that are not otherwise defined herein shall have the meaning given to them in the Agreement.
1. SECURITY PROGRAM
While providing the Subscription Service, Vaultody shall maintain a written information security program of policies, procedures and controls (“Security Program”) governing the processing, storage, transmission and security of Customer Data. The Security Program includes industry standard practices designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction. Vaultody may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the commitments, protections or overall level of service provided to Customer as described herein.
2. PHYSICAL, TECHNICAL AND ADMINISTRATIVE SECURITY MEASURES
The Security Program shall include the following physical, technical and administrative measures designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction:
2.1. Physical Security Measures (a) Data Center Facilities: (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (for example, Contract Number: fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor. (b) Systems, Machines and Devices: (i) Physical protection mechanisms; and (ii) entry controls to limit physical access. (c) Media: (i) Industry standard destruction of sensitive materials before disposition of media; (ii) secure safe for storing damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Customer Data.
2.2. Technical Security Measures (a) Access Administration. Access to the Subscription Service by Vaultody employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationship. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections, complex passwords with expiration dates, and a two-factored authenticated connection) and is accessible for administration. (b) Logging and Monitoring. The production infrastructure log activities are centrally collected and are secured in an effort to prevent tampering and are monitored for anomalies by a trained security team. (c) Firewall System. An industry-standard firewall is installed and managed to protect Vaultody systems by residing on the network to inspect all ingress connections routed to the Vaultody environment. (d) Vulnerability Management. Vaultody conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Vaultody will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Vaultody's then current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems. (e) Antivirus. Vaultody updates anti-virus, anti-malware, and anti-spyware software on regular intervals and centrally logs events for effectiveness of such software. (f) Change Control. Vaultody ensures that changes to platform, applications and production infrastructure are evaluated to minimize risk and are implemented following Vaultody’s standard operating procedure.
2.3. Administrative Security Measures (a) Data Center Inspections. Vaultody performs routine reviews at each data center to ensure that it continues to maintain the security controls necessary to comply with the Security Program. (b) Personnel Security. Vaultody performs background and drug screening on all employees and all contractors who have access to Customer Data in accordance with Vaultody’s then current applicable standard operating procedure and subject to applicable law. (c) Security Awareness and Training. Vaultody maintains a security awareness program that includes appropriate training of Vaultody personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at Vaultody. (d) Vendor Risk Management. Vaultody maintains a vendor risk management program that assesses all vendors that access, store, process or transmit Customer Data for appropriate security controls and business disciplines.
3. DATA PROTECTION AND SERVICE CONTINUITY
3.1. Data Centers; Data Backup. Vaultody shall host Customer’s instances in a Cloud based service. Vaultody encrypts the whole HTTP traffic between the Customer and the Subscription Service with TSL 1.3 certificates issued by the Cloud service provider. Vaultody shall encrypt the internal traffic between Vaultody’s applications with TSL 1.3 certificates issued by the Cloud service provider. Vaultody is using Cloud based private networks and the application services which store sensitive information are not exposed outside those networks. All Customer Data information is transferred through SSL encrypted connection. Vaultody performs automated daily snapshot backups of Customer Data as well as full weekly backup. Backups are implemented by the Cloud service provider Backup and Restore functionality.
3.2. Personnel. In the event of an emergency that renders the customer support telephone system unavailable, all calls are routed to an answering service that will transfer to a Vaultody telephone support representative, geographically located to ensure business continuity for support operations.
4. INCIDENT MANAGEMENT AND BREACH NOTIFICATION
4.1. Incident Monitoring and Management. Vaultody shall monitor, analyze and respond to security incidents in a timely manner in accordance with Vaultody’s standard operating procedure. Depending on the nature of the incident, Vaultody security group will escalate and engage response teams necessary to address an incident.
4.2. Breach Notification. Unless notification is delayed by the actions or demands of a law enforcement agency, Vaultody shall report to Customer the unauthorized acquisition, access, use, disclosure or destruction of Customer Data (a “Breach”) promptly following determination by Vaultody that a Breach occurred. The initial report shall be made to Customer security contact(s) designated in Vaultody’s customer support portal. Vaultody shall take reasonable measures to promptly mitigate the cause of the Breach and shall take reasonable corrective measures to prevent future Breaches. As information is collected or otherwise becomes available to Vaultody and unless prohibited by law, Vaultody shall provide information regarding the nature and consequences of the Breach that are reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus.
4.3. Customer Cooperation. Customer agrees to cooperate with Vaultody in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, identify its root cause(s) and prevent a recurrence.
5. PENETRATION TESTS
Vaultody pennant and security tests are part of the testing environment. During development and testing, Vaultody is are using tools like https://brakemanscanner.org/docs/introduction/.
6. SHARING THE SECURITY RESPONSIBILITY
6.1. Product Capabilities. The Subscription Service has the capabilities to: (i) authenticate users before access; (ii) encrypt passwords; (iii) allow users to manage passwords; and (iv) prevent access by users with an inactive account. Customer manages each user’s access to and use of the Subscription Service by assigning to each user a credential and user type that controls the level of access to the Subscription Service.
6.2. Customer Responsibilities. Vaultody provides, through the Cloud the cloud environment that permits Customer to use and process Customer Data in the Subscription Service. The architecture in the Subscription Service includes, without limitation, column level encryption functionality and the access control list engine. Customer shall be responsible for using the column level encryption functionality and access control list engine for protecting all Customer Data containing sensitive data, including without limitation, credit card numbers, social security numbers, financial and health information, and sensitive personal data. Customer is solely responsible for the results of its decision not to encrypt such sensitive data. Vaultody protects all Customer Data in the Vaultody cloud infrastructure equally in accordance with this Data Security Policy, regardless of the classification of the type of Customer Data. Customer shall be responsible for protecting the confidentiality of each user’s login and password and shall manage each user’s access to the Subscription Service.
6.3. Customer Cooperation. Customer shall promptly apply any application upgrade that Vaultody determines is necessary to maintain the security, performance or availability of the Subscription Service.
6.4. Limitations. Notwithstanding anything to the contrary in the Agreement or this Data Security Policy, Vaultody’s obligations extend only to those systems, networks, network devices, facilities and components over which Vaultody exercises control. This Data Security Policy does not apply to: (i) information shared with Vaultody that is not data stored in its systems using the Subscription Service; (ii) data in Customer’s virtual private network (VPN) or a third party network; or (iii) any data processed by Customer or its users in violation of the Agreement or this Data Security Policy.