Security Policy

as of 31st March 2019

This Security Policy is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

Overview

SatisMeter will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data processed by its service, as follows:

  • Security policies are reviewed and approved by SatisMeter executive leadership.
  • Security systems and processes are regularly reviewed and tested by security staff and third parties.
  • Use of network firewalls and a Web Application Firewall (WAF) to protect Customer Data accessible via the Internet is required.
  • Physical access to systems containing Customer Data is restricted. System access is based on the principle of least privilege, separation of duties, and is regularly reviewed.
  • Applicable and necessary security patches are kept up-to-date.
  • Use of default system passwords is prohibited and the use of “strong passwords” is mandated on all systems.

Access Limitations

  • SatisMeter restricts access to Customer Data only to those employees who have a need to know or otherwise access Customer Data to enable SatisMeter to perform its obligations under the Agreement; provided that (a) a background check has been conducted of those employees, and (b) those employees are bound in writing by obligations of confidentiality sufficient to protect the Customer Data in accordance with requirements herein.
  • SatisMeter maintains a disciplinary process to address any unauthorized access, use or disclosure of Customer Data.

Customer Data Transmission

  • All access into the Service uses the secure HTTPS protocol; all clear-text HTTP connections are disabled by default.
  • Copying of Customer Data outside of the SaaS Operations Environment by any employee is restricted by policy and only permitted for legitimate business need.
  • Customer Data is transmitted via secure TLS exclusively; SSL is disabled by default.
  • Except for transmissions initiated by Customer through the use of the SaaS Service,

Data Storage, Retention and Availability

  • SatisMeter does not store or process Customer Data in any form outside of the United States, other than for transit purposes, without the prior written consent of Customer.
  • Customer Data is transmitted using secure protocols over a dedicated link, and stored in a secured facility for backup.

Security Breach Response

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security.

SatisMeter maintains a security incident response plan and a team of personnel trained to identify, investigate, and respond to security issues.

In the event of a Security Breach impacting Customer Data, SatisMeter shall:

  1. take immediate steps to remedy the breach;
  2. notify Customer as soon as is practicable;
  3. take any other prompt actions towards prevention of any additional Security Breach.

In any notification to Customer, SatisMeter shall

  1. provide a description of the incident, the data accessed, the identity of affected third parties, if any, and such other relevant information determined by SatisMeter, and
  2. designate a single individual as a point of contact for Customer.

SatisMeter agrees to cooperate with Customer and any law enforcement or regulatory official in connection with any Security Breach, including without limitation any investigation, reporting or other obligations required by applicable law, as well as any dispute, inquiry or claim concerning the Security Breach. For purposes of this subsection, “Security Breach” means any actual unauthorized use, access, disclosure or misuse of Customer Data of which SatisMeter becomes aware.

SaaS Operations Management

  • SatisMeter maintains and follows change management processes. All changes to the production environment are risk-assessed, logged, and approved. Releases to the production environment are promoted through a pre-production test environment.
  • The operations environment is separate from the development and staging environments. All SaaS environments are separate from the corporate IT environment.
  • Logical access to the Service infrastructure is restricted using the principles of least privilege and need to know.
  • Access to all systems is controlled by an authentication method involving a minimum of a unique user ID/password combination. Privileged users and administrators must use strong authentication.
  • Access to systems of third-party providers, where available, is secured by two-factor authentication.

System Protection

  • SatisMeter protects its computer and operations systems using standard industry methods designed to prevent outages and minimize impacts during any unavoidable service interruptions.
  • Security-relevant events, including login failures, use of privileged accounts, changes to access models or file permissions, modifications to installed software or operating systems, changes to user permissions or privileges, and use of any privileged system function, are logged on all systems.

User Responsibilities

Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any survey data you download to your own computer away from prying eyes.