Security Statement

Our users entrust us with their data and expect the highest levels of security. We take our users’ security and privacy concerns extremely seriously and strive to ensure that user data is kept secure.

This Security Statement aims to create transparency about our security infrastructure and practices in order to help reassure you that your data is appropriately protected.

1 – Application and User Security
•   SSL/TLS Encryption: Clients have the option to opt for an SSL/TLS certificate. This protects communications by using both server authentication and data encryption and ensures that user data in transit is safe, secure, and available only to intended recipients.

•   User Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. We issue a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.

•   User Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.

•   Data Encryption: Certain sensitive user data and account passwords are stored in encrypted format.

•   Privacy: We have a comprehensive privacy policy that provides a very transparent view of how we handle your data.

•   Third Party Security Certification: Vulnerability Scans & Penetration Testing are performed by Certified Third Parties at specific intervals to certify the security of our application platform.

2 – Physical Security
•   Data Centers: Our information systems infrastructure (servers, networking equipment, etc.) is hosted on AWS (Amazon Web Services). AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two‐factor authentication a minimum of two times to access data center floors. All visitors and contractors are signed in and continually escorted by authorized staff.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

•   Assurance: Our provider meets the following Assurance Programs: PCI DSS Level 1, SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, IRAP, CJIS, CSA, FERPA, HIPAA, FedRAMP, DoD CSM Levels 1-2, 3-5, DIACAP and FISMA, ISO 27001, MTCS Tier 3, ITAR, MPAA, G-Cloud, and Section 508/VPAT.

•   Fire Detection and Suppression: Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet‐pipe, double‐interlocked pre‐action, or gaseous sprinkler systems.

•   Power: The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back‐up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back‐up power for the entire facility.

•   Climate and Temperature: Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

•   Storage Device Decommissioning: When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22‐M (“National Industrial Security Program Operating Manual”) or NIST 800‐88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry‐standard practices.

•   Location: All user data is stored on servers located in the United States.

•   Company Facilities: Buildings are staffed by a 24/7 security officer, who checks in regularly at NFC checkpoints located throughout the facility. Access to our floor is controlled via proximity badge outside of working hours.

3 – Availability
•   Connectivity: Fully redundant IP network connections, with multiple independent connections to a range of Tier 1 Internet access providers.

•   Power: Servers have redundant internal and external power supplies. The data center has backup power supplies and is able to draw power from multiple substations on the grid, several diesel generators, and backup batteries.

•   Uptime: Continuous uptime monitoring, with immediate escalation to our Network Operations Team for any downtime.

•   Failover: Our database is replicated and log-shipped to standby servers and can fail over in less than 30 minutes.

4 – Network Security
•   Secure Network Architecture: Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed.

•   Uptime: Continuous uptime monitoring, with immediate escalation to our Network Operations Team for any downtime.

•   Testing: System functionality, security and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.

•   Firewall: Firewall restricts access to all ports except 80 (http) and 443 (https).

•   Patching: The latest security patches are applied to all operating systems, database engines, and application files to mitigate newly discovered vulnerabilities.

•   Access Control: Secure VPN and role-based access is enforced for systems management by authorized staff.

•   Logging and Auditing: Central logging systems capture and archive all systems.

•   Corporate Segregation: Logically, the production network is separated from the Corporate Network. All authorized users connect to the production environment via a private key.

5 – Storage Security
•   Backup Frequency: We back up several times a day to a centralized backup system for storage in multiple geographically disparate sites.

•   Production Redundancy: Data is stored in Amazon EBS (Elastic Block Store) and striped across multiple Amazon EBS volumes.

6 – Organizational & Administrative Security
•   Employee Screening: We perform background screening on all employees.

•   Training: We provide security and technology use training for employees.

•   Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.

•   Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.

•   Audit Logging: We maintain and monitor audit logs on our services and systems.

•   Information Security Policies: We employ a Certified Information Systems Security Professional to maintain our internal/external information security policies, including incident response plans, and regularly review and update them.

7 – Software Development Practices
•   Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding. Our code is tested for security vulnerabilities in staging before being pushed into production.

8 – Handling of Security Breaches
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if we learn of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulations, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.

9 – Your Responsibilities
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any data you download to your own computer away from prying eyes. We offer SSL as an option to secure the transmission, but it is your responsibility to ensure that the service is requested if secure transmission between your customer and our application is of importance to you.

Questions regarding this statement may be sent to security@fuelcycle.com