of Crypto APIs, Inc.
Updated: November 1, 2022
This Data Security Policy describes the measures Crypto APIs takes to protect Customer Data when Customer uses the Subscription Service. This Data Security Policy forms a part of any legal agreement into which this Data Security Policy is explicitly incorporated by reference (the “Agreement”) and is subject to the terms and conditions of the Agreement. Capitalized terms that are not otherwise defined herein shall have the meaning given to them in the Agreement.
While providing the Subscription Service, Crypto APIs shall maintain a written information security program of policies, procedures and controls (“Security Program”) governing the processing, storage, transmission and security of Customer Data. The Security Program includes industry standard practices designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction. Crypto APIs may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the commitments, protections or overall level of service provided to Customer as described herein.
2. PHYSICAL, TECHNICAL AND ADMINISTRATIVE SECURITY MEASURES
The Security Program shall include the following physical, technical and administrative measures designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction:
2.1. Physical Security Measures (a) Data Center Facilities: (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (for example, fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems, both localized and throughout the data center floor. (b) Systems, Machines and Devices: (i) Physical protection mechanisms; and (ii) entry controls to limit physical access. (c) Media: (i) Industry standard destruction of sensitive materials before disposition of media; (ii) a secure safe for storing damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Customer Data.
2.2. Technical Security Measures (a) Access Administration. Access to the Subscription Service by Crypto APIs employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationship. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections, complex passwords with expiration dates, and a two-factor authenticated connection) and is accessible for administration. (b) Logging and Monitoring. Production infrastructure log activities are centrally collected, are secured in an effort to prevent tampering, and are monitored for anomalies by a trained security team. (c) Firewall System. An industry-standard firewall is installed and managed to protect Crypto APIs systems by residing on the network and inspecting all ingress connections routed to the Crypto APIs environment. (d) Vulnerability Management. Crypto APIs conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Crypto APIs will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Crypto APIs’ then current vulnerability management and security patch management standard operating procedure, and only after such patch is tested and determined to be safe for installation in all production systems. (e) Antivirus. Crypto APIs updates anti-virus, anti-malware, and anti-spyware software at regular intervals and centrally logs events to assess the effectiveness of such software. (f) Change Control. Crypto APIs ensures that changes to the platform, applications and production infrastructure are evaluated to minimize risk and are implemented following Crypto APIs’ standard operating procedure.
2.3. Administrative Security Measures (a) Data Center Inspections. Crypto APIs performs routine reviews at each data center to ensure that it continues to maintain the security controls necessary to comply with the Security Program. (b) Personnel Security. Crypto APIs performs background and drug screening on all employees and all contractors who have access to Customer Data in accordance with Crypto APIs’ then current applicable standard operating procedure and subject to applicable law. (c) Security Awareness and Training. Crypto APIs maintains a security awareness program that includes appropriate training of Crypto APIs personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at Crypto APIs. (d) Vendor Risk Management. Crypto APIs maintains a vendor risk management program that assesses all vendors that access, store, process or transmit Customer Data for appropriate security controls and business disciplines.
3. DATA PROTECTION AND SERVICE CONTINUITY
3.1. Data Centers; Data Backup. Crypto APIs shall host Customer’s instances in a Cloud based service. Crypto APIs encrypts all HTTP traffic between the Customer and the Subscription Service with TLS 1.3, using certificates issued by the Cloud service provider. Crypto APIs shall encrypt the internal traffic between Crypto APIs’ applications with TLS 1.3, using certificates issued by the Cloud service provider. Crypto APIs uses Cloud based private networks, and the application services which store sensitive information are not exposed outside those networks. All Customer Data is transferred over an SSL-encrypted connection. Crypto APIs performs automated daily snapshot backups of Customer Data as well as a full weekly backup. Backups are implemented using the Cloud service provider’s Backup and Restore functionality.
3.2. Personnel. In the event of an emergency that renders the customer support telephone system unavailable, all calls are routed to an answering service that will transfer to a Crypto APIs telephone support representative, geographically located to ensure business continuity for support operations.
4. INCIDENT MANAGEMENT AND BREACH NOTIFICATION
4.1. Incident Monitoring and Management. Crypto APIs shall monitor, analyze and respond to security incidents in a timely manner in accordance with Crypto APIs’ standard operating procedure. Depending on the nature of the incident, Crypto APIs security group will escalate and engage response teams necessary to address an incident.
4.2. Breach Notification. Unless notification is delayed by the actions or demands of a law enforcement agency, Crypto APIs shall report to Customer the unauthorized acquisition, access, use, disclosure or destruction of Customer Data (a “Breach”) promptly following determination by Crypto APIs that a Breach occurred. The initial report shall be made to the Customer security contact(s) designated in Crypto APIs’ customer support portal. Crypto APIs shall take reasonable measures to promptly mitigate the cause of the Breach and shall take reasonable corrective measures to prevent future Breaches. As information is collected or otherwise becomes available to Crypto APIs, and unless prohibited by law, Crypto APIs shall provide information regarding the nature and consequences of the Breach that is reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus.
4.3. Customer Cooperation. Customer agrees to cooperate with Crypto APIs in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, identify its root cause(s) and prevent a recurrence.
5. PENETRATION TESTS
Penetration and security tests are part of the Crypto APIs testing environment. During development and testing, Crypto APIs uses tools such as Brakeman (https://brakemanscanner.org/docs/introduction/).
6. SHARING THE SECURITY RESPONSIBILITY
6.1. Product Capabilities. The Subscription Service has the capabilities to: (i) authenticate users before access; (ii) encrypt passwords; (iii) allow users to manage passwords; and (iv) prevent access by users with an inactive account. Customer manages each user’s access to and use of the Subscription Service by assigning to each user a credential and user type that controls the level of access to the Subscription Service.
6.2. Customer Responsibilities. Crypto APIs provides, through the Cloud, the cloud environment that permits Customer to use and process Customer Data in the Subscription Service. The architecture of the Subscription Service includes, without limitation, column level encryption functionality and the access control list engine. Customer shall be responsible for using the column level encryption functionality and access control list engine to protect all Customer Data containing sensitive data, including without limitation, credit card numbers, social security numbers, financial and health information, and sensitive personal data. Customer is solely responsible for the results of its decision not to encrypt such sensitive data. Crypto APIs protects all Customer Data in the Crypto APIs cloud infrastructure equally in accordance with this Data Security Policy, regardless of the classification of the type of Customer Data. Customer shall be responsible for protecting the confidentiality of each user’s login and password and shall manage each user’s access to the Subscription Service.
6.3. Customer Cooperation. Customer shall promptly apply any application upgrade that Crypto APIs determines is necessary to maintain the security, performance or availability of the Subscription Service.
6.4. Limitations. Notwithstanding anything to the contrary in the Agreement or this Data Security Policy, Crypto APIs’ obligations extend only to those systems, networks, network devices, facilities and components over which Crypto APIs exercises control. This Data Security Policy does not apply to: (i) information shared with Crypto APIs that is not data stored in its systems using the Subscription Service; (ii) data in Customer’s virtual private network (VPN) or a third party network; or (iii) any data processed by Customer or its users in violation of the Agreement or this Data Security Policy.