The following information provides an overview of the security measures designed and implemented by CircleCo, Inc. ("Circle") to protect its systems, including the physical, technical, and administrative controls that govern access and use of the systems.
- Introduction
- Circle employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure or destruction.
- Governance and Policies
- Circle assigns personnel with responsibility for the determination, review and implementation of security policies and measures.
- Circle:
- has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
- reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
- Circle establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.
- Breach response
- Circle has a breach response plan that has been developed to address data breach events. The plan is tested and updated at least annually.
- Intrusion, anti-virus and anti-malware defenses
- Circle's IT systems used to process personal data have appropriate data security software installed on them, including as follows:
- Inbound and outbound traffic passes through firewalls that are monitored and protected by intrusion detection / prevention systems that allow traffic flowing through the firewalls to be logged.
- IT systems have appropriate antivirus, anti-spyware and anti-malware software installed. Such software is updated at least daily and performs ongoing scans for threats and malicious programs.
- Circle performs penetration tests on its IT systems at least annually.
- Circle performs regular, and at least monthly, vulnerability scans.
- Circle collects, maintains, reviews and audits event logs.
- Circle deploys data loss prevention tools at network and host level.
- Circle monitors all traffic leaving the organization, including for unauthorized use of encryption.
- Access controls
- Circle limits access to personal data by implementing appropriate access controls, including:
- limiting administrative access privileges and use of administrative accounts;
- changing all default passwords before deploying operating systems, assets or applications;
- requiring authentication and authorization to gain access to IT systems (i.e., users must enter a user ID and password before they are permitted access to IT systems);
- only permitting user access to personal data which the user needs for their job role or for the purpose for which they are given access to Circle's IT systems (i.e., Circle implements measures to ensure least-privilege access to IT systems);
- having in place appropriate procedures for controlling the allocation and revocation of personal data access rights. For example, having in place appropriate procedures for revoking employee access to IT systems when they leave their job or change role;
- enforcing password policies that require users to use strong passwords, such as passwords of more than eight characters that combine upper and lower case letters, numbers and special characters;
- enforcing regular password renewal;
- use of multi-factor authentication;
- automatic timeout and locking of user terminals if left idle;
- blocking access to IT systems after multiple failed attempts to enter correct authentication and/or authorization details;
- monitoring and logging access to IT systems; and
- monitoring and logging amendments to data or files on IT systems.
- Availability and back-up of personal data
- Circle has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated at least annually.
- Circle regularly backs up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested at least annually.
- Segmentation of personal data
- Circle:
- separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes; and
- does not use live data for testing its systems.
- Disposal of IT equipment
- Circle:
- has in place processes to securely remove all personal data before disposing of IT systems; and
- uses appropriate technology to purge equipment of data and/or destroy hard disks.
- Encryption
- Circle uses encryption technology to protect personal data at rest and in transit, including:
- applying AES-256 encryption to data at rest and TLS 1.2 or higher to data in transit; and
- encryption of portable devices used to process personal data.
- Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.
- Transmission or transport of personal data
- Appropriate controls are implemented by Circle to secure personal data during transmission or transit, including:
- use of VPNs;
- encryption in transit using TLS 1.2 or higher;
- logging personal data when transmitted electronically;
- logging personal data when transported physically; and
- ensuring physical security for personal data when transported on portable electronic devices or in paper form.
- Device hardening
- Circle removes unused software and services from devices used to process personal data.
- Circle ensures that default passwords that are provided by hardware and software producers are not used.
- Circle ensures that all operating systems are hardened in accordance with configuration recommendations published by the Center for Internet Security.
- Asset and Software management
- Circle maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.
- Circle:
- documents and implements rules for acceptable use of IT assets;
- requires network level authentication and uses client certificates to validate and authenticate systems;
- deploys application whitelisting;
- deploys automated patch management tools and software update tools for operating systems and software;
- proactively monitors software vulnerabilities and promptly implements any out of cycle patches; and
- permits the use of only the latest versions of fully supported web browsers and email clients.
- Circle stores all API keys securely, including as follows:
- Circle stores API keys directly in its environment variables;
- Circle does not store API keys on the client side;
- Circle does not publish API key credentials in online code repositories (whether private or not); and
- Circle uses API key management tools to retrieve and manage credentials for large development projects.
- Staff training and awareness
- Circle's agreements with staff and contractors and employee handbooks set out its personnel's responsibilities in relation to information security.
- Circle carries out:
- regular staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the onboarding procedures); and
- appropriate screening and background checks on individuals that have access to sensitive personal data.
- Circle ensures that information security responsibilities that are applicable immediately before termination or change of employment and those which apply after termination / change of employment are communicated and implemented.
- Staff are subject to disciplinary measures for breaches of Circle's policies and procedures relating to data privacy and security.
- Selection of service providers and commission of services
- Circle assesses service providers' ability to meet its security requirements before engaging them.
- Circle has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Circle's instructions.
- Circle conducts annual audits of vendors (including subprocessors) that have access to data either through physical inspection by appropriately qualified security auditors or by reviewing vendors' security accreditation (such as ISO 27001 or SOC II) reports.
- Circle's breach response protocol and agreements with vendors provide for the audit of vendors (and subprocessors) following receipt of any notice of a security incident from that vendor.
- Assistance with Data Subject Rights Requests
- Circle has implemented appropriate policies and measures to identify and address data subject rights requests, including:
- the data processed on behalf of each Customer is stored separately from data processed by Circle;
- Circle maintains accurate records to enable it to identify quickly all personal data processed on behalf of a Customer; and
- back-ups of personal data processed by Circle are overwritten on a regular basis to ensure deletion and rectification requests are fully actioned.