Vendelux Information Security and Customer Data Handling Posture and Policy
- Author: Mike Gogulski <firstname.lastname@example.org>
- Author: Eliel Mamousette <email@example.com>
- Last updated: 16 May 2022
- Changelog at the end
- Overview of this document
- Organizational Structure
- Operating Environment
- Application access control, security, and privacy
- Customer System Interactions
- Server platform access control and security
- Physical and Logical Access Control
- System backups
- Database backups
- Platform-as-a-service provider control panel access
- Authentication and authorization management at termination of employment
- Outsourcing systems access control and security
- Notes
- Changelog
Overview of this document
The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Vendelux except where Client is responsible for security and privacy TOMs. Evidence of the measures implemented and maintained by Vendelux may be presented in the form of up-to-date attestations, reports or extracts from independent bodies upon request from the Client.
Organizational Structure
For purposes of context and understanding Vendelux’s organizational structure, the following describes the state of the company on the date of the last revision of this document:
- Top management: 2 co-founders, CEO and COO
- Technical staff:
- The Lead Senior Engineer, accountable to top management.
- Developers: 5 staff reporting to the Lead Senior Engineer.
- Non-technical staff: 11 non-technical staff with their own organizational structure, ultimately accountable to top management.
Operating Environment
For purposes of context and understanding Vendelux’s platform, the following describes the operational environment as of the date of the last revision of this document:
- A single cloud services company under US jurisdiction providing:
- Cloud storage
- Platform-as-a-service, consisting of:
- Application system platforms
- Database system platforms
- Around 20 outsourcing providers of various services (see “Outsourcing systems access control and security” below for a list of services)
- Please note: In federated service delivery scenarios, one or more data controllers and one or more subcontracted data processors may be entrusted with or involved in processing personal data.
Application access control, security, and privacy
Customer System Interactions
- Our systems initiate no connections to customer systems. All interactions between customers and our systems are initiated by the customer, with the notable exception of email (assuming that the customer does not outsource its email service), which is sent either on a schedule, based on mailing list membership, or in response to the customer’s request for certain data processing operations (extracts from or insertions into our database).
- All customer, staff, partner, and user interactions with the application and its APIs are carried over Hypertext Transfer Protocol Secure (HTTPS), using current encryption algorithms and session negotiation methods and rejecting broken algorithms and session negotiation methods.
- User authentication is handled by a third party, Auth0.
- There is an exception to this rule in the form of 3 private event data API endpoints that we make available to our (small number of) data provider partners.
- Customers have the choice of establishing accounts with usernames and passwords, or with social logins that support the OAuth2 protocol (currently, on our site, Google and Salesforce).
- Auth0 is a leading provider of outsourced identity and access management solutions. It is a subsidiary of Okta, a NASDAQ-traded public company.
- Auth0’s Security, Privacy, and Compliance page (https://auth0.com/security) lists their security and privacy certifications (including ISO 27001 and SOC Type II) as well as containing a description linking to their page detailing Auth0 GDPR compliance and
- User authorization is handled by flags in our database, which links a User object to an Auth0 ID. The User object in turn has flags for “active”, “staff”, and “superuser”, the latter two being restricted to employees and contractors.
- The “active” permissions set distinguishes customers with active accounts from User records associated with other people in our database, and allows Users with it to log in to the application. (This association is necessary because our customers are quite often also attendees of the events we feature.)
- The “staff” permission set is a superset of the “active” permissions set. It is granted only to staff with a concrete need and authorization by top management or the Lead Senior Engineer/systems administrator for basic read/write access to the database via the web application framework’s control panel. Additionally, there are some frontend application capabilities restricted to users with “staff” permissions.
- The “superuser” permissions set is a superset of the “staff” permissions set. It is granted only to staff with a concrete need and authorization by top management or the Lead Senior Engineer/systems administrator for full access to everything the web application framework control panel provides (essentially, create/update/delete access to every object, as well as reporting). Additionally, there are some frontend application capabilities restricted to users with “superuser” permissions.
- The same exception regarding event data API endpoints applies as in the previous section.
- Additional user authorization (read and write access to specific data) is controlled by either the User object’s linkage to an allow list for that data, or by the User’s Profile object’s linkage to an allow list for that data.
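As an added illustration of the authorization model described above (this is example code written for this document, not Vendelux’s implementation; the class names, field names, and the concrete permission strings are assumed), the following models the active/staff/superuser superset hierarchy and the allow-list check that can be satisfied either through the User object or through its Profile:

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Capabilities implied by each flag. Each set is a superset of the one below it,
# matching the active < staff < superuser hierarchy described in the text.
# The permission strings themselves are assumed for illustration.
ACTIVE_PERMS = frozenset({"login", "frontend:basic"})
STAFF_PERMS = ACTIVE_PERMS | {"admin:read", "admin:write", "frontend:staff"}
SUPERUSER_PERMS = STAFF_PERMS | {"admin:full", "frontend:superuser"}

@dataclass
class Profile:
    # Assumed field: datasets this Profile is linked to via an allow list.
    allowed_datasets: Set[str] = field(default_factory=set)

@dataclass
class User:
    auth0_id: str                      # link to the identity held by Auth0
    active: bool = False
    staff: bool = False
    superuser: bool = False
    allowed_datasets: Set[str] = field(default_factory=set)  # assumed field
    profile: Optional[Profile] = None

def permissions(user: User) -> frozenset:
    """Permission set implied by the highest flag the user holds."""
    if user.superuser:
        return SUPERUSER_PERMS
    if user.staff:
        return STAFF_PERMS
    if user.active:
        return ACTIVE_PERMS
    return frozenset()  # a User record that only mirrors an event attendee

def can_login(user: User) -> bool:
    return "login" in permissions(user)

def can_access_dataset(user: User, dataset: str) -> bool:
    """Data-level authorization: the user must be able to log in AND appear on the
    dataset's allow list, either directly or through the linked Profile."""
    if not can_login(user):
        return False
    if dataset in user.allowed_datasets:
        return True
    return user.profile is not None and dataset in user.profile.allowed_datasets
```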
Server platform access control and security
Physical and Logical Access Control
- Physical access to the platform is restricted to operators employed by our US-based cloud provider.
- Staff access to server systems is via SSH with public key authentication, generally using RSA keys.
- Server system access is limited to staff with a defined need and authorization by top management or the Lead Senior Engineer. At present, staff with access to the server platforms are:
- For the application systems, 5 developers, one of whom also has systems administration duties, plus the Lead Senior Engineer.
- For the database systems, 3 of the developers above plus the Lead Senior Engineer.
- No other staff or outside entities have command line or other administrative access to server systems, including management.
- Each developer has their own instance of the database for their use and testing. Developers do not work on the production database, except in the cases of a) the Lead Senior Engineer and systems administrator, who share DBA duties; and b) emergency outage situations.
- Regular backups are taken and stored encrypted in a cloud service provider object store. The encryption keys are held exclusively by the Lead Senior Engineer and the systems administrator.
- Regular backups are taken and stored unencrypted on the database server, to which only the Lead Senior Engineer and the systems administrator have access.
Platform-as-a-service provider control panel access
- Access to the control panel is restricted to the two co-founders, the Lead Senior Engineer and the systems administrator.
- The systems administrator is accountable for keeping systems up to date with current patches, following best practices for configuring and securing the systems, and for responding to security incidents as they occur.
- Each developer is accountable for the security of their code, but higher levels of accountability attach both to the systems administrator due to his role in approving and deploying changes, and to the Lead Senior Engineer due to his supervisory role.
Authentication and authorization management at termination of employment
- Top management is accountable for revocation of access to:
- Email accounts
- Internal messaging
- Creative tools
- Recruitment management
- The systems administrator is accountable for revocation of all other access, upon request by top management or the Lead Senior Engineer.
Outsourcing systems access control and security
- In general and where possible, administrative access to outsourcing services is structured such that top managers have super-administrator rights. They can then delegate regular administrator and other more limited roles to staff. Depending on the service, regular administrators may or may not be able to disable or remove user accounts, and must resort to the super-administrator(s).
- Outsourcing service administrative access is granted to staff strictly based on concrete need and authorization by top management or the Lead Senior Engineer.
- Regular user access to outsourcing services is granted to staff strictly based on concrete need and authorization by top management or the Lead Senior Engineer.
Outsourcing providers currently provide the following services. Unless otherwise indicated in a footnote, these providers have no access to customer data:
- Email accounts (2)(5)(6)
- Internal instant messaging (2)(6)
- Online office applications suite (2)(6)
- Customer Relationship Management (CRM) (2)(6)
- Creative tools for user interface design
- Recruitment and staffing management
- User authentication (1)(7)(8)
- Source code control (2)
- Trouble ticket/issue management (2)
- Wikis (2)
- Contact data enrichment (3)
- Email address verification (3)
- Email mailing lists
- Custom email solutions
- Platform-as-a-service (application and database servers) (4)
- Cloud object storage
- Web caching, denial of service mitigation, and several ancillary services (8)
- Domain name (DNS) resolution
- Web scraping
- Systems and application monitoring
- Virtual Private Networks (VPNs)
- Web analytics (8)
Notes
1. Access to authentication data
2. Access to staff communications
3. Tightly-limited access to customer data, restricted to only the necessary name/company/email address fields; always initiated by the application, management, or developers
4. Full access to customer data, but contractually and legally barred from accessing it; US jurisdiction
5. As the root of nearly all other authentication to company systems and assets, administrative access is strictly limited to the company’s two co-founders.
6. Access to sales-related customer information, but contractually and legally barred from accessing it; US jurisdiction
7. Access to customer information only in the form of association of a username/password or social authentication method with a profile object containing data provided by the customer, but contractually and legally barred from accessing it; US jurisdiction
8. The standard concerns regarding third-party cookies apply.
Changelog
- 16 February 2022 – Mike Gogulski – Document created
- 12 May 2022 – Mike Gogulski – Updates related to organizational structure and team size changes. Some cosmetic fixes and clarifications.
- 14 May 2022 – Eliel Mamousette – Updated document structure to provide index of contents
- 16 May 2022 – Eliel Mamousette – Corrected formatting of document for consistency