This statement exclusively covers Figure Eight’s policies and practices regarding information and data security. It does not recapitulate the law, nor does it attempt to define good conduct outside of the security context.
Figure Eight is a software-as-a-service (SaaS) business. The company has a dedicated operations team that is responsible for ensuring the safe operation of Figure Eight’s website(s). Members of this team are carefully vetted for reliability and responsibility and are trained to be knowledgeable and aware of sensitive information.
All passwords and credentials that enable access to Figure Eight’s production system are stored in secure systems that are only accessible to authorized staff.
Only authorized staff has direct access to production machines. Development staff members have limited access to production services for debugging purposes, and only select authorized individuals have access to Figure Eight’s data stores for analytics purposes (see Data Security, below).
Figure Eight uses automated configuration management to ensure that all changes are applied in a deliberate manner. Every change to production, except in cases of emergency, goes through the following stages:
Securing data in Figure Eight’s platform includes securing relational databases, online caches, and backups.
A select group of Figure Eight staff has limited, read-only access to real-time data for analytics purposes. The need for this access is reviewed on a quarterly basis.
Only data that does not contain any personally identifiable information (PII) may be sent to third-party services for business intelligence analysis.
Platform Security
Figure Eight’s platform also contains a number of security measures to ensure the secure performance of its services.
Keeping passwords and credentials secure for services used by Figure Eight is essential. Figure Eight uses a centralized, secure method for storing and disseminating passwords. Every Figure Eight employee and consultant is required to use this system for storing secure information.
Figure Eight requires the use of randomly generated passwords at least 20 characters long for all services. In rare instances, passwords may be shorter if the service provider does not allow 20 characters.
When services require access by multiple users, but do not offer multiple sign-in, credentials may be securely shared via our centralized system to enable team access. Sharing credentials by other means is not permitted.
Other secure information, like credit card information or secure tokens, must be stored in Figure Eight’s centralized store. It is not permitted to store such information in any other format.
Figure Eight provides all employees with an Apple laptop to effectively perform work.
All company-issued laptops are equipped with a provisioning profile.
All documents, files, and data must be stored in the company’s file storage accounts, revision control systems, or otherwise stored in a company-provided external system. Files may not be stored locally on laptops only. When a Figure Eight employee or contractor terminates employment, all data stored on company-issued laptops is destroyed.
All employees are issued an Employee Handbook, which includes policies regarding information and data security.