Technical & Organizational Measures | Five to Nine
This document describes all measures and efforts taken by Five To Nine to ensure the security and quality of the data it processes.
Within this document, the following definitions apply:
- Customer: any user of Five to Nine services
- Customer Data: any information provided or submitted by the Customer that is processed by Five to Nine services
- Personal Data: means any information relating to an identified or identifiable natural person
- Personnel: means Five to Nine employees and authorized individual contractors/vendors
- Strong Encryption: means the use of industry standard encryption measures
Data is collected and processed by Five to Nine for testing, staging, and production purposes on the Amazon Web Services (AWS) cloud computing platform in the Virginia region (us-east-1). As documented from Amazon:
Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. All entrances to AWS data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms and create an alarm in AWS centralized physical security monitoring too if a door is forced open or held open. In addition to electronic mechanisms, AWS data centers utilize trained security guards 24×7, who are stationed in and around the building. All alarms are investigated by a security guard with root cause documented for all incidents. All alarms are set to auto-escalate if response does not occur within SLA time. Physical access points to server location are recorded by closed circuit television camera (CCTV) as defined in the AWS Data Center Physical Security Policy. Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations. AWS Physical Security Mechanisms are reviewed by independent external auditors for our SOC, PCI DSS, ISO 27001 and FedRAMPsm compliance.
- The data centers and their equipment are physically protected against natural disasters, unauthorized entry, malicious attacks, and accidents
- Equipment at the data centers are protected from power failures and other disruptions caused by failures in supporting utilities, and are appropriately maintained
- Access to Five to Nine systems is granted only to Five to Nine Personnel and/or to permitted employees of Five to Nine’s subcontractors and access is strictly limited as required for those persons to fulfill their function
- All laptops used by Five to Nine Personnel have encrypted hard drives
- All users access Five to Nine systems with a unique identifier (UID)
- Five to Nine has established a password policy that prohibits the sharing of passwords and requires default passwords to be altered. All passwords must fulfill defined minimum complexity requirements and are stored in encrypted form
- Five to Nine has a comprehensive process to deactivate users and their access when Personnel leaves the company or a functional role
- All access or attempted access to systems is logged and monitored
- As a matter of course, Five to Nine Personnel do not access Personal Data. Where access is required to operate the service or assist in a customer issue, the request for access must be formally justified/tracked and approved by the customer
- Five to Nine restricts Personnel access to Personal Data on a “need-to-know” basis based on this justification
- Each such access and its subsequent operations are logged and monitored
Data Transmission / Storage
- Customer access to Five to Nine services is protected by the most current version of Transport Layer Security (TLS)
- Five to Nine uses Strong Encryption in the transmission of Customer Data within our data centers and between our data centers and customer devices
- Upon Customer’s request, Personal Data will be promptly deleted
- Five to Nine uses logical separation within its multi-tenant architecture to ensure data segregation between customers.
- In each step of the processing, Customer Data received from different Customers is assigned a unique identifier so data is always physically or logically separated
- Customers only have access to their own Customer Data which is available upon request
- Five to Nine retains company data for the duration of their contract with Five to Nine and purges it at termination of contract.
- Employee data is retained for the duration of their employment and purged at termination of employment. Our data retention policy can additionally adhere to client retention policy as long as it’s in accordance with applicable law.
Confidentiality & Integrity
- Five to Nine has a formal background check process and carries out background checks on all new Personnel
- All Five to Nine Personnel are subject to individual confidentiality and non-disclosure agreements
- Five to Nine has a central, secured repository of product source code, which is accessible only to authorized Personnel
- Five to Nine has a formal application security program and employs a robust Secure Development Lifecycle (SDLC) which is detailed in our SDLC Policy
Five to Nine uses the following sub-contractors to provide its services:
- Amazon Web Services