Version 1.0 Date: May 6, 2019
InFront Compliance believes that compliance data is critical to growing and protecting your business, and we take collecting and securing that data extremely seriously. Our founding team consists of technology and data lawyers who have taken a security-aware development approach and built the InFront Compliance platform with a strong security culture.
To that end, we have adopted administrative, technological and physical security measures designed to ensure that your data stays secure.
For subscribers to our platform (“Platform”), we collect operational and compliance-related information so that we can provide reports and insights relating to compliance performance. That information is one-way encrypted at rest and in motion using the AES-128 standards or similarly high standards, meaning that only our subscribers have access to that information. InFront Compliance only has access to that information on an aggregated basis and does not have access to individual subscriber compliance response data.
How data is hosted: The InFront Compliance Platform is hosted with Amazon Web Services so that we can leverage the massive investments that Amazon itself makes in security to the benefit of our subscribers.
Physical Security: InFront Compliance production data is processed and stored within world-renowned data centers, which use state-of-the-art multilayer access, alerting, and auditing measures, including:
- perimeter fencing
- vehicle access barriers
- custom-designed electronic access cards
- biometric checks
- laser beam intrusion detection
- continuous external and internal security camera surveillance
- 24×7 trained security guards
System Security
Servers and Networking: All servers that run InFront Compliance software in production are recent, continuously patched Linux systems. Additional hosted services that we utilize, such as Amazon Cloud Storage, are comprehensively hardened Amazon infrastructure-as-a-service (IaaS) platforms.
Our web servers use the strongest grade of HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048-bit RSA, signed with SHA256.
Internal tier-to-tier requests are signed and authenticated to prevent request forgery, tampering, and replay.
Storage: All persistent data is encrypted at rest using the AES-128 standards or similarly high standards, allowing Amazon to have successfully completed ISO 27001, SSAE-16, SOC 1, SOC 2, and SOC 3 certifications.
Workplace Security: In addition to the advanced security located at our data centers, we also have implemented workplace security measures including publicly inaccessible work spaces that are secured with physical locks and security systems.
Employee Equipment: Employee computers have strong passwords, encrypted disks, firewalls, and, where applicable, inbound and outbound network traffic monitoring and alerting.
Employee Access: We follow the principle of least privilege in how we write software as well as in the level of access employees are instructed to utilize in diagnosing and resolving problems in our software and in response to customer support requests.
We use Google for Business account infrastructure to verify employee account identity and require two-factor authentication for all internal applications without exception. Access to administrative interfaces additionally enforces administrator permissions where applicable, and all administrative access is logged and auditable using traditional web server logs as well as via the InFront Compliance Platform itself to make it easy to find and review any administrative activities with full fidelity. For third-party SaaS providers, we utilize Amazon and Google as identity providers whenever possible to provide access control across all the apps that employees access as part of their job.
Code Reviews and Production Signoff: All changes to source code destined for production systems are subject to pre-commit code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.
Prior to updating production services, all contributors to the updated software version are required to approve that their changes are working as intended on staging servers.
Service Levels, Backups, and Recovery: InFront Compliance infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of autoscaling, load balancing, task queues and rolling deployments. Due to the very large amount of data that InFront Compliance stores, we do not currently make point-in-time backups, although we do use highly redundant data stores and/or rapid recovery infrastructure, making unintentional loss of received data due to hardware failures very unlikely.
Excluding Sensitive Data: Our Platform facilitates customization by our subscribers of what kinds of information can be collected using the Platform. In such instances, the most important security consideration — one that is in our subscriber’s control — is the choice of what data to collect in the first place. By responsibly excluding sensitive information, subscribers can gain full benefit from InFront Compliance without sensitive data ever leaving an end user’s computer.
Client and Server Hardening: Exposed server endpoints are recurrently tested for vulnerabilities using multiple types of scanning software as well as manual testing. Request-handling code paths have frequent user re-authorization checks, payload size restrictions, rate limiting where appropriate, and other request verification techniques. All requests are logged and made searchable to operations staff.
We also use multiple techniques to ensure that using the InFront Compliance Platform is safe and that requests are authentic, including:
- IFRAME sandboxing
- XSS and CSRF protection
- signed and encrypted user auth cookies
- remote invalidation of extant sessions upon password change/user deactivation
API and Integrations: All access to InFront Compliance REST API endpoints requires an access key that can be regenerated on demand by customers.
Integrations with other applications are all opt-in at subscriber’s request and authenticated via OAuth or other applicable mechanisms required by the third party application. Integrations can be disabled at any time.
Customer Payment Information: We use Fattmerchant for payment processing and do not store any credit card information. Fattmerchant is a trusted, Level 1 PCI Service Provider.
Incident Reporting and Ongoing Improvements: InFront Compliance is in the process of implementing a Responsible Vulnerability Disclosure program. We will post additional updates as and when the process has been implemented. If you have a security concern or are aware of an incident, please send an email to firstname.lastname@example.org with the phrase “security concern” in the subject line.