Touchpoint Dashboard Position on Data Protection

We take confidentiality and security very seriously. We understand the sensitive nature of your information. Here is a summary of our position on this topic based on data from our subscription agreement, internal policy manual, and our third-party hosting partners.

From our Subscription Agreement

4.2. Our Protection of Your Data. We shall maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data. We shall not (a) modify Your Data, (b) disclose Your Data except as compelled by law in accordance with Section 8.3 (Compelled Disclosure) or as expressly permitted in writing by You, or (c) access Your Data except to provide the Services and prevent or address service or technical problems, or at Your request in connection with customer support matters.

8.1. Definition of Confidential Information.  As used herein, “Confidential Information” means all confidential information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Your Confidential Information shall include Your Data.

8.2. Protection of Confidential Information.  The Receiving Party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) (i) not to use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) except as otherwise authorized by the Disclosing Party in writing, to limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees, contractors and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein.

What else we do at Touchpoint Dashboard

  • We use automated database backups stored in a secure and encrypted vault.

  • We monitor backups to verify they are complete

  • We label backup media appropriately, to avoid errors or data exposure.

  • We perform regular patching of our code base to improve security and functionality.

  • Internal passwords are stored in a secure password management tool accessible only to authorized programming staff

  • Access to any servers is key-based and only granted to authorized personnel

  • We use CSRF tokens for form data authentication

  • We use a REST interface that only allows the needed operations for each endpoint and checks the user’s login status for every request

  • We store all customer data within the US, including backups.

  • We will not access customer confidential data from outside of the United States.

  • We have a policy that prohibits sharing of individual accounts and passwords.

  • We have a policy that implements the following Information Security concepts: need to know, least privilege and checks and balances.

  • We have termination or job transfer procedures that immediately protect information against unauthorized access.

  • We have implemented web application firewall protection.

  • We have implemented host firewall protection.

  • Based on user authentication, each user needs to be logged in to access their own data

  • We ensure that remote access is only possible over secure connections.

  • We use separate physical and logical development, test, and production environments and databases.

  • We secure test environments using, at a minimum, equivalent security controls as the production environment.

  • Any data in transit on our platform is encrypted with at least TLS 1.2

  • We have password-protected screen savers that activate automatically when idle, to prevent unauthorized access, on computers used by the system’s support users.

  • We have changed or disabled all vendor-supplied default passwords or similar “published” access codes for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products.

  • We use passwords that are a minimum of 10 characters, expire at least annually, and have complexity requirements.

  • We ensure that passwords are never stored in clear text or are easily decipherable.

  • We check all systems and software to determine whether appropriate security settings are enabled.

  • We manage file and directory permissions following least privilege and need-to-know practices.

  • We authenticate all user access with a password, a key/token, or biometric methods.

  • We do not use production data for development or testing unless it has been sanitized.

  • We limit access to development and test environments to personnel with a need to know.

  • We set the account lockout feature for successive failed logon attempts on all of the system’s support computers.

  • We have implemented protections for Common Vulnerabilities and Exposures (CVEs) in a timely manner to protect from exploits.

  • We ensure that application, server, and database software technologies are kept up-to-date with the latest security patches.

  • We immediately remove, or modify, access when personnel terminate, transfer, or change job functions.

  • We achieve individual accountability by assigning unique IDs and prohibiting password sharing.

  • We ensure that critical data, or systems, are accessible by at least two trusted and authorized individuals, in order to limit having a single point of service failure.

  • We ensure that staff have the authority to only read or modify those programs, or data, which are needed to perform their duties.

  • We perform vulnerability scanning at least quarterly.

  • We use a third-party service to defend against Distributed Denial of Service (DDoS) and other web attacks.

How we control access to and store user-uploaded files

We have role-based access levels for uploading and downloading files:

  1. Licensed users who created the project or licensed users who were invited to the project with an Editor or Manager role can download and upload project files.

  2. Unlicensed users cannot create projects, but can be invited to projects with the Viewer role. They can only download project files.

  3. Users who were not invited to the project cannot access the project or its attached files.

Touchpoint Dashboard stores files encrypted on Amazon’s S3 storage service in a private vault, which has 99.99% durability.

References

http://aws.amazon.com/s3/faqs/#How_secure_is_my_data

http://aws.amazon.com/s3/faqs/#How_durable_is_Amazon_S3