Information Security and Data Integrity Policy
Last Updated: November 17, 2017
Zapproved Information Security and Data Integrity Policy
Zapproved maintains an Information Security Policy and Incident Response Plan that is documented and available to our customers in order to ensure the confidentiality and integrity of all customer information under our care. This policy is in place to protect customer information from loss, misuse, unauthorized access, disclosure, alteration or destruction.
- Zapproved classifies all customer data as our most sensitive and critical information classification (“Confidential and Proprietary Information”). No customer data will be disclosed to third parties without express written permission (unless required by law).
- Pre-defined types of data:
- Zapproved’s Information Security Policy applies to all employees, contractual third parties and agents of the company who have access to our information systems or application data.
- All personnel are subject to company non-disclosure and confidentiality requirements. New hires and contractors to be provided with access to customer data are subject to pre-employment ID verification and criminal background screening. All personnel, including employees and contractors, receive new-hire security training and regular security awareness training programs (at least annually).
- Information security policies are guided by the fundamental principle of least privilege. Least privilege protects our customer data by requiring that no individual, program or system be granted more access privileges than are necessary to perform a task.
- All personnel take precautions to protect sensitive and critical information in their possession, and will limit retention of any confidential customer data only as required to perform their personnel functions.
- All computer hardware and storage devices (including mobile devices) used for Zapproved business that may contain customer confidential and proprietary information will utilize encrypted storage and be protected by password authentication. All computers will have up-to-date antivirus software installed, and auto-update enabled to ensure the latest security patches are installed in a timely manner.
- Lost or stolen devices will be immediately reported to the CTO in accordance with Zapproved’s Incident Response Policy, and are subject to remote wipe facilities to prevent unauthorized access.
- Failure to comply with Zapproved’s Information Security policies, processes and procedures will be subject to disciplinary action, up to and including termination.
Data Center Standards
- All Zapproved applications and databases containing customer data will be hosted in Tier-4 data centers which adhere with industry-standard best practices, including ISO 27001 Framework and SOC 2 Type 2 Report/SAS-70 Type II security protocols in accordance with SSAE 16 professional standards.
- Physical access to computing facilities is strictly controlled to restrict access only to authorized personnel, including visitor sign-in and supervision, use of proximity-based access cards and biometric hand scanners (or similar approved security authentication methods), and monitored internal visual surveillance mechanisms.
- Environmental controls will be in place to minimize the effect of malfunction or physical disaster to any data facilities, including access to dedicated and redundant power supplies, HVAC, backup power, temperature and humidity monitoring, smoke and water detection monitoring, and central fire suppression systems.
Data Retention and Encryption
- All personnel shall take all necessary and practical actions to ensure the protection of customer data during transmission, retention and disposal.
- All customer information being transmitted to and from Zapproved applications and a customer’s web browser (data-in-transit) is done via HTTPS and TLS with encryption. Additionally, all customer information being retained (data-at-rest) is encrypted using unique encryption keys (256-bit encryption) and strict access control.
- Zapproved retains customer data solely at the discretion of our customers, with no automatic disposition or destruction of data. At any time, Customers can direct us to return and/or dispose of their data pursuant to their instructions.
- Access to Zapproved applications for creating, adding, managing and reporting of customer information is strictly limited to those with authorized user accounts to applications, and users are required to successfully log in to the application using an authenticated user password, user token or single sign-on.
- Zapproved relies on the password policies and practices of our customers to protect the integrity of their user passwords. Organizational requirements on user password strength (including minimum number of characters, required use of alphanumeric and/or special characters), password expiration time period, and password reuse can be configured on request.
- User passwords are stored using one-way encryption in hash-value format, and are not accessible to anyone other than the primary user (and accessible only via email sent to the user’s primary email address).
- Only authorized Zapproved employees have access to view read-only application audit and system logs.
- Only authorized Zapproved development staff have direct access to the application database, with access strictly controlled by two-factor authentication (via AWS IAM) and auditing.
- Authorized Zapproved Customer Support staff may be granted reporting access to applications for troubleshooting and other issues resolution in support of specific customer needs.
Application Development and Change Management
- All development processes follow software development best practices for secure applications, which include design reviews, threat modeling and completion of a risk assessment prior to any new deployment (including OWASP 10 standards).
- Zapproved maintains a complete audit trail of all application code changes, features and functionality changes; as well as a complete list of hardware and operating software, network infrastructure equipment, and system configurations.
- Application testing is performed on test data only; customer data will not be used or replicated (except for Disaster Recovery purposes), nor removed from the production environment without express approval of the customer.
Intrusion Detection and Prevention
- Zapproved applications utilize layered defenses, including border defenses, intrusion detection, reverse proxy defenses, and packet inspection systems (both monitoring and defense). Applications reside behind a firewall, and firewalls are always configured to only allow traffic inbound or outbound on only required ports.
- All application and database servers are maintained using the latest software versions, including utilizing the most-recent stable version and patch level, as well as current industry-standard antivirus and anti-spyware detection and repair software. Applications are further protected and tested against a wide variety of security vulnerabilities, including cross-site scripting and forgery safeguards, anti-phishing barriers, and tamper-resistant cookies.
- Zapproved routinely monitors application performance, system availability, and audit log activities for abnormalities that may signal a data intrusion attempt or data compromise.
- Network vulnerability and penetration testing is performed routinely (including third-party assessment at least annually) using both manual and automated testing protocols.
Reports of and Response to Security Breach
- Zapproved maintains a dedicated Security Incident Response Plan for identifying and responding to security incidents (whether incidents occur within our hosting provider networks or within our own facilities and/or computer equipment).
- Customers are to be notified as soon as possible (within 24 hours or less of any suspected breach), to include details of the incident, what data may have been affected, what information is available from our own analysis and hosting provider, and all documentation available in connection with the event.
- Our hosting provider, as part of our terms of service, will immediately report any known or suspected unauthorized access or release of customer information, and continually monitor their network via host intrusion detection systems (IDS) and intrusion prevention systems (IPS).
- Our customers have a responsibility to immediately notify Zapproved of any known or suspected security incident or concern.
Business Continuity Planning
- All applications and database content are backed up on a daily basis, including off-site redundancy to geographically dispersed data centers. (Zapproved applications data is retained only in US domestic data centers).
- Industry best practices are utilized to ensure rapid data and services recoverability, with recovery time objective (RTO)/recovery point objective (RPO) no longer than 8 hours. Active logging of all transactions and mirrored production systems in place would prevent loss of data in the event of a catastrophic event. Further, when the system is unavailable for any reason, new transactions are blocked (thereby preventing any new transactional data from being lost from a recovery point).
- Our business continuity is protected against pandemic risk through SaaS architected applications that utilize redundant data centers and remote access control.
Privacy Shield Policy
- Zapproved certifies that it adheres to the EU-US and Swiss-US Privacy Shield Principles as formerly issued by the U.S. Department of Commerce as a Data Processor. Our EU-US and Swiss-US Privacy Shield Policy outlines our specific policies and manner of compliance.
- As required by international privacy obligations, Zapproved ensures that Personal Information being provided to Zapproved as a Data Processor is protected against loss, misuse, unauthorized access, disclosure, alteration and destruction.
- All customer information remains under the ownership and control of our customers. Zapproved receives such information from our customers merely as a Data Processor on behalf of our customers, and our customers are contractually obligated to ensure all information provided to Zapproved has been acquired and managed in accordance with applicable data protection laws.
- Zapproved requires its customers to maintain appropriate procedures for handling individuals’ requests to access, correct or delete their Personal Information, in accordance with applicable law.
Confidentiality and Privacy Statement
- Vendors and third-party sub-service organizations utilized by Zapproved that use or have access to Zapproved Confidential and Private Information must have Confidentiality and Privacy controls in place that are no less stringent than the controls that they use to protect their own confidential and private information (and in no event no less stringent that a reasonable standard of care).
- Vendors and third-party sub-service organizations will not disclose Zapproved Confidential and Private Information during the contract term and for a minimum of two years thereafter. Vendors and third-party sub-service organizations will take all reasonable measures to avoid disclosure, dissemination or unauthorized use of Zapproved Confidential and Private Information, including, at a minimum, measures taken by the vendor to protect their own confidential and private information of a similar nature. Vendors and third-party sub-service organizations will not issue any press release or make any other public communication with respect to agreements with Zapproved without prior authorization.
- Zapproved reviews vendor and sub-service organizations vendor agreements at time of contracting and each renewal to verify that the Confidentiality and Privacy terms are consistent with Zapproved’s current practices. Any changes to such terms shall be reflected on the Zapproved website and shall be notify to vendors and sub-service organizations at time of renewal.