Our data will NOT be communicated or shared informally, nor will it be transferred outside the company. Data will not be distributed to any other party except for the data’s owner (the client) and designated internal personnel who require access in order to deliver information to our clients.
Protection of our Amazon AWS Environment
Our data will be stored within an Amazon VPC with layer-based protection. The VPC is protected by internet gateway controls. Once a user’s IP address is approved, they will then need to login with a unique ID which will allow us to trace every login and login attempt to an individual (users will not be able to cache these credentials). The list of those approved to access our protected VPC will be checked quarterly, and those who no longer require access will have their accounts removed. Multifactor authentication will also be necessary for anyone attempting to access our AWS environment. Users have been assigned to IAM security groups to restrict access so that once they are in the AWS environment they will only be allowed to view information to which they have been granted access.
Protection of our Data, Database and API
The data within our database will be protected according to Amazon policy. All data in transit will be protected by SSL certificates (HTTPS). This protection will be enforced on all applicable external endpoints used by customers as well as internal communication channels and operational tooling.
The database will be protected by defense in depth security measures. We will ensure archived data is stored securely and for no longer than the client desires. We will create a record of data processing activities such as specific data fields and how they are collected, processed, stored, used, shared, and disposed of to hold our developers accountable and to ensure we comply with Amazon regulations. This record will be updated regularly to ensure it is in keeping with Amazon policy.
We will also implement special measures to restrict access to PII Data. PII data for shipping purposes will be deleted within 30 days, or as necessary to calculate/remit taxes (as specified by Amazon policy). We will only use data to perform acceptable Amazon seller activities for which we are authorized to perform on behalf of our clients. PII data will be protected by AES 256-bit keys. PII data at rest will also be encrypted and stored cold.
Security Checks, Enforcement, and Updates
Regular inspections will be made to the architecture of our database to identify any potential weaknesses within our system. A log system will be used to monitor access and authorization, intrusion attempts, and configuration changes. Logs will be stored for at least 90 days. We have an incident response plan to detect and handle security incidents. The plan outlines protocols, solutions, and contact information in accordance with Amazon policy. We will review this plan every 6 months and after any major infrastructure or system change.
Lastly, the source code for our project will be securely stored within an EC2 instance within a protected VPN. The code will NOT be stored on Github or any other public site with credential-enabled access.