Security and privacy overview

Production infrastructure is monitored to identify availability, reliability, and security concerns.

Automatic backups support customer data recovery and service continuity.

Production systems can only be remotely accessed by authorized employees with valid MFA.

Remote production access requires approved encrypted connections.

Sensitive customer data is prohibited from being used or stored in non-production environments.

Network segmentation helps prevent unauthorized customer data access.

Production network access requires unique credentials or authorized SSH keys.

Systems and applications require unique user authentication or authorized SSH keys.

A multi-location strategy supports recovery if a facility is unavailable.

Formal policies define requirements for vulnerability management and system monitoring.

Software delivery follows secure development practices throughout implementation and release.

Secrets are managed to reduce exposure of credentials, keys, and sensitive configuration.

Application inputs are validated to protect product workflows and customer data.

Background checks are performed for new employees.

Employees complete security awareness training within thirty days of hire and at least annually.

Contractors sign confidentiality agreements at engagement.

A formal inventory of production system assets is maintained.

Employees sign confidentiality agreements during onboarding.

Electronic media containing confidential information is purged or destroyed according to best practices.

BC/DR plans are documented and tested at least annually.

The incident response plan is tested at least annually.

Access is based on job role or documented manager-approved requests.

Backup and recovery requirements for customer data are documented.

Security and privacy incident response policies are documented and communicated.

Configuration procedures keep system configurations consistent.

Management oversees control design and implementation responsibilities.

Product and service descriptions are communicated to users.

Security policies are documented and reviewed at least annually.

Users can report failures, incidents, concerns, and complaints.

Security control responsibilities are formally assigned.

Data center access is reviewed at least annually.

A formal SDLC governs systems and technology changes.

Cybersecurity insurance mitigates financial impact from disruptions.

BC/DR plans include communication plans for security continuity.

The privacy policy communicates collection, obligations, rights, and contact points.

Formal retention and disposal procedures guide secure handling of data.

Privacy complaints are addressed, documented, tracked, and communicated.

The privacy policy is available before or when information is collected.

The privacy policy is reviewed when needed or when changes occur.

The policy explains jurisdictions, rights, data categories, collection, sources, and disclosures.

Deletion requests are validated, flagged, and completed under applicable requirements.

BC/DR communication plans support security continuity if key personnel are unavailable.

The documented BC/DR plan is tested annually.

PII collection is limited to the minimum necessary for its purposes.

PII is encrypted in transit.