IntroLogic Data And Security Policy
This Data and Security was last updated on April 19, 2018.
This is the Data and Security Policy of Sudo Technologies, Inc., (“IntroLogic”, “us”, “we”). It describes the organizational and technical measures IntroLogic implements platform-wide in order to prevent unauthorized access, use, alteration or disclosure of customer data. As described in greater detail in this policy, we take the protection of customer data extremely seriously.
The relationships of our users to their contacts is the core of our business, and we treat those relationships with the utmost respect. Importantly, IntroLogic never sends unsolicited emails to ANY of your contacts, nor does it allow any other user to send unsolicited email to your contacts, nor view their contact information (unless the other user also knows that contact).
Customer data is divided into two categories:
- Private Data: All other data provided by customers (e.g., CRM data, target account data, etc.) is considered their private data, and is NEVER shared with any 3rd party. It is used for the exclusive purpose of helping the customer maximize the value they derive from the IntroLogic Application.
Access to Customer Data
The IntroLogic application depends on customers providing data about their contacts. Customer data is stored in IntroLogic’s production environment within AWS and protected by AWS security as described at http://aws.amazon.com/security/sharing-the-security-responsibility/. Access to the production environment is restricted to a small number of IntroLogic personnel who require access as part of their job functions. We do not share this data with any third parties (not even in anonymized form).
Encryption of Customer Data
Customer data stored in IntroLogic’s production storage environment is fully encrypted at rest using FIPS 140-2 validated cryptographic modules. In the course of standard operations, IntroLogic has no visibility into encrypted customer data. All network communication is done via SSL connections. Our API (utilized by our web application, and in the future by our mobile application) be accessed through the internet through the load balancer accepting only ssl connections through the port 443. All these interactions validate a short-lived and action specific JWT token for authentication and authorization.
Disposal of Data
If a company terminates their relationship with us, we immediately delete their private data from our application.
We use Splunk as a service to log errors and events in our production infrastructure. We ensure that no sensitive information is being logged. Logs are disposed of every 90 days.
General Security Features of the IntroLogic Application
The following are security features regularly implemented on all servers and systems that comprise the IntroLogic Application.
- Regular updates of OS, applications, and database security patches
- Firewall (security groups) configurations.
- Managing and monitoring server accounts and server access. Managing and monitoring system and application resources.
- Logical data separation across customers. Specifically, each customer only has access to the section of the people graph to which they are connected.
- Encryption of data in transit across untrusted networks and for data at rest (see below).
- Rotating two-factor authentication required for all administrative access to production systems
Internal network traffic is strictly controlled to allow only traffic that is required to deploy and run systems. There is no direct access to the internal network and it can only be accessed through a gateway machine. Only users that have a business purpose to access to the network have permission to log in. We enforce 2-step authentication to access our AWS console and Google developer account. All machines in our infrastructure are ephemeral and are created and disposed of automatically by our infrastructure depending on the load of the system. Machine packages and services cannot be configured and installed from inside of the machine- they can be set only through peer reviewed configuration code versioned in our code repository.
External traffic is only allowed through a load balancer. Only ssl traffic through port 443 is allowed. The traffic is proxied by the load balancer to a single machine in our cluster, which serves our application running inside of a docker container. The OS version and packages are kept up-to-date using latest stable and without known vulnerabilities versions, to avoid external users exploiting them. All our code is peer reviewed and security is considered on every review.
Notification of Security Breach
IntroLogic will notify customer promptly in writing upon verification of a security breach of the IntroLogic service. Notification will describe the breach and the status of IntroLogic’s investigation. IntroLogic will provide commercially reasonable assistance to customer to determine whether a verified security breach of the IntroLogic service affected customer data.
Physical Security, Environmental Controls and Compliance
The IntroLogic service is exclusively hosted on Amazon AWS in the US-West-2 region. Amazon does not disclose the location of its data centers. As such, IntroLogic builds on the physical security and environmental controls provided by AWS. See http://aws.amazon.com/security/ for details of AWS security infrastructure. For AWS SOC Reports please see https://aws.amazon.com/compliance/soc-faqs/.
Our physical offices do not contain any sensitive equipment. We forbid employees from leaving computers in the office overnight. Employees’ computers are encrypted and are configured to automatically logout after 5 minutes of inactivity. Also, employees are encouraged to logout every time they leave their computers unattended. The computers are configured with a shortcut to make this easy. Access to all systems containing customer data is controlled by rotating 2-factor authentication.
- Managing its own user accounts and roles from within the IntroLogic service.
- Protecting its own account credentials.
- Compliance with the terms of customer’s service agreement with IntroLogic, including with respect to compliance with laws.
- Promptly notifying IntroLogic if a user credential has been compromised or if customer suspects possible suspicious activities that could negatively impact security of the IntroLogic service or customer’s account.
- Customer may not perform any security penetration tests or security assessment activities without the express advance written consent of IntroLogic.
Changes to This Policy
Our business and services may change from time to time. As a result, at times it may be necessary to make changes to this Data and Security Policy. If we make changes, we will notify you by revising the date at the top of this page. If we make material changes, we will do so in accordance with applicable legal requirements, and we will post a notice on our website alerting you to the material changes prior to such changes becoming effective. Your continued use of our services after any changes or revisions to this Data and Security Policy will indicate your agreement with the terms of such revised Data and Security Policy.
You may contact us by mail at 530 Oak Grove Ave, Suite 207, Menlo Park CA 94025 and by email at firstname.lastname@example.org.