POPin Security Policy
Overview
POPin is an anonymous crowdsourcing platform for leaders to increase productivity and achieve goals. It builds trust, exposes confusion, and uncovers ways to improve. POPin applies security best practices on our Hosting Platform. We focus on the security and privacy of our customers' data, and we ensure it by applying security and data controls at every layer of our application stack.
POPin’s Commitment to Trust
“The security, privacy, and anonymity of our customer’s data is our highest priority.” — Hayes Drumwright, POPin CEO
- We Encrypt All Customer Data in Transit
- We Encrypt All Customer Data at Rest
- We Follow OWASP Best Practices for Secure Coding
- We Follow AWS Best Practices for Security and Redundancy
- We Run Continuous Vulnerability Assessments against our Platform
Security Assessments and Compliance
Data Centers
POPin’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
POPin utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information see: https://aws.amazon.com/security
System configuration and consistency are maintained via custom configuration management software that is version controlled, peer reviewed, and tested thoroughly before being implemented in our Production environment. We use AWS Best Practice tools to enforce Infrastructure and Application security.
Operating system access is limited to the POPin Development Team and requires username, key, and IP authentication. To prevent password brute force attacks, theft, and sharing, operating systems do not allow password authentication.
The network segments of the POPin Production and Staging environments are completely isolated and independent of each other. There is no data sharing between them. All Customer data is hosted only in the Production environment.
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied, and only explicitly allowed ports and protocols are permitted based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Spoofing and Sniffing Protections
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed.
Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.
The POPin Platform is a Multi-Tenant architecture; however, user access is granted on a ‘per-Question’ basis. User verification and password recovery are done via time-limited, single-use links/tokens sent to the registered email. Production servers are outfitted to send secure cookies and other security-related headers and have been vetted to conform to OWASP Security Best Practices.
Customers can simplify their access to our application by using our secure SAML2 SSO integration.
All data is encrypted at rest using AWS Best Practices. Only our POPin Development Team can access data directly and only after username, key, and IP authentication.
POPin is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to POPin’s environment, ranked based on risk, and assigned accordingly.
We continually apply the latest security updates to all operating systems and applications, in order to mitigate exposure to vulnerabilities. This process allows POPin to keep the environment up-to-date.
We undergo penetration tests, vulnerability assessments, and source code reviews to assess the security of our application, architecture, and implementation. Our third party security assessments cover all areas of our platform including testing for OWASP Top 10 web application vulnerabilities. POPin works closely with external security assessors to review the security of the POPin platform and apply best practices.
Issues found in POPin applications are risk ranked, prioritized, and assigned accordingly for remediation, and POPin’s Development Team reviews each remediation plan to ensure proper resolution.
Customer Data stored in our POPin platform is automatically backed up every night to secure, access-controlled, and redundant storage. We use these backups to automatically bring our application back online in the event of an outage.
From our instance images to our databases, each component is backed up to secure, access-controlled, and redundant storage. We apply AWS Best Practices to ensure High-Availability of our Infrastructure and Primary Databases. In addition to standard backup practices, POPin’s infrastructure is designed to scale and be fault tolerant by automatically failing over to healthy instances and reducing the likelihood of any issues being visible to the user.
The POPin platform is designed to automatically fail over to Synced and Redundant databases in the event of the failure of our Primary Databases.
Customer Data Retention and Destruction
Within 30 days of a written data deletion request by an authorized representative of the tenant company, we will remove tenant-related data from the DB. Backed up data will be rotated out of our archives within 30 days after deletion from the DB.
Hardware decommissioning is managed by our infrastructure provider using a process designed to prevent customer data exposure. AWS uses techniques outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data.
For additional information see: https://aws.amazon.com/security
We take steps to protect the privacy of our customers and protect data stored within the platform. Some of the protections inherent to POPin’s products include authentication, access controls, data transport encryption, HTTPS restrictions to our platform, and encryption of all customer data at rest. For additional information see: https://popinnow.com/privacy-policy
Access to Customer Data
General POPin staff do not access or interact with customer data or applications as part of normal operations. Our POPin Customer Success (CS) team does review your data on your behalf as needed, but generally at the request of the customer, for support purposes or where required by law. Customer data is access controlled and all access is restricted to the POPin CS or Developer Team.