Information and Data Security Statement

This statement exclusively covers Figure Eight’s policies and practices regarding information and data security. It does not recapitulate the law, nor does it attempt to define good conduct outside of the security context.

Operational Security

Figure Eight is a software-as-a-service (Saas) business. The company has a dedicated operations team that is responsible for ensuring the safe operation of Figure Eight’s website(s). Members of this team are carefully vetted for reliability and responsibility and are trained to be knowledgeable and aware of sensitive information.

 

Production Passwords and Credentials

All passwords and credentials that enable access to Figure Eight’s production system are stored in secure systems that are only accessible to authorized staff.

 

Production Access

Only authorized staff has direct access to production machines. Development staff members have limited access to production services for debugging purposes, and only select authorized individuals have access to Figure Eight’s data stores for analytics purposes (see Data Security, below).

 

Change Management

Figure Eight uses automated configuration management to ensure that all changes are applied in a deliberate manner. Every change to production, except in cases of emergency, go through the following stages:

  • The change is implemented and tested in a sandbox environment;
  • The change is committed to configuration management and applied to the testing environment;
  • The change is reviewed by one or more authorized staff members, and the testing environment is vetted to ensure that the change is effective;
  • The change is applied to the production environment;
  • Changes with operational impact are only applied during pre-announced maintenance windows.

General Security Practices

  • All access to production systems is via channels secured by virtual private network (VPN) or secure shell (ssh).
  • No node or service is allowed to communicate with other services without credentials.
  • Only services intended for general consumption are publicly available.
  • All systems log to a central repository for analysis and change tracking.
  • Continuous backups of data are made and stored in redundant locations.
  • Only authorized personnel may access or restore any data from the backup datasets.
  • Configuration of systems and services is performed automatically by programs vetted for security deficits.
  • Figure Eight continuously monitors and responds to active and emerging security threats, especially the Open Web Applications Security Project (OWASP) top 10 and Community Emergency Response Teams (CERT) advisories.
  • Security updates are applied within seven (7) days in non-emergency cases or more rapidly in the case of an urgent threat.

Data Security

Securing data in Figure Eight’s platform includes securing relational databases, online caches, and backups.

  • All live data storage systems are separate from other services, can only be accessed via randomly generated credentials managed by authorized personnel, and are rotated quarterly.
  • All systems with live data storage restrict direct access to authorized personnel.
  • Backups use at-rest encryption and only the nodes performing backups and authorized personnel have access to credentials.

Data Access

A select group of Figure Eight staff has limited, read-only access to real-time data for analytics purposes. The need for this access is reviewed on a quarterly basis.

Only data that does not contain any personally identifiable information (PII) may be sent to third-party services for business intelligence analysis Platform Security

Figure Eight’s platform also contains a number of security measures to ensure the secure performance of its services.

  • SSL everywhere. All access to the platform happens through secure HTTPS connections with certificates that have been updated since the “Heartbleed” vulnerability.
  • Access control lists define the behavior of any user of the platform, and limit them to authorized behaviors.
  • Extensive anti-fraud processes run continuously to detect malicious or harmful use of the platform. These processes are under continuous refinement by our dedicated data science team.
  • Tasks have unpredictable identifiers (UUID4) that prevent any individual contributor from predicting other task identifiers.
  • Contributors work on a subset of data. Tasks are delivered to contributors in a manner that does not enable them to guess or know the full set of data being worked on. Customers may limit the work performed by any contributor to further constrain the amount of information shared.
  • All work activity is extensively logged to enable tracing any security issues.

Workplace Security

Secrets, Passwords, and Credentials

Keeping passwords and credentials secure for services used by Figure Eight is essential. Figure Eight uses a centralized, secure method for storing and disseminating passwords. Every Figure Eight employee and consultant is required to use this system for storing secure information.

 

Generating Passwords

Figure Eight requires the use of randomly generated passwords at least 20 characters long for all services. In rare instances, passwords may be shorter if the service provider does not allow 20 characters.

 

Sharing Passwords

When services require access by multiple users, but do not offer multiple sign-in, credentials may be securely shared via our centralized system to enable team access. Sharing credentials by other means is not permitted.

 

Storing Secrets

Other secure information, like credit card information or secure tokens, must be stored in Figure Eight’s centralized store. It is not permitted to store such information in any other format.

 

Figure Eight Issued Equipment

Figure Eight provides all employees with an Apple laptop to effectively perform work.

 

Provisioning Profile

All company-issued laptops are equipped with a provisioning profile.

This profile:

  • Ensures that laptops are encrypted
  • Requires password entry when waking from sleep mode
  • Allows Figure Eight to remotely wipe the machine in the event of theft or loss
  • Allows Figure Eight to automatically apply OS and software security updates

Data Storage Protocols

All documents, files, and data must be stored in the company’s file storage accounts, revision control systems, or otherwise stored in a company-provided external system. Files may not be stored locally on laptops only. When a Figure Eight employee or contractor terminates employment, all data stored on company-issued laptops is destroyed.

 

Data Security Policies and Training for Figure Eight Employees and Contractors

All employees are issued an Employee Handbook, which includes policies regarding information and data security.