Data Security & Business Resiliency Statement
Last updated: 8 Oct 2019
We value the trust you place in us as custodians of your data. We take seriously our responsibility to protect and secure your information and our business data.
We strive for complete transparency throughout the company, so we’ve published this overview to help our users better understand how we handle Data Security and Resiliency.
Propared’s technical infrastructure is hosted by Microsoft Azure. Physical security controls at our data centers include 24×7 monitoring, cameras, visitor logs, and entry requirements.
Your data is encrypted in transit and at rest.
Backups and Resiliency
Your data is stored redundantly and backed up regularly.
Our servers automatically store multiple copies across independent sub-systems and multiple locations. Point-in-time-restore backups occur automatically, and are retained for 35 days.
Data is automatically replicated to geographically dispersed regions in multiple data centers.
Additional redundancy and resiliency are built into the application architecture, including (but not limited to) dynamic routing of traffic to avoid network congestion, application load balancing, and automatic failover.
Access & Password Controls
Our internal password policy requires complexity and regular password changes. Propared grants access on a need-to-know basis following least-privilege rules, regularly reviews permissions, and revokes access immediately upon employee termination.
Propared users are required to use strong passwords (at least 16 characters).
Propared partners with a reputable third-party credit card processor that is compliant with the Payment Card Industry Data Security Standard (PCI DSS Level 1). Sensitive data is stored using several layers of encryption and encrypted in transit, with encryption keys that are regularly rotated or newly generated daily. You can read more about our payment processors here and here.
Propared maintains its information security policies and reviews them annually. Employees must acknowledge and agree to our policies on an annual basis.
Propared communicates its information security policies to all personnel and requires all employees to sign non-disclosure agreements. Additionally, Propared conducts background screenings at the time of hire for all job roles identified as “critical” (to the extent permitted or facilitated by applicable laws and countries).
Propared was intentionally built upon PaaS-based services to ensure all servers and infrastructure automatically receive the latest patches and software updates, helping to ensure the highest possible resilience against security threats and system vulnerabilities.
Our development team employs secure coding techniques and best practices. Developers are formally trained in secure web application development practices.
Propared maintains separate and dedicated development, testing, and production environments. All code changes are peer reviewed and logged for performance, auditing, and forensic purposes prior to deployment to production — and to allow for immediate rollback if necessary.
Incident Management & Response
Propared maintains incident response policies and procedures covering the initial response, investigation, customer notification, public communication, and remediation. These policies are reviewed regularly, and updated as necessary following any incidents.
Despite best efforts, we cannot guarantee absolute security. No method of data transmission over the Internet, and no method of electronic storage, is perfectly secure.
However, if Propared learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country and state laws and regulations, as well as any industry rules or standards applicable to us.
We are committed to keeping our customers fully informed of any matters relevant to the security of their accounts, and to providing all customers the necessary information for them to meet their own regulatory reporting obligations.
Keeping your data secure also requires that you maintain the security of your account by using sufficiently complex passwords and storing them safely. You should also ensure that you have sufficient security on your own systems and hardware, and never share your username and password with others.
Want to know more?
If you have any other security-related questions, please reach out to us at firstname.lastname@example.org